Trying to get SAML set up between the wso2 Identity Server 5.0.0 +
Service Pack and a 3rd party Service Provider. Facing a similar problem
to a stack trace question
<http://stackoverflow.com/questions/22182354/sso-for-php-webapp-with-wso2-identity-server-authentication-request-failed>
except that the SP is not able to add the Destination parameter to their
samlp:AuthnRequest.
To be more specific, the samlp:AuthnRequest I receive looks like this:
    <samlp:AuthnRequest
        AssertionConsumerServiceURL='https://schoolname.academicworks.com/saml/callback'
        ID='_388406f0-3581-0133-2bea-0610df7af2db'
        IssueInstant='2015-09-04T22:21:32Z' Version='2.0'
        xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
      <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://schoolname.academicworks.com/saml-sp</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate='true'
          Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
          xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/>
    </samlp:AuthnRequest>
This request is missing the Destination parameter. With this request,
the wso2 identity server logs the following and the SAML login fails:
    TID: [0] [IS] [2015-09-04 17:46:56,471] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Destination validation for Authentication Request failed. Received: [null]. Expected: [https://ourhostname.ourschool.edu:443/samlsso] {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
As the post I reference notes, this check can be found in the source:
    public class AuthnRequestProcessor
    <snip>
        // Validate 'Destination'
        String idpUrl = IdentityUtil.getProperty(IdentityConstants.ServerConfig.SSO_IDP_URL);
        if (authnReqDTO.getDestination() == null ||
                !idpUrl.equals(authnReqDTO.getDestination())) {
            String msg = "Destination validation for Authentication Request failed. " +
                         "Received: [" + authnReqDTO.getDestination() + "]." +
                         " Expected: [" + idpUrl + "]";
            log.warn(msg);
            return buildErrorResponse(authnReqDTO.getId(),
                                      SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
        }
This is in the file:
components/identity/org.wso2.carbon.identity.sso.saml/4.2.1/src/main/java/org/wso2/carbon/identity/sso/saml/processors/AuthnRequestProcessor.java
There appears to be no way to turn off this check via settings. I
could hack the source to remove the check for [null], but then I would
be maintaining this forever. It is unclear from my read of the SAML
documentation that the Destination parameter is required, but the
Identity Server certainly seems to think so.
Here is the SAML documentation (my *bolding*):
From: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Destination [*Optional*]
A URI reference indicating the address to which this request has been
sent. This is useful to prevent malicious forwarding of requests to
unintended recipients, a protection that is required by some protocol
bindings. If it is present, the actual recipient MUST check that the URI
reference identifies the location at which the message was received. If
it does not, the request MUST be discarded. *Some protocol bindings may
require the use of this attribute (see [SAMLBind]).*
Also from
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
Section 3.4 HTTP Redirect Binding
3.4.5.2 Security Considerations
The presence of the user agent intermediary means that the requester and
responder cannot rely on the transport layer for end-end authentication,
integrity and confidentiality. URL-encoded messages MAY be signed to
provide origin authentication and integrity if the encoding method
specifies a means for signing. *If the message is signed, the Destination
XML attribute in the root SAML element of the protocol message MUST
contain the URL to which the sender has instructed the user agent to
deliver the message. The recipient MUST then verify that the value
matches the location at which the message has been received.*
In this particular case, the request is not signed, but I assume the
WSO2 programmers read this statement and assumed that they should always
validate the destination parameters and whoever wrote the ruby-saml
implementation looked at the "optional" keyword and said, don't worry
about it.
Any suggestions on how to deal with this? If I sent back a revised
AuthnRequestProcessor class, could this be committed to future builds, or
do I have to become a registered developer?
Thanks in advance for the assistance. Note I also cross-posted this to
Stacktrace
(http://stackoverflow.com/questions/32460866/how-do-you-disable-wso2-identity-servers-destination-parameter-check-for-samlp)
since I was not sure where best to raise this issue.
Thanks,
John
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
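As an added illustration (not code from the post or from WSO2), here is the Destination rule from the two spec passages quoted above, written out as a small validator: Destination is optional on an unsigned request, mandatory when the Redirect-binding message is signed, and whenever present must equal the URL the IdP actually received the message at. A `strict` flag reproduces the stricter behaviour of the WSO2 5.0.0 processor, which also rejects a missing Destination. The sample request is constructed after the one in the post; hostnames, the ID and the expected IdP URL are placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest modelled on the one in the post (placeholder values).
AUTHN_REQUEST_NO_DEST = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="https://sp.example.com/saml/callback"
  ID="_placeholder-id" IssueInstant="2015-09-04T22:21:32Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/saml-sp</saml:Issuer>
</samlp:AuthnRequest>"""

# Same request with a Destination attribute added (placeholder IdP endpoint).
IDP_URL = "https://idp.example.edu:443/samlsso"
AUTHN_REQUEST_WITH_DEST = AUTHN_REQUEST_NO_DEST.replace(
    'Version="2.0"', 'Version="2.0" Destination="%s"' % IDP_URL)


def get_destination(authn_request_xml):
    """Return the Destination attribute of the root samlp:AuthnRequest, or None."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("root element is not samlp:AuthnRequest")
    return root.get("Destination")


def validate_destination(authn_request_xml, received_at, signed, strict=False):
    """Apply the Destination rules quoted from saml-core and saml-bindings 3.4.5.2.

    received_at: the IdP endpoint URL at which the message actually arrived.
    signed:      whether the request carried a signature (Redirect binding).
    strict:      also reject a missing Destination on unsigned requests, which is
                 what the WSO2 IS 5.0.0 AuthnRequestProcessor in the post does.
    Returns (ok, reason).
    """
    dest = get_destination(authn_request_xml)
    if dest is None:
        if signed:
            return False, "signed request MUST carry Destination (bindings 3.4.5.2)"
        if strict:
            return False, ("Destination validation failed. Received: [None]. "
                           "Expected: [%s]" % received_at)
        return True, "Destination absent; optional for an unsigned request (saml-core)"
    # Exact string comparison, as in the WSO2 code: 'https://host:443/samlsso' and
    # 'https://host/samlsso' do NOT match, so the SP must send the configured URL verbatim.
    if dest != received_at:
        return False, ("Destination validation failed. Received: [%s]. "
                       "Expected: [%s]" % (dest, received_at))
    return True, "Destination matches the receiving endpoint"
```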