RelyingPartyRegistrations#fromMetadataLocation: prioritize REDIRECT binding for sso and logout #10961


Closed

Kehrlann
Contributor

@Kehrlann Kehrlann commented Mar 11, 2022

Context

Since the introduction of SameSite cookie restrictions, SAML's SSO and Logout with POST break the SavedRequest behavior. See issues:

In their service metadata, some services have multiple SingleSignOnService entries, because they support both POST and REDIRECT bindings; see the examples below. The same is theoretically possible for SingleLogoutService, but I have not personally seen examples in the wild.

Currently, the OpenSamlMetadataAssertingPartyDetailsConverter takes whichever binding is first. So if POST comes first, it is selected, leading to the above "issues".

Proposed solution

Instead of selecting the first SingleSignOnService available, iterate over all SingleSignOnServices and select the first REDIRECT-bound one.

Note: I'm proposing this against 5.7.x but I'm unsure whether I should do this against main instead. I feel it is a feature change that should go in the next minor, but it could come before Spring Security 6.

Examples

Okta

<md:SingleSignOnService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Location="https://REDACTED.okta.com/app/REDACTED/sso/saml"
/>
<md:SingleSignOnService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
    Location="https://REDACTED.okta.com/app/REDACTED/sso/saml"
/>

Workspace One

<md:SingleSignOnService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
    Location="https://REDACTED.workspaceair.com/SAAS/auth/federation/sso"
/>
<md:SingleSignOnService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Location="https://REDACTED.workspaceair.com/SAAS/auth/federation/sso"
/>
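The binding-preference selection described under "Proposed solution", written out as an added example (not the PR's own code or Spring Security's OpenSamlMetadataAssertingPartyDetailsConverter). It parses a constructed metadata fragment shaped like the Okta example above, prefers the HTTP-Redirect endpoint regardless of order, and falls back to the first listed entry when no REDIRECT binding exists; entity IDs and locations are made up.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata fragment: POST listed first, as in the Okta example.
OKTA_LIKE = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed metadata with only a POST endpoint and no logout endpoint,
# to exercise the fallback and the "nothing published" case.
POST_ONLY = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp2.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{POST}" Location="https://idp2.example.test/sso-post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def select_endpoint(metadata_xml, element, preferred=REDIRECT):
    """Return (binding, location) for the given endpoint element
    (SingleSignOnService or SingleLogoutService), preferring `preferred`.

    Mirrors the PR's proposal: scan every entry instead of taking the first,
    pick the first one with the preferred binding, otherwise keep the old
    behaviour (first entry in document order). Returns None if the metadata
    publishes no such endpoint at all.
    """
    root = ET.fromstring(metadata_xml)
    services = root.findall(f".//{{{MD_NS}}}{element}")
    if not services:
        return None
    for svc in services:
        if svc.get("Binding") == preferred:
            return svc.get("Binding"), svc.get("Location")
    first = services[0]  # pre-PR behaviour: whichever binding comes first
    return first.get("Binding"), first.get("Location")


if __name__ == "__main__":
    print(select_endpoint(OKTA_LIKE, "SingleSignOnService"))
    print(select_endpoint(POST_ONLY, "SingleSignOnService"))
    print(select_endpoint(POST_ONLY, "SingleLogoutService"))
```

Note that this only changes the binding used for the outgoing AuthnRequest / LogoutRequest; it says nothing about how the asserting party delivers its response.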

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 11, 2022
@Kehrlann Kehrlann marked this pull request as ready for review March 11, 2022 16:54
@Kehrlann
Contributor Author

Kehrlann commented Mar 14, 2022

This PR has absolutely no effect on the aforementioned bugs. I mixed AuthN requests and responses, the binding is for the request, the SAML Asserting Party will always POST back, no matter what was used in the request.

Closing.

@Kehrlann Kehrlann closed this Mar 14, 2022