OpenConext / Stepup-Gateway

Stepup Gateway
Apache License 2.0

Use ADFS specific response format for SAMLResponse with error status to ADFS #399

Open phavekes opened 2 days ago

phavekes commented 2 days ago

This issue is imported from pivotal - Originally created at Jan 25, 2023 by Pieter van der Meulen

SAML responses from and to the ADFS MFA extension (https://github.com/SURFnet/ADFS-MFA-SAML2.0-Extension) require special handling.

The ADFS MFA extension uses the gateway's SFO endpoint only. A request from the MFA extension requires parameters in the URL to be preserved, so these are stored in the gateway state and added back to the response. However, the gateway does not currently add these ADFS specific parameters back when it returns a SAML Response with an error StatusCode (i.e. a SAML error response). This means that the ADFS MFA extension is unable to handle these responses, and the user instead gets a generic error from the ADFS server.

Requested change: When the gateway detects an ADFS request to the SFO endpoint it must send all SAML responses, including those containing errors, using the ADFS specific response encoding.

See:

phavekes commented 2 days ago

Upon rendering a saml failed response, we use the responserendering service. And that service is not aware if we are dealing with an error response to an adfs AR.

We could use https://github.com/OpenConext/Stepup-Gateway/blob/fc9d16cdb927bf4b4b44fcd7cea2fe4804f4e7a7/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Adfs/RequestHelper.php#L57 to determine if the original request was an adfs request. In that case we should add the adfs params to the response. Alternatively we could utilize the handleAdfsResponse method of the AdfsService https://github.com/OpenConext/Stepup-Gateway/blob/fc9d16cdb927bf4b4b44fcd7cea2fe4804f4e7a7/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Service/Gateway/AdfsService.php#L92. Either way, there are real life examples on how to go about this. (Michiel Kodde - Feb 13, 2023)
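
A small model of the requested behaviour, added here as an example and not code from Stepup-Gateway: the stored gateway state records whether the request came from ADFS and which parameters were preserved, and one shared POST-field renderer is used for both success and error responses, so the error path no longer drops them. The parameter names AuthMethod and Context, the URLs and the IDs are assumptions constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"


@dataclass
class GatewayState:
    """What the SFO endpoint stores when the AuthnRequest arrives (constructed model)."""
    request_id: str
    acs_url: str
    # Assumed names of the ADFS-specific parameters; empty for non-ADFS requests.
    adfs_params: dict = field(default_factory=dict)

    def is_adfs_request(self):
        return bool(self.adfs_params)


def build_response_xml(state, status, sub_status=None, message=None):
    """Build a minimal samlp:Response carrying the given (nested) StatusCode."""
    ET.register_namespace("samlp", SAMLP)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_constructed-response-id", "Version": "2.0",
        "Destination": state.acs_url, "InResponseTo": state.request_id,
        "IssueInstant": "2023-07-14T00:00:00Z"})
    st = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(st, f"{{{SAMLP}}}StatusCode", Value=STATUS + status)
    if sub_status:  # e.g. Responder/AuthnFailed as in the gateway log
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=STATUS + sub_status)
    if message:
        ET.SubElement(st, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def render_post_fields(state, response_xml, relay_state=None):
    """Fields of the HTTP-POST form; used for success AND error responses."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if relay_state:
        fields["RelayState"] = relay_state
    if state.is_adfs_request():  # the fix: preserved ADFS params are always added back
        fields.update(state.adfs_params)
    return fields


def render_error(state, sub_status, message, relay_state=None):
    """Error response path, sharing the renderer so ADFS params are not lost."""
    return render_post_fields(
        state, build_response_xml(state, "Responder", sub_status, message), relay_state)
```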

phavekes commented 2 days ago

Tested in 4.0.3 and 4.1.1 with Tiqr GSSP.

In both 4.0.4 and 4.1.1 the ADFS specific response format is not used when POSTing the SAML error status Response back to the ADFS server. Instead the normal SAML POST binding is used with the registered ACS (https://adfs-2016.test2.surfconext.nl:443/adfs/ls)

Logs from stepup-gateway 4.1.1:

```
"NOTICE" "Received SAMLResponse, attempting to process for Second Factor Verification"

"ERROR" "Could not process received Response, error: \"Cannot process response, preconditions not met: \"Responder/AuthnFailed User cancelled the request\"

"WARNING" "AuthnRequest requests ACS location \"https://adfs-2016.test2.surfconext.nl:443/adfs/ls/?SAMLRequest=pVJdj9MwEPwrkd%2Fz4TSkPautVK5CVDqgupZ74AVtnQ215NjBu4bj35O6IA4k7uUkS7Zmd2bHo10SDHZUm8hnd49fIxJnj4N1pFJhJWJwygMZUg4GJMVaHTbv7lRdVGoMnr32VjyhPM8AIgxsvBPZbrsSn2e1lPpVW%2BO8hoXsFo08wex0ulnMm1bXjW5022LTAmqRPWCgibkSk9BEJ4q4c8TgeIKqepZX81w2x%2BpGTUe2n0S2nX5jHHBinZlHUmUJXU95Xcm24KlcFxRDr73DRy6cTdXSUimyzW%2Brt95RHDAcMHwzGj%2Fe3%2F0RGw0yhgLAJB2HSYTMMFpMAZ7HcvBdtFhcnheopOtd56ApoR32EC3nNIps%2FyvS18Z1xn15Ps3TtYnU2%2BNxn%2B8%2FHI5ivbxoq5ROWL%2FQ5oAMHTD843JZPp2xvG7Q%2B8ndbrv31ugf2RsfBuD%2Fm5eFTIjp8j61quhoRG16g90UvbX%2B%2B21AYFwJDhFFub4O%2FXtT1z8B&RelayState=https%3A%2F%2Fpieter.aai.surfnet.nl%2Fsimplesamlphp%2Fsp.php%3Fsp%3Ddefault-sp&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=zGDpGVZ8NoVewvywbtEFdwb8ry8jvOWe%2BGzojONgZE3ATK4X1vO6mLDFfSTyu1JzPjY4GjJ4jYH8R60%2BVMJWlcijfZbuOVBXY4uqsP4YRvaE9TvGJHEzGYkhYjKe0ZdPmLfS3Hy5J53uD60nGX20%2FZ36nIz4pg8N06OnHhFQhFYAiq1HIq%2F46d3I%2BtG74JUynBlaZ1zDlR7Jqbth0cGcu0VblK3hDnIqsQfYFFyAkWMXb4FWZuDknj3NDmmGolxRix0gPj0cI%2FxlcrLPo1hfmzYse7tC%2FQ881dj%2FAwiF8iPc9n13v4v5QB6Ev9cR%2Fi1vEez3wEV1UVxcbwAAa4Czww%3D%3D\" but it is not configured in the list of allowed ACS locations"
```

(Pieter van der Meulen - Jul 14, 2023)