Merge branch 'feature-SAML-14_overhaul' into release-6.0.0

pixl8 · Mar 7, 2024 · 59393c8 · 59393c8
2 parents f2b6a02 + 0108574
commit 59393c8
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 8 deletions.
diff --git a/handlers/Saml2.cfc b/handlers/Saml2.cfc
@@ -305,14 +305,17 @@ component {
 			var xmlPresent         = Len( samlResponse.samlXml ?: "" ) > 0;
 			var entityFound        = StructKeyExists( samlResponse, "issuerentity" ) && !IsEmpty( samlResponse.issuerEntity );
 			var requestTypePresent = Len( samlResponse.samlResponse.type ?: "" ) > 0;
-			var totallyBadRequest  = !xmlPresent || !entityFound || !requestTypePresent;
+			var hasError           = Len( samlResponse.error ?: "" ) > 0;
+			var totallyBadRequest  = !xmlPresent || !entityFound || !requestTypePresent || hasError;
 
 			if ( !xmlPresent ) {
 				debugInfo.failureReason = "noxml";
 			} else if ( !entityFound ) {
 				debugInfo.failureReason = "entitynotfound";
 			} else if ( !requestTypePresent ) {
 				debugInfo.failureReason = "noresponsetype";
+			} else if ( hasError ) {
+				debugInfo.failureReason = samlResponse.error;
 			}
 		} catch( any e ) {
 			logError( e );

diff --git a/helpers/saml2SsoHelpers.cfm b/helpers/saml2SsoHelpers.cfm
@@ -1,10 +1,11 @@
 <cfscript>
 	function formatX509Certificate( required string raw ) {
 		var x509cert = "-----BEGIN CERTIFICATE-----" & Chr( 10 );
-		var stripped = ReReplace( arguments.raw, "[\s\n]", "", "all" );
+		var stripped = arguments.raw;
 
 		stripped = Replace( stripped, "-----BEGIN CERTIFICATE-----", "" );
 		stripped = Replace( stripped, "-----END CERTIFICATE-----", "" );
+		stripped = ReReplace( stripped, "[\s\n]", "", "all" );
 
 		for( var i=1; i <= Len( stripped ); i++ ) {
 			x509cert &= stripped[i];

diff --git a/services/saml/response/SamlResponseParser.cfc b/services/saml/response/SamlResponseParser.cfc
@@ -57,12 +57,9 @@ component {
 						  samlResponse = parsedResponse.samlXml
 						, signingCert  = parsedResponse.issuerEntity.idpRecord.signing_certificate ?: ""
 					);
-					if ( !signaturesValid ) {
-						throw(
-							  type    = "saml2responseparser.invalid.signature"
-							, message = "The assertion response failed signature validation."
-							, detail  = parsedResponse.samlXml
-						);
+
+					if ( !sigValid ) {
+						parsedResponse.error = "invalidsignature";
 					}
 				}
 			} catch ( entitypool.missingentity e ) {