crewjam / saml

SAML library for go
BSD 2-Clause "Simplified" License

Logout response validation failed with Authentication failed error #489

Open alexanderzobnin opened 1 year ago

alexanderzobnin commented 1 year ago

When single logout is enabled, the SP fails to perform logout with the error "Authentication failed". I tried to debug and found that the error is happening in ValidateLogoutResponseRedirect(). It returns errors like "invalid character entity &d (no semicolon)" or "invalid UTF-8". After some investigation, I found that it's related to the compressed response. The error happens here:

https://github.com/crewjam/saml/blob/2aeb2efd8c405fb7b40aa75b591b0828ef552670/service_provider.go#L1538

rawResponseBuf contains compressed bytes and should be deflated first. In previous versions it was correct:

https://github.com/crewjam/saml/blob/5e0ffd290abf0be7dfd4f8279e03a963071544eb/service_provider.go#L1561

where gr is the deflated string:

https://github.com/crewjam/saml/blob/5e0ffd290abf0be7dfd4f8279e03a963071544eb/service_provider.go#L1538

So I think the fix is pretty straightforward.
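To show what the HTTP-Redirect binding actually puts in the SAMLResponse query parameter, here is an added example (it is not the library's code and not code from the issue): an IdP-side encoder that raw-DEFLATEs, base64-encodes and URL-encodes a LogoutResponse, and an SP-side decoder that parses the parameter both without inflating (reproducing the XML parse errors reported above) and with inflating. The sample document, the sp.example.invalid host, the maxInflated cap, the struct types and the function names are constructed for this example and are not the library's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
)

// Constructed sample LogoutResponse for this example; not captured from a real IdP.
const sampleLogoutResponse = `<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
	`ID="_example-response" InResponseTo="_example-request" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">` +
	`<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>` +
	`</samlp:LogoutResponse>`

// maxInflated caps the decompressed size so a small, highly compressible
// SAMLResponse from the browser cannot exhaust SP memory. Value chosen for this example.
const maxInflated = 1 << 20

// statusCode and logoutResponse are minimal stand-ins for the protocol element;
// they are not the library's types.
type statusCode struct {
	Value string `xml:"Value,attr"`
}

type logoutResponse struct {
	XMLName      xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutResponse"`
	ID           string     `xml:"ID,attr"`
	InResponseTo string     `xml:"InResponseTo,attr"`
	StatusCode   statusCode `xml:"Status>StatusCode"`
}

// encodeRedirect does what an IdP does for the HTTP-Redirect binding:
// raw DEFLATE (RFC 1951, no zlib header), then base64, then URL-encode the
// result as the SAMLResponse query parameter. The SP host is a placeholder.
func encodeRedirect(xmlDoc string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xmlDoc)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("SAMLResponse", base64.StdEncoding.EncodeToString(buf.Bytes()))
	return "https://sp.example.invalid/saml/slo?" + q.Encode(), nil
}

// decodeRedirect reverses the binding on the SP side. With inflate=false it
// reproduces the failure mode from the issue: the base64-decoded bytes are
// still DEFLATE data and are handed straight to the XML parser.
func decodeRedirect(rawURL string, inflate bool) (*logoutResponse, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(u.Query().Get("SAMLResponse"))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if inflate {
		r := flate.NewReader(bytes.NewReader(raw))
		defer r.Close()
		if raw, err = io.ReadAll(io.LimitReader(r, maxInflated)); err != nil {
			return nil, fmt.Errorf("inflate: %w", err)
		}
	}
	var resp logoutResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("xml: %w", err)
	}
	return &resp, nil
}

func main() {
	redirectURL, err := encodeRedirect(sampleLogoutResponse)
	if err != nil {
		panic(err)
	}
	if _, err := decodeRedirect(redirectURL, false); err != nil {
		fmt.Println("without inflating:", err)
	}
	resp, err := decodeRedirect(redirectURL, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("after inflating:", resp.ID, resp.InResponseTo, resp.StatusCode.Value)
}
```

Inflating before parsing is the fix the issue asks for; the size cap is the extra check worth keeping, because the bytes being inflated arrive in a redirect controlled by the browser. The example covers only the decoding step and performs no signature verification, which a real logout-response validation path still has to do.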

rgl commented 1 year ago

@alexanderzobnin, is it because of this that the trivial example http://localhost:8000/logout endpoint ends up redirecting to http://localhost:8000/saml/slo and returning a 404?

alexanderzobnin commented 1 year ago

@rgl not sure, the error here happens during logout response processing, so it should not end up with a 404 but with an error ("Authentication failed").