Bug 1433517

Summary: [GSS] (6.4.z) SAML LogoutResponse includes invalid Responder status
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: PicketLink
Assignee: jboss-set
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4.13
CC: anmiller, bdawidow, bmaxwell, ihradek, jcacek, jtruhlar, psilva, pskopek, rnetuka
Target Milestone: CR1
Target Release: EAP 6.4.15
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1430526
Environment:
Last Closed: 2017-05-19 08:04:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1343635, 1419353, 1430526

Description dhorton 2017-03-17 21:12:28 UTC
+++ This bug was initially created as a clone of Bug #1430526 +++

Description of problem:

Upon a logoutRequest from an identity server, a logoutResponse is generated by the PicketLink client with our application that contains a samlp:StatusCode inside a samlp:StatusCode:

	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
			<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
		</samlp:StatusCode>
	</samlp:Status>

Comment 2 dhorton 2017-03-17 21:26:04 UTC
Reproducer notes:

hit employee
hit sales-post
hit employee
hit employee/?GLO=true


View LogoutResponse sent from sales-post to idp:

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                      Destination="http://10.10.178.29:8080/auth/realms/master/protocol/saml"
                      ID="ID_c3e91cee-65cb-4652-ad94-e97e69cddbda"
                      InResponseTo="ID_a5aa1ad4-d131-4819-b38e-9534050fb722"
                      IssueInstant="2017-03-08T17:40:13.119Z"
                      Version="2.0"
                      >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sales-post/</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        </samlp:StatusCode>
    </samlp:Status>
</samlp:LogoutResponse>


Notice the "Success" tag is inside the "Responder" tag.


expected:

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                      Destination="http://10.10.178.29:8080/auth/realms/master/protocol/saml"
                      ID="ID_8b350147-9a1c-4192-b95a-ef20b1d72f39"
                      InResponseTo="ID_91bc6671-8f07-4cee-ac8e-9fa91ff941bc"
                      IssueInstant="2017-03-08T17:50:48.238Z"
                      Version="2.0"
                      >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sales-post/</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>
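
As an added check (not part of this bug report or of PicketLink), the following Python parses the Status element of a LogoutResponse and shows why the first response above has to be read as a failed logout: SAML 2.0 decides the outcome by the outermost StatusCode alone, so a Success nested under Responder is only subordinate detail on an error. The two sample documents are constructed, trimmed versions of the responses quoted in this comment; `make_response` and the `ID_example` value are placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
# SAML 2.0 Core allows only these four values in the outermost StatusCode.
TOP_LEVEL_CODES = {
    SUCCESS, RESPONDER,
    "urn:oasis:names:tc:SAML:2.0:status:Requester",
    "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch",
}

def status_chain(logout_response_xml):
    """Return the StatusCode Value attributes, outermost first, following nesting."""
    root = ET.fromstring(logout_response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    chain = []
    while code is not None:
        chain.append(code.get("Value"))
        code = code.find(f"{{{SAMLP}}}StatusCode")  # optional subordinate code
    return chain

def evaluate(logout_response_xml):
    """Decide whether an IdP should treat this LogoutResponse as a completed logout."""
    chain = status_chain(logout_response_xml)
    if not chain or chain[0] not in TOP_LEVEL_CODES:
        return {"success": False, "chain": chain,
                "problem": "missing or non-top-level outer StatusCode"}
    if chain[0] != SUCCESS and SUCCESS in chain[1:]:
        # Only the outermost code decides the outcome; a nested Success under a
        # failure code is exactly the response shape this bug describes.
        return {"success": False, "chain": chain,
                "problem": "Success nested under a failure code"}
    return {"success": chain[0] == SUCCESS, "chain": chain, "problem": None}

# Constructed samples, trimmed from the two responses quoted in this comment.
def make_response(status_xml):
    return ('<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="ID_example" Version="2.0" IssueInstant="2017-03-08T17:40:13.119Z">'
            f'<samlp:Status>{status_xml}</samlp:Status></samlp:LogoutResponse>')

BUGGY = make_response(f'<samlp:StatusCode Value="{RESPONDER}">'
                      f'<samlp:StatusCode Value="{SUCCESS}"/></samlp:StatusCode>')
EXPECTED = make_response(f'<samlp:StatusCode Value="{SUCCESS}"/>')

if __name__ == "__main__":
    for name, doc in (("buggy", BUGGY), ("expected", EXPECTED)):
        print(name, evaluate(doc))
```

Running the block prints a chain of `[Responder, Success]` with `success: False` for the buggy response and `[Success]` with `success: True` for the expected one, which is what an IdP would see when deciding whether the SP actually completed the logout.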

Comment 3 dhorton 2017-03-17 21:26:33 UTC
Issue appears to be fixed upstream.

Comment 5 dhorton 2017-03-17 21:41:28 UTC
7.x bug is located here:  https://issues.jboss.org/browse/JBEAP-9677

Comment 6 Brad Maxwell 2017-03-19 16:49:25 UTC
*** Bug 1433516 has been marked as a duplicate of this bug. ***

Comment 7 Ivo Hradek 2017-05-03 06:48:46 UTC
Verified with EAP-6.4.15.CP.CR{2,3}

Comment 8 Petr Penicka 2017-05-19 08:04:23 UTC
Released on May 18 as part of EAP 6.4.15.