  1. Identity Gateway
  2. OPENIG-5405

Provide access to the originalUri value when processing SAML2 requests


    Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 6.5.3, 7.0.0, 7.0.1
    • 7.1.0
    • SAML

      Description

      When routes use the SamlFederationHandler and also apply a baseURI decorator to the whole route, requests are rebased before they are handled by the SamlFederationHandler, which can lead to a couple of different processing errors:

      - Invalid Assertion Consumer Location specified

      - Invalid Relay State URL specified

      This is due to how the request URI is used when comparing against the SP (IG) metadata, which is most often based on the request hitting IG.

      Making the original URI value available as an alternative to the request URI would help resolve this issue and also fits in well with use cases where a load balancer is in front of IG.

      A workaround to this problem is to move the baseURI decorator to the section of the route that is just dealing with making the downstream request once validation has been completed, to avoid it having an impact on the SamlFederationHandler.
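
      The workaround described above as a route sketch, added here as an illustration and not taken from the issue or from the IG documentation: the `baseURI` decorator is declared on the downstream `ClientHandler` only, so the `SamlFederationHandler` binding still sees the URI the request arrived on. The route name, host name, paths, conditions, and the `assertionMapping` and `redirectURI` values are assumed placeholders; the failing layout is the same route with `"baseURI"` declared at the top level of the route instead.

```json
{
  "name": "saml-baseuri-workaround-example",
  "condition": "${find(request.uri.path, '^/(saml|app)')}",
  "handler": {
    "type": "DispatchHandler",
    "config": {
      "bindings": [
        {
          "condition": "${find(request.uri.path, '^/saml')}",
          "handler": {
            "type": "SamlFederationHandler",
            "config": {
              "assertionMapping": {
                "username": "cn"
              },
              "redirectURI": "/app"
            }
          }
        },
        {
          "handler": {
            "type": "ClientHandler",
            "baseURI": "http://app.internal.example:8081",
            "config": {}
          }
        }
      ]
    }
  }
}
```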

       


              People

              markdr Mark de Reeper