OpenConext / Stepup-Gateway

Stepup Gateway
Apache License 2.0

Assertion sent to HTTP-Redirect via POST method #176

Closed sitya closed 5 years ago

sitya commented 5 years ago

Hey,

I am using SFO, and after a successful tiqr authentication, Stepup-Gateway sends the SAML Assertion back to the SP's HTTP-Redirect endpoint (as was required in the AuthnRequest), but it uses the POST method.

<samlp:Response 
   ...
    Destination="https://xxxx/stepup/acs/redirect" 
    InResponseTo="id-UhuC6kFRqMSv4rx0l">
    <saml:Issuer>https://gateway.xxx.org/second-factor-only/metadata</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>

And:

Request URL:  https://xxxx/stepup/acs/redirect
Request Method:  POST
Status Code:  500 Internal Service Error

If I apply a workaround by deleting the redirect endpoint from the SP's metadata (in middleware-config.json.j2), I can force the Gateway to send the assertion back to the POST endpoint, and it works.

Thanks.

pmeulen commented 5 years ago

Hi Sitya,

I'm not sure I understand the problem you are describing. The Stepup-Gateway will always send the SAML Response message back to the SP using the HTTP-POST binding. It would be very unusual to send a SAML Response to an SP using the HTTP-Redirect binding, I have never seen it being used for that purpose. If you use an existing SAML library in your SP, it is unlikely to support this.

Why do you expect the Stepup-Gateway to use the HTTP-Redirect Binding to send the SAML Response?

Can you share the SP configuration you use in middleware-config.json.j2 and the change that you are making to make it work for you?

sitya commented 5 years ago

Honestly, you are absolutely right, that is the point :-) Actually, I had not noticed there was an HTTP-Redirect binding as a superfluous endpoint in the generated metadata of the SP.

Just one remark: I think it might be good if the Gateway ignored HTTP-Redirect endpoints altogether in the metadata given in middleware-config.json.j2.

Thanks anyway!

pmeulen commented 5 years ago

The Stepup-Gateway is unaware of what is in the SP's metadata; it only looks at the acs property. It is up to you to put a location there that supports the HTTP-POST binding.

For SFO, multiple ACS locations are not supported, so the first one is always used.

I updated the documentation of the acs property with the binding used and how multiple ACS locations are handled: https://github.com/OpenConext/Stepup-Middleware/blob/develop/docs/MiddlewareConfiguration.md#service-providers
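A configuration check for the situation in this thread, added here as an example and not part of the Stepup project: it parses the SP's SAML metadata and verifies that the first acs location in the middleware SP entry (the one SFO uses) is an HTTP-POST AssertionConsumerService, since the Gateway always delivers the Response via HTTP-POST. The acs-as-list layout, the sp_config shape and the metadata document are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata mirroring the thread: a superfluous HTTP-Redirect
# AssertionConsumerService listed ahead of the HTTP-POST one.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/stepup/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/stepup/acs/redirect"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/stepup/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def acs_bindings(metadata_xml):
    """Map every AssertionConsumerService Location in SP metadata to its Binding URN."""
    root = ET.fromstring(metadata_xml)
    tag = f"{{{MD_NS}}}AssertionConsumerService"
    return {acs.get("Location"): acs.get("Binding") for acs in root.iter(tag)}

def check_sfo_acs(sp_config, metadata_xml):
    """Return (ok, message) for one SP entry of the middleware configuration.

    Assumption: the entry's "acs" value is a list of URLs. Only the first one
    matters for SFO, and it must be an HTTP-POST endpoint in the SP's metadata,
    because the Gateway always delivers the SAML Response via HTTP-POST.
    """
    locations = sp_config.get("acs") or []
    if not locations:
        return False, "no acs location configured"
    first = locations[0]
    binding = acs_bindings(metadata_xml).get(first)
    if binding is None:
        return False, f"{first} is not an AssertionConsumerService in the SP metadata"
    if binding != POST_BINDING:
        return False, f"{first} is bound to {binding}, not HTTP-POST"
    return True, f"{first} accepts HTTP-POST"

if __name__ == "__main__":
    # As in the issue: the redirect endpoint comes first, so SFO would use it.
    broken = {"acs": ["https://sp.example.org/stepup/acs/redirect",
                      "https://sp.example.org/stepup/acs/post"]}
    fixed = {"acs": ["https://sp.example.org/stepup/acs/post"]}
    print(check_sfo_acs(broken, SP_METADATA))
    print(check_sfo_acs(fixed, SP_METADATA))
```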