Bug 1433517 - [GSS] (6.4.z) SAML LogoutResponse includes invalid Responder status
Summary: [GSS] (6.4.z) SAML LogoutResponse includes invalid Responder status
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.4.13
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: EAP 6.4.15
Assignee: jboss-set
QA Contact: Josef Cacek
Duplicates: 1433516
Blocks: 1343635 eap6415-payload 1430526
Reported: 2017-03-17 21:12 UTC by dhorton
Modified: 2020-05-14 15:47 UTC

Clone Of: 1430526
Last Closed: 2017-05-19 08:04:23 UTC
Type: Bug




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-9677 0 Critical Verified [GSS] (7.1.0) SAML LogoutResponse includes invalid Responder status 2017-07-17 09:36:59 UTC
Red Hat Issue Tracker JBEAP-9851 0 Critical Verified [GSS] (7.0.z) SAML LogoutResponse includes invalid Responder status 2017-07-17 09:36:59 UTC
Red Hat Knowledge Base (Solution) 2960171 0 None None None 2017-03-17 21:14:20 UTC

Description dhorton 2017-03-17 21:12:28 UTC
+++ This bug was initially created as a clone of Bug #1430526 +++

Description of problem:

Upon a logoutRequest from an identity server, a logoutResponse is generated by the picketlink client with our application that contains a samlp:StatusCode inside a samlp:StatusCode:

	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
			<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:StatusCode>
	</samlp:Status>

Comment 2 dhorton 2017-03-17 21:26:04 UTC
Reproducer notes:

hit employee
hit sales-post
hit employee
hit employe/?GLO=true


View LogoutResponse sent from sales-post to idp:

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                      Destination="http://10.10.178.29:8080/auth/realms/master/protocol/saml"
                      ID="ID_c3e91cee-65cb-4652-ad94-e97e69cddbda"
                      InResponseTo="ID_a5aa1ad4-d131-4819-b38e-9534050fb722"
                      IssueInstant="2017-03-08T17:40:13.119Z"
                      Version="2.0"
                      >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sales-post/</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        </samlp:StatusCode>
    </samlp:Status>
</samlp:LogoutResponse>


Notice the "Success" tag is inside the "Responder" tag.


Expected:

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                      Destination="http://10.10.178.29:8080/auth/realms/master/protocol/saml"
                      ID="ID_8b350147-9a1c-4192-b95a-ef20b1d72f39"
                      InResponseTo="ID_91bc6671-8f07-4cee-ac8e-9fa91ff941bc"
                      IssueInstant="2017-03-08T17:50:48.238Z"
                      Version="2.0"
                      >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sales-post/</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>

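As an added example (not part of the bug report and not PicketLink code), a small Python check that parses a LogoutResponse and rejects the nested-StatusCode shape shown above. SAML 2.0 Core (section 3.2.2.2) allows only Success, Requester, Responder or VersionMismatch at the top level, so an IdP reading the buggy message sees a Responder failure regardless of the nested Success. The two sample messages are constructed, shortened copies of the ones in the comment.

```python
import xml.etree.ElementTree as ET  # not hardened against entity expansion; use defusedxml in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
# The only values SAML 2.0 Core (section 3.2.2.2) permits in a top-level StatusCode
TOP_LEVEL = {STATUS + c for c in ("Success", "Requester", "Responder", "VersionMismatch")}


def check_logout_response_status(xml_text):
    """Return (ok, reason) for the samlp:Status of a LogoutResponse.

    ok is True only for a single top-level Success code with nothing nested in it.
    A top-level Responder/Requester code means the logout failed, whatever the
    nested code says, which is how an IdP would read the message from the bug.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % SAMLP:
        return False, "not a samlp:LogoutResponse"
    status = root.find("samlp:Status", NS)
    if status is None:
        return False, "missing samlp:Status"
    codes = status.findall("samlp:StatusCode", NS)
    if len(codes) != 1:
        return False, "expected exactly one top-level StatusCode, found %d" % len(codes)
    top = codes[0]
    value = top.get("Value", "")
    if value not in TOP_LEVEL:
        return False, "invalid top-level StatusCode %r" % value
    # Second-level codes are only allowed as detail beneath a top-level value
    nested = [c.get("Value", "") for c in top.findall("samlp:StatusCode", NS)]
    if value == STATUS + "Success":
        if nested:
            return False, "Success must not nest another StatusCode: %s" % nested
        return True, "logout succeeded"
    return False, "logout failed with %s, nested %s" % (value[len(STATUS):], nested)


# Constructed, shortened copies of the two messages in the report
_HEAD = ('<samlp:LogoutResponse xmlns:samlp="%s" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"'
         ' ID="ID_example" Version="2.0" IssueInstant="2017-03-08T17:40:13.119Z"><samlp:Status>' % SAMLP)
_TAIL = "</samlp:Status></samlp:LogoutResponse>"
BUGGY_RESPONSE = _HEAD + (
    '<samlp:StatusCode Value="%sResponder"><samlp:StatusCode Value="%sSuccess"/></samlp:StatusCode>'
    % (STATUS, STATUS)) + _TAIL
EXPECTED_RESPONSE = _HEAD + '<samlp:StatusCode Value="%sSuccess"/>' % STATUS + _TAIL

if __name__ == "__main__":
    for name, doc in (("buggy", BUGGY_RESPONSE), ("expected", EXPECTED_RESPONSE)):
        print(name, check_logout_response_status(doc))
```
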
Comment 3 dhorton 2017-03-17 21:26:33 UTC
Issue appears to be fixed upstream.

Comment 5 dhorton 2017-03-17 21:41:28 UTC
7.x bug is located here:  https://issues.jboss.org/browse/JBEAP-9677

Comment 6 Brad Maxwell 2017-03-19 16:49:25 UTC
*** Bug 1433516 has been marked as a duplicate of this bug. ***

Comment 7 Ivo Hradek 2017-05-03 06:48:46 UTC
Verified with EAP-6.4.15.CP.CR{2,3}

Comment 8 Petr Penicka 2017-05-19 08:04:23 UTC
Released on May 18 as part of EAP 6.4.15.

