Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

WantAuthnRequestsSigned, configured using config file, is ignored when metadata is loaded #1346

Closed P-39-Airacobra closed 2 years ago

P-39-Airacobra commented 2 years ago

Symptoms

When the WantAuthnRequestsSigned property of the IdentityProvider class is configured in a configuration file by setting wantAuthnRequestsSigned = "true" and, at the same time, loadMetadata = "true", then the setting is overridden when metadata is loaded.

And what's worse, when the WantAuthnRequestsSigned attribute is missing in the metadata, the property is always set to false, regardless of the setting of wantAuthnRequestsSigned in the config file.

Expected behaviour

Expected behaviour should be that setting wantAuthnRequestsSigned in the config file should always take precedence over a value loaded from the metadata.

Suggested fix

In the ReadMetadataIdpDescriptor() method of the IdentityProvider class (file IdentityProvider.cs, line 443), replace:

WantAuthnRequestsSigned = idpDescriptor.WantAuthnRequestsSigned ?? false;

with:

if (!WantAuthnRequestsSigned)
{
    WantAuthnRequestsSigned = idpDescriptor.WantAuthnRequestsSigned ?? false;
}
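As an added illustration (not Sustainsys.Saml2 code; the IdpConfig and MetadataDescriptor types are assumptions constructed for this example), the following models the precedence problem described in this issue next to a config-wins merge, which also distinguishes a value explicitly configured as false from one that is not configured at all:

```csharp
using System;

// Constructed stand-in for the relevant parts of the config-file entry.
sealed class IdpConfig
{
    // null = attribute absent from config; true/false = explicitly configured
    public bool? WantAuthnRequestsSigned { get; set; }
    public bool LoadMetadata { get; set; }
}

// Constructed stand-in for the IDPSSODescriptor read from metadata.
sealed class MetadataDescriptor
{
    // null = WantAuthnRequestsSigned attribute absent from the descriptor
    public bool? WantAuthnRequestsSigned { get; set; }
}

static class Precedence
{
    // Behaviour reported in the issue: once metadata is loaded it always
    // wins, and a missing attribute silently becomes false.
    public static bool MetadataOverwrites(IdpConfig cfg, MetadataDescriptor md)
    {
        bool value = cfg.WantAuthnRequestsSigned ?? false;
        if (cfg.LoadMetadata)
            value = md.WantAuthnRequestsSigned ?? false;
        return value;
    }

    // Config-wins merge: an explicitly configured value is kept whether it
    // is true or false; metadata only fills in when config said nothing.
    public static bool ConfigWins(IdpConfig cfg, MetadataDescriptor md)
    {
        if (cfg.WantAuthnRequestsSigned.HasValue)
            return cfg.WantAuthnRequestsSigned.Value;
        if (cfg.LoadMetadata && md.WantAuthnRequestsSigned.HasValue)
            return md.WantAuthnRequestsSigned.Value;
        return false; // neither source specified a value
    }
}

static class Program
{
    static void Main()
    {
        // The exact case from the issue: configured true, attribute absent in metadata.
        var cfg = new IdpConfig { WantAuthnRequestsSigned = true, LoadMetadata = true };
        var md = new MetadataDescriptor { WantAuthnRequestsSigned = null };
        Console.WriteLine("metadata overwrites: " + Precedence.MetadataOverwrites(cfg, md));
        Console.WriteLine("config wins:         " + Precedence.ConfigWins(cfg, md));
    }
}
```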

AndersAbel commented 2 years ago

Yes, the way Metadata overwrites configured values is not optimal. This is something that will be addressed in the new configuration model for versions 3.x.

For existing versions 2.x you can use the AuthenticateRequestSigningBehavior flag to control how the SP behaves when WantAuthnRequestsSigned is not present in Metadata.