SAMLv2 IdP initiated Identity Provider doesn't accept Okta issuer #1203

Closed
mooreds opened this issue May 7, 2021 · 2 comments
Labels: architecture (Feedback on designed behavior), bug (Something isn't working)
Milestone: 1.27.1
Comments

mooreds (Collaborator) commented May 7, 2021


Description

You can't set up a SAMLv2 IdP Initiated Identity Provider correctly because the issuer Okta Workforce provides isn't a URL.

Affects versions

1.27

Steps to reproduce

  • Create a SAMLv2 app in Okta Workforce.
  • Follow the setup instructions for sign on (from the SSO page), which read:

      Configuring SAML 2.0 in your service provider

      Log in to your service provider as a user with Administrative rights.

      Find the single sign on configuration section for your service provider, and enter the following information:

        The Identity Provider Issuer is `IDkpalq1y2TYaG0oq5d6`. This might also be referred to as the Identity Provider Entity Id.

        The Identity Provider HTTP POST URL is https://example.okta.com/app/generic-saml/IDkpalq1y2TYaG0oq5d6/saml2. Okta currently supports the HTTP POST binding for SAML authentication.

        You can download the Identity Provider Certificate by CLICKING HERE. You will need to import this into your service provider through their configuration UI.

  • Other setup: the ACS URL is https://local.fusionauth.io/samlv2/acs/<idp initiated SAML v2 identity provider id>/<application id> and the service provider entity id is /samlv2/sp/<idp initiated SAML v2 identity provider id>. Set Application username format to email.
  • Import the Okta certificate into Key Master (as a cert).
  • Make sure you have a valid license.
  • Set up an IdP Initiated SAMLv2 Identity Provider: the verification key is the public cert; use NameId for email. The issuer, however, must be a URL. I used the POST URL.
  • Make sure you turn on debugging.
  • Set up CORS to allow POSTs from https://example.okta.com and https://example.okta.com/.
  • Visit the 'embed link' URL found on the 'general' tab in Okta.

If you look in the event logs, you'll see this message:

5/7/2021 01:46:10 AM GMT Assert the SAMLResponse with ID of [id1295232112418597119050170] has not already been processed.
5/7/2021 01:46:10 AM GMT Assert the [Audience] is eligible for confirmation if [NotBefore] is defined.
5/7/2021 01:46:10 AM GMT The [Audience] did define a [NotBefore] constraint and it is now available for assertion.
5/7/2021 01:46:10 AM GMT Assert the [Audience] is eligible for confirmation if [NotOnOrAfter] is defined.
5/7/2021 01:46:10 AM GMT The [Audience] did define a [NotOnOrAfter] constraint and it is still available for assertion.
5/7/2021 01:46:10 AM GMT Assert the [Audience] of the SAML response is equal to the expected value ending in [/samlv2/sp/REDACTED].
5/7/2021 01:46:10 AM GMT Assert the [Issuer] attribute is equal to the expected [https://example.okta.com/app/generic-saml/IDkpalq1y2TYaG0oq5d6/saml2].
5/7/2021 01:46:10 AM GMT Unable to verify the [Issuer]. Expected to find [https://example.okta.com/app/generic-saml/IDkpalq1y2TYaG0oq5d6/saml2] but found [IDkpalq1y2TYaG0oq5d6].

Expected behavior

The issuer is allowed to be set to the non URL value.

Additional context

Here's the full SAML response from the debug logs (somewhat redacted):

<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="id12942788385879621213696016" IssueInstant="2021-05-06T22:37:47.609Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDkpalq1y2TYaG0oq5d6</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#id12942788385879621213696016">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>ltESsUYUf63dDJyZx1/zhf4WmfQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ALYSJNosk/DW6Yj0UqbKFTxKXBc44JCOPRzP6STJQ68SEhETL7UdLd2uy3VZsuss8eBAnKiEbwtmpB0UhOYMWw5Ra935qt9yF0IwYlrU3tJOw7IX4Ly/DdCvjvfvbuX5EcOomyhshne3n2KCLtEv8SHOB1HrPRhAiz+6S8vQPSaRxYVTF3H6z8YG9xDsQJmb7pJ/Jg0GEGZWpSV2McGdJXFSOirg2Z2CJzAbwcLlcp3ORDnVyffLPegE/NNFKwokaAPX6O0TSsjnAKLN/K5ty6yNq4SeXSmxgX0RkRUfbdhlJIColJaSgQPYs3i4KuEsx7SdSIOl7VJHadZUh32T7g==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDnjCCAoagAwIBAgIGAXlDaMIwMA0GCSqGSIb3DQEBCwUAMIGPMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id12942788386595531987960857" IssueInstant="2021-05-06T22:37:47.609Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">exkpalq1y2TYaG0oq5d6</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">validemail@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2021-05-06T22:42:47.609Z" Recipient="https://local.fusionauth.io/samlv2/acs/REDACTED/REDACTED"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2021-05-06T22:32:47.609Z" NotOnOrAfter="2021-05-06T22:42:47.609Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>/samlv2/sp/REDACTED</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2021-05-06T20:42:09.812Z" SessionIndex="id1620340667608.58393330">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
@mooreds mooreds added architecture Feedback on designed behavior bug Something isn't working labels May 7, 2021
@robotdan robotdan added this to the 1.27.1 milestone May 7, 2021
robotdan added a commit to FusionAuth/fusionauth-java-client that referenced this issue May 7, 2021
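The failing check in the debug log above is a string comparison between the configured issuer and the `<saml2:Issuer>` in the response; the bug is only that the configuration UI refused to store anything that was not a URL. The following is an added example, not FusionAuth's code, that reproduces the checks the log performs (issuer, audience, NotBefore/NotOnOrAfter) against a constructed response modelled on the one in the issue, with the issuer treated as an opaque string. Signature verification is out of scope here. The `SpConfig` class, the function names and the clock-skew parameter are assumptions of the example; checking both the response-level and assertion-level `Issuer` elements against the configured value is also a design choice of this example, not something the page states FusionAuth does.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample modelled on the response in the issue: signature and
# certificate omitted, same bare Okta entity id in both Issuer elements.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="id1" IssueInstant="2021-05-06T22:37:47.609Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDkpalq1y2TYaG0oq5d6</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id2" IssueInstant="2021-05-06T22:37:47.609Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDkpalq1y2TYaG0oq5d6</saml2:Issuer>
    <saml2:Conditions NotBefore="2021-05-06T22:32:47.609Z" NotOnOrAfter="2021-05-06T22:42:47.609Z">
      <saml2:AudienceRestriction><saml2:Audience>/samlv2/sp/REDACTED</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>
"""


@dataclass
class SpConfig:
    issuer: str            # whatever the IdP puts in <saml2:Issuer>; any string
    audience: str          # this service provider's entity id
    clock_skew_seconds: int = 0


def is_url(value: str) -> bool:
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def issuer_check_url_only(configured: str, received: str) -> list[str]:
    """Models the behaviour reported in the issue: a configured issuer that is
    not a URL is rejected outright, so the operator must store the POST URL
    instead and the IdP's real issuer can never match."""
    if not is_url(configured):
        return [f"configured issuer [{configured}] is not a URL"]
    if configured != received:
        return [f"Unable to verify the [Issuer]. Expected to find [{configured}] but found [{received}]."]
    return []


def _parse_instant(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, cfg: SpConfig, now: datetime) -> list[str]:
    """Return a list of problems; an empty list means the response passed the
    issuer, audience and validity-window checks. The issuer is compared as an
    exact string, so a bare entity id such as Okta's is accepted."""
    root = ET.fromstring(xml_text)
    problems: list[str] = []
    if root.tag != f"{{{NS['saml2p']}}}Response":
        return [f"unexpected root element [{root.tag}]"]

    issuers = [(e.text or "").strip() for e in root.iter(f"{{{NS['saml2']}}}Issuer")]
    if not issuers:
        problems.append("no [Issuer] element in the response")
    for issuer in issuers:
        if issuer != cfg.issuer:
            problems.append(
                f"Unable to verify the [Issuer]. Expected to find [{cfg.issuer}] but found [{issuer}].")

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        problems.append("no [Assertion] element in the response")
        return problems
    conditions = assertion.find("saml2:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no [Conditions]")
        return problems

    skew = timedelta(seconds=cfg.clock_skew_seconds)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_instant(not_before) - skew:
        problems.append(f"assertion not yet valid: [NotBefore] is {not_before}")
    # NotOnOrAfter is exclusive: the instant itself is already invalid.
    if not_on_or_after and now >= _parse_instant(not_on_or_after) + skew:
        problems.append(f"assertion expired: [NotOnOrAfter] is {not_on_or_after}")

    audiences = [(a.text or "").strip()
                 for a in conditions.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]
    if cfg.audience not in audiences:
        problems.append(f"[Audience] {audiences} does not contain expected [{cfg.audience}]")
    return problems


if __name__ == "__main__":
    now = datetime(2021, 5, 6, 22, 37, 47, tzinfo=timezone.utc)
    good = SpConfig(issuer="IDkpalq1y2TYaG0oq5d6", audience="/samlv2/sp/REDACTED")
    print("entity id as issuer:", validate_response(SAMPLE_RESPONSE, good, now))
    # What the reporter had to configure because the field demanded a URL:
    post_url = SpConfig(issuer="https://example.okta.com/app/generic-saml/IDkpalq1y2TYaG0oq5d6/saml2",
                        audience="/samlv2/sp/REDACTED")
    print("POST URL as issuer:", validate_response(SAMPLE_RESPONSE, post_url, now))
```

Run as a script it shows the two outcomes from the issue: with the bare entity id configured, all checks pass; with the POST URL configured, the issuer comparison fails exactly as in the event log. Because `validate_response` collects every failure instead of stopping at the first, a misconfigured deployment reports issuer, audience and time-window problems together, which is what you want when reading an IdP's debug log.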
robotdan (Member) commented May 7, 2021

Fixed, tested with Okta and Google.

robotdan added a commit to FusionAuth/fusionauth-client-builder that referenced this issue May 7, 2021
robotdan (Member) commented May 7, 2021

Closing; it looks like the doc for this new IdP is not out yet (as far as I could tell), so we'll just want to document that this field is a String and not a URL.
