i8beef / SAML2


Usage of EntitiesDescriptor impossible #53

Closed Smith00101010 closed 3 years ago

Smith00101010 commented 3 years ago

Hi,

I am currently testing this library with different identity providers, and while trying out Keycloak I encountered a problem. The generated metadata file has EntitiesDescriptor as its root element:

<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
    <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://localhost:8088/auth/realms/master">
        <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:KeyName>Qlz5MHMBVHTyz0FJWWHTcrWoEKsPB9w3ZfzoG-Az6yE</ds:KeyName>
                    <ds:X509Data>
                        <ds:X509Certificate>...</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8088/auth/realms/master/protocol/saml"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8088/auth/realms/master/protocol/saml"/>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8088/auth/realms/master/protocol/saml"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8088/auth/realms/master/protocol/saml"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:8088/auth/realms/master/protocol/saml"/>
        </md:IDPSSODescriptor>
    </md:EntityDescriptor>
</md:EntitiesDescriptor>

If the library tries to load this file, an InvalidOperationException with the message

The XmlDocument must have its "PreserveWhitespace" property set to true when a signed document is loaded.

is thrown.

After a bit of digging I found that a new XmlDocument is created for each EntityDescriptor, where PreserveWhitespace is not configured:

https://github.com/i8beef/SAML2/blob/814892305e3007e3c549a526655eb4636ac472f4/src/SAML2/Config/IdentityProviderCollection.cs#L362-L373

The XmlDocument then arrives at the CheckDocument function, which throws the exception:

https://github.com/i8beef/SAML2/blob/814892305e3007e3c549a526655eb4636ac472f4/src/SAML2/Utils/XmlSignatureUtils.cs#L342-L353

In my testing this could easily be fixed by setting PreserveWhitespace to true for the created document. If you wish I can submit a pull request.
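The following is an added illustration of the fix the report describes; it is not code from the SAML2 project or from the reporter. The class and method names (`MetadataSplitter`, `Split`) are assumptions, and it shows the general case of accepting either root element, not only the Keycloak file above.

```csharp
// Added example (not SAML2 project code): split an EntitiesDescriptor into one
// XmlDocument per EntityDescriptor while keeping PreserveWhitespace = true, so
// that SignedXml-based verification of each entity does not throw.
using System;
using System.Collections.Generic;
using System.Xml;

public static class MetadataSplitter
{
    private const string MdNs = "urn:oasis:names:tc:SAML:2.0:metadata";

    // Accepts metadata whose root is either EntityDescriptor or
    // EntitiesDescriptor and returns one document per EntityDescriptor.
    public static List<XmlDocument> Split(string metadataXml)
    {
        var source = new XmlDocument
        {
            // XML-DSig hashes the canonicalized bytes of the signed element.
            // Dropping whitespace would alter that digest, which is why
            // SignedXml refuses a document loaded without this flag.
            PreserveWhitespace = true,
            XmlResolver = null  // no DTD / external entity fetches for untrusted metadata
        };
        source.LoadXml(metadataXml);

        var result = new List<XmlDocument>();
        XmlElement root = source.DocumentElement;
        if (root.LocalName == "EntityDescriptor" && root.NamespaceURI == MdNs)
        {
            result.Add(source);
            return result;
        }
        if (root.LocalName != "EntitiesDescriptor" || root.NamespaceURI != MdNs)
            throw new InvalidOperationException("Unexpected metadata root: " + root.Name);

        foreach (XmlNode child in root.ChildNodes)
        {
            if (child.NodeType != XmlNodeType.Element ||
                child.LocalName != "EntityDescriptor" || child.NamespaceURI != MdNs)
                continue;

            // The per-entity document needs the same flag; this is the setting
            // the report found missing in IdentityProviderCollection.
            var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
            doc.AppendChild(doc.ImportNode(child, deep: true));
            // A ds:Signature on the outer EntitiesDescriptor is not carried into
            // the extracted document; only a signature inside this
            // EntityDescriptor can be verified against it.
            result.Add(doc);
        }
        return result;
    }
}
```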

i8beef commented 3 years ago

Sounds straightforward. I'll take a PR for it.