
SSO service URL for HTTP Redirect binding accepts POST requests


    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: SAML
    • Labels:
    • Environment:
      OS Version: Ubuntu 14.04 LTS
      Container Version: Tomcat 8.5.11
      JVM Version: 1.8.0_121



      The following is an excerpt from the SAML2 standard about message exchange using the HTTP Redirect binding:

      3.4.4 Message Encoding
      Messages are encoded for use with this binding using a URL encoding technique, and transmitted using the HTTP GET method.

      Still, OpenAM accepts POST requests on the service URL for the HTTP Redirect binding. The request binding is then deduced from the HTTP method used (e.g. idpSSOFederate.jsp:81-83), and the request is handled accordingly.

      This leads to subsequent problems. For instance, destination verification fails, because the expected destination URL is derived from the deduced request binding rather than from the endpoint the request actually arrived at (see UtilProxySAMLAuthenticator.java:194-200, String ssoURL).

      Proposed solution

      Reject requests to the SSO service URL for the HTTP Redirect binding that use any method other than GET, responding with 405 Method Not Allowed.


      // idpSSOFederate.jsp:81-83
      // The binding is inferred from the HTTP method, not from the endpoint hit.
      String reqBinding = SAML2Constants.HTTP_REDIRECT;
      if (request.getMethod().equals("POST")) {
          reqBinding = SAML2Constants.HTTP_POST;
      }

      // UtilProxySAMLAuthenticator.java:194-200
      // verify Destination: ssoURL is looked up by the (inferred) binding, so a POST to the
      // Redirect endpoint is checked against the HTTP-POST Location and fails.
      List ssoServiceList = idpSSODescriptor.getSingleSignOnService();
      String ssoURL = SPSSOFederate.getSSOURL(ssoServiceList, binding);
      if (!SAML2Utils.verifyDestination(data.getAuthnRequest().getDestination(), ssoURL)) {
          SAML2Utils.debug.error(classMethod + "authn request destination verification failed.");
          throw new ClientFaultException(data.getIdpAdapter(), "invalidDestination");
      }
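The following is an added example of the proposed solution, written for this issue and not code from OpenAM itself. It fixes the binding by the endpoint the request arrived at (taken from the IdP's SingleSignOnService entries) and answers 405 Method Not Allowed when the HTTP method does not match that binding, so the later Destination check is always made against the Location that was actually hit. The class name SsoBindingMethodGuard, the Location-to-Binding map passed to its constructor and the enforce() entry point are assumptions for illustration; the binding URIs are the SAML 2.0 values that OpenAM exposes as SAML2Constants.HTTP_REDIRECT and SAML2Constants.HTTP_POST.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Illustrative guard (not OpenAM code): binding comes from the endpoint, never from the method. */
public final class SsoBindingMethodGuard {

    // Binding URIs from SAML 2.0 Bindings; same values as SAML2Constants.HTTP_REDIRECT / HTTP_POST.
    public static final String HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    public static final String HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    // Location -> Binding of the IdP's SingleSignOnService entries. Constructed here for the
    // example; in OpenAM these would be read from the IDPSSODescriptor metadata.
    private final Map<String, String> ssoEndpoints;

    public SsoBindingMethodGuard(Map<String, String> ssoEndpoints) {
        this.ssoEndpoints = ssoEndpoints;
    }

    /** The only HTTP method the SAML 2.0 Bindings spec allows for a given SSO binding. */
    public static String allowedMethod(String binding) {
        if (HTTP_REDIRECT.equals(binding)) return "GET";   // Bindings 3.4.4: URL-encoded, HTTP GET
        if (HTTP_POST.equals(binding)) return "POST";      // Bindings 3.5: form-encoded, HTTP POST
        return null;                                       // binding not served by this guard
    }

    /**
     * Binding to process the request under, or null if it must be refused.
     * Unlike idpSSOFederate.jsp, the method is checked against the endpoint's
     * binding instead of being used to guess the binding.
     */
    public String resolveBinding(String requestUrl, String method) {
        String binding = ssoEndpoints.get(requestUrl);
        if (binding == null) return null;                  // not an SSO endpoint we know
        String allowed = allowedMethod(binding);
        if (allowed == null || !allowed.equals(method)) return null;
        return binding;
    }

    /**
     * Servlet-side use: returns the binding to continue with, or sends 404 (unknown
     * endpoint) / 405 with an Allow header (wrong method) and returns null.
     */
    public String enforce(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String url = req.getRequestURL().toString();
        String endpointBinding = ssoEndpoints.get(url);
        if (endpointBinding == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }
        String binding = resolveBinding(url, req.getMethod());
        if (binding == null) {
            resp.setHeader("Allow", allowedMethod(endpointBinding)); // RFC 7231 requires Allow on 405
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return null;
        }
        // Safe to hand to SPSSOFederate.getSSOURL(ssoServiceList, binding): the binding and the
        // Location the request hit now agree, so Destination verification compares like with like.
        return binding;
    }

    /** Stand-alone demonstration with constructed endpoint data. */
    public static void main(String[] args) {
        Map<String, String> endpoints = new HashMap<>();
        endpoints.put("https://idp.example.test/openam/SSORedirect/metaAlias/idp", HTTP_REDIRECT);
        endpoints.put("https://idp.example.test/openam/SSOPOST/metaAlias/idp", HTTP_POST);
        SsoBindingMethodGuard guard = new SsoBindingMethodGuard(endpoints);

        String redirectUrl = "https://idp.example.test/openam/SSORedirect/metaAlias/idp";
        System.out.println("GET  on Redirect endpoint -> " + guard.resolveBinding(redirectUrl, "GET"));
        System.out.println("POST on Redirect endpoint -> " + guard.resolveBinding(redirectUrl, "POST"));
    }
}
```

Running main prints the HTTP-Redirect binding URI for the GET case and null for the POST case; in a servlet, enforce() turns that null into a 405 with Allow: GET before any AuthnRequest decoding or Destination comparison takes place.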




            • Assignee:
              jonathan Jonathan Scudder
              hbjorlo Henrik Bjørlo [X] (Inactive)