Fix LogoutResponse issuer validation and implement SAML Response issuer validation. Related to Pull Request 116 #147
Conversation
@luisvm @inakidelamadrid @Lordnibbler, can you validate this so we can close this and #116?
👍 Looks good, but what should we do with #116? That one seems to fix another issue as well: https://github.com/onelogin/ruby-saml/pull/116/files#diff-58e0f05945ffec83ea2c44ce4e7b8550R34
you da man! :) got my thumbsup already
Let's wait for the review of @Lordnibbler
btw, we should add some specs |
@@ -43,7 +45,9 @@ def saml_settings | |||
|
|||
settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize" | |||
settings.issuer = request.host | |||
settings.idp_sso_target_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}" | |||
settings.idp_entity_id = "https://app.onelogin.com/saml2/metadata/#{OneLoginAppId}" |
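Review bot: `settings.issuer = request.host` makes the SP's own issuer (entity ID) depend on the Host header of whichever request is being served, so the value sent to the IdP and later compared against its responses can differ from request to request; a fixed, configured string keeps the issuer stable. The `idp_entity_id` on the last context line also uses the path `/saml2/metadata/...`, while the other OneLogin URL in this hunk uses `/saml/...`; worth confirming that this is the metadata path the IdP actually publishes.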
are you sure you want to show these URLs to the world?
Why not? We want our customers to use the toolkit to connect to OneLogin.
just double checking, you know better than me
hey @pitbulk I don't think the endpoint is correct, it states /saml2/metadata/<app-id>, which I don't see being defined anywhere in our routes; in any case that would be /saml/metadata/<app-id> instead.
The ones below are correct, though
@Lordnibbler @luisvm What do you think of this PR? @luisvm where are the specs that you promised?
I tested it against OL and a simpleSAMLphp IdP and it worked
Awesome! Looks good to me except for tests. Seems like we should have a few cases added to:
Looking into adding tests to this PR, and it appears we need a new test response XML file ( Once we have the test file, we can test that the errors are correctly added. @pitbulk, any familiarity with how we might generate those sample files? Also, we need to figure out how to ensure
I talked about that on this comment: We have the php-saml toolkit and the python-saml toolkit for inspiration. Related to settings.idp_entity_id, on the other toolkits I have a validator method on the settings class [1]; this method is called in order to be sure that the inputs of the settings are ok. We could implement that method. [1] https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Settings.php#L351 , https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/settings.py#L301
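As an added illustration of the two ideas in this thread, a settings validator in the style of php-saml/python-saml and an issuer check on a SAML Response against `idp_entity_id`, here is a stand-alone Ruby sketch. It is example code, not ruby-saml's own implementation; the `Settings` struct, the `sample_response` builder and the entity IDs in it are constructed for the demo.

```ruby
require 'rexml/document'

# Added example, not ruby-saml's own code: a settings validator (the idea
# borrowed from php-saml / python-saml) plus an Issuer check on a SAML Response.
SAML_NS = { 'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
            'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze
# Hypothetical stand-in for the settings object, reduced to the two fields used here.
Settings = Struct.new(:idp_entity_id, :issuer)

# Returns every settings problem found instead of failing on the first one.
def validate_settings(settings)
  errors = []
  errors << 'idp_entity_id is not set' if settings.idp_entity_id.to_s.strip.empty?
  errors << 'issuer (SP entity ID) is not set' if settings.issuer.to_s.strip.empty?
  errors
end

# Every Issuer in the Response and in its Assertions must equal the configured
# IdP entity ID; a Response carrying no Issuer at all is rejected as well.
def validate_response_issuer(xml, settings)
  doc = REXML::Document.new(xml)
  issuers = []
  %w[/samlp:Response/saml:Issuer /samlp:Response/saml:Assertion/saml:Issuer].each do |path|
    REXML::XPath.each(doc, path, SAML_NS) { |e| issuers << e.text.to_s.strip }
  end
  return ['Response contains no Issuer element'] if issuers.empty?
  issuers.reject { |i| i == settings.idp_entity_id }
         .map { |i| "Issuer mismatch: expected <#{settings.idp_entity_id}>, got <#{i}>" }
end

# Constructed, unsigned sample Response; signature verification is out of scope here.
def sample_response(response_issuer, assertion_issuer)
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
      <saml:Issuer>#{response_issuer}</saml:Issuer>
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Issuer>#{assertion_issuer}</saml:Issuer>
      </saml:Assertion>
    </samlp:Response>
  XML
end

if __FILE__ == $PROGRAM_NAME
  s = Settings.new('https://idp.example.test/metadata', 'sp.example.test')
  p validate_settings(s)
  p validate_response_issuer(sample_response(s.idp_entity_id, s.idp_entity_id), s)
  p validate_response_issuer(sample_response(s.idp_entity_id, 'https://other-idp.example.test'), s)
end
```

The third call shows the case worth a spec: the outer Response issuer is right but the Assertion's issuer is not, and the check still reports it.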
@pitbulk, awesome, thanks! I'll look into those
@pitbulk can you rebase off master? We cannot merge this PR cleanly
@Lordnibbler, I thought that @pwnetrationguru was working on this issue. Does he need help?
I can add errors to
@pwnetrationguru please rebase and let me know if you need help
@pitbulk, there are merge conflicts with the rebase around the README, which seems to be the bulk of these changes. Can you please rebase? I tried to resolve the conflicts, but it appears this PR updates information that is now outdated in the README
@pwnetrationguru Done
@pitbulk @luisvm @pwnetrationguru is this one good to merge?
@Lordnibbler 👍 Ready for merge
Review this PR, a solution for #116