
Fix logout response validation #18

Merged: 3 commits merged into main from fix-logout-response-validation, Feb 3, 2023

Conversation

alexanderzobnin

This PR fixes the issue described in crewjam#489.
It contains 2 parts:

  1. Fix reading compressed XML doc.
  2. Fix signature verification. The issue here is that if the SAML message does not contain a signature, validation fails even if a signature is provided in the URL query params and verified. It fixes the single logout flow in the case of a redirect request, but I feel that it requires a bit more investigation since the validateSignature() function is used widely in the SP implementation.
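As an added example (not code from this PR or from the crewjam/saml library), the Go program below walks through both parts the description lists for the HTTP-Redirect binding: inflating a base64 + raw-DEFLATE encoded SAMLResponse with a size cap, and verifying the signature carried in the query string against the IdP key, then applying the PR's rule that a missing ds:Signature element is tolerated only when that query-string signature verified. Everything here is an assumption made for the example: the function names, the constructed sample LogoutResponse, the throwaway key, and the stand-in for validateSignature, which only detects whether a Signature element exists and deliberately never verifies an enveloped XML signature.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
)

// Sentinel with the same role as the one named in the PR hunk.
var errSignatureElementNotPresent = fmt.Errorf("signature element not present")
// Pinned SigAlg: hashing always uses it; the SigAlg value in the query is never trusted.
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// Constructed minimal LogoutResponse with no enveloped XML signature.
const sampleLogoutResponse = `<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_demo" Version="2.0"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>`

// decodeRedirectPayload: base64 -> raw DEFLATE -> XML, with the inflated size capped.
func decodeRedirectPayload(encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(raw)), 1<<20))
}

// signedString is the exact string the query signature covers; RelayState is included
// only when present, and escaping must match what the IdP used when signing.
func signedString(encoded, relayState string) string {
	s := "SAMLResponse=" + url.QueryEscape(encoded)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(rsaSHA256)
}

// verifyRedirectSignature is true only when Signature is present and verifies under the IdP key.
func verifyRedirectSignature(q url.Values, pub *rsa.PublicKey) bool {
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if err != nil || len(sig) == 0 {
		return false
	}
	h := sha256.Sum256([]byte(signedString(q.Get("SAMLResponse"), q.Get("RelayState"))))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// acceptLogoutResponse is the rule from the PR hunk: an XML-signature error is fatal
// unless it is only "element missing" AND the query-string signature verified.
func acceptLogoutResponse(xmlSigErr error, hasValidSignature bool) error {
	if xmlSigErr != nil && (xmlSigErr != errSignatureElementNotPresent || !hasValidSignature) {
		return xmlSigErr
	}
	return nil
}

// checkRedirect is the SP side: decode, verify the query signature, then apply the rule.
func checkRedirect(q url.Values, pub *rsa.PublicKey) ([]byte, error) {
	doc, err := decodeRedirectPayload(q.Get("SAMLResponse"))
	if err != nil {
		return nil, err
	}
	// Stand-in for sp.validateSignature(doc.Root()): only detects the element, never verifies it.
	xmlSigErr := errSignatureElementNotPresent
	if bytes.Contains(doc, []byte("<ds:Signature")) {
		xmlSigErr = fmt.Errorf("demo does not verify enveloped XML signatures")
	}
	if err := acceptLogoutResponse(xmlSigErr, verifyRedirectSignature(q, pub)); err != nil {
		return nil, err
	}
	return doc, nil
}

// buildSignedRedirect is the IdP side: deflate+base64 the XML, then sign the query string.
func buildSignedRedirect(priv *rsa.PrivateKey, xmlDoc, relayState string) url.Values {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(xmlDoc))
	w.Close()
	encoded := base64.StdEncoding.EncodeToString(buf.Bytes())
	h := sha256.Sum256([]byte(signedString(encoded, relayState)))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return url.Values{"SAMLResponse": {encoded}, "RelayState": {relayState}, "SigAlg": {rsaSHA256},
		"Signature": {base64.StdEncoding.EncodeToString(sig)}}
}

// newDemoKey makes a throwaway IdP key; a real SP takes the IdP certificate from its metadata.
func newDemoKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func main() {
	key := newDemoKey()
	_, err := checkRedirect(buildSignedRedirect(key, sampleLogoutResponse, "demo-relay"), &key.PublicKey)
	fmt.Println("accepted:", err == nil, "err:", err)
}
```

Two details matter for the redirect path. The signed string is the URL-encoded query fragment in the fixed order SAMLResponse, RelayState, SigAlg, with RelayState left out entirely when absent, so a verifier that always appends it, or escapes it differently from the IdP, will reject every genuine response. And the hash algorithm is pinned in code rather than taken from the SigAlg parameter, so a request that advertises a different SigAlg simply fails verification instead of steering the check.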

service_provider.go
retErr.PrivateErr = err
return retErr
}

if err := sp.validateSignature(doc.Root()); err != nil {
retErr.PrivateErr = err
return retErr
if err != errSignatureElementNotPresent || !hasValidSignature {
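Review bot: The new condition `if err != errSignatureElementNotPresent || !hasValidSignature {` turns a missing ds:Signature element into an accept whenever `hasValidSignature` is true, but nothing in this hunk shows where `hasValidSignature` is set; it needs to come from verifying the Signature query parameter of this same request against the IdP certificate and must be false for any other binding, otherwise a defaulted or stale true value makes the unsigned case pass silently. Suggest a one-line comment above the condition stating that rule (element absent is acceptable only because the redirect-binding signature already verified), since, as the description notes, validateSignature() is shared across the SP and a later caller may not know why the sentinel is special-cased here.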

👍 if I understand it correctly, we're checking here if either the assertions are signed or the document itself is signed.

One of which must be true.

Author

Yes, we only want to fire an error if no signature was found at all or if it's wrong.

@alexanderzobnin alexanderzobnin merged commit 5f476db into main Feb 3, 2023
@alexanderzobnin alexanderzobnin deleted the fix-logout-response-validation branch February 3, 2023 14:06