trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License
487 stars 90 forks

SAML parsing breaks on ADFS because it expects a specific XML prefix #147

Closed Tantalon closed 3 years ago

Tantalon commented 3 years ago

ADFS (we're using an older version) is returning Assertion using xmlns rather than a prefix, as in the example below. This breaks because saml.py is checking for "saml:Assertion" with a specific prefix, rather than checking the element namespace.

<samlp:Response ... xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
Tantalon commented 3 years ago

The changes below fixed it for me; I had to provide the expected prefixes to xmltodict, and also set force_cdata (because it looks like xmltodict sometimes returns a string directly rather than a {'#text': value}). Will submit a PR.

17a18,24
>     namespaces = {
>         'urn:oasis:names:tc:SAML:2.0:protocol': 'saml2p',
>         'urn:oasis:names:tc:SAML:2.0:assertion': 'saml2',
>         'urn:oasis:names:tc:SAML:1.0:protocol': 'samlp',
>         'urn:oasis:names:tc:SAML:1.0:assertion': 'saml',
>     }
> 
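Review bot: with this mapping a SAML 2.0 Assertion is keyed as `saml2:Assertion`, but the issue description says saml.py looks for `saml:Assertion`, so as shown this hunk leaves the existing lookup matching only the 1.0 namespace unless the key checks elsewhere in saml.py are updated in the same change; either map `'urn:oasis:names:tc:SAML:2.0:assertion': 'saml'` to keep the existing lookups working, or include the corresponding key changes in the PR. The dict could also be hoisted to a module-level constant instead of being rebuilt on every call, with a comment stating that both the 1.0 and 2.0 URIs are mapped deliberately so the lookup is by namespace rather than by whatever prefix the IdP chose.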
19c26
<     response = xmltodict.parse(base64.b64decode(assertion))
---
>     response = xmltodict.parse(base64.b64decode(assertion), process_namespaces=True, namespaces=namespaces, force_cdata=True)
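Review bot: `force_cdata=True` changes the shape of every leaf element (a bare string becomes `{'#text': value}`), so any downstream code that reads attribute values as plain strings must be adjusted together with this line, otherwise the fix for the Assertion lookup trades one KeyError for another. With `process_namespaces=True`, any element in a namespace absent from the mapping is keyed by its full namespace URI joined with `:`, which is harmless here but worth a one-line comment. `base64.b64decode` and `xmltodict.parse` both raise on malformed input from the IdP; wrapping this line so the user gets a clear "could not parse SAML response" error instead of a traceback would make IdP-side problems easier to diagnose.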
Tantalon commented 3 years ago

Duplicate of #81
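The namespace-aware lookup the first comment asks for, as an added example that is not awsume's code: it uses the standard library's ElementTree (Clark-notation `{uri}local` tags) rather than xmltodict, so the prefix the IdP picked never matters. The two responses are constructed samples (the account id is a placeholder), the brittle prefix check is shown beside the namespace check, and both the SAML 1.0 and 2.0 assertion namespaces are accepted, as in the mapping from the second comment. `AWS_ROLE_ATTR` is the attribute name AWS expects for role/provider pairs; everything else is assumed for the example.

```python
"""Find a SAML Assertion by namespace instead of by prefix (added example)."""
import base64
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Attribute name AWS expects to carry "role-arn,provider-arn" pairs.
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: IdP uses an explicit "saml" prefix (the shape saml.py expected).
PREFIXED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/Dev,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the ADFS shape from the issue, default xmlns and no prefix.
DEFAULT_NS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <AttributeValue>arn:aws:iam::123456789012:role/Dev,arn:aws:iam::123456789012:saml-provider/ADFS</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """Base64-encode a response the way a browser would POST it to awsume."""
    return base64.b64encode(xml_text.encode()).decode()


def find_assertion_by_prefix(xml_text):
    """The brittle approach: depend on the literal 'saml:' prefix being present."""
    return "<saml:Assertion" in xml_text


def find_assertions(root):
    """Namespace-aware: match the element's namespace URI, whatever prefix was used."""
    wanted = {
        "{%s}Assertion" % SAML2_ASSERTION_NS,
        "{%s}Assertion" % SAML1_ASSERTION_NS,
    }
    return [el for el in root.iter() if el.tag in wanted]


def extract_roles(b64_response):
    """Decode a base64 SAML response and return the AWS role attribute values."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertions = find_assertions(root)
    # Refuse ambiguous documents rather than silently picking the first Assertion.
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    # The namespace of the Assertion also scopes its Attribute children.
    ns = assertion.tag[1:].split("}")[0]
    roles = []
    for attr in assertion.iter("{%s}Attribute" % ns):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iter("{%s}AttributeValue" % ns):
            text = (value.text or "").strip()
            if text:
                roles.append(text)
    return roles


if __name__ == "__main__":
    for name, doc in (("prefixed", PREFIXED_RESPONSE), ("default-ns", DEFAULT_NS_RESPONSE)):
        print(name, "prefix-check:", find_assertion_by_prefix(doc),
              "roles:", extract_roles(encode_response(doc)))
```

The prefix check passes on the first document and fails on the ADFS-style second one, while `extract_roles` returns the same role pair for both. Since the response comes from an external IdP, a production parser should use a hardened XML library such as defusedxml in place of plain ElementTree, and the `exactly one Assertion` check is there so a document with extra or nested assertions is rejected rather than guessed at.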