Fixed a bug in XML canonicalisation causing a digest mismatch on Okta… - Githubissues

mbg / wai-saml2

WAI middleware implementing SAML2

MIT License

5 stars 6 forks source link

Fixed a bug in XML canonicalisation causing a digest mismatch on Okta… #51

Closed fumieval closed 1 year ago

fumieval commented 1 year ago

… when attributes are present

When parsing a SAML response, it has been inappropriately stripping xmlns:xs="http://www.w3.org/2001/XMLSchema" attribute in saml2:Assertion. This was causing a discrepancy between Okta's digest and our digest (but only when AttributeStatement is present).

This change fixes the problem by setting psRetainNamespaces = True and adding "xs" to the list of allowed prefixes for c14n.

Special thanks to @hiroqn for figuring this out

Summary

Checklist

[ ] All definitions are documented with Haddock-style comments.
[ ] All exported definitions have @since annotations.
[ ] Code is formatted in line with the existing code.
[ ] The changelog has been updated.

fumieval commented 1 year ago

Thank you for reviewing. I updated documentation of those functions (also rebased the branch in order to fix a conflict).