aerialship / SamlSPBundle

SAML 2.0 Symfony SP Bundle - new version available at http://www.lightsaml.com/SP-Bundle/
MIT License

SAML protocol response cannot be sent via bindings other than HTTP POST #24

Closed tmilos closed 10 years ago

tmilos commented 10 years ago

Intro

Windows Azure has the following IDP metadata

<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">...</KeyDescriptor>
    <SingleLogoutService 
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.windows.net/554fbdfd-f04f-4975-91cb-ddc8b147aaa3/saml2"/>
    <SingleSignOnService 
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.windows.net/554fbdfc-f04f-4975-91cb-ddc8b147aaa3/saml2"/>
</IDPSSODescriptor>

Redirect binding spMeta config

If security.yml is set up as

services:
    azure:
        sp:
            meta:
                name_id_format: persistent
                binding:
                    authn_request: redirect

Then the redirect binding is used to send the AuthRequest with the attribute ProtocolBinding="HTTP-POST", and Azure responds with

Unsuccessful SAML response: 
urn:oasis:names:tc:SAML:2.0:status:Requester 
ACS75006: An error occurred while processing a SAML2 Authentication request. 
ACS75003: SAML protocol response cannot be sent via bindings other than HTTP POST. 
Requested binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding 

POST binding spMeta config

If security.yml is set up as

services:
    azure:
        sp:
            meta:
                name_id_format: persistent
                binding:
                    authn_request: post

Then the POST binding is used to send the AuthRequest with the attribute ProtocolBinding="HTTP-Redirect", and Azure responds with HTTP 404 Page not found.

Summary

saml-core-2.0-os.pdf states that the AuthRequest ProtocolBinding attribute references the "binding to be used when returning the message", while in the current implementation it is both the binding used for sending and the value of that attribute.

It should be possible to use one binding for sending the AuthRequest message that is different from the one put in its ProtocolBinding attribute.
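To make the distinction in this issue concrete, here is an added Python example (not code from SamlSPBundle or lightsaml) that builds an unsigned AuthnRequest whose ProtocolBinding says "return the Response via HTTP-POST" and then transports that request to the IdP with the HTTP-Redirect binding (raw DEFLATE, base64, SAMLRequest query parameter). The issuer, IdP and ACS URLs are constructed placeholders, and request signing (SigAlg/Signature parameters) is omitted.

```python
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(issuer, destination, acs_url, protocol_binding=BINDING_POST):
    """Return an unsigned AuthnRequest as an XML string.

    protocol_binding only tells the IdP which binding to use when RETURNING the
    Response to acs_url; it says nothing about how this request is transported.
    """
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": protocol_binding,
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(sso_url, authn_request_xml, relay_state=None):
    """Transport the request with HTTP-Redirect: raw DEFLATE, base64, URL query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + ("&" if "?" in sso_url else "?") + urllib.parse.urlencode(params)


def decode_redirect_url(url):
    """Inverse of redirect_binding_url: what the IdP does when the request arrives."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def protocol_binding_of(authn_request_xml):
    """Read back the ProtocolBinding attribute the IdP will honour for its Response."""
    return ET.fromstring(authn_request_xml).get("ProtocolBinding")
```

With the Azure metadata above, only the combination "send via HTTP-Redirect, ProtocolBinding=HTTP-POST" is accepted; the two settings must be configurable independently.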

tmilos commented 10 years ago

The main logic for building the AuthnRequest, including the AssertionConsumerServiceURL and ProtocolBinding attributes, is in https://github.com/aerialship/lightsaml and will be resolved with aerialship/lightsaml#20.

After that, in this project the spMeta configuration has to be adjusted for eventual new fields, and finally functionally tested.

tmilos commented 10 years ago

Also related to #17: ACS must receive Response only on POST.