gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Properly parse SingleSignOnService #1883

Open klizhentas opened 6 years ago

klizhentas commented 6 years ago

What happened:

In case the SAML entity descriptor contains multiple tags like this:

    <tag0:SingleSignOnService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' Location='https://...'></tag0:SingleSignOnService>

Teleport's SAML library gets confused and picks the last one, which is the wrong one. It has to specifically pick the service with a proper binding.

This causes us a lot of trouble setting some identity providers up.

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

Environment:

Browser environment

Relevant Debug Logs If Applicable

kontsevoy commented 6 years ago

Punt if not easy to fix.

russjones commented 4 years ago

Let's check if this has been fixed upstream since then.
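
The selection the issue asks for, as an added example that is not Teleport's code or its SAML library's: parse the entity descriptor and choose the `SingleSignOnService` by its `Binding` attribute instead of by position. The sample metadata, the `idp.example.com` URLs and the `ssoLocation` helper are constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

const redirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
const postBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

// Constructed sample metadata: two SSO endpoints, the HTTP-Redirect one is NOT last.
const sampleMetadata = `<tag0:EntityDescriptor xmlns:tag0="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com">
  <tag0:IDPSSODescriptor>
    <tag0:SingleSignOnService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' Location='https://idp.example.com/sso/redirect'></tag0:SingleSignOnService>
    <tag0:SingleSignOnService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://idp.example.com/sso/post'></tag0:SingleSignOnService>
  </tag0:IDPSSODescriptor>
</tag0:EntityDescriptor>`

// ssoService holds the two attributes that matter for endpoint selection.
type ssoService struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
}

// entityDescriptor collects every SingleSignOnService, whatever prefix is used.
type entityDescriptor struct {
	Services []ssoService `xml:"IDPSSODescriptor>SingleSignOnService"`
}

// ssoLocation returns the Location of the first SingleSignOnService whose
// Binding equals wantBinding, and fails closed when none matches.
func ssoLocation(metadata []byte, wantBinding string) (string, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return "", fmt.Errorf("parsing entity descriptor: %w", err)
	}
	for _, s := range ed.Services {
		if s.Binding == wantBinding && s.Location != "" {
			return s.Location, nil
		}
	}
	return "", errors.New("no SingleSignOnService with binding " + wantBinding)
}

func main() {
	loc, err := ssoLocation([]byte(sampleMetadata), redirectBinding)
	fmt.Println(loc, err)
}
```

Returning an error when no endpoint carries the requested binding keeps a misconfigured connector from silently sending authentication requests to an endpoint that expects a different binding.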