SAML SessionIndex may leak SSO data and cause interoperability issues
Currently Lemonldap::ng uses the SAML SessionIndex in a meaningful manner. By that, I mean the SAML SessionIndex is actually the SSO session id, encrypted. This has several drawbacks:
1 - Although the SAML specification states that "In general, any string value MAY be used as a SessionIndex value." (chap 2.7.2 saml-core-2.0-os), it also states that "the value SHOULD NOT be usable to correlate activity by a principal across different session participants".
2 - Using the encrypted SSO session Id can be seen as a security risk, as it leaks data from the main SSO layer that could potentially lead to more information being gathered from the master session.
3 - Nowadays, a lot of applications (SPs for instance) have several components talking to each other through REST APIs. As a consequence, some characters need to be URL encoded to go through HTTP requests. The current encryption generates strings that are not URL friendly. For example, "+" is usually translated to %1.3.1 by many URL encoding methods, as "+" is also used to represent spaces in URLs... In short, generally speaking, using characters like this is prone to interoperability issues (I've experienced issues myself with "+" and "/" when using the single logout profile).
I would like to propose using meaningless UUIDs as the sessionIndex instead. Such a sessionIndex is already stored in the SAML session, together with the main SSO session ID (_saml_id), so it shouldn't be a big deal to change that behaviour.
Please find attached a patch I have written (not a Perl expert at all - feel free to blame me for this code!) and tested with LemonLDAP configured as an IdP and a third-party SP. Tests were successful using the SSO and SLO profiles.