sp_name_qualifier is acs destination instead of entity_id? #18

Closed
lindycoder opened this issue Dec 19, 2018 · 1 comment

Comments

@lindycoder

First of all, thanks for the tool; sorry if this is a silly question.

I have my IDP settings containing:
'name_id_format': [NAMEID_FORMAT_EMAILADDRESS, NAMEID_FORMAT_UNSPECIFIED]

and my service provider metadata contains
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

my auth library (onelogin's python-saml) has this config:
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",

When I try to process the SAMLResponse, I get this error:

Traceback (most recent call last):
  File ".../test_saml.py", line 58, in test_full_saml
    auth.process_response()
  File ".../.tox/py34/lib/python3.4/site-packages/onelogin/saml2/auth.py", line 107, in process_response
    self.__nameid = response.get_nameid()
  File ".../.tox/py34/lib/python3.4/site-packages/onelogin/saml2/response.py", line 457, in get_nameid
    nameid_data = self.get_nameid_data()
  File ".../.tox/py34/lib/python3.4/site-packages/onelogin/saml2/response.py", line 443, in get_nameid_data
    OneLogin_Saml2_ValidationError.SP_NAME_QUALIFIER_NAME_MISMATCH
nose.proxy.OneLogin_Saml2_ValidationError: The SPNameQualifier value mistmatch the SP entityID value.

And I found out that it is expecting my entityID and not my ACS destination, which are not the same:
(From my sp_metadata.xml)
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="..." cacheDuration="..." entityID="https://my-sp.example.org/metadata/">
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-sp.example.org/?acs" index="1"/>

I found this code
name_id=NameID(format=resp_args['name_id_policy'].format, sp_name_qualifier=resp_args['destination'], text=user_id),
at https://github.com/OTA-Insight/djangosaml2idp/blob/master/djangosaml2idp/views.py#L149

and fixed my problem by passing
sp_name_qualifier=resp_args['sp_entity_id']

So I'm wondering if my service provider or my identity provider is not set up properly, or if your use case just happened to have the entity ID and the ACS being the same?

I may have got something wrong, any help is appreciated!

lindycoder pushed a commit to internap/djangosaml2idp that referenced this issue Dec 19, 2018
@mhindery
Contributor

I think you are correct and it should be resp_args['sp_entity_id']; it is used in the lines above as well, and destination might coincidentally have worked with our setup.

The documentation of both the create_authn_response function and the NameID class doesn't offer me a great explanation of their meaning, so I can't be 100% sure, but the change makes sense to me :)

I'll change it in an upcoming release when the currently open PR is merged. Thanks for the report!
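The following is an added example (not code from this issue, from djangosaml2idp or from python-saml) that reproduces both sides of the exchange described above with only the Python standard library. The IdP side builds a minimal saml:Assertion whose NameID carries an SPNameQualifier taken either from resp_args['destination'] (the ACS URL, the buggy choice) or from resp_args['sp_entity_id'] (the fix). The SP side re-implements, for this example only, the strict check that the traceback in the report hits: if SPNameQualifier is present it must equal the SP's own entityID. The entityID and ACS URL are the ones quoted in the issue; the IdP entityID, the user identifier and the function names (build_assertion, issue_name_id_qualifier, get_nameid_data, demo) are assumptions made for the example.

```python
"""Added example: why NameID/@SPNameQualifier must be the SP entityID, not the ACS URL."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed values modelled on the SP metadata quoted in the issue:
# the entityID and the AssertionConsumerService Location are deliberately different.
SP_ENTITY_ID = "https://my-sp.example.org/metadata/"
SP_ACS_URL = "https://my-sp.example.org/?acs"
IDP_ENTITY_ID = "https://idp.example.org/idp/metadata/"  # assumed IdP name, not from the issue


class SPNameQualifierMismatch(ValueError):
    """Raised when NameID/@SPNameQualifier does not equal the SP entityID."""


def issue_name_id_qualifier(resp_args, use_entity_id=True):
    """IdP side: pick the value that goes into SPNameQualifier.

    resp_args mirrors the dict the issue quotes: 'destination' is the ACS URL the
    response is posted to, 'sp_entity_id' is the SP entityID. use_entity_id=False
    reproduces the behaviour the reporter hit; True is the proposed fix.
    """
    return resp_args["sp_entity_id" if use_entity_id else "destination"]


def build_assertion(user_id, sp_name_qualifier, name_id_format=NAMEID_FORMAT_UNSPECIFIED):
    """IdP side: serialise a minimal <saml:Assertion> carrying one <saml:NameID>.

    Only Subject/NameID matters for the check below; Issuer is kept so the document
    looks like a real assertion. Signature and Conditions are left out on purpose.
    """
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion", Version="2.0")
    ET.SubElement(assertion, f"{{{SAML_NS}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(
        subject,
        f"{{{SAML_NS}}}NameID",
        Format=name_id_format,
        SPNameQualifier=sp_name_qualifier,
    )
    name_id.text = user_id
    return ET.tostring(assertion, encoding="unicode")


def get_nameid_data(assertion_xml, sp_entity_id, strict=True):
    """SP side: extract NameID and validate SPNameQualifier against our entityID.

    Re-implementation of the check behind the traceback in the issue, written for
    this example; it is not python-saml's code. With strict=True, a NameID whose
    SPNameQualifier is present but differs from sp_entity_id is rejected.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", {"saml": SAML_NS})
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("NameID not found or empty in the assertion")
    data = {"Value": name_id.text.strip()}
    for attr in ("Format", "SPNameQualifier", "NameQualifier"):
        if attr in name_id.attrib:
            data[attr] = name_id.attrib[attr]
    if strict and "SPNameQualifier" in data and data["SPNameQualifier"] != sp_entity_id:
        raise SPNameQualifierMismatch(
            f"The SPNameQualifier value {data['SPNameQualifier']!r} "
            f"mismatches the SP entityID {sp_entity_id!r}"
        )
    return data


def demo():
    """Run the buggy and the fixed IdP choice against the same SP; return what the SP saw."""
    resp_args = {"destination": SP_ACS_URL, "sp_entity_id": SP_ENTITY_ID}
    results = {}
    for key, use_entity_id in (("destination", False), ("sp_entity_id", True)):
        qualifier = issue_name_id_qualifier(resp_args, use_entity_id)
        xml = build_assertion("alice@example.org", qualifier)  # constructed user id
        try:
            results[key] = get_nameid_data(xml, SP_ENTITY_ID)["SPNameQualifier"]
        except SPNameQualifierMismatch as exc:
            results[key] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"sp_name_qualifier=resp_args[{key!r}] -> {outcome}")
```

Running it shows the assertion built from resp_args['destination'] being rejected with the same kind of mismatch error the reporter saw, while the one built from resp_args['sp_entity_id'] is accepted. The check is only triggered when SPNameQualifier is present at all, which is why an IdP that omits the attribute, or a deployment where entityID and ACS URL happen to be identical, never notices the bug.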
