Identity Provider / IDP-1012

Delegation Liberty SSOS flow Assertion Subject C14N fails for transient NameIDs


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.2.1
    • Fix Version/s: 3.3.0
    • Component/s: NameID Handling, SAML2
    • Labels: None
    • Operating System: Multiple

    Description

    See the users list discussion: http://marc.info/?l=shibboleth-users&m=146956730325829&w=2

    The C14N of the presented Assertion token's Subject, as performed by ProcessDelegatedAssertion, improperly uses the current requesting relying party's entityID as the SubjectCanonicalizationContext#requesterId. This fails for transient NameIDs, as they were issued to a different RP. It probably also fails for persistent and any other pairwise NameID.

    The requesterId should probably be based on the SPNameQualifier or some other determination of to whom the ID was issued. Alternatively, Scott comments that perhaps the entityID check could be relaxed in this case.

    The SAML presenter in the Liberty SSOS case would seem to always be the pairwise recipient of the token's NameID, as the NameID is re-generated on each trip through the SSOS flow. This still needs to be confirmed.
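    The following is an added model of the failure described above, not Shibboleth IdP code: a transient NameID is issued to one RP (the SSOS presenter) and then canonicalized during a delegated request for a second RP. A pairwise transient-ID store is keyed by (issuer, recipient, value), so a lookup that uses the current requester as requesterId misses, while a lookup that takes the recipient from the SPNameQualifier succeeds. TransientIdStore and C14NContext are hypothetical stand-ins (the real SubjectCanonicalizationContext and the IdP's transient-ID storage have different shapes), the entity IDs and the transient value are constructed, and the strategy labelled "by SPNameQualifier" is the proposal from this ticket, not necessarily what shipped in 3.3.0.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# SAML 2.0 NameID format URI for transient identifiers (standard constant).
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed entity IDs for the walk-through; none of these are real deployments.
IDP = "https://idp.example.org/idp/shibboleth"            # responder (the IdP)
PORTAL_RP = "https://portal.example.org/shibboleth"      # RP the NameID was issued to; the SSOS presenter
BACKEND_RP = "https://backend.example.org/shibboleth"    # RP the delegated request is actually for


@dataclass(frozen=True)
class NameID:
    """Subset of a SAML 2.0 NameID that matters for pairwise canonicalization."""
    value: str
    format: str
    name_qualifier: str                 # entityID of the issuing IdP
    sp_name_qualifier: Optional[str]    # entityID of the RP the value was issued to (may be absent)


@dataclass(frozen=True)
class C14NContext:
    """Hypothetical stand-in for SubjectCanonicalizationContext: who answered, who is asking."""
    subject: NameID
    responder_id: str
    requester_id: str


class TransientIdStore:
    """Hypothetical pairwise transient-ID store: (issuer, recipient, value) -> principal."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str, str], str] = {}

    def issue(self, principal: str, issuer: str, recipient: str, value: str) -> NameID:
        self._entries[(issuer, recipient, value)] = principal
        return NameID(value, TRANSIENT, issuer, recipient)

    def resolve(self, ctx: C14NContext) -> Optional[str]:
        """Return the principal only if the context names the exact pair the ID was issued to."""
        if ctx.subject.format != TRANSIENT:
            return None
        if ctx.subject.name_qualifier != ctx.responder_id:
            return None  # issued by a different IdP; not ours to resolve
        return self._entries.get((ctx.responder_id, ctx.requester_id, ctx.subject.value))


def context_as_reported(name_id: NameID, idp_id: str, current_rp: str) -> C14NContext:
    """Behaviour the ticket reports: requesterId = the RP currently making the request."""
    return C14NContext(name_id, idp_id, current_rp)


def context_by_sp_name_qualifier(name_id: NameID, idp_id: str, current_rp: str) -> C14NContext:
    """Proposal from the ticket: requesterId = the RP the NameID was issued to.

    Falls back to the current RP when the NameID carries no SPNameQualifier,
    which is the ordinary, non-delegated case.
    """
    return C14NContext(name_id, idp_id, name_id.sp_name_qualifier or current_rp)


def delegation_walkthrough() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Issue a transient ID to the portal, then canonicalize it during a delegated
    request for the backend. Returns (as_reported, by_sp_name_qualifier, direct)."""
    store = TransientIdStore()
    # Constructed transient value; a real one is an opaque random token.
    name_id = store.issue("jdoe", IDP, PORTAL_RP, "_c0ffee1234567890abcdef")

    # Delegated SSOS request: the backend is the current RP, but the token was issued to the portal.
    as_reported = store.resolve(context_as_reported(name_id, IDP, BACKEND_RP))
    by_qualifier = store.resolve(context_by_sp_name_qualifier(name_id, IDP, BACKEND_RP))

    # Ordinary request by the portal itself: both strategies agree.
    direct = store.resolve(context_as_reported(name_id, IDP, PORTAL_RP))
    return as_reported, by_qualifier, direct


if __name__ == "__main__":
    print(delegation_walkthrough())  # (None, 'jdoe', 'jdoe')
```

    The store deliberately keeps the issuer check (NameQualifier must equal the responderId) separate from the recipient check, so that the model shows which of the two the ticket's proposal changes: only the recipient side, taken from the SPNameQualifier rather than from the current requester.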

    People

    • Assignee: Brent Putman (putmanb@shibboleth.net)
    • Reporter: Brent Putman (putmanb@shibboleth.net)
    • Watchers: 1
