
sp_name_qualifier is acs destination instead of entity_id? #18

Closed
lindycoder opened this issue Dec 19, 2018 · 1 comment

Comments

@lindycoder

First of all, thanks for the tool; sorry if this is a silly question.

I have my IDP settings containing:
'name_id_format': [NAMEID_FORMAT_EMAILADDRESS, NAMEID_FORMAT_UNSPECIFIED]

and my service provider metadata contains
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

My auth library (onelogin's python-saml) has this config:
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",

When I try to process the SAMLResponse, I got this error:

Traceback (most recent call last):
  File ".../test_saml.py", line 58, in test_full_saml
    auth.process_response()
  File ".../.tox/py34/lib/python3.4/site-packages/onelogin/saml2/auth.py", line 107, in process_response
    self.__nameid = response.get_nameid()
  File ".../.tox/py34/lib/python3.4/site-packages/onelogin/saml2/response.py", line 457, in get_nameid
    nameid_data = self.get_nameid_data()
  File ".../.tox/py34/lib/python3.4/site-packages/onelogin/saml2/response.py", line 443, in get_nameid_data
    OneLogin_Saml2_ValidationError.SP_NAME_QUALIFIER_NAME_MISMATCH
nose.proxy.OneLogin_Saml2_ValidationError: The SPNameQualifier value mistmatch the SP entityID value.

And I found out that it is expecting my entityID and not my ACS destination, which are not the same:
(From my sp_metadata.xml)
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="..." cacheDuration="..." entityID="https://my-sp.example.org/metadata/">
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-sp.example.org/?acs" index="1"/>

I found this code
name_id=NameID(format=resp_args['name_id_policy'].format, sp_name_qualifier=resp_args['destination'], text=user_id),
at https://github.com/OTA-Insight/djangosaml2idp/blob/master/djangosaml2idp/views.py#L149

and fixed my problem by passing
sp_name_qualifier=resp_args['sp_entity_id']

So I'm wondering if my service provider or my identity is not set up properly, or whether your use case just happened to have the entity ID and the ACS being the same?

I may have got something wrong, any help is appreciated!

lindycoder pushed a commit to internap/djangosaml2idp that referenced this issue Dec 19, 2018
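The mismatch described above, as an added example that is not part of this thread nor of djangosaml2idp or python-saml: a minimal IdP-side NameID builder beside an SP-side SPNameQualifier check, showing why putting the ACS destination in SPNameQualifier is rejected while the SP entityID passes. The URLs and the user id are constructed sample values, and the check mirrors the rule python-saml enforces rather than calling its API.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP values mirroring the issue: entityID and ACS location differ.
SP_ENTITY_ID = "https://my-sp.example.org/metadata/"
ACS_DESTINATION = "https://my-sp.example.org/?acs"


def build_response(user_id, sp_name_qualifier):
    """Minimal unsigned samlp:Response as an IdP would emit it (added example,
    not djangosaml2idp code). sp_name_qualifier is whatever the IdP chose."""
    resp = ET.Element(f"{{{NS['samlp']}}}Response", Destination=ACS_DESTINATION)
    assertion = ET.SubElement(resp, f"{{{NS['saml']}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{NS['saml']}}}Subject")
    name_id = ET.SubElement(
        subject, f"{{{NS['saml']}}}NameID",
        Format=NAMEID_FORMAT_UNSPECIFIED, SPNameQualifier=sp_name_qualifier,
    )
    name_id.text = user_id
    return ET.tostring(resp)


def check_sp_name_qualifier(response_xml, sp_entity_id):
    """SP-side check in the spirit of python-saml's get_nameid_data(): when the
    NameID carries an SPNameQualifier it must equal the SP's own entityID.
    Returns the NameID value or raises ValueError on mismatch."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no NameID in Assertion")
    qualifier = name_id.get("SPNameQualifier")
    if qualifier is not None and qualifier != sp_entity_id:
        raise ValueError(f"SPNameQualifier {qualifier!r} != entityID {sp_entity_id!r}")
    return name_id.text


def nameid_accepted(sp_name_qualifier):
    """True if an SP with SP_ENTITY_ID accepts a response built with this qualifier."""
    try:
        check_sp_name_qualifier(build_response("alice@example.org", sp_name_qualifier),
                                SP_ENTITY_ID)
        return True
    except ValueError:
        return False
```

`nameid_accepted(ACS_DESTINATION)` reproduces the rejection from the traceback above, while `nameid_accepted(SP_ENTITY_ID)` is what the `sp_entity_id` fix yields.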
@mhindery
Contributor

I think you are correct and it should be resp_args['sp_entity_id']; it is used in the lines above as well, and destination might, coincidentally with our setup, just have worked.

The documentation of both the create_authn_response function or the NameID class don't offer a great explanation or understanding about their meaning to me, so I can't be 100% sure, but the change makes sense to me :)

I'll change it in an upcoming release when the currently open PR is merged. Thanks for the report!
