
AuthnRequest Subject MUST NOT contain SubjectConfirmation #561

Open
Udachin opened this issue Jul 20, 2023 · 3 comments


Udachin commented Jul 20, 2023

AuthnRequest::__construct with a provided $nameIdValueReq adds a SubjectConfirmation, but according to the SAML documentation this element (<saml:Subject>) MUST NOT contain any <saml:SubjectConfirmation> elements.

Link to SAML documentation: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Quote from SAML documentation:

4.1.4.1 Usage
Note that the service provider MAY include a <saml:Subject> element in the request that names the actual identity about which it wishes to receive an assertion. This element MUST NOT contain any <saml:SubjectConfirmation> elements. If the identity provider does not recognize the principal as that identity, then it MUST respond with a message containing an error status and no assertions.


pitbulk commented Jul 20, 2023

@Udachin Thanks for sharing this, I will need to research

I think my doubts came from this reference:
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

3.4.1 Element <AuthnRequest>

<saml:Subject> [Optional]
Specifies the requested subject of the resulting assertion(s). This may include one or more
<saml:SubjectConfirmation> elements to indicate how and/or by whom the resulting assertions
can be confirmed. For more information on this element, see Section 2.4.

If entirely omitted or if no identifier is included, the presenter of the message is presumed to be the
requested subject. If no <saml:SubjectConfirmation> elements are included, then the presenter
is presumed to be the only attesting entity required and the method is implied by the profile of use
and/or the policies of the identity provider.

And also for the fact that the XSD allows it
http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html


Udachin commented Jul 21, 2023

Specifies the requested subject of the resulting assertion

AuthnRequest is not the resulting assertion.


Udachin commented Jul 21, 2023

4.1.4.1 in http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf only talks about the Web Browser SSO Profile, so probably (not sure) in other profiles it's allowed to use this tag, and that is why it exists in the XSD.

https://github.com/SAML-Toolkits/php-saml/blob/4.0.0/README.md

General description
Implements the SAML 2.0 Web Browser SSO Profile
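A check for the rule the thread is about, as an added example that is not php-saml's code (written in Python rather than PHP so it runs stand-alone): it parses an AuthnRequest and reports a Subject that carries SubjectConfirmation, which the Web Browser SSO profile forbids even though the core schema permits it. The two sample documents are constructed; the first has the shape the issue describes, a requested NameID wrapped together with a SubjectConfirmation.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def check_web_sso_subject(authn_request_xml: str) -> list[str]:
    """Return findings for the <saml:Subject> of an AuthnRequest under the
    Web Browser SSO profile (saml-profiles-2.0-os, section 4.1.4.1).
    An empty list means the Subject is absent or is a bare identifier."""
    # For XML received from an untrusted party, parse with defusedxml
    # instead of the stdlib parser; the check itself is unchanged.
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return [f"root element is {root.tag}, not samlp:AuthnRequest"]
    findings = []
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return findings  # omitting Subject is allowed: presenter is the subject
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if confirmations:
        findings.append(
            f"Subject carries {len(confirmations)} SubjectConfirmation element(s); "
            "the Web Browser SSO profile says it MUST NOT contain any")
    has_id = any(subject.find(t, NS) is not None
                 for t in ("saml:NameID", "saml:EncryptedID", "saml:BaseID"))
    if not has_id:
        findings.append("Subject is present but names no identifier")
    return findings


# Constructed sample: the shape the issue describes (NameID plus SubjectConfirmation).
NONCOMPLIANT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2023-07-20T00:00:00Z">
  <saml:Issuer>https://sp.example.invalid/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
</samlp:AuthnRequest>"""

# Same request with the SubjectConfirmation removed: what the profile expects.
COMPLIANT = NONCOMPLIANT.replace(
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>', "")

if __name__ == "__main__":
    for label, doc in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(label, check_web_sso_subject(doc) or "ok")
```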
