The verification rule on address within SubjectConfirmationData is too strict

[Littlefisher619]

Code Version

I'm using djangosaml2 which depend on pysaml2==7.1.0

Expected Behavior

The verification rule is too strict! The address format like "ip:port" can't be think as malformed.
The idp sent client's address within the SubjectConfirmationData section, but the address may not always a ip address only, it may contains port which determine by the implemention of idp.
SO, Expected Behavior is the verifaction returns True.

Current Behavior

I got a saml2.validate.ShouldValueError: Not an IPv4 or IPv6 address while idp connecting to my service provider.

Possible Solution

More rules to support different types of address field.

Steps to Reproduce

Sent address like "ip:port" in the section as below:

[vladimir-mencl-eresearch]

Hi,
The SAML 2.0 Core specification explicitly defines the SubjectLocality Address attribute (on page 28) as:

The network address of the system from which the principal identified by the subject was authenticated. IPv4 addresses SHOULD be represented in dotted-decimal format (e.g., "1.2.3.4").
IPv6 addresses SHOULD be represented as defined by Section 2.2 of IETF RFC 3513 [RFC 3513] (e.g., "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210").

I think the code correctly implements the specification.

Cheers,
Vlad

[Littlefisher619]

Hi, The SAML 2.0 Core specification explicitly defines the SubjectLocality Address attribute (on page 28) as:

The network address of the system from which the principal identified by the subject was authenticated. IPv4 addresses SHOULD be represented in dotted-decimal format (e.g., "1.2.3.4").
IPv6 addresses SHOULD be represented as defined by Section 2.2 of IETF RFC 3513 [RFC 3513] (e.g., "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210").

I think the code correctly implements the specification.

Cheers, Vlad

Hi, @vladimir-mencl-eresearch

The standard SAML 2.0 Core specification is NOT always suitable for all environement.

Maybe the client(the User) is behind a NAT gateway, and the address is not the real ip address.

Thus a single ip address without port can NOT be used for the verifactions.

If you do not agree with the modifcation of the verify function, I hope I can toggle off the verifaction in config.

[AndrewChau]

I agree, would love to have a config option for this.

[kushaldas]

I was hit by this issue yesterday, I hope we have a better way to handle the port numbers in the Address.