Auth::SAML generates invalid SAML requests by default
Concerned version
Version: 2.0.15 Lasso Version: 2.8.0 (fixed in 2.8.1)
Summary
- Enable Auth::SAML
- Add an IDP (samltest.id, etc)
- Try to authenticate
- Generated AuthnRequest is invalid ❌
(Luckily for us, most SAML IDPs are tolerant enough to accept it anyway)
- If you enable "Allow proxied authentication" in IDP options, the request becomes valid again
Logs
Here is an example AuthnRequest, which shows an invalid ProxyRestriction:
```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_A5B1138C5B9AD58325D0DDE4BEFD4E1B" Version="2.0" IssueInstant="2022-09-29T08:28:53Z" Destination="http://idp.example.com/saml" ForceAuthn="false" IsPassive="false">
  <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  <saml:Conditions>
    <saml:ProxyRestriction>
      <saml:Audience>http://idp.example.com/saml</saml:Audience>
      <saml:Count>0</saml:Count>
    </saml:ProxyRestriction>
  </saml:Conditions>
</samlp:AuthnRequest>
```
According to https://www.samltool.com/validate_xml.php :
The XML is invalid.
Line: 7 | Column: 0 --> Element '{urn:oasis:names:tc:SAML:2.0:assertion}Count': This element is not expected. Expected is ( {urn:oasis:names:tc:SAML:2.0:assertion}Audience ).
Keycloak agrees:
ERROR [org.keycloak.saml.common] (default task-80) Error in base64 decoding saml message: java.lang.RuntimeException: PL00062: Parser : Unknown tag:Count::location=org.codehaus.stax2.XMLStreamLocation2$1@450268f8
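As an added illustration (not part of this report or of LemonLDAP::NG/Lasso code), a small Python check that flags the malformed ProxyRestriction shown above: in the SAML 2.0 assertion schema, Count is a nonNegativeInteger attribute of ProxyRestriction and its only permitted children are Audience elements. Both request samples below are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
AUDIENCE = f"{{{SAML}}}Audience"
PROXY_RESTRICTION = f"{{{SAML}}}ProxyRestriction"

# Constructed sample modelled on the request quoted in this issue:
# Count is emitted as a child element, which the schema does not allow.
INVALID_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example" Version="2.0" IssueInstant="2022-09-29T08:28:53Z">
  <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
  <saml:Conditions>
    <saml:ProxyRestriction>
      <saml:Audience>http://idp.example.com/saml</saml:Audience>
      <saml:Count>0</saml:Count>
    </saml:ProxyRestriction>
  </saml:Conditions>
</samlp:AuthnRequest>"""

# Constructed sample of the schema-valid shape: Count is an attribute
# and the only children are Audience elements.
VALID_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example" Version="2.0" IssueInstant="2022-09-29T08:28:53Z">
  <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
  <saml:Conditions>
    <saml:ProxyRestriction Count="0">
      <saml:Audience>http://idp.example.com/saml</saml:Audience>
    </saml:ProxyRestriction>
  </saml:Conditions>
</samlp:AuthnRequest>"""


def check_proxy_restriction(xml_text: str) -> list:
    """Return the schema-shape problems found in every ProxyRestriction of an
    AuthnRequest; an empty list means the element is well formed."""
    root = ET.fromstring(xml_text)
    problems = []
    for pr in root.iter(PROXY_RESTRICTION):
        for child in pr:
            if child.tag != AUDIENCE:
                problems.append(f"unexpected child element {child.tag}")
        count = pr.get("Count")
        if count is not None and not count.isdigit():
            problems.append(f"Count must be a non-negative integer, got {count!r}")
    return problems


def proxy_count(xml_text: str):
    """Return the Count attribute of the first ProxyRestriction as an int, or
    None when the request carries no such attribute.  Count="0" tells the IDP
    the requester will not re-issue the received identity to other services."""
    pr = ET.fromstring(xml_text).find(f".//{PROXY_RESTRICTION}")
    if pr is None or pr.get("Count") is None:
        return None
    return int(pr.get("Count"))
```

Running `check_proxy_restriction` over the request actually sent to an IDP is a cheap way to catch this kind of regression in a test suite before a strict IDP such as Keycloak rejects it.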
Possible fixes
See https://dev.entrouvert.org/issues/69673 for the upstream bug
However, I don't think we should set ProxyRestriction by default.
Our documentation states:
- **Allow proxied authentication**: allow an authentication response to
be issued from another IDP than the one we register (proxy IDP). If
you disallow this, you should also disallow direct login from IDP,
because proxy restriction is set in authentication requests.
But this is not what ProxyRestriction is for.
ProxyRestriction is an Assertion condition that:
Specifies limitations that the asserting party imposes on relying parties that wish to subsequently act
as asserting parties themselves and issue assertions of their own on the basis of the information
contained in the original assertion
Setting this condition in the AuthnRequest means:
Specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting
assertion(s).
In other words, we tell the IDP that we don't intend to use the issued assertion to authenticate users on another app... but this is exactly what we do when we propagate the identity sent by the IDP to a CAS/OIDC/SAML app or to a vhost!
I think this option has no reason to exist in a product like LLNG and I will open an MR to remove it