SAML-Toolkits / php-saml

Simple SAML toolkit for PHP
MIT License

SubjectConfirmation validation not working #559

Open GrahamCampbell opened 1 year ago

GrahamCampbell commented 1 year ago

The following valid data is being rejected:

    <saml2:Subject>
      <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://samltest.id/saml/idp" SPNameQualifier="https://example.co/sso/saml2/223J5JXysUDoutRd1DHgmoYgVfk/metadata">KABUOZP2NMDOSU2L6ISHMEONVCFWVI2U</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="81.102.133.168" InResponseTo="ONELOGIN_f08011d1c9d5cf2479c06d773709f124433f3541" NotOnOrAfter="2023-07-04T09:21:26.053Z" Recipient="https://example.com/sso/saml2/223J5JXysUDoutRd1DHgmoYgVfk/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>

The issue seems to be that the library code only works with saml and not saml2, which is also allowed by the spec.

GrahamCampbell commented 1 year ago

Seems to be an issue, even if saml2 is replaced with saml, actually.

pitbulk commented 1 year ago

@GrahamCampbell can you share what IdP you are using? What error do you get?
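
As an added example (not part of the thread and not php-saml's own code): a namespace-aware check of a bearer SubjectConfirmationData like the one quoted in the issue, showing that an XPath lookup keyed on the assertion namespace URI treats the saml: and saml2: prefixes identically. The function name, sample XML, ACS URL and request ID are constructed, and an SP-initiated flow (so InResponseTo is expected) is assumed.

```php
<?php
// Added example, not php-saml code. Names and sample values are constructed.
const NS_ASSERTION = 'urn:oasis:names:tc:SAML:2.0:assertion';
const CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer';

/** Returns [] if any bearer SubjectConfirmationData is acceptable, else the reasons. */
function checkBearerConfirmation(string $xml, string $acsUrl, string $requestId, int $now): array
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml, LIBXML_NONET)) {
        return ['not well-formed XML'];
    }
    $xpath = new DOMXPath($doc);
    // 'a' is a query-local prefix; XPath matches on the namespace URI, so the
    // document may use saml:, saml2: or any other prefix bound to that URI.
    $xpath->registerNamespace('a', NS_ASSERTION);
    $nodes = $xpath->query(
        '//a:Subject/a:SubjectConfirmation[@Method="' . CM_BEARER . '"]/a:SubjectConfirmationData'
    );
    $failures = [];
    foreach ($nodes as $i => $scd) {
        $why = [];
        if ($scd->getAttribute('Recipient') !== $acsUrl) {
            $why[] = 'Recipient does not match the ACS URL';
        }
        if ($scd->getAttribute('InResponseTo') !== $requestId) {
            $why[] = 'InResponseTo does not match the request ID';
        }
        $notOnOrAfter = strtotime($scd->getAttribute('NotOnOrAfter'));
        if ($notOnOrAfter === false || $notOnOrAfter <= $now) {
            $why[] = 'NotOnOrAfter is missing, unparsable or in the past';
        }
        if ($why === []) {
            return []; // one acceptable confirmation is enough
        }
        $failures[] = "SubjectConfirmationData #$i: " . implode('; ', $why);
    }
    return $failures ?: ['no bearer SubjectConfirmationData found'];
}

// Constructed sample: the same Subject serialized under two different prefixes.
$template = '<PFX:Subject xmlns:PFX="' . NS_ASSERTION . '"><PFX:SubjectConfirmation Method="' . CM_BEARER . '">'
    . '<PFX:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2030-01-01T00:05:00.000Z"'
    . ' Recipient="https://sp.example.test/acs"/></PFX:SubjectConfirmation></PFX:Subject>';
$now = strtotime('2030-01-01T00:00:00Z');
foreach (['saml', 'saml2'] as $prefix) {
    $xml = str_replace('PFX', $prefix, $template);
    echo $prefix, ': ', json_encode(checkBearerConfirmation($xml, 'https://sp.example.test/acs', '_req1', $now)), "\n";
}
```

Passing a different ACS URL or request ID to the same call returns the specific reason for rejection, which is the detail the maintainer asks for above.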