Implement message correlation in SAML2 encoder/decoder
Description
Activity
Scott Cantor, February 25, 2020 at 2:35 AM
Implementation now defaults off, but honors checkCorrelation and blockUnsolicited properties. The former does what was proposed earlier, and the latter implies the former but also adds rejection of an empty InResponseTo.
Scott Cantor, February 11, 2020 at 6:02 PM
Working code checked in, checks are off by default.
Tentative plan is to require manual adjustment of SecurityPolicy rules to turn it on.
Scott Cantor, February 10, 2020 at 11:16 PM
Prototyped a cookie-backed solution that's implemented within the MessageEncoder/Decoder layers, so will work (in theory) generically but slots into the SP properly.
Scott Cantor, February 6, 2020 at 10:37 PM
Provisionally my thinking is to define the option that enables correlation checking as:
If a correlation (that is, Request) ID is provided, then the message (and eventually the Bearer rule) would have to carry a matching InResponseTo.
If a correlation ID is NOT provided, then the Response would have to be unsolicited and NOT carry an InResponseTo.
To avoid compatibility problems, it's likely the default for correlation checking on the MessageFlow rule will be false, but the SP generally creates the Bearer rule to apply itself, so I can disable correlation checks there to maintain compatibility.
Scott Cantor, February 6, 2020 at 5:09 PM
I'm revisiting this as part of broader possible enhancements to actually implement optional correlation, so will make a final assessment at that point.
Hi Everybody,
I'm facing a really weird behavior inside a specific Shibboleth security policy: the Bearer policy control.
According to the documentation, it is supposed to perform 4 different checks during the validation of a SAML Response. Among those, the one that is the object of this issue is the checkCorrelation control.
It doesn't work. It is supposed to work by default and is enabled by default, but I can't make it work.
It basically compares the SAML Response attribute InResponseTo, inside the <samlp response> tag, with the parameter of the same name but contained inside the <saml:SubjectConfirmationData> element.
If I put a fake value in the InResponseTo attribute of the <saml:SubjectConfirmationData> tag, checkCorrelation is always true and the SAML Response is not rejected as expected.
Could you please help me?
Thank you
Tommaso
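As an added example, not code from this issue or from the Shibboleth project, the following Python models the two behaviours discussed on this page: the checkCorrelation and blockUnsolicited semantics Scott describes in the comments above (a remembered request ID must be matched by InResponseTo; with no request ID the Response must be unsolicited; blockUnsolicited additionally rejects a missing InResponseTo), and the Bearer rule comparison from the description (the InResponseTo on the bearer SubjectConfirmationData must also match). The SAML namespace URIs are the standard ones; the sample Response, the request ID and the function names are constructed for illustration.

```python
"""Added example (not Shibboleth code): SAML2 InResponseTo correlation checks.

checkCorrelation  - Response@InResponseTo and every bearer
                    SubjectConfirmationData@InResponseTo must equal the
                    AuthnRequest ID the SP remembered; with no remembered ID,
                    the Response must be unsolicited (no InResponseTo at all).
blockUnsolicited  - implies checkCorrelation and also rejects any Response
                    that carries no InResponseTo.
"""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def extract_in_response_to(xml_text):
    """Return (Response@InResponseTo, [bearer SubjectConfirmationData@InResponseTo, ...])."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    response_irt = root.get("InResponseTo")
    bearer_irts = []
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # only bearer confirmations are subject to the Bearer rule
        scd = sc.find("saml:SubjectConfirmationData", NS)
        bearer_irts.append(scd.get("InResponseTo") if scd is not None else None)
    return response_irt, bearer_irts


def check_correlation(xml_text, expected_request_id, *, check_correlation=True,
                      block_unsolicited=False):
    """Return None if the Response is accepted, else a string saying why it is rejected.

    expected_request_id is the AuthnRequest ID the SP stored (e.g. in a cookie)
    when it issued the request, or None if no request is outstanding.
    """
    response_irt, bearer_irts = extract_in_response_to(xml_text)
    if block_unsolicited:
        check_correlation = True  # blockUnsolicited implies checkCorrelation
        if not response_irt:
            return "unsolicited Response blocked: InResponseTo missing"
    if not check_correlation:
        return None  # checks disabled (the page's default)
    if expected_request_id is None:
        # No request outstanding: the Response must be genuinely unsolicited.
        if response_irt:
            return "unexpected InResponseTo on unsolicited Response"
        if any(bearer_irts):
            return "unexpected InResponseTo in bearer SubjectConfirmationData"
        return None
    if response_irt != expected_request_id:
        return "Response InResponseTo %r does not match request %r" % (
            response_irt, expected_request_id)
    for irt in bearer_irts:
        # Assumption: a solicited Response's bearer confirmation must carry the ID too.
        if irt != expected_request_id:
            return "bearer InResponseTo %r does not match request %r" % (
                irt, expected_request_id)
    return None


def sample_response(response_irt, bearer_irt):
    """Construct a minimal SAML Response (test fixture, not a real IdP message)."""
    def attr(name, value):
        return ' %s="%s"' % (name, value) if value is not None else ""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0" '
        'IssueInstant="2020-02-06T00:00:00Z"%s>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-02-06T00:00:00Z">'
        '<saml:Subject><saml:NameID>user@example.org</saml:NameID>'
        '<saml:SubjectConfirmation Method="%s">'
        '<saml:SubjectConfirmationData Recipient="https://sp.example.org/SAML2/POST"%s/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], attr("InResponseTo", response_irt),
         BEARER, attr("InResponseTo", bearer_irt))


if __name__ == "__main__":
    req = "_req123"  # constructed AuthnRequest ID the SP remembered
    print(check_correlation(sample_response(req, req), req))      # None: accepted
    print(check_correlation(sample_response(req, "_fake"), req))  # bearer mismatch rejected
    print(check_correlation(sample_response(None, None), None))   # None: unsolicited accepted
    print(check_correlation(sample_response(None, None), None, block_unsolicited=True))
```

The second call reproduces the situation in the description: a Response whose own InResponseTo is correct but whose bearer SubjectConfirmationData carries a fake value is rejected only when correlation checking is actually enabled, which per the comments above is off by default.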