auth0 / node-samlp

SAML Protocol support for node (only IdP for now)
MIT License
136 stars 117 forks source link

fix: support signed logout response sent via POST #140

Closed ArtiomCiumac closed 1 year ago

ArtiomCiumac commented 1 year ago

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This fixes checking for signed LogoutResponse during SLO scenarios when the app posts the response via POST. In such situation the code was still trying to load the signature from query and was failing to do so.

Testing

Set up SAML SLO with 2 applications:

  1. Set up applications in Auth0 with SLO configured and a custom signing certificate as per docs page.
  2. Set up two applications to sign their requests with a self-signed certificate.
  3. Set up the applications to send their requests via POST, but leave the settings on Auth0 side by default (which would use Redirect to send the responses to the apps - note that mixed bindings are fully allowed by the spec).
  4. Log into both applications.
  5. Initiate a Single Log Out.

Expected results after this PR:

The SLO should complete and it should be visible in browser dev tools that the app sends signed responses across all SAML requests.

Actual results before this PR:

The second session participant app LogoutResults fails the verification on the IDP side (this lib).

Checklist