rhtyd commented on issue #4519: URL: https://github.com/apache/cloudstack/issues/4519#issuecomment-738888486
I did a quick code investigation, looks like when there is no encryption in place we get the unencrypted username (`uid` usually) parameter from the SAML token (if I recall correctly this was done only to allow and test insecure IDP servers): https://github.com/apache/cloudstack/blob/master/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java#L241 ... however, I'm not sure if changing the whole SAML token/response should fail at https://github.com/apache/cloudstack/blob/master/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java#L232, which was signed by a signature?

However, if the SAML IDP server has encryption enforced (see for example https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration#SecurityConfiguration-SigningandEncryptionEnablement) we get the username from the encrypted assertion value: https://github.com/apache/cloudstack/blob/master/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java#L289

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
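The ordering question raised in the comment above (is the `uid` attribute read from the response before or after the response signature is checked?) can be made concrete with a small model. The following is an added example, not CloudStack code and not the SAML2 plugin's own logic: it builds a minimal SAML-shaped response whose Assertion is signed, then shows that reading `uid` straight from the XML accepts a modified assertion, while a verify-first login rejects it. Two simplifications are assumptions for the sake of running offline: an HMAC over the C14N form of the Assertion stands in for XML-DSig (real IdPs sign with an asymmetric key and embed a `ds:Signature`), and all element and attribute names, keys and values are constructed here.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the IdP signing key (real SAML uses an asymmetric key pair).
IDP_KEY = b"constructed-idp-signing-key"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def canonical(elem):
    """C14N form of the element that gets signed; XML-DSig also canonicalizes before hashing."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))


def build_signed_response(uid, key=IDP_KEY):
    """Constructed IdP side: a Response carrying one Assertion with a uid attribute and a
    signature over that Assertion (HMAC-SHA256 as a stand-in for XML-DSig)."""
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, f"{{{SAML_NS}}}Assertion")
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name="uid")
    ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = uid
    sig = ET.SubElement(resp, "Signature")
    sig.text = hmac.new(key, canonical(assertion).encode(), hashlib.sha256).hexdigest()
    return ET.tostring(resp, encoding="unicode")


def extract_uid(response_xml):
    """Reads the uid attribute value from the response; on its own this trusts the XML as-is."""
    root = ET.fromstring(response_xml)
    node = root.find(f".//{{{SAML_NS}}}Attribute[@Name='uid']/{{{SAML_NS}}}AttributeValue")
    return node.text if node is not None else None


def verify_signature(response_xml, key=IDP_KEY):
    """Recomputes the signature over the Assertion as received and compares in constant time."""
    root = ET.fromstring(response_xml)
    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    sig = root.findtext("Signature")
    if assertion is None or sig is None:
        return False
    expected = hmac.new(key, canonical(assertion).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def login(response_xml, key=IDP_KEY):
    """Defender's ordering: the signature is checked first and uid is read only afterwards."""
    if not verify_signature(response_xml, key):
        raise PermissionError("SAML response signature does not verify")
    return extract_uid(response_xml)


def altered_uid_response(response_xml, new_uid):
    """Negative test case: the same response with the uid attribute changed after signing."""
    root = ET.fromstring(response_xml)
    node = root.find(f".//{{{SAML_NS}}}Attribute[@Name='uid']/{{{SAML_NS}}}AttributeValue")
    node.text = new_uid
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    good = build_signed_response("alice")
    bad = altered_uid_response(good, "someone-else")
    print("extract-only on altered response:", extract_uid(bad))   # attribute is read as-is
    print("verify-first on good response:", login(good))
    try:
        login(bad)
    except PermissionError as err:
        print("verify-first on altered response:", err)
```

The negative case is the point: `extract_uid` alone returns whatever the attribute now says, which is the situation the comment worries about when the username is taken from the unencrypted token, whereas `login` rejects the altered response because the recomputed signature no longer matches. Any real check must additionally confirm that the verified element is the one the attribute was read from (same Assertion, not a second unsigned one elsewhere in the document).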
