-
Notifications
You must be signed in to change notification settings - Fork 479
SES-38: WebSSOProfileConsumerImpl fails if there is more than one AudienceRestriction #44
Comments
Phil Varner said: Patch: Index: saml2-core/src/main/java/org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.java--- saml2-core/src/main/java/org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.java (revision 74)
|
Vladimir Schäfer said: Hi, I'm just checking this bug and the original implementation seems to be correct. In SAML2-core, 922: "Note that multiple elements MAY be included in a single assertion, and each The original code failed when any of the AudienceRestrictions didn't contain the current SP, as defined. Is it possible that your assertions is not formatted in accordance with the specification? If this is the case I'd recommend to override the WebSSOProfileConsumerImpl#verifyAssertionConditions method in your custom implementation to solve the problem. |
Phil Varner said: Thanks Vladimir. When you say "the original code failed", you mean that it correctly returned an error? |
Vladimir Schäfer said: Yes, that's what I meant. |
Phil Varner said: It looks like Siteminder might not implement the spec correctly. I'm working with a client using Siteminder, and the Assertions contain two separate ARs with one correctly containing the entityID and the other with the Siteminder name for the IdP-SP configuration. This document on WebEx / Siteminder integration has an example AuthnRequest in the appendix: This zip has a doc:http://developer.webex.com/c/document_library/get_file?folderId=22041&name=DLFE-1803.zip The IDPM I'm working with told me this is how he always configures it, and that Google Apps and SFDC work with it. Maybe there should be a "relaxed" mode by which the semantics of matches at least one AR passes? |
Phil Varner (Migrated from SES-38) said:
In WebSSOProfileConsumerImpl#verifyAssertionConditions, if the local entity is not in the first AudienceRestriction, an exception is thrown. The relevant code is:
340 audience:
341 for (AudienceRestriction rest : conditions.getAudienceRestrictions()) {
342 if (rest.getAudiences().size() == 0) {
343 log.debug("No audit audience specified for the assertion");
344 throw new SAMLException("SAML response is invalid");
345 }
346 for (Audience aud : rest.getAudiences()) {
347 if (context.getLocalEntityId().equals(aud.getAudienceURI())) {
348 continue audience;
==> this should return rather than continue.
349 }
350 }
==> If it's not in the first AR, we get here and throw an exception
351 log.debug("Our entity is not the intended audience of the assertion");
352 throw new SAMLException("SAML response is not intended for this entity");
353 }
The text was updated successfully, but these errors were encountered: