Bug 1730018 - lasso includes "Destination" attribute in SAML AuthnRequest populated with SP AssertionConsumerServiceURL when ECP workflow is used which leads to IdP-side errors
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: lasso
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: Jakub Hrozek
QA Contact: Scott Poore
URL:
Whiteboard: sync-to-jira
Depends On: 1730009
Blocks:
Reported: 2019-07-15 15:16 UTC by John Dennis
Modified: 2020-04-28 15:37 UTC

Fixed In Version: lasso-2.6.0-8.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1730009
Environment:
Last Closed: 2020-04-28 15:37:27 UTC
Type: Bug
Target Upstream Version:




Links
System: Red Hat Product Errata
ID: RHBA-2020:1596
Priority: None
Status: None
Summary: None
Last Updated: 2020-04-28 15:37:28 UTC

Comment 3 Scott Poore 2020-01-28 22:50:56 UTC
Verified.

Version ::

lasso-2.6.0-8.el8.x86_64

Results ::

With diagnostics setup:

[root@web1 conf.d]# curl -L -H "Accept: application/vnd.paos+xml" -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' https://$(hostname):8443/example_app/private/index.html
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><s:Header><paos:Request responseConsumerURL="https://web1.kite.test:8443/example_app/mellon/paosResponse" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" messageID="_3AD6EDD7C8353606729BF5216CCB975C" s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next"/><ecp:Request s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false"><saml:Issuer>https://web1.kite.test:8443/example_app/mellon/metadata</saml:Issuer></ecp:Request><ecp:RelayState s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next">https://web1.kite.test:8443/example_app/private/index.html</ecp:RelayState></s:Header><s:Body><samlp:AuthnRequest ID="_E85CDAC0D161ABDE99479AFF0C905DC8" Version="2.0" IssueInstant="2020-01-28T22:47:30Z" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://web1.kite.test:8443/example_app/mellon/paosResponse"><saml:Issuer>https://web1.kite.test:8443/example_app/mellon/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
...

[root@web1 conf.d]# grep -i destination /var/log/httpd/mellon_diagnostics

[root@web1 conf.d]# wc -l /var/log/httpd/mellon_diagnostics
378 /var/log/httpd/mellon_diagnostics
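
The verification in Comment 3, expressed as a repeatable check: this is an added example, not code from lasso, mod_auth_mellon or the bug's participants. It parses the PAOS envelope an SP returns to an ECP client and classifies the AuthnRequest by its Destination attribute; the envelopes, the host name sp.example.test and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ACS = "https://sp.example.test/mellon/paosResponse"  # constructed SP endpoint


def make_envelope(extra_attrs=""):
    """Build a trimmed, constructed PAOS envelope shaped like the curl output."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        "<s:Header/><s:Body>"
        '<samlp:AuthnRequest ID="_constructed" Version="2.0" '
        f'AssertionConsumerServiceURL="{ACS}" {extra_attrs}/>'
        "</s:Body></s:Envelope>"
    )


def check_ecp_authn_request(envelope_xml):
    """Return (verdict, detail) for the AuthnRequest's Destination attribute."""
    root = ET.fromstring(envelope_xml)
    req = root.find("s:Body/samlp:AuthnRequest", NS)
    if req is None:
        return ("error", "no samlp:AuthnRequest in SOAP Body")
    # Destination and AssertionConsumerServiceURL are unqualified attributes.
    dest = req.get("Destination")
    acs = req.get("AssertionConsumerServiceURL")
    if dest is None:
        return ("ok", "no Destination attribute")
    if dest == acs:
        # The condition named in the bug title: Destination carries the SP's URL.
        return ("bug", "Destination equals AssertionConsumerServiceURL: " + dest)
    return ("review", "Destination present: " + dest)


if __name__ == "__main__":
    samples = {
        "fixed build (constructed)": make_envelope(),
        "affected build (constructed)": make_envelope(f'Destination="{ACS}"'),
    }
    for name, xml_text in samples.items():
        print(name, check_ecp_authn_request(xml_text))
```

Unlike a case-insensitive grep over the diagnostics log, this inspects only the attribute on the AuthnRequest element, so the word appearing elsewhere in the envelope does not affect the verdict.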

Comment 8 errata-xmlrpc 2020-04-28 15:37:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1596

