
SAML IdP configure does not parse IdP metadata.xml correctly #31780

@gknapowski

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

saml

Describe the bug

When creating a new SAML2 IdP, if IdP metadata is provided that has a SingleLogoutService Binding attribute that is different from the SingleSignOnService Binding attribute, the Single logout service URL will not populate.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://example.com/saml/idp/entityid">
	<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:email</md:NameIDFormat>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
		                        Location="https://example.com/saml/idp/sso"/>
		<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
		                        Location="https://example.com/saml/idp/slo"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>

Behavior has been verified in 25.0.x and 24.0.x

Version

25.0.2

Regression

  • The issue is a regression

Expected behavior

When an IdP metadata.xml is provided that contains both an SSO Service and an SLO Service, it is expected that the IdP is properly configured with both URLs and that the correct binding sliders for each are set.

Actual behavior

When a metadata.xml is provided that contains both an SLO service and an SSO service with different bindings (one Redirect, one POST), the Single logout service URL is not populated and the HTTP-POST binding logout slider may not be correct (it defaults to off, so it has a 50:50 chance of matching the correct value).

How to Reproduce?

  1. Save out this XML
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://example.com/saml/idp/entityid">
	<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:email</md:NameIDFormat>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
		                        Location="https://example.com/saml/idp/sso"/>
		<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
		                        Location="https://example.com/saml/idp/slo"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>
  2. Create a new SAML2 IdP
  3. Switch the Use entity descriptor slider to off.
  4. For Import config from file, provide the XML file saved in step 1.
  5. Observe that Single logout service URL is not populated.
  6. Observe that HTTP-POST binding logout remains on the default off.

Anything else?

The correct behavior can be observed if you use:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://example.com/saml/idp/entityid">
	<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:email</md:NameIDFormat>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
		                        Location="https://example.com/saml/idp/sso"/>
		<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
		                        Location="https://example.com/saml/idp/slo"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>

or

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://example.com/saml/idp/entityid">
	<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:email</md:NameIDFormat>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
		                        Location="https://example.com/saml/idp/sso"/>
		<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
		                        Location="https://example.com/saml/idp/slo"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>

This behavior can also be observed when using Use entity descriptor with SAML entity descriptor, as well as when using the SDK to provide the SAML entity descriptor.

KC25 has made Single logout service URL* a required field, which is why I noticed this. I believe that is also a bug and will open an issue regarding it as well.
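The report's point is that the importer appears to resolve the SLO endpoint using the SSO endpoint's binding, so the SLO URL is lost whenever the two bindings differ. As an added example (not code from this issue or from the project's own importer), here is a small namespace-aware Python parser that reads the SingleSignOnService and SingleLogoutService endpoints independently, prefers HTTP-POST over HTTP-Redirect per endpoint, and maps them onto the four form fields (URL plus POST-binding flag for SSO and for SLO). The first sample is the mixed-binding metadata from the report; the second is a constructed document with two SSO endpoints and no SLO. The output field names are assumptions for illustration. It uses the standard-library parser; for metadata fetched from an untrusted source, defusedxml is the safer choice.

```python
"""Parse SAML 2.0 IdP metadata, keeping SSO and SLO bindings independent."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PREFERENCE = (POST, REDIRECT)  # first supported binding found wins

# Constructed sample: the mixed-binding metadata from the report.
MIXED_BINDING_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.com/saml/idp/entityid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://example.com/saml/idp/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://example.com/saml/idp/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: two SSO endpoints (Redirect listed first), no SLO at all.
TWO_SSO_NO_SLO_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.com/saml/idp/entityid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://example.com/saml/idp/sso-redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://example.com/saml/idp/sso-post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _pick_endpoint(descriptor, element_name):
    """Return (location, binding) for the preferred supported endpoint of the
    given element name, or None if no supported endpoint is present.  Each
    element type is resolved on its own, so SSO and SLO may differ."""
    found = {}
    for el in descriptor.findall(f"md:{element_name}", NS):
        binding, location = el.get("Binding"), el.get("Location")
        if binding in PREFERENCE and location and binding not in found:
            # Metadata is configuration input: refuse non-TLS endpoints.
            if urlsplit(location).scheme != "https":
                raise ValueError(f"{element_name} Location is not https: {location}")
            found[binding] = location
    for binding in PREFERENCE:
        if binding in found:
            return found[binding], binding
    return None


def parse_idp_metadata(xml_text):
    """Map an EntityDescriptor onto the four form fields (names assumed)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor in metadata")
    sso = _pick_endpoint(idp, "SingleSignOnService")
    if sso is None:
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    slo = _pick_endpoint(idp, "SingleLogoutService")  # optional per the spec
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso[0],
        "sso_post_binding": sso[1] == POST,
        "slo_url": slo[0] if slo else None,
        "slo_post_binding": slo is not None and slo[1] == POST,
    }


if __name__ == "__main__":
    for sample in (MIXED_BINDING_METADATA, TWO_SSO_NO_SLO_METADATA):
        print(parse_idp_metadata(sample))
```

For the mixed-binding document this yields the SSO URL with the POST flag off and the SLO URL with the POST flag on, which is exactly the combination the report says the importer fails to produce; a quick way to confirm an importer fix is to feed it both bindings swapped and check that each flag tracks its own endpoint.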
