fedushare / mech_saml_ec

An open source implementation of draft-ietf-kitten-sasl-saml-ec
https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec

SP support for urn:ietf:params:xml:ns:samlec ACS Binding #25

Open nawatts opened 8 years ago

nawatts commented 8 years ago

https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec-13 specifies:

> If metadata is used, a SASL service's role MUST contain a corresponding `<md:AssertionConsumerService>` whose Location attribute contains the appropriate service name, as described above. The Binding attribute MUST be one of "urn:ietf:params:xml:ns:samlec" (RECOMMENDED) or "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" (for compatibility with older implementations of the ECP profile in existing identity provider software).

It appears that the SP does not support ECP requests using the samlec ACS binding. See shibsp/handler/impl/SAML2SessionInitiator.cpp#L282

```cpp
// Look up the ACS named by the request's acsIndex.
ACS = app.getAssertionConsumerServiceByIndex(atoi(prop.second));
if (!ACS)
    request.log(SPRequest::SPWarn, "invalid acsIndex specified in request, using acsIndex property");
// For ECP requests, only a PAOS-bound ACS is accepted; a samlec-bound one is discarded here.
else if (ECP && !XMLString::equals(ACS->getString("Binding").second, samlconstants::SAML20_BINDING_PAOS)) {
    request.log(SPRequest::SPWarn, "acsIndex in request referenced a non-PAOS ACS, using default ACS location");
    ACS = nullptr;
}
```

Part of #13
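An added example, not code from mech_saml_ec or Shibboleth SP, that models the acsIndex selection described in this issue with the SP's current PAOS-only check beside the check the draft requires (samlec or PAOS). The struct, function names and the sample endpoint table are assumptions made for illustration.

```cpp
// Added example (not code from mech_saml_ec or Shibboleth SP): models the
// acsIndex lookup for an ECP request with both binding checks side by side.
// Struct, function names and the endpoint table are assumptions.
#include <string>
#include <vector>

// Binding URIs quoted from the draft in the comment above, plus HTTP-POST
// as a non-ECP binding for contrast.
static const std::string kBindingSamlEc = "urn:ietf:params:xml:ns:samlec";
static const std::string kBindingPaos   = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS";
static const std::string kBindingPost   = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

struct AcsEndpoint {
    unsigned index;
    std::string binding;
    std::string location;
};

// What the SP currently accepts for ECP: PAOS only (the quoted condition).
bool isEcpBindingCurrent(const std::string& binding) {
    return binding == kBindingPaos;
}

// What the draft requires: samlec (RECOMMENDED) or PAOS (compatibility).
bool isEcpBindingPerDraft(const std::string& binding) {
    return binding == kBindingSamlEc || binding == kBindingPaos;
}

// Resolve the ACS named by acsIndex for an ECP request. Returns nullptr when
// the index is unknown or its binding is not ECP-capable under the supplied
// check, which is the "using default ACS location" path in the SP code.
const AcsEndpoint* selectEcpAcs(const std::vector<AcsEndpoint>& table,
                                unsigned acsIndex,
                                bool (*ecpCapable)(const std::string&)) {
    for (const AcsEndpoint& acs : table) {
        if (acs.index != acsIndex) continue;
        return ecpCapable(acs.binding) ? &acs : nullptr;
    }
    return nullptr;
}

// Constructed sample metadata: one HTTP-POST, one PAOS and one samlec
// endpoint. The samlec Location carries a service name, as the draft says.
static const std::vector<AcsEndpoint> kSampleAcs = {
    {1, kBindingPost,   "https://sp.example.org/Shibboleth.sso/SAML2/POST"},
    {2, kBindingPaos,   "https://sp.example.org/Shibboleth.sso/SAML2/ECP"},
    {3, kBindingSamlEc, "imap/mail.example.org"},
};
```

With the current check, acsIndex 3 (the samlec endpoint) is discarded and the SP falls back to its default ACS; with the draft's check it is honoured.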