OpenAM / OPENAM-10877

SSO service URL for HTTP Redirect binding accepts POST requests

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: SAML
    • Environment:
      OS Version: Ubuntu 14.04 LTS
      Container Version: Tomcat 8.5.11
      JVM Version: 1.8.0_121

      Description

      Problem

      The following is an excerpt from the SAML2 standard about message exchange using the HTTP Redirect binding:

      3.4.4 Message Encoding
      Messages are encoded for use with this binding using a URL encoding technique, and transmitted using the HTTP GET method.

      Nevertheless, OpenAM accepts POST requests on the service URL published for the HTTP Redirect binding. The request binding is then deduced from the HTTP method used, not from the endpoint the request arrived on (e.g. idpSSOFederate.jsp:81-83), and the request is handled as an HTTP POST binding request.

      This causes follow-on failures. For instance, destination verification fails, because the expected destination URL is looked up by request binding (see UtilProxySAMLAuthenticator.java:194-200, String ssoURL): a POST sent to the Redirect service URL is therefore checked against the POST service URL.

      Proposed solution

      Reject requests to the SSO service URL for the HTTP Redirect binding that use any method other than GET with error 405 Method Not Allowed.
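      The following stand-alone Java class is an added illustration, not OpenAM code and not the reporter's: it models the proposed check (binding fixed by the endpoint, HTTP method validated against it before the message is parsed) next to the current method-derived dispatch, so the difference in outcome for a POST to the Redirect service URL is visible. The service URLs, the 400 status used for the destination failure, and the class and method names are constructed for the example; the binding identifiers and the mandated methods come from the SAML2 bindings specification.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/*
 * Added example, not OpenAM code. handleFixed() models the proposed behaviour:
 * the binding is fixed by the endpoint the request arrived on and the HTTP
 * method is checked against it up front, answering 405 with an Allow header.
 * handleCurrent() models the present behaviour (binding deduced from the HTTP
 * method) to show why destination verification fails instead.
 */
public class SsoBindingMethodCheck {

    // Binding identifiers from the SAML2 bindings specification.
    static final String HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    static final String HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    // HTTP method mandated by each binding (Redirect: GET, section 3.4.4; POST: POST).
    private static final Map<String, List<String>> ALLOWED_METHODS;
    static {
        Map<String, List<String>> m = new LinkedHashMap<>();
        m.put(HTTP_REDIRECT, Collections.singletonList("GET"));
        m.put(HTTP_POST, Collections.singletonList("POST"));
        ALLOWED_METHODS = Collections.unmodifiableMap(m);
    }

    /** Result of handling a request: HTTP status plus a short reason. */
    static final class Outcome {
        final int status;
        final String reason;
        Outcome(int status, String reason) { this.status = status; this.reason = reason; }
        @Override public String toString() { return status + " " + reason; }
    }

    /**
     * Proposed behaviour. endpointBinding is the binding the service URL was
     * published for in the IdP metadata; httpMethod is the request method.
     */
    static Outcome handleFixed(Map<String, String> ssoServices, String endpointBinding,
                               String httpMethod, String destination) {
        List<String> allowed = ALLOWED_METHODS.get(endpointBinding);
        if (allowed == null) {
            return new Outcome(404, "no SSO service published for binding " + endpointBinding);
        }
        if (!allowed.contains(httpMethod)) {
            // Refuse before touching the SAML message; Allow lists the permitted method(s).
            return new Outcome(405, "Method Not Allowed; Allow: " + String.join(", ", allowed));
        }
        return verifyDestination(ssoServices, endpointBinding, destination);
    }

    /** Current behaviour: binding deduced from the HTTP method alone (as in idpSSOFederate.jsp:81-83). */
    static Outcome handleCurrent(Map<String, String> ssoServices, String httpMethod, String destination) {
        String reqBinding = HTTP_REDIRECT;
        if ("POST".equals(httpMethod)) {
            reqBinding = HTTP_POST;
        }
        return verifyDestination(ssoServices, reqBinding, destination);
    }

    /** Mirrors the destination check: the expected URL is the SSO service URL published for the binding. */
    static Outcome verifyDestination(Map<String, String> ssoServices, String binding, String destination) {
        String ssoURL = ssoServices.get(binding);
        if (ssoURL == null || !ssoURL.equals(destination)) {
            // 400 is this example's choice; OpenAM raises a ClientFaultException("invalidDestination") here.
            return new Outcome(400, "invalidDestination (expected " + ssoURL + ", got " + destination + ")");
        }
        return new Outcome(200, "binding " + binding + ", destination verified");
    }

    public static void main(String[] args) {
        // Constructed IdP metadata: one SSO service URL per binding (placeholder hostname and paths).
        Map<String, String> ssoServices = new LinkedHashMap<>();
        ssoServices.put(HTTP_REDIRECT, "https://idp.example.test/sso/redirect");
        ssoServices.put(HTTP_POST, "https://idp.example.test/sso/post");

        // A POST sent to the Redirect endpoint, with Destination set to that endpoint.
        String redirectUrl = ssoServices.get(HTTP_REDIRECT);

        // Current behaviour: binding becomes HTTP-POST, ssoURL is the POST URL, and the check fails late.
        System.out.println("current: " + handleCurrent(ssoServices, "POST", redirectUrl));

        // Proposed behaviour: the method does not match the endpoint's binding, so the request is refused up front.
        System.out.println("fixed:   " + handleFixed(ssoServices, HTTP_REDIRECT, "POST", redirectUrl));

        // A well-formed GET to the Redirect endpoint is unaffected by the fix.
        System.out.println("fixed:   " + handleFixed(ssoServices, HTTP_REDIRECT, "GET", redirectUrl));
    }
}
```

      Compile and run with javac/java; the first line shows the current outcome (invalidDestination, reported only after the message has been parsed), the second the proposed 405 with Allow: GET, and the third a GET passing unchanged. In a servlet deployment the same decision would be made from the request method and the endpoint's published binding, before the SAMLRequest parameter is read.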


      References

      // idpSSOFederate.jsp:81-83
      // The binding is chosen from the HTTP method alone; the endpoint the request
      // arrived on is not consulted, so a POST to the Redirect URL becomes HTTP_POST.
      String reqBinding = SAML2Constants.HTTP_REDIRECT;
      if (request.getMethod().equals("POST")) {
          reqBinding = SAML2Constants.HTTP_POST;
      }
      
      // UtilProxySAMLAuthenticator.java:194-200
      // verify Destination
      // ssoURL is looked up by the binding deduced above, so for a POST to the
      // Redirect URL it is the POST service URL and a Destination equal to the
      // Redirect URL does not match.
      List ssoServiceList = idpSSODescriptor.getSingleSignOnService();
      String ssoURL = SPSSOFederate.getSSOURL(ssoServiceList, binding);
      if (!SAML2Utils.verifyDestination(data.getAuthnRequest().getDestination(), ssoURL)) {
          SAML2Utils.debug.error(classMethod + "authn request destination verification failed.");
          throw new ClientFaultException(data.getIdpAdapter(), "invalidDestination");
      }
      

      People

      • Assignee: Jonathan Scudder
      • Reporter: Henrik Bjørlo (Inactive)
      • Votes: 0
      • Watchers: 1