Missing ProtocolBinding in AuthnRequest to IdP about saml HOT 12 CLOSED

https://pkg.go.dev/github.com/crewjam/saml#AuthnRequest

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

from saml.

Well, ProtocolBinding is set as: ProtocolBinding="".
This should be ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" probably.

from saml.

If I add

ProtocolBinding:             HTTPPostBinding,

around line 185 in service_provider.go, I get further, but the authentication still fails with an error from the library:

ERROR: Status code was not urn:oasis:names:tc:SAML:2.0:status:Success

The status returned seems to be:

urn:oasis:names:tc:SAML:2.0:status:Responder

from saml.

You are using samlsp? If so I agree with @puiterwijk that we need to set ProtocolBinding there.

The urn:oasis:names:tc:SAML:2.0:status:Responder seems to mean it is an IDP error. I wonder if there is a message on the Ipsilon side that might offer a clue.

from saml.

Yes, using samlsp.

The IDP (ipsilon) has at least this in the log:

[Tue Oct 18 15:14:47.910108 2016] [:error] [pid 24560] [18/Oct/2016:15:14:47]  ERROR: Authentication succeeded but it was not provided by NameID urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

from saml.

That's related to #21: this library doesn't suggest a NameID to use.
You probably want to reconfigure the Allowed NameIDs and default NameID in Ipsilon to "unspecified", as that'll just provide the username. You can also use "transient".

from saml.

Yes, unspecified/transient does work, as long as ProtocolBinding is set. No X-Saml-Cnheader like in the example, though.

Thank you very much @puiterwijk for helping with this!

from saml.

Thank you again for the swift response.

So I removed my little patch of adding ProtocolBinding, updated my git checkout of saml and tried to auth against ipsilon again. Without success, I'm afraid. The error message is the same as before.

@puiterwijk thinks the sp metadata needs to have HTTP-Redirect as well, i.e. HTTPRedirectBinding

from saml.

So, the problem with your commit is that you're now telling the IdP that you want to use the SP's HTTP-Redirect ProtocolBinding.
While this is sane to use for SP -> IdP communication, this is unfeasible for IdP -> SP communication.
Especially if you're requesting AuthnResponse's to be signed, since the size of the response would exceed the max limit of most client's HTTP headers.

Some libraries, like the Lasso library used by Ipsilon, will just refuse this for this and other reasons: https://repos.entrouvert.org/lasso.git/commit/?id=88236da2

For this reason, I would suggest to request PostBinding as response, even if you use the HTTP-Redirect binding at the IdP.

So, I think that in the func Redirect(), you need to use: reqCopy.ProtocolBinding = HTTPPostBinding

from saml.

You are absolutely right. I messed it up.

Architecturally, saml.AuthnRequest should probably not be opinionated about how the response is returned. But samlsp.Middleware only supports post, so req.ProtocolBinding should be set there.

Thanks for setting me straight.

from saml.

Thank you again!

That seems to have done it. Even the user name is present as the X-Saml-Subject header.

from saml.

where is this all documented that there is field called ProtocolBinding in AuthnRequest object. Can someone reference me pls.

from saml.