lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2017-11-28T17:47:32Z

Issue #88: Better signature management
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/88
Updated: 2017-11-28T17:47:32Z
Author: Clément OUDOT
Milestone: 1.0-rc2

SAML message signatures are managed 2 times:
* In service metadata, SP and IDP part can require authnrequest signed, or not (see WantAuthnRequestSigned parameter)
* In IDP and SP nodes, we have options to check or not signature
We have to check all combinations of these parameters.

Issue #89: Security keys in service metadata
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/89
Updated: 2017-11-28T17:47:32Z
Author: Clément OUDOT
Milestone: 1.0-rc2

We use one public key for SP and another for IDP but they are linked to the same private key.
We should only manage one public key (or certificate) and use it everywhere.
We can also use one key for signing, and another for encryption.

Issue #91: SOAP configuration parameter is not needed in SAML
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/91
Updated: 2017-11-28T17:47:32Z
Author: Clément OUDOT
Milestone: 1.0-rc2

Indeed, we do not use LL::NG SOAP services to manage SAML SOAP messages.

Issue #96: Add encryptionkey in Attribute Authority metadata
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/96
Updated: 2017-11-28T17:47:32Z
Author: Clément OUDOT
Milestone: 1.0-rc2

Issue #98: Add option to disable SAML conditions checks
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/98
Updated: 2017-11-10T06:04:24Z
Author: Clément OUDOT
Milestone: 1.0-rc2

Issue #100: Secondary SAML session should be destroyed when primary session is deleted
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/100
Updated: 2017-11-28T17:47:35Z
Author: Clément OUDOT
Milestone: 1.0-rc2

Else we can have something like that:
{quote}
[Fri Jun 11 15:30:30 2010] [warn] More than one SAML session found for user coudot@linagora.com
[Fri Jun 11 15:30:30 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Retrieve SAML session b5038fc53956d28f40dc7bc9e4ebdf5c for user coudot@linagora.com
[Fri Jun 11 15:30:30 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Retrieve real session 5551c6b12c19577d836907f3306c1268 for user coudot@linagora.com
[Fri Jun 11 15:30:30 2010] [info] Session 5551c6b12c19577d836907f3306c1268 isn't yet available (213.41.232.151)
[Fri Jun 11 15:30:30 2010] [error] Cannot get session 5551c6b12c19577d836907f3306c1268
{quote}

Issue #104: Store entities metadata in raw format
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/104
Updated: 2017-11-28T17:47:35Z
Author: Clément OUDOT
Milestone: 1.0-rc2

By now entities metadata are converted in a big Hash, and then reformatted, but this breaks markup order and this can have an impact (RSA KeyValue for example).
We have to store raw metadata, and import them correctly in portal.

Issue #105: Error on SLO request for already closed session
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/105
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

When receiving an SLO request for an already closed session, we have:
{quote}
[Mon Jun 14 15:15:07 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Get session id 20189080805e4e4bdff2c840498106b5 (decrypted from 673D6bgWdpr2rg/3sdRBcuCzCyxB4zO/XUT16e4kpilfx2P5cAFxFFV4O1LGuKZB)
[Mon Jun 14 15:15:07 2010] [info] Session 20189080805e4e4bdff2c840498106b5 isn't yet available (213.41.232.151)
[Mon Jun 14 15:15:07 2010] [error] Can't use string ("0") as a HASH ref while "strict refs" in use at /usr/local/share/perl/5.10.0/Lemonldap/NG/Portal/IssuerDBSAML.pm line 293.\n
[Mon Jun 14 15:15:07 2010] [debug] mod_deflate.c(615): [client 213.41.232.151] Zlib: Compressed 387 to 289 : URL /saml/singleLogout, referer: http://wcs.vm2.lemonsaml.linagora.com/
{quote}

Issue #106: Display OK or ERROR icons on HTTP REDIRECT and HTTP POST SLO iframes
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/106
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

We should be able to have a graphical SLO state, as we have with SOAP.

Issue #107: Manage asynchronous SLO request on closed SSO session (SAML IDP)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/107
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

We should send an SLO response when catching an SLO request for an already closed SSO session. This is done for SOAP, but not for HTTP-REDIRECT or HTTP-POST.

Issue #108: NameID unspecified format should use the default NameID format
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/108
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

For example Google Apps sends AuthnRequest with NameID unspecified format. But Google Apps waits for user mail in AuthnResponse, so we should always map unspecified format to the chosen default NameID format.

Issue #109: Do not send AttributeStatement when no attribute should be sent
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/109
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

We have an empty attribute statement in AuthResponse from IDP when no attributes are present. This should not be the case, and causes for example a problem with Google Apps.
See http://www.google.com/support/forum/p/apps/thread?tid=262beadae133a615&hl=fr&fid=262beadae133a61500048948ff302e66

Issue #110: Store SAML token in session
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/110
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

We should store SAML token in session (SAML SP side), to replay this token on other applications or web services.

Issue #111: Build SLO response request with other SLO request status
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/111
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

IDP sends SLO request to connected SP. We should store SP SLO status and then build SLO response to SLO issuer SP.

Issue #113: Lemonldap::NG is not compatible with the use of a LDAP server using a different encoding than UTF-8 for storing passwords
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/113
Updated: 2017-11-28T17:47:36Z
Author: Yadd
Milestone: 1.0-rc2

Since Lemonldap::NG web pages are UTF-8 encoded, the LDAP bind uses the same encoding to test user password.
I propose to add a "ldapPwdEnc" parameter to indicate LDAP password encoding.

Issue #114: Bad usage of Apache::Session::searchOn() on portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/114
Updated: 2017-11-28T17:47:36Z
Author: Yadd
Milestone: 1.0-rc2

When singleIP is used, searchOn is called with $self->{ipAddr} instead of 'ipAddr', so Apache::Session::Browseable indexes are never used.

Issue #115: In info page, when clicking on "Continue", we are not redirected to urldc
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/115
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

It seems there is a problem with hidden fields.

Issue #119: Special UTF-8 characters raise error in metadata
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/119
Updated: 2017-11-28T17:47:36Z
Author: Clément OUDOT
Milestone: 1.0-rc2

When we have a special character (eg: é) in a metadata, it is well saved by Manager, but then we have this Lasso error in portal:
{quote}
[Mon Jun 28 10:46:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Get Metadata for IDP lemonldapng-vm2
[Mon Jun 28 10:46:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error [ critical ]: libxml2: Input is not proper UTF-8, indicate encoding !\\nBytes: 0xE9 0x20 0x4C 0x65\\n
[Mon Jun 28 10:46:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error [ debug ]: 2010-06-28 10:46:02 (server.c/:65) Failed to add new provider.
[Mon Jun 28 10:46:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error code -202: Failed to add new provider.
[Mon Jun 28 10:46:02 2010] [error] Fail to use IDP lemonldapng-vm2 Metadata
{quote}

Issue #122: Secondary SAML session are not deleted on local IDP logout
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/122
Updated: 2017-11-28T17:47:39Z
Author: Clément OUDOT
Milestone: 1.0-rc2

This should be corrected in issuerLogout method.

Issue #124: Stop info/confirm timer at 0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/124
Updated: 2017-11-28T17:47:39Z
Author: Clément OUDOT
Milestone: 1.0-rc2

Our timer becomes negative if we have a big load time (for example when using SAML artifact binding), and this displays --2, or ---3 on info/confirm page.