SAML-Toolkits / python3-saml

MIT License

Are the response checks too strict? #314

Closed jma closed 1 year ago

jma commented 2 years ago

I tried to use this library to be connected to https://www.switch.ch/edu-id/docs/services/. Depending on the configuration, the EntityID of the Issuer can be different from the IdP, which is required by python3-saml (https://github.com/onelogin/python3-saml/blob/59dd034a9a04246fc2b3cf462216aaa5a776f1f9/src/onelogin/saml2/response.py#L216).

Moreover, this check https://github.com/onelogin/python3-saml/blob/59dd034a9a04246fc2b3cf462216aaa5a776f1f9/src/onelogin/saml2/response.py#L307 also failed.

I did not find in the SAML documentation that these checks are required (https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf).

Do you think that these checks can be optional by configuration?

Many thanks in advance.

jma commented 2 years ago

Any news? Do you think that my post is irrelevant?

pitbulk commented 1 year ago

See https://github.com/SAML-Toolkits/python3-saml/issues/329#issuecomment-1353685748

lhaemmerle commented 1 year ago

I agree, there is nothing in the SAML2 specification that mandates that the Service Provider needs to check that the Issuer has the same entityID as was used when the user was sent to the Identity Provider. Neither the Shibboleth SP nor SimpleSAML has these checks (SimpleSAML had this check but then removed it once they were made aware that this check is not according to the standard and that these obsolete checks in fact prevent some legit use-cases).

pitbulk commented 1 year ago

@lhaemmerle , @jma

The situation described on the SSP ticket is totally different than the use case here.

On SSP the exception happened when the SP sent an AuthNRequest to IdP A, stored in the status the IdP Entity ID, and then, while processing the SAMLResponse, checked that the Issuer of such Response matched the IdP Entity ID stored.

php-saml does not store such an initial IdP Entity ID and does not do any later check. The check you reference in this ticket is done between the Entity ID of the IdP that generated the SAMLResponse received and the Entity ID of the IdPs that are trusted, a legit check.

SSP and Shibboleth also do this check, otherwise, how are the SAML settings/metadata of such an IdP retrieved to be managed by the toolkit during the SAMLResponse validation? If they don't recognize the Entity ID, they raise an exception.
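The two checks discussed in this thread, as an added example that is not python3-saml's own code: the Response Issuer is used as the key to look up the trusted IdP (the check pitbulk describes as legitimate, since without it there are no IdP settings to validate against), and each Assertion's Issuer is then compared with the Response Issuer. The trust store `TRUSTED_IDPS`, the entity IDs, the `require_assertion_issuer_match` switch and the sample responses are all constructed placeholders; the switch only illustrates how the second check could be made configurable while the trust-store lookup stays mandatory.

```python
# Added example, not python3-saml's own code: resolve which trusted IdP a SAML
# Response comes from by its Issuer, then check that each Assertion's Issuer
# agrees with it. Entity IDs, trust store and sample responses are constructed.
import xml.etree.ElementTree as ET  # for untrusted XML in production, parse via defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical trust store keyed by IdP entityID. In a real SP this is where the
# IdP's signing certificate and endpoints live; without resolving the Issuer
# there is nothing to validate the Response signature against.
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"  # placeholder
TRUSTED_IDPS = {IDP_ENTITY_ID: {"x509cert": "<placeholder-cert>"}}


def _issuer_text(element):
    """Return the stripped text of the direct saml:Issuer child, or ''."""
    return (element.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()


def validate_issuer(response_xml, trusted=TRUSTED_IDPS,
                    require_assertion_issuer_match=True):
    """Return (ok, detail): detail is the resolved entityID on success, or the
    reason for rejection. require_assertion_issuer_match is a hypothetical
    switch; the trust-store lookup on the Response Issuer is always enforced."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "root element is not samlp:Response"
    issuer = _issuer_text(root)
    if not issuer:
        return False, "Response carries no Issuer"
    if issuer not in trusted:
        return False, f"Issuer {issuer!r} is not a trusted IdP"
    if require_assertion_issuer_match:
        for assertion in root.findall("saml:Assertion", NS):
            a_issuer = _issuer_text(assertion)
            if a_issuer != issuer:
                return False, (f"Assertion Issuer {a_issuer!r} differs from "
                               f"Response Issuer {issuer!r}")
    return True, issuer


def sample_response(response_issuer, assertion_issuer):
    """Constructed, unsigned SAML Response used only to exercise the checks."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
  <saml:Issuer>{response_issuer}</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
    <saml:Issuer>{assertion_issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    other = "https://other.example.net/idp"  # placeholder, not in the trust store
    for label, resp in [
        ("trusted, issuers agree", sample_response(IDP_ENTITY_ID, IDP_ENTITY_ID)),
        ("unknown issuer", sample_response(other, other)),
        ("assertion issuer differs", sample_response(IDP_ENTITY_ID, other)),
    ]:
        print(label, "->", validate_issuer(resp))
```

Running the block rejects the unknown Issuer regardless of the switch, which is the point made in the last comment above: the Issuer is what selects the IdP metadata, so a Response whose Issuer is not in the trust store cannot be validated at all. Only the Assertion-versus-Response Issuer comparison is behind the configurable switch.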