lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Feed updated: 2017-11-08T16:01:45Z

Issue #2: [SAML] Attribute authority
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2
2017-11-08T16:01:45Z, Clément OUDOT, milestone 1.0-rc2
LemonLDAP::NG IDP will also be a SAML2 attribute authority.

Issue #3: [SAML] Attribute authority declaration in metadata
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3
2017-11-08T16:01:43Z, Clément OUDOT, milestone 1.0-rc2

Issue #21: Special characters from SAML attribute statement are not well encoded
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/21
2017-11-08T16:01:40Z, Clément OUDOT, milestone 1.0-rc2
SAML attributes are not automatically encoded in UTF-8. We should maybe check this before registering them into the session.
This can be tested by using AuthSAML with an IDP sending attribute values containing accents.

Issue #31: [SAML] Proxy IDP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/31
2017-11-08T16:01:52Z, Clément OUDOT, milestone 1.0-rc2
We can configure LemonLDAP::NG as SP and IdP. We have to work on some functionalities to be fully proxy IDP compliant:
* Reuse authnStatement from SP in IDP
* Check proxyCount and other proxy conditions

Issue #32: [SAML] Manage Artifact methods for SAML messages emission in SP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/32
2017-11-08T16:01:51Z, Clément OUDOT, milestone 1.0-rc2
The SP knows how to handle an artifact in a received SAML message, but does not know how to send its messages through artifact methods.

Issue #33: [SAML] Check "Destination" attribute
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/33
2017-11-08T11:36:31Z, Clément OUDOT, milestone 1.0-rc2
SAML messages can carry a "Destination" attribute. We should check that its value is the authentication portal URL.

Issue #35: [SAML] Manage SLO through SOAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/35
2017-11-08T15:56:41Z, Clément OUDOT, milestone 1.0-rc2
The idea is to use images that will call a script on the portal. This script will manage the SLO SOAP request and catch the response.
We should use a special SLO cookie, so that the script is aware of which user is asking for SLO. This can't be the main WebSSO cookie because it is already destroyed at this stage (local logout already occurred).

Issue #36: [SAML] Check dates and other conditions in SLO requests
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/36
2017-11-08T16:01:50Z, Clément OUDOT, milestone 1.0-rc2

Issue #37: [SAML] Proxy restriction should include all known IDP, and not only target IDP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/37
2017-11-08T11:36:31Z, Clément OUDOT, milestone 1.0-rc2
In AuthSAML, we can allow or not that authn statements were proxified. For now, we just test that this was not proxified, but we should allow proxy for all known IDPs (in our circle of trust), and just refuse them from unknown IDPs.

Issue #40: [SAML] Dedicated portal error codes for SAML errors
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/40
2017-11-08T16:01:52Z, Clément OUDOT, milestone 1.0-rc2
For now, SAML errors are only reported in the Apache error log. The user only sees "Error".
For some specific SAML errors, we should give more information to the final user.

Issue #42: [SAML][SP] Attributes sent through IDP initiated SSO are not registered into session
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/42
2017-11-08T11:36:31Z, Clément OUDOT, milestone 1.0-rc2

Issue #44: [SAML][SP] IDP list when unknown IDP in IDP cookie
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/44
2017-11-08T11:36:31Z, Clément OUDOT, milestone 1.0-rc2

Issue #46: [logout] verify referer in logout process
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/46
2017-11-08T15:56:39Z, Thomas Chemineau, milestone 1.0-rc2
When the handler intercepts the logout URL (which is written directly by hand in an internet browser), the handler redirects it to the portal.
The URL is of the form "http://auth.example.com/url=base64(url)".
There is no Referer header in the HTTP request when the user goes to the portal. An error is produced: "Bad URL".

Issue #47: [SAML] RequestedAuthnContext should always be translated into authenticationLevel
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/47
2017-11-28T17:47:22Z, Clément OUDOT, milestone 1.0-rc2
As SP, when we request an authentication context, we verify that the IDP has used this context. But it can have used another one, stronger. In this case, we should not raise an error.
We should always associate a SAML authnContext to an authenticationLevel, and translate them back. We will never raise an error, but this authenticationLevel can then be used in rules.

Issue #49: [SAML][IDP] Manage encrypted NameID
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/49
2017-11-28T17:47:23Z, Clément OUDOT, milestone 1.0-rc2
Encrypted NameID should be set in Lasso::Provider (so it will be read from an option). Then all NameIDs for this provider will be encrypted.

Issue #50: [SAML][SP] OneTimeUse flag should not reduce session duration
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/50
2017-11-28T17:47:23Z, Clément OUDOT, milestone 1.0-rc2
The OneTimeUse flag was not used correctly. We should only trust SessionNotOnOrAfter for session duration calculation. Our SP will behave the same with or without the OneTimeUse flag.

Issue #51: [SAML][IDP] SAML sessionIndex value should be an encrypted value of LL::NG session_id
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/51
2017-11-28T17:47:23Z, Clément OUDOT, milestone 1.0-rc2
SAML sessionIndex should carry the real session_id (but encrypted). This will next be used in SLO to destroy the correct LL::NG session.

Issue #52: IssuerDB activation rule
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/52
2017-11-28T17:47:23Z, Clément OUDOT, milestone 1.0-rc2
We should have an IssuerDB rule that will be checked before IssuerDB sends the authn response.
This is needed to serve the authn response only for specific users (like those locally authenticated, for example).

Issue #53: [SAML][IDP] sendLogoutResponseAfterLogoutRequest method does not exist
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/53
2017-11-28T17:47:23Z, Clément OUDOT, milestone 1.0-rc2
This method is called in IssuerDBSAML, in issuerForUnAuthUser.
It is not defined anywhere.

Issue #56: [SAML][IDP] SLO through HTTP-POST
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/56
2017-11-28T17:47:23Z, Clément OUDOT, milestone 1.0-rc2