Details
- Bug
- Status: Closed
- P2
- Resolution: Done
- 1.3.0, 2.0.0
- Fameflower - presumably on Goldenrod too
- CP: sprint 125, CP: sprint 126, CP: sprint 127, CP: sprint 128
- 5
- Core: Platform
- Not Scheduled
Description
Overview:
As discovered in MODLOGSAML-69: if decryption of the SAML assertion fails, resubmitting the POST to the callback succeeds, which issues the user an access (Okapi) token and redirects them to the landing page.
Steps to Reproduce:
- Configure SSO and verify that it works as expected.
- Change the certificate on the IdP.
- Try to log in via SSO again; you should see the error "No valid subject assertion found in response".
- Refresh the page (which resubmits the POST to the callback) and you are redirected to the landing page!
Expected Results:
The user remains logged out and no Okapi token is issued; the user is not redirected to the landing page.
Actual Results:
The user is issued an Okapi token and redirected to the landing page.
Additional Information:
An SP should store the IdP metadata, which contains the IdP's public-key certificate, and should check that every response from the IdP is signed by the key in that certificate.
mod-login-saml doesn't:
https://github.com/folio-org/mod-login-saml/blob/v2.2.0/src/main/java/org/folio/config/SamlClientLoader.java#L196
https://github.com/folio-org/mod-login-saml/blob/v2.2.0/src/main/java/org/folio/config/SamlClientLoader.java#L207
This Java code should be changed to take the IdP metadata file (not only the IdP URL).
Storing the IdP metadata allows certificate pinning, which provides stronger assurance than the HTTPS/TLS certificate of the metadata URL: there even domain-validated certificates (such as Let's Encrypt) are possible, which are discouraged for production use: https://blog.pki.dfn.de/2019/03/lets-dfn-pki/
Task:
Allow uploading the IdP metadata to mod-login-saml.
Check that IdP responses are signed by the IdP public key from that metadata.
UI:
Current UI (screenshot); note that one can only specify the IdP URL, and there is no way to upload the IdP metadata:
Example of a site that allows uploading the IdP metadata (screenshot):
Example IdP metadata file (XML):
Complete example: https://samltest.id/saml/idp
Abbreviated example:
<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="http://idp-domain/simplesamlphp/saml2/idp/metadata.php">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>MII...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>MII...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp-domain/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp-domain/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp-domain/simplesamlphp/saml2/idp/SSOService.php"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp-domain/simplesamlphp/saml2/idp/SSOService.php"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
mod-configuration
The IdP metadata XML file should be stored in mod-configuration.
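The check the task asks for, as an added example and not code from mod-login-saml or pac4j (written in Go rather than the module's Java so that it runs stand-alone): load the signing certificates from an uploaded IdP metadata document in the shape of the abbreviated example above, pin them, and accept a SAML response only when one of those certificates verifies its signature, ignoring whatever certificate the response itself carries in ds:KeyInfo. Response IDs are one-time use, so a second POST of an already consumed response fails, and a failed check stores nothing, so the "refresh the page" retry from the steps above fails the same way. Assumptions: the signature is a simplified RSA-SHA256 over the ID and assertion bytes rather than full XML-DSig with canonicalization; the IdP key, certificate, entity ID and assertion text are constructed in-block as fixtures; a hash stands in for the Okapi token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// metadata is the part of an IdP metadata document the SP pins on; elements are matched by local name only.
type metadata struct {
	Keys []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"EntityDescriptor>IDPSSODescriptor>KeyDescriptor"`
}

// loadTrustStore turns stored IdP metadata into the certificates allowed to sign responses
// (use="signing" or no use attribute); use="encryption" keys must never verify a signature.
func loadTrustStore(metadataXML []byte) ([]*x509.Certificate, error) {
	var m metadata
	if err := xml.Unmarshal(metadataXML, &m); err != nil {
		return nil, err
	}
	var certs []*x509.Certificate
	for _, k := range m.Keys {
		if k.Use == "encryption" {
			continue
		}
		der, _ := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), "")) // unwrap lines; a bad decode fails in ParseCertificate
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("IdP metadata: bad signing certificate: %w", err)
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// response is a simplified SAML Response: an RSA-SHA256 signature over ID||assertion (real
// XML-DSig adds canonicalization and Reference digests) plus the certificate from ds:KeyInfo.
type response struct {
	ID, Assertion string
	Signature     []byte
	KeyInfoCert   *x509.Certificate // kept only to show that the SP never consults it
}

// sign is the IdP side: sign with key and advertise cert in KeyInfo.
func sign(key *rsa.PrivateKey, cert *x509.Certificate, id, assertion string) response {
	h := sha256.Sum256([]byte(id + "\x00" + assertion))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return response{ID: id, Assertion: assertion, Signature: sig, KeyInfoCert: cert}
}

type serviceProvider struct {
	pinned []*x509.Certificate // signing certificates from the uploaded IdP metadata
	used   map[string]bool     // response IDs already redeemed: a second POST must fail
}

// consume accepts r only if a pinned certificate verifies it, and only once; it returns the token the SP would issue.
func (sp *serviceProvider) consume(r response) (string, error) {
	if sp.used[r.ID] {
		return "", fmt.Errorf("response %s already consumed", r.ID)
	}
	h := sha256.Sum256([]byte(r.ID + "\x00" + r.Assertion))
	for _, c := range sp.pinned {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], r.Signature) == nil {
			sp.used[r.ID] = true
			return fmt.Sprintf("%x", sha256.Sum256(r.Signature))[:16], nil // stand-in for the Okapi token
		}
	}
	// A failed check leaves no state behind, so refreshing the callback POST fails the same way.
	return "", fmt.Errorf("response %s not signed by a key from the stored IdP metadata", r.ID)
}

// newIdPKey and metadataFor are constructed fixtures: a self-signed IdP certificate and metadata for it.
func newIdPKey() (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

func metadataFor(entityID string, cert *x509.Certificate) []byte {
	// The certificate is surrounded by whitespace on purpose, as real metadata files wrap it.
	return []byte(fmt.Sprintf(`<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<md:EntityDescriptor entityID="%s"><md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>`,
		entityID, "\n  "+base64.StdEncoding.EncodeToString(cert.Raw)+"\n"))
}
```

With sp.pinned loaded from the stored metadata, consume(sign(idpKey, idpCert, "_r1", assertion)) returns a token and a second consume of the same response errors; a response signed under a rotated or attacker-controlled key errors on every attempt, including the refresh, until loadTrustStore is rerun on re-imported metadata. An SP that re-fetches metadata from the IdP URL instead would pick up a rotated certificate silently, which is the gap pinning closes.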
Issue Links
relates to:
- MODLOGSAML-112 SAML improvements and Basic Federation support (Closed)
- STCOR-580 Link to IdP's simple logout page (Blocked)
- MODLOGSAML-69 No valid subject assertion found in response SSO (Closed)
- MODLOGSAML-70 Periodically recreate SAML clients (Open)