Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Question] Support for <AssertionConsumerServiceIndex> in AuthnContext #380

Open
stevenztruong opened this issue Jul 6, 2019 · 4 comments
Open

[Question] Support for <AssertionConsumerServiceIndex> in AuthnContext #380

stevenztruong opened this issue Jul 6, 2019 · 4 comments
Labels
pr-welcome

Comments

@stevenztruong
Copy link

stevenztruong commented Jul 6, 2019
edited
Loading

Hi,

I am stuck in the situation where the IDP server (Siteminder) requires that the application needs to include and the IDP will use this index to look up the Assertion Consumer Service URL in case multiple SP servers are registered under one application name. This also means that AssertionConsumerServiceURL in the request will be ignored.

I have gone over passport-saml document but could not find anything. Does anyone know whether passport-saml supports this? If not, can anyone suggest a workaround?

Thanks!
@stevenztruong
Copy link
Author

Worst case scenario, can I interrupt passport-saml flow somehow to modify the SAML request before it is sent to IDP?

@DbCrWk
Copy link

DbCrWk commented Aug 30, 2019

tl;dr passport-saml does correctly set this index.

After you instantiate the strategy, you can output the service provider metadata to see exactly what is sent, like this

const myPublicCertificate = ...;
const strategy = new SamlStrategy(opts, callbackFn);
// This will output XML
strategy.generateServiceProviderMetadata(myPublicCertificate [, optionalEncryptionCertificate]);

If you check the metadata, you'll see

<AssertionConsumerService
    index="1"
    isDefault="true"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://your-service.sp/callbackRoute"
/>

@MoreSaltMoreLemon
Copy link

I am also running into a need for the ability to control the AssertionConsumerServiceIndex property.

I'm interfacing with an Okta SAML endpoint which allows multiple requestable endpoints which are specified with the AssertionConsumerServiceIndex property.

Looking over the source code there's nowhere where this property is can be externally specified. It is given a default value of 1 here, and a similar property is set in exactly the manner that I'd like to utilize here.

If I extend passport-saml to have a assertionConsumingServiceIndex property like so:

    if (this.options.attributeConsumingServiceIndex != null) {
      request['samlp:AuthnRequest']['@AssertionConsumingServiceIndex'] = this.options.assertionConsumingServiceIndex;
    }
  metadata.EntityDescriptor.SPSSODescriptor.AssertionConsumerService = {
    '@index': this.options.assertionConsumingServiceIndex || '1',
    '@isDefault': 'true',
    '@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    '@Location': this.getCallbackUrl({})
  };

Will these modifications cause issues for the integrity of the SAML request?

@cjbarth
Copy link
Collaborator

cjbarth commented Oct 12, 2020

At first glace, it doesn't seem that this would cause any problems. Would you be willing to make a PR that includes this new option, include tests, and references the part of the SAML spec that calls for this. That will likely get more eyes on this matter and help others down the road.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pr-welcome
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cjbarth @stevenztruong @DbCrWk @MoreSaltMoreLemon