vivekrajenderan / simplesamlphp

Automatically exported from code.google.com/p/simplesamlphp

Support SAML2 sender-vouches subject confirmation method #333

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Since attribute query responses use the sender-vouches subject confirmation 
method, SSP needs to accept and validate it.

Currently, SAML2_Assertion throws an Exception when the SubjectConfirmation 
doesn't use the bearer method 
(http://code.google.com/p/simplesamlphp/source/browse/trunk/lib/SAML2/Assertion.php#296).

I think the confirmation method validation should be placed outside the 
Assertion parsing code, by introducing Assertion->getConfirmationMethod(), so 
AssertionConsumerService could validate the bearer method (since it is a MUST 
to use this method in the SAML2 WebSSO profile), and the AttributeQuery code 
could validate the sender-vouches method.

Original issue reported on code.google.com by hege%pla...@gtempaccount.com on 3 Aug 2010 at 9:53

GoogleCodeExporter commented 9 years ago
I can supply a patch if this modification sounds reasonable.

Original comment by hege%pla...@gtempaccount.com on 3 Aug 2010 at 9:54

GoogleCodeExporter commented 9 years ago
This sounds reasonable to me. In the long term we will probably want to move 
all of the logic out of the SAML2_Assertion class, but that will not happen in 
the near future. If you can send a patch that moves the check for the 
SubjectConfirmation method over to sspmod_saml_Message::processResponse, that 
would be great.

Original comment by olavmrk@gmail.com on 3 Aug 2010 at 10:34

GoogleCodeExporter commented 9 years ago
There seem to be several aspects of response processing which need to be 
extracted from processResponse:

 - signature validation is not needed when transport security is present
 - Assertion/Response Destination is empty when using SOAP transports with transport security
 - SubjectConfirmation method should be specified

A pretty ugly solution would be to introduce two extra options to the 
processResponse method: $transportSecurity and $requiredConfirmationMethod.

Original comment by hege%pla...@gtempaccount.com on 3 Aug 2010 at 1:18

GoogleCodeExporter commented 9 years ago
In r2554, I changed the Assertion class to return the entire 
SubjectConfirmation element, instead of the parsed data. This should allow the 
Assertion class to work with other SubjectConfirmation methods.

The processResponse method is tailored to the Web SSO profile of SAML 2, and I 
don't think it is appropriate to add code for other profiles there. What we 
could do is to extract those parts that are common to multiple profiles into 
separate functions.

Original comment by olavmrk@gmail.com on 20 Sep 2010 at 12:09
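The split proposed in this thread (the parser returns the SubjectConfirmation element untouched; the code for each profile decides which Method it accepts) is shown below as an added example. It is not simplesamlphp's code and is written in Python rather than PHP; the function names, the ACS URL and the two sample assertions are constructed for the example, and signature and Destination checks are left out since the thread treats them as separate concerns.

```python
"""Added example, not simplesamlphp code: SubjectConfirmation validation split
the way this thread proposes. The parser only exposes the SubjectConfirmation
elements; each profile (Web SSO, attribute query) decides which Method it
accepts. Function names and the sample assertions are constructed here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
ACS_URL = "https://sp.example.org/saml2-acs"  # assumed SP endpoint for this example


class SubjectConfirmationError(Exception):
    """Raised by the profile validators, never by the parser."""


def get_subject_confirmations(assertion_xml):
    """Parser side: return [(Method, SubjectConfirmationData attributes)] without
    judging whether the Method is acceptable; that is the caller's profile decision."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not saml:Assertion")
    found = []
    for sc in root.findall(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}SubjectConfirmation"):
        method = sc.get("Method")
        if not method:
            raise ValueError("SubjectConfirmation without a Method attribute")
        data = sc.find(f"{{{SAML_NS}}}SubjectConfirmationData")
        found.append((method, dict(data.attrib) if data is not None else {}))
    return found


def _utc(ts):
    # The xs:dateTime values used here are UTC with a trailing 'Z'.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_web_sso(assertion_xml, now):
    """Web Browser SSO profile: a bearer SubjectConfirmation is mandatory, and its
    data must name our ACS as Recipient and still be before NotOnOrAfter."""
    bearer = [d for m, d in get_subject_confirmations(assertion_xml) if m == CM_BEARER]
    if not bearer:
        raise SubjectConfirmationError("Web SSO requires a bearer SubjectConfirmation")
    for data in bearer:
        if data.get("Recipient") != ACS_URL:
            continue  # addressed to another endpoint
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= _utc(expiry):
            continue  # missing expiry or already expired
        return data  # first usable confirmation wins
    raise SubjectConfirmationError("no bearer SubjectConfirmation usable at this ACS")


def validate_attribute_query(assertion_xml):
    """Attribute query response over a transport-secured channel: the responder
    vouches for the subject, so this profile expects sender-vouches."""
    methods = [m for m, _ in get_subject_confirmations(assertion_xml)]
    if CM_SENDER_VOUCHES not in methods:
        raise SubjectConfirmationError(f"expected sender-vouches, got {methods}")
    return CM_SENDER_VOUCHES


def _assertion(method, data_attrs=""):
    # Constructed, unsigned sample assertion; only the Subject matters here.
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_id1" Version="2.0" '
            f'IssueInstant="2010-08-03T09:53:00Z">'
            f'<saml:Issuer>https://idp.example.org</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{method}">'
            f'<saml:SubjectConfirmationData {data_attrs}/>'
            f'</saml:SubjectConfirmation></saml:Subject></saml:Assertion>')


BEARER_ASSERTION = _assertion(
    CM_BEARER, f'Recipient="{ACS_URL}" NotOnOrAfter="2010-08-03T10:00:00Z"')
SENDER_VOUCHES_ASSERTION = _assertion(CM_SENDER_VOUCHES)
NOW = datetime(2010, 8, 3, 9, 55, tzinfo=timezone.utc)    # inside the validity window
LATER = datetime(2010, 8, 3, 10, 5, tzinfo=timezone.utc)  # after NotOnOrAfter


def outcome(validator, *args):
    """Run a profile validator and report 'ok' or the rejection reason."""
    try:
        validator(*args)
        return "ok"
    except SubjectConfirmationError as err:
        return "rejected: " + str(err)


if __name__ == "__main__":
    print("Web SSO, bearer assertion:       ", outcome(validate_web_sso, BEARER_ASSERTION, NOW))
    print("Web SSO, expired bearer:         ", outcome(validate_web_sso, BEARER_ASSERTION, LATER))
    print("Web SSO, sender-vouches:         ", outcome(validate_web_sso, SENDER_VOUCHES_ASSERTION, NOW))
    print("Attribute query, sender-vouches: ", outcome(validate_attribute_query, SENDER_VOUCHES_ASSERTION))
    print("Attribute query, bearer:         ", outcome(validate_attribute_query, BEARER_ASSERTION))
```

With this split, the sender-vouches assertion from an attribute query response is rejected only by the Web SSO validator (where bearer is a MUST), while the attribute query code accepts it, and the parser itself no longer throws on an unfamiliar Method.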

GoogleCodeExporter commented 9 years ago
I've extracted several helper methods from the processResponse/processAssertion 
methods and made them protected, so they could be called from subclasses.

Original comment by hege%pla...@gtempaccount.com on 6 Jan 2011 at 2:01

GoogleCodeExporter commented 9 years ago
I still get an 'Invalid Method on SubjectConfirmation' when the IdP gives me a 
'sender-vouches' SubjectConfirmation. (1.11.0)

Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Error validating SubjectConfirmation in 
Assertion: Invalid Method on SubjectConfirmation: 
'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'
Backtrace:
3 /var/simplesamlphp/modules/saml/lib/Message.php:694 
(sspmod_saml_Message::processAssertion)
2 /var/simplesamlphp/modules/saml/lib/Message.php:528 
(sspmod_saml_Message::processResponse)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)

Is a patch available?

Original comment by fefefan...@googlemail.com on 21 Nov 2013 at 1:16