Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

client.handle_logout_request signs response twice #874

Closed
Lapeth opened this issue Sep 16, 2022 · 4 comments
Closed

client.handle_logout_request signs response twice #874

Lapeth opened this issue Sep 16, 2022 · 4 comments

Comments

@Lapeth
Copy link

Lapeth commented Sep 16, 2022

When handling an IdP-initiated LogoutRequest, with sign=True and redirect binding, the LogoutResponse gets a signature in an XML element (client.create_logout_response). The XML is then deflated and Base64-encoded, and inserted in a URL as a SAMLResponse parameter. This parameter is then signed again (client.apply_binding), with the signature put in another parameter, and the whole url returned.

This double-signing causes the IdP I'm interfacing with to reject the resulting response, and there's no option to just sign once. When only doing the outermost signing, the response goes through and logout is successful.

Excerpt from client.py:

    response = self.create_logout_response(
        _req.message,
        bindings=response_bindings,
        status=status,
        sign=False,  # <-- Only sign once
        # sign=sign,
        # sign_alg=sign_alg,
        digest_alg=digest_alg,
    )
    rinfo = self.response_args(_req.message, response_bindings)

    return self.apply_binding(
        rinfo["binding"],
        response,
        rinfo["destination"],
        relay_state,
        response=True,
        sign=sign,
        sigalg=sign_alg,
    )

The innermost signature also contains newline escapes (base64'd string contains '\n'), failing validation with XSD: https://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd, but forgoing the innermost signature makes this a non-issue.

Code Version

7.2.1

Expected Behavior

An option is present to sign in xml, sign in urlparam, or both

Current Behavior

Only signature in both places can be done.

Possible Solution

Add option in method signature, or an explanation why both signatures are necessary.

Steps to Reproduce

  1. Initiate a logoutrequest from an IdP
  2. Analyze the response from SP; observe that the request contains a Signature parameter, and base64-decoding and inflating the SAMLResponse parameter reveals a second signature.

It's likely that this behavior is intended, but some IdPs reject the response, necessitating an option to sign just once.
@vladimir-mencl-eresearch
Copy link
Contributor

Hi,

This was already reported as #819 for SSO requests - and fixed for SATOSA in IdentityPython/SATOSA#380. I hope a similar fix would also work for logout requests...

Cheers,
Vlad

@c00kiemon5ter
Copy link
Member

Hello, indeed this is a related issue as Vlad says.
I pushed 71c94d5 and 52b7ccd to fix this.
This should fix the issue, but please test it and let me know.

@Lapeth
Copy link
Author

Lapeth commented Sep 26, 2022

I'm unable to test it right now, but will do so when circumstances permit. The code looks good though.

@Lapeth
Copy link
Author

Lapeth commented Oct 2, 2022

I was finally able to install the updated code on my SP and connect to the third-party IdP.

The solution works as intended. Thanks for the fix.

@Lapeth Lapeth mentioned this issue Dec 26, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c00kiemon5ter @Lapeth @vladimir-mencl-eresearch