Failure to handle "saml2" and "saml2p" xml namespaces #189
Comments
The toolkit works with Google IdP and saml2 / saml2p namespace.
Maybe I'm misinterpreting what I'm seeing, but take this function for example:

```python
def validate_num_assertions(self):
    """
    Verifies that the document only contains a single Assertion (encrypted or not)
    :returns: True if only 1 assertion encrypted or not
    :rtype: bool
    """
    encrypted_assertion_nodes = OneLogin_Saml2_Utils.query(self.document, '//saml:EncryptedAssertion')
    assertion_nodes = OneLogin_Saml2_Utils.query(self.document, '//saml:Assertion')
    valid = len(encrypted_assertion_nodes) + len(assertion_nodes) == 1
    if (self.encrypted):
        assertion_nodes = OneLogin_Saml2_Utils.query(self.decrypted_document, '//saml:Assertion')
        valid = valid and len(assertion_nodes) == 1
    return valid
```

This is the first place validating my response fails. The xpath query explicitly uses:

```python
@staticmethod
def query(dom, query, context=None):
    """
    Extracts nodes that match the query from the Element
    :param dom: The root of the lxml object
    :type: Element
    :param query: Xpath Expression
    :type: string
    :param context: Context Node
    :type: DOMElement
    :returns: The queried nodes
    :rtype: list
    """
    if context is None:
        return dom.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP)
    else:
        return context.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP)
```
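The point the quoted `query` method turns on is that namespace-aware lookups match on the namespace URI bound to a prefix, not on the prefix text itself, so a path written with `saml:` finds a `saml2:Assertion` whenever both prefixes resolve to the SAML 2.0 assertion URI. The following is an added example, not code from python-saml or from anyone in this thread. It assumes the standard-library `xml.etree.ElementTree` as a stand-in for lxml (the toolkit uses lxml's `.xpath()`; `findall()` resolves prefixes through the same kind of map), reproduces only the two `NSMAP` entries it needs, and runs the toolkit's single-assertion count over constructed responses: one with `saml2p`/`saml2` prefixes, an encrypted one in the shape of the Okta response, one with a second assertion injected, and one whose element carries the `saml` prefix bound to a different URI.

```python
"""Added example (not python-saml's own code): namespace-aware lookups match on
the namespace URI, never on the prefix, so a query written with the `saml:`
prefix finds `saml2:Assertion` as long as both prefixes map to the SAML 2.0
assertion URI. The single-assertion count python-saml performs is mirrored
against constructed responses, including one with an injected extra assertion.

python-saml uses lxml's .xpath(); the standard-library ElementTree findall()
used here (assumed substitute) resolves prefixes the same way and needs no
third-party package.
"""
import xml.etree.ElementTree as ET

# Prefix map in the style of OneLogin_Saml2_Constants.NSMAP (only the two
# entries this example needs are reproduced here).
NSMAP = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: Google/Okta-style response that uses the saml2p/saml2
# prefixes bound to the standard SAML 2.0 URIs. Signature omitted for brevity.
RESPONSE_SAML2 = """<saml2p:Response ID="_r1" Version="2.0" IssueInstant="2017-05-09T08:10:41Z"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example/</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2017-05-09T08:10:41Z"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>
"""

# Constructed sample: encrypted variant in the shape of the Okta response
# (cipher text replaced by a placeholder).
RESPONSE_ENCRYPTED = """<saml2p:Response ID="_r2" Version="2.0" IssueInstant="2017-05-09T08:10:41Z"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>
"""

# Constructed sample: a second Assertion smuggled in next to the real one
# (the shape of an XML Signature Wrapping attempt); the count must reject it.
RESPONSE_INJECTED = RESPONSE_SAML2.replace(
    "</saml2p:Response>",
    '<saml2:Assertion ID="_a2" Version="2.0" IssueInstant="2017-05-09T08:10:41Z"'
    ' xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml2:Subject><saml2:NameID>admin@example.com</saml2:NameID></saml2:Subject>"
    "</saml2:Assertion></saml2p:Response>",
)

# Constructed sample: an element that uses the `saml` prefix but binds it to a
# different URI. The prefix alone buys nothing: the lookup does not match it.
RESPONSE_FOREIGN_URI = RESPONSE_SAML2.replace(
    "</saml2p:Response>",
    '<saml:Assertion ID="_x1" xmlns:saml="http://example.invalid/not-saml"/>'
    "</saml2p:Response>",
)


def query(dom, path, nsmap=NSMAP):
    """Return elements matching `path`; prefixes in `path` are resolved via `nsmap`."""
    return dom.findall(path, namespaces=nsmap)


def count_assertions(xml_text):
    """Number of Assertion plus EncryptedAssertion elements in the SAML 2.0 assertion namespace."""
    root = ET.fromstring(xml_text)
    return len(query(root, ".//saml:Assertion")) + len(query(root, ".//saml:EncryptedAssertion"))


def validate_num_assertions(xml_text):
    """Mirror of the toolkit's check: exactly one assertion, encrypted or not."""
    return count_assertions(xml_text) == 1


def name_id(xml_text):
    """NameID of the plaintext assertion, located through the `saml:` prefix."""
    root = ET.fromstring(xml_text)
    nodes = query(root, ".//saml:Assertion/saml:Subject/saml:NameID")
    return nodes[0].text if nodes else None


if __name__ == "__main__":
    for label, doc in [("saml2 prefixes", RESPONSE_SAML2), ("encrypted", RESPONSE_ENCRYPTED),
                       ("injected", RESPONSE_INJECTED), ("foreign URI", RESPONSE_FOREIGN_URI)]:
        print(f"{label:15} assertions={count_assertions(doc)} valid={validate_num_assertions(doc)}")
    print("NameID:", name_id(RESPONSE_SAML2))
```

The injected and foreign-URI samples are the two directions of the same rule: an extra assertion in the real namespace is counted and fails the check regardless of which prefix it was written with, while an element that merely borrows the `saml` prefix for an unrelated URI is invisible to the lookup. If a response with `saml2` prefixes fails `validate_num_assertions`, the cause is therefore something other than the prefix text, for instance a namespace URI that differs from the standard one or a second assertion element in the document.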
I tested in the past and the toolkit is able to process saml2p / saml2 namespaces. Check this response example: the saml2p / saml2 namespace is used on that test and you can see it is able to extract the NameID value, which internally uses the query method. You can try to modify that test and use:

And you will see how the test passes and the assertion node is found. If you want, send me your SAMLResponse to my mail and I will try to review if I find something wrong...
Hi, I just encountered the same exact issue, trying to work with a SAMLResponse from Okta's SSO service. Here is the response structure:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://localhost:8000/?acs" ID="id22940872238742692662900027" InResponseTo="ONELOGIN_f3c135eb1bcfff5f2478c9f18c5d2a35343d114b" IssueInstant="2017-05-09T08:10:41.616Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exkaad9tdgNdcPTcu0h7</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id22940872238742692662900027">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>pvXgG0Me77AKhrAgy2feOOFCX5LqNGWOJNjTeqXRUVc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Id="_d1a2d16c7d590487bd641ef5083f7604" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_4a2a5a0d0bdb360327fb8dc041925b2c"/>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedKey Id="_4a2a5a0d0bdb360327fb8dc041925b2c" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      </xenc:EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#_d1a2d16c7d590487bd641ef5083f7604"/>
      </xenc:ReferenceList>
    </xenc:EncryptedKey>
  </saml2:EncryptedAssertion>
</saml2p:Response>
```
@zshauli what error have you experienced?
@pitbulk I'm sorry, I just tried to re-investigate the issue I encountered and I think it is not related to the namespace issue that @kingoftheknoll raised. Here's the debug print from xmlsec:

I'll try to debug some more to get to the bottom of this. Thanks.
I just recorded a SAMLResponse from Okta with saml2p/saml2 namespace and I was able to validate it with strict = True, and I was able to retrieve NameID and Attributes. I'm closing that ticket now because I was not able to reproduce any issue related with namespaces with the provided info. @zshauli If you experience an issue, open a new ticket. Maybe you have some issues with your xmlsec installation, review #30
Google Suite Admin tools allow Google to be used as an Identity Provider. I'm able to successfully authenticate and get a SAML response back. However, the response XML has `saml2` and `saml2p` XML namespaces on the tags. From what I read this format is allowed but discouraged in the 2.0 spec (Source). Looking through the project it appears that all XPath selectors explicitly use `saml` and `samlp` namespaces and cannot support the format that Google uses. Here is a condensed response.

Has anyone used this library with Google or do you have suggestions about how I can get around this?