Bug 1342686

Summary: [GSS] (6.4.7 patch) IDP initiated (unsolicited) responses should not contain InResponseTo attributes
Product: JBoss Enterprise Application Platform 6
Component: PicketLink
Version: 6.4.7
Reporter: dhorton
Assignee: dhorton
QA Contact: Pavel Slavicek <pslavice>
CC: anmiller, bdawidow, bmaxwell, jboss-set, msochure, psilva, pskopek
Status: CLOSED EOL
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Support Patch
Clone Of: 1342685
Bug Depends On: 1342685
Last Closed: 2019-08-19 12:44:26 UTC

Doc Text:
To apply this individual patch, follow the steps outlined in "How do I apply individual or cumulative patches in JBoss EAP 6.2 and beyond?" [1]. To roll back this individual patch if installation has unexpected consequences, follow the steps outlined in "How do I rollback individual or cumulative patches in JBoss EAP 6.2 and beyond?" [2].
[1] https://access.redhat.com/site/solutions/625683
[2] https://access.redhat.com/site/solutions/639403

Attachments:
BZ1342686.zip (attachment 1177454)
idp.war (attachment 1177455)
employee.war (attachment 1177456)

Description dhorton 2016-06-03 21:58:49 UTC
+++ This bug was initially created as a clone of Bug #1342685 +++

Description of problem:

IDP initiated (unsolicited) responses should not contain InResponseTo attributes

From saml-profiles-2.0-os.pdf:

4.1.5 Unsolicited Responses
An identity provider MAY initiate this profile by delivering an unsolicited <Response> message to a
service provider.
An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer
<SubjectConfirmationData> elements contain one. If metadata as specified in [SAMLMeta] is used,
the <Response> or artifact SHOULD be delivered to the <md:AssertionConsumerService> endpoint
of the service provider designated as the default.

Comment 2 dhorton 2016-07-07 20:57:14 UTC
Created attachment 1177454 [details]
BZ1342686.zip

Comment 3 dhorton 2016-07-07 20:58:22 UTC
Created attachment 1177455 [details]
idp.war

Comment 4 dhorton 2016-07-07 20:58:49 UTC
Created attachment 1177456 [details]
employee.war

Comment 5 dhorton 2016-07-07 21:01:37 UTC
To reproduce:

- deploy idp.war and employee.war
- log in to the IDP - http://localhost:8080/idp/
- trigger the SAMLv2 unsolicited response by going to http://localhost:8080/idp/index.html?TARGET=http://localhost:8080/employee/&SAML_VERSION=2.0
- view the SAML request that gets sent to the employee application
  - there should not be an InResponseTo attribute


Required security-domain configuration:

                <security-domain name="idp" cache-type="default">
                    <authentication>
                        <login-module code="UsersRoles" flag="required">
                            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="sp" cache-type="default">
                    <authentication>
                        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
                    </authentication>
                </security-domain>
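
The last reproduction step is a manual inspection of the Response the IDP posts to the employee application. The script below automates that inspection and shows why the bug matters to a service provider: it applies the section 4.1.5 rule quoted above and, for a Response that does carry InResponseTo, requires the value to match a request the SP actually issued. This is example code written for this page, not PicketLink's own validator or anything from idp.war or employee.war; the sample Responses are constructed (unsigned, minimal), and the set of outstanding request IDs is an assumed SP-side structure.

```python
"""Check the SAML 2.0 rule from saml-profiles-2.0-os section 4.1.5 on a
<samlp:Response>: an unsolicited (IdP-initiated) Response MUST NOT carry
InResponseTo, on the <Response> or on any bearer <SubjectConfirmationData>.
Example code written for this page, not PicketLink's own implementation."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def in_response_to_values(response_xml):
    """Collect every InResponseTo attribute on the <Response> element and on
    the <SubjectConfirmationData> of bearer confirmations, as (where, value)."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    found = []
    if root.get("InResponseTo") is not None:
        found.append(("Response", root.get("InResponseTo")))
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is not None and scd.get("InResponseTo") is not None:
            found.append(("SubjectConfirmationData", scd.get("InResponseTo")))
    return found


def classify_response(response_xml, outstanding_request_ids):
    """Decide how an SP should treat the Response.

    outstanding_request_ids (assumed SP-side state): IDs of AuthnRequests this
    SP issued and has not yet consumed. Returns (verdict, detail) with verdict
    'unsolicited', 'solicited' or 'reject'. Signature, audience and validity
    window checks are assumed to have been done before this is called.
    """
    refs = in_response_to_values(response_xml)
    if not refs:
        return ("unsolicited", "no InResponseTo present; treat as IdP-initiated")
    ids = {value for _, value in refs}
    if len(ids) != 1:
        return ("reject", "inconsistent InResponseTo values: %s" % sorted(ids))
    request_id = ids.pop()
    if request_id not in outstanding_request_ids:
        # This is what a strict SP does with the buggy IdP output: the
        # InResponseTo names a request this SP never sent, so the
        # IdP-initiated login is refused instead of accepted as unsolicited.
        return ("reject", "InResponseTo %r matches no request this SP issued" % request_id)
    return ("solicited", request_id)


def sample_response(in_response_to=None):
    """Constructed, unsigned, minimal Response for the employee SP; not a
    capture from the attached idp.war. The subject name is made up."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="ID_resp_1" Version="2.0" IssueInstant="2016-07-07T21:00:00Z"
    Destination="http://localhost:8080/employee/"{irt}>
  <saml:Issuer>http://localhost:8080/idp/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="ID_assert_1" Version="2.0" IssueInstant="2016-07-07T21:00:00Z">
    <saml:Issuer>http://localhost:8080/idp/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="http://localhost:8080/employee/"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    no_requests = set()
    # Correct unsolicited Response: accepted as IdP-initiated.
    print(classify_response(sample_response(), no_requests))
    # Buggy unsolicited Response with a stray InResponseTo: rejected.
    print(classify_response(sample_response("ID_stale_request"), no_requests))
    # SP-initiated flow: InResponseTo matches the request the SP sent.
    print(classify_response(sample_response("ID_req_1"), {"ID_req_1"}))
```

Run it against a Response captured from the employee application by replacing the constructed sample with the decoded SAMLResponse form parameter. Two caveats for anything beyond a lab check: xml.etree is not hardened against entity expansion or external entities, so parse untrusted SAML with a hardened parser such as defusedxml, and call this only after the XML signature on the Response or Assertion has been validated, since InResponseTo is attacker-controlled before that point.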

Comment 6 dhorton 2016-07-08 21:45:55 UTC
This is fixed upstream here:

https://issues.jboss.org/browse/PLINK-700

The patch needs to be rebuilt using the fix from PLINK-700.