
identity-inbound-auth-saml's Introduction

identity-inbound-auth-saml's People

Contributors

anuradhask, darshanasbg, deshankoswatte, dewnimw, dilin993, dmhp, emswbandara, gangani, gdrdabarera, hasinthaindrajee, hwupathum, imalshag, isurad, jkaushalya, madumalt, madurangasiriwardena, malithie, nilasini, omindu, piraveena, pulasthi7, sachiniwettasinghe, senthalan, thanujalk, thisara-welmilla, udeshathukorala, vihanga-liyanage, vivekvinushanth, winmah, wso2-jenkins-bot


identity-inbound-auth-saml's Issues

SAML2 SessionNotOnOrAfter support

Description:
Support for SAML2's SessionNotOnOrAfter property would be useful for enforcing an idle session timeout on Service Providers, and for ensuring that service providers will refresh from the IdP within that timeframe to prevent an idle timeout.

Suggested Labels:
enhancement, Feature, Type/Improvement

Affected Product Version:
IS 5.4.0
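The following is an added example of the Service Provider side of this request; it is not code from the issue, from WSO2 IS or from the project. It parses an assertion, applies the SP's own maximum session lifetime as a ceiling, and lowers that ceiling to the IdP's SessionNotOnOrAfter when the attribute is present, so the SP knows by when it must re-authenticate with the IdP. The assertion, the issuer URL and the 8-hour local ceiling are constructed assumptions; signature and Audience validation are assumed to have happened before these values are trusted.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response): only the elements
# that matter for session timing are included.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/samlsso</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
      SessionIndex="_constructed-session"
      SessionNotOnOrAfter="2024-01-01T12:30:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# The same assertion without the optional attribute, as an IdP that does not
# support SessionNotOnOrAfter would send it.
SAMPLE_ASSERTION_NO_SESSION_LIMIT = SAMPLE_ASSERTION.replace(
    'SessionNotOnOrAfter="2024-01-01T12:30:00Z"', "")


def parse_saml_instant(value):
    """Parse an xs:dateTime as SAML uses it (UTC, 'Z' suffix) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # older Pythons do not accept a bare 'Z'
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML instants must carry a time zone: " + value)
    return parsed


def evaluate_session(assertion_xml, now, local_max_lifetime=timedelta(hours=8)):
    """Decide whether the SP session started by this assertion is still usable at `now`.

    Returns a dict with:
      assertion_valid    - Conditions/NotBefore and NotOnOrAfter hold at `now`
      session_expires_at - the earlier of (AuthnInstant + local ceiling) and the
                           IdP's SessionNotOnOrAfter, if the IdP sent one
      session_active     - now is before session_expires_at
      idp_limit_applied  - the IdP's value was the binding one
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    statement = root.find("saml:AuthnStatement", SAML_NS)
    if conditions is None or statement is None:
        raise ValueError("assertion lacks Conditions or AuthnStatement")
    if conditions.get("NotOnOrAfter") is None or statement.get("AuthnInstant") is None:
        raise ValueError("assertion lacks NotOnOrAfter or AuthnInstant")

    not_before = conditions.get("NotBefore")
    not_before = parse_saml_instant(not_before) if not_before else None
    not_on_or_after = parse_saml_instant(conditions.get("NotOnOrAfter"))
    authn_instant = parse_saml_instant(statement.get("AuthnInstant"))
    session_limit = statement.get("SessionNotOnOrAfter")
    session_limit = parse_saml_instant(session_limit) if session_limit else None

    # Conditions bound the assertion itself, not the SP session it starts.
    assertion_valid = (not_before is None or now >= not_before) and now < not_on_or_after

    # The SP's own ceiling always applies; the IdP may only shorten it.
    expires_at = authn_instant + local_max_lifetime
    if session_limit is not None and session_limit < expires_at:
        expires_at = session_limit

    return {
        "assertion_valid": assertion_valid,
        "session_expires_at": expires_at,
        "session_active": now < expires_at,
        "idp_limit_applied": session_limit is not None and expires_at == session_limit,
    }


if __name__ == "__main__":
    now = parse_saml_instant("2024-01-01T12:01:00Z")
    for label, xml in (("with SessionNotOnOrAfter", SAMPLE_ASSERTION),
                       ("without SessionNotOnOrAfter", SAMPLE_ASSERTION_NO_SESSION_LIMIT)):
        result = evaluate_session(xml, now)
        print(label, "->", result["session_expires_at"].isoformat(),
              "active" if result["session_active"] else "expired")
```

An SP that uses this should schedule a fresh AuthnRequest to the IdP before session_expires_at rather than letting the local session run past it; the NotOnOrAfter condition is deliberately kept separate because it only limits how long the assertion may be accepted, not how long the resulting session may live.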

incorrect implementation when SP's NameIDFormat is not "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

Description:
Changing the NameIDFormat which a service provider is configured to use to a value other than "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" results in incorrect behavior, as the behavior of the NameID field is not actually changed. For example (from SAML Core section 8.3):

  • "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" should cause the NameID field to be set to the user's email address
  • "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" specifies that the NameID "must not be shared with other providers" (where the current system uses one ID for all service providers)

As the NameID behavior doesn't actually change to match the NameIDFormat used, I recommend either removing the option to specify this (and only using "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified") or moving to a drop-down box, to which options are added when support is added.

Suggested Labels:
bug
Type/Bug

Affected Product Version:
WSO2 IS 5.4.0

Steps to reproduce:

  1. set up a default installation of WSO2 IS 5.4.0
  2. register a SaaS Service Provider with a SAML metadata file
  3. change NameIDFormat to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" in their SAML config
  4. set up a user with an email address
  5. initiate an SSO request
  6. see that the response contains the user's ID, not email address
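As an added example (not code from the issue, from WSO2 IS or from the project), the following shows what honouring the configured NameIDFormat looks like on the IdP side for the formats named above plus transient: emailAddress yields the user's email, persistent yields an opaque identifier that differs per Service Provider so it is never shared between providers, and any format the IdP cannot honour is rejected up front instead of silently falling back to the user ID. The user record, the SP entity IDs and the pairwise key are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# NameID format URIs from SAML Core section 8.3.
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Exactly the formats this IdP can honour; a configuration drop-down would offer these.
SUPPORTED_FORMATS = (NAMEID_UNSPECIFIED, NAMEID_EMAIL, NAMEID_PERSISTENT, NAMEID_TRANSIENT)

# Constructed user record; a real IdP loads this from its user store.
SAMPLE_USER = {"username": "alice", "email": "alice@example.test"}

# Placeholder pairwise key; a real IdP keeps this in managed key storage.
PAIRWISE_KEY = b"constructed-pairwise-key-do-not-reuse"


def is_supported_format(name_id_format):
    """True only for formats the IdP implements, so unsupported values are caught at configuration time."""
    return name_id_format in SUPPORTED_FORMATS


def persistent_name_id(username, sp_entity_id, key=PAIRWISE_KEY):
    """Opaque, stable, SP-specific identifier: HMAC over (SP entity ID, username).

    The same user receives a different value at every SP, so providers cannot
    correlate identifiers with each other, and the value reveals nothing
    about the username without the IdP's key."""
    message = sp_entity_id.encode("utf-8") + b"\x00" + username.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_name_id(user, sp_entity_id, name_id_format, key=PAIRWISE_KEY):
    """Return (value, format) to place in <saml:NameID> for the SP's configured format.

    Raises ValueError instead of falling back to the username, so a
    misconfiguration is visible rather than producing a wrong NameID."""
    if not is_supported_format(name_id_format):
        raise ValueError("unsupported NameIDFormat: " + name_id_format)
    if name_id_format == NAMEID_UNSPECIFIED:
        return user["username"], NAMEID_UNSPECIFIED
    if name_id_format == NAMEID_EMAIL:
        email = user.get("email")
        if not email:
            raise ValueError("emailAddress format requested but the user has no email address")
        return email, NAMEID_EMAIL
    if name_id_format == NAMEID_PERSISTENT:
        return persistent_name_id(user["username"], sp_entity_id, key), NAMEID_PERSISTENT
    # Transient: random, single-session, never derived from the user.
    return secrets.token_urlsafe(24), NAMEID_TRANSIENT


if __name__ == "__main__":
    for fmt in SUPPORTED_FORMATS:
        value, used = build_name_id(SAMPLE_USER, "https://sp-a.example.test", fmt)
        print(used.rsplit(":", 1)[-1], "->", value)
```

The persistent branch is the one the current behaviour gets wrong according to the report: reusing one ID for every SP is what the "must not be shared with other providers" rule forbids, and deriving the value from the SP entity ID is the simplest way to make that property hold without a lookup table.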

Backend error logs are not printed out in SAML SP config retrieval

Description:
If there is an error in SAML SP configuration retrieval, backend error logs are not printed out, so it is not possible to find out the exact cause of the issue.

                } catch (IdentityException e) {
                    throw new IdentitySAML2SSOException("Error occurred while retrieving SAML service provider for "
                            + "issuer : " + issuer + " in tenant domain : " + tenantDomain);

support for front-channel SingleLogoutService profiles

Description:
When a user has an SSO session active at an SP and logs out from WSO2, they should also be logged out of those SPs per the SAML2 Single Logout specification. I have not had reason to check SOAP profile support, but neither POST nor Redirect profiles are used.

Suggested Labels:
Complexity/High (https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues)
Feature
Type/New Feature

Affected Product Version:
WSO2 IS 5.4.0

OS, DB, other environment details and versions:
Debian stable (9), WSO2 IS 5.4.0, FireFox LTS (52)

Steps to reproduce:

  • set up a default installation of WSO2 IS 5.4.0
  • set up a Service Provider with a SAML metadata file including SingleLogoutService endpoints with a binding of either "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  • set up a user in both the SP and WSO2, with access to log in to the WSO2 dashboard
  • use a request from that service provider to log in to WSO2
  • navigate to the WSO2 dashboard
  • open dev tools to watch the request
  • logout (via the WSO2 dashboard)
  • see that no SLO request was made to the service provider
  • navigate to the service provider and see that you are still authenticated

[UI] SAML SLO response and request URLs are disabled even when single logout is enabled

Description:
When configuring a new service provider using SAML configurations in the UI, single logout is enabled by default, but the two response and request URLs are disabled for editing. The user needs to first uncheck the single logout checkbox and then check it again to edit the URLs.

Suggested Labels:
Bug

Suggested Assignees:
N/A

Affected Product Version:

WSO2IS-5.7.0

Steps to reproduce:

  1. Login to the Carbon Management Console.
  2. Create a Service Provider.
  3. Go to Inbound Authentication Configuration-> SAML2 Web SSO Configuration-> Configure
  4. Try to add SLO response and request URLs under Enable Single Logout checkbox

Related Issues:

Improve the initialization process inside synchronized blocks @SAMLSSOUtil

Description:

Currently the variables:

  • ssoSigner
  • ssoEncrypter
  • samlAssertionBuilder
  • samlHTTPRedirectSignatureValidator

in SAMLSSOUtil are initialized in a synchronized block inside each method in which they are used, as below:

try {
    synchronized (Runtime.getRuntime().getClass()) {
        ssoSigner = (SSOSigner) Class.forName(IdentityUtil.getProperty(
                SAMLSSOConstants.SAMLSSO_SIGNER_CLASS_NAME).trim()).newInstance();
        ssoSigner.init();
    }
    return ssoSigner.setSignature(request, signatureAlgorithm, digestAlgorithm, cred);

A suggested improvement to the process would be to initialize them in one place like the doBootstrap() method:

public static void doBootstrap() {
    if (!isBootStrapped) {
        try {
            DefaultBootstrap.bootstrap();
            isBootStrapped = true;
        } catch (ConfigurationException e) {
            log.error("Error in bootstrapping the OpenSAML2 library", e);
        }
    }
}

Suggested Labels:
Improvement

Suggested Assignees:
N/A

Related Issues:
N/A

Unable to execute SAML Assertion AttributeQuery for users stored in secondary user datastores.

Description:
After a successful login with SAML for a user stored in a secondary user store, I am trying to query the attributes of the user from the IdP, since there is a dynamic attribute that may change.

Although the validation of the query partially succeeds in SAMLSubjectQueryValidator.validateSubject() the user store that is loaded is the primary userstore, so UserStoreManager.isExistingUser() returns false since the user is unknown in the primary datastore of a tenant, causing the entire query to fail with Unknown subject.

Suggested Labels:

Suggested Assignees:

Affected Product Version: 5.9.0

OS, DB, other environment details and versions:
org.wso2.carbon.identity.inbound.auth.saml2 running version is 5.6.14

Steps to reproduce:

  1. Create a secondary user datastore with appropriate connections. In my example the secondary datastore is connecting to a MySQL instance.
  2. Create a Service Provider
  3. Login to the service provider using a user stored in a secondary datastore.
  4. Retrieve nameId from the assertion response and try to execute an AttributeQuery for that nameId

Related Issues:
The org.wso2.carbon.identity.query.saml bundle seems to be completely unaware of any secondary user datastores. The primary datastore is used for every operation. This applies to both tenants and super tenant.

The AttributeQuery is executed using SAMLAttributeQueryRequestClient from saml-query-profile-client from samples-is version 4.2.1.

Complete SAML response - request can be provided in case they are needed.

SAML Assertion query doc
