plp050452 / simplesamlphp

Automatically exported from code.google.com/p/simplesamlphp

signed authnRequest over HTTP-POST loses state due to overwritten ID #459

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

1. enable authnRequest via HTTP-POST binding by modifying modules/saml/lib/Auth/Source/SP.php to do

    if ($this->metadata->getValue('ProtocolBinding') === 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST') {
        $b = new SAML2_HTTPPost();
    } else {
        $b = new SAML2_HTTPRedirect();
    }

instead of $b = new SAML2_HTTPRedirect();, and by adding 'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' to the IdP config in config/authsources.php

2. enable signed authnRequest by adding 'sign.authnrequest' => TRUE, to metadata/saml20-idp-remote.php

3. try to login 

What is the expected output? What do you see instead?

After login, instead of the attribute list you will see the "State information lost" error page.

What version of the product are you using? On what operating system?

v1.8.1 on sles11sp1

Please provide any additional information below.

simplesamlphp.log shows that the ID changes, so the state cannot be restored:

Nov 23 06:58:41 simplesamlphp DEBUG [a5d99543fa] Saved state: '_89384ac9627698445445a9ab470362cdd6ee1266ba'
Nov 23 06:58:41 simplesamlphp DEBUG [a5d99543fa] Sending SAML 2 AuthnRequest to 'https://idp.anytime.com/ppp/idp/simplesaml/saml2/idp/metadata.php'
Nov 23 06:58:41 simplesamlphp DEBUG [a5d99543fa] Sending message:
Nov 23 06:58:41 simplesamlphp DEBUG [a5d99543fa] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxe6baa345-e97a-4b07-5066-82c9e0d6b640" Version="2.0" IssueInstant="2011-11-23T14:58:41Z" Destination="https://idp.anytime.com/ppp/idp/simplesaml/saml2/idp/SSOService.php" AssertionConsumerServiceURL="https://sp.anytime.com/ppp/sp/simplesaml/module.php/saml/sp/saml2-acs.php/idp-anytime-com" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
...
Nov 23 06:58:49 simplesamlphp DEBUG [a5d99543fa] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx5d04df9c-03a5-3d61-2888-c6a9762e9ce0" Version="2.0" IssueInstant="2011-11-23T14:58:47Z" Destination="https://sp.anytime.com/ppp/sp/simplesaml/module.php/saml/sp/saml2-acs.php/idp-anytime-com" InResponseTo="pfxe6baa345-e97a-4b07-5066-82c9e0d6b640">
...
Nov 23 06:58:49 simplesamlphp DEBUG [a5d99543fa] Loading state: 'pfxe6baa345-e97a-4b07-5066-82c9e0d6b640'
Nov 23 06:58:49 simplesamlphp ERROR [a5d99543fa] Error report with id df91ffa8 generated.
Nov 23 06:58:49 simplesamlphp DEBUG [a5d99543fa] Template: Reading [/srv/www/public/ppp/sp/simplesamlphp/modules/core/dictionaries/no_state]

Troubleshot this down to lib/xmlseclibs.php, where addRefInternal was always overwriting the ID. Modifying insertSignature in lib/SAML2/Utils.php to add an 'overwrite' => FALSE option helps.

Could you please review those two code changes (enabling HTTP-POST authnRequest and not overwriting the signed authnRequest ID) and include them in the next release?

Original issue reported on code.google.com by ppaz...@gmail.com on 24 Nov 2011 at 8:26
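As an added triage aid, not code from this issue or from SimpleSAMLphp: a small Python check that correlates the `Saved state`, sent `AuthnRequest` ID and `Loading state` entries per tracking id in simplesamlphp.log and flags a state load whose key was never saved; the sent AuthnRequest ID differing from the saved key is the signature of the ID-overwrite-on-signing problem described above. The log sample is constructed from the excerpt in the report, with each XML message condensed to one line.

```python
import re
from collections import defaultdict

# Constructed sample based on the log excerpt in this issue; the multi-line
# XML messages are condensed to one line each so they parse as log entries.
SAMPLE_LOG = """\
Nov 23 06:58:41 simplesamlphp DEBUG [a5d99543fa] Saved state: '_89384ac9627698445445a9ab470362cdd6ee1266ba'
Nov 23 06:58:41 simplesamlphp DEBUG [a5d99543fa] Sending SAML 2 AuthnRequest to 'https://idp.anytime.com/ppp/idp/simplesaml/saml2/idp/metadata.php'
Nov 23 06:58:41 simplesamlphp DEBUG [a5d99543fa] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfxe6baa345-e97a-4b07-5066-82c9e0d6b640" Version="2.0" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Nov 23 06:58:49 simplesamlphp DEBUG [a5d99543fa] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfx5d04df9c-03a5-3d61-2888-c6a9762e9ce0" Version="2.0" InResponseTo="pfxe6baa345-e97a-4b07-5066-82c9e0d6b640">
Nov 23 06:58:49 simplesamlphp DEBUG [a5d99543fa] Loading state: 'pfxe6baa345-e97a-4b07-5066-82c9e0d6b640'
Nov 23 06:58:49 simplesamlphp ERROR [a5d99543fa] Error report with id df91ffa8 generated.
"""

# "<Mon> <day> <hh:mm:ss> simplesamlphp <LEVEL> [<tracking id>] <message>"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ simplesamlphp (\w+) \[(\w+)\] (.*)$")
SAVED_RE = re.compile(r"Saved state: '([^']+)'")
LOADING_RE = re.compile(r"Loading state: '([^']+)'")
AUTHN_ID_RE = re.compile(r'<samlp:AuthnRequest\b[^>]*\sID="([^"]+)"')


def find_state_mismatches(log_text):
    """One finding per 'Loading state' whose key was never saved under the same
    tracking id. 'id_rewritten_before_send' is True when the AuthnRequest that
    left the SP carried a different ID than the saved state key, which is what
    happens when signing replaces the ID attribute after the state was saved."""
    saved = defaultdict(set)   # tracking id -> keys written by 'Saved state'
    sent = {}                  # tracking id -> ID attribute of the sent AuthnRequest
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _level, track, msg = m.groups()
        if (s := SAVED_RE.search(msg)):
            saved[track].add(s.group(1))
        elif (a := AUTHN_ID_RE.search(msg)):
            sent[track] = a.group(1)
        elif (l := LOADING_RE.search(msg)) and l.group(1) not in saved[track]:
            findings.append({
                "tracking_id": track,
                "loaded_key": l.group(1),
                "saved_keys": sorted(saved[track]),
                "sent_authnrequest_id": sent.get(track),
                "id_rewritten_before_send": track in sent and sent[track] not in saved[track],
            })
    return findings
```

Run it over a real simplesamlphp.log after a "State information lost" error; a finding with `id_rewritten_before_send` True points at the request ID being changed between state save and send rather than at session storage.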

GoogleCodeExporter commented 8 years ago
I think this is already fixed in r2778. The fix will be in 1.9, when it is released.

(Marking this issue as fixed, for future reference.)

Original comment by olavmrk@gmail.com on 2 Dec 2011 at 10:56