Skip to content

BREAKING CHANGE: Verify the SAMLResponse based on the raw query string #85

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 19, 2022
Merged

BREAKING CHANGE: Verify the SAMLResponse based on the raw query string #85

merged 1 commit into from
Aug 19, 2022

Conversation

@waterkip
Copy link
Collaborator

@waterkip waterkip commented Aug 3, 2022
edited
Loading

BREAKING CHANGE: The verify function now requires the raw query string from
the server in order to verify the signature.

Because URI parses and re-encodes URI-escapes in uppercase (%3f becomes
%3F, for instance), which leads to signature verification failures if the
other party uses lower case (or mixed case). This seems to have been an issue
with the current code base as well due to the various flags that need to be
supplied to the constructor to work around it.

This code is mostly ported from Zaaksysteem's code base, written by MSTREEK.

Signed-off-by: Wesley Schwengle waterkip@cpan.org

@waterkip waterkip force-pushed the GH-redirect-verify_fixes branch 9 times, most recently from 2c2d05f to 61fc4c8 Compare August 9, 2022 02:16
@waterkip waterkip mentioned this pull request Aug 10, 2022
Merged
@waterkip waterkip force-pushed the GH-redirect-verify_fixes branch 2 times, most recently from 540faa1 to 7aae8ce Compare August 18, 2022 16:54
@waterkip
Verify the SAMLResponse based on the raw query string
f43727d 
BREAKING CHANGE: The verify function now requires the *raw* query string from
the server in order to verify the signature.

Because `URI` parses and re-encodes URI-escapes in uppercase (`%3f` becomes
`%3F`, for instance), which leads to signature verification failures if the
other party uses lower case (or mixed case). This seems to have been an issue
with the current code base as well due to the various flags that need to be
supplied to the constructor to work around it.

The problem lies with the RFC 3986[^1] and the SAML specs[^2] that both offer
different implementations of the same thing. RFC 3986 states that say the URI
must be normalized so uppercasing %2f to %2F is correct behavior. The SAML
specs states that we must operate on the original URL-encoded values. Thus no
uppercasing is allowed. It is the author's opinion that Net::SAML2 should
follow the SAML spec and and that implementations that normalize the URI should
return the original URI to the application.

This code is mostly ported from Zaaksysteem's code base, written by MSTREEK.

Users of lighttpd need to be aware that they need to configure their instance
with the following http-parseopts:

    server.http-parseopts = (
        "url-normalize"            => "disable",
        "url-normalize-unreserved" => "disable",
        "url-normalize-required"   => "disable"
    )

You cannot change it on a URI basis because lighttpd needs a parsed URI before
it can process conditions as was mentioned on #lighttpd:

> The request must be parsed (using server.http-parseopts settings) *before* you
> can apply lighttpd.conf conditions to the parsed results.

[^1]: https://www.rfc-editor.org/rfc/rfc3986#section-6.2.2.1
[^2]: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
(line 620)

Signed-off-by: Wesley Schwengle <waterkip@cpan.org>
@waterkip waterkip force-pushed the GH-redirect-verify_fixes branch from 7aae8ce to f43727d Compare August 18, 2022 17:41
timlegge
timlegge approved these changes Aug 19, 2022
View reviewed changes
Copy link
Contributor

@timlegge timlegge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved - The binding redirect is only used for Logout so the change is of limited risk and impact should there be issues. May need to implement a method to grab the real Query URL similar to how onelogin does theirs in the future.

@timlegge timlegge merged commit 5185a1a into perl-net-saml2:master Aug 19, 2022
@waterkip waterkip deleted the GH-redirect-verify_fixes branch August 29, 2022 19:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timlegge timlegge timlegge approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@waterkip @timlegge