
Sa-gw error response has wrong issuer #411

Open

phavekes opened this issue Nov 30, 2024 · 1 comment
@phavekes (Member)

This issue is imported from pivotal - Originally created at Sep 15, 2021 by Thijs Kinkhorst

  • Start a tiqr authentication via the EB SFO interface (e.g.: go to manage.test.surfconext.nl)
  • On the tiqr spinner screen, press cancel
  • User is returned to EB with a status response with wrong issuer, so EB throws "unknown idp" error since it does not know this entity.

Tiqr responds this to sa-gw when cancel pressed:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_ee1f06dce54b704d154391e150727e6c3cf400840db7ac213c770b8e9f3a"
                Version="2.0"
                IssueInstant="2021-09-15T12:32:29Z"
                Destination="https://sa-gw.test.surfconext.nl/gssp/tiqr/consume-assertion"
                InResponseTo="_ef55dc864d0b01295fb81c187d1b353d859f916c3853f32a5ea5d3e06d72"
                >
    <saml:Issuer>https://tiqr.test.surfconext.nl/saml/metadata</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
        </samlp:StatusCode>
        <samlp:StatusMessage>User cancelled the request</samlp:StatusMessage>
    </samlp:Status>
</samlp:Response>

The sa-gw then posts this back to EB:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_539303b1e5542228983ce7c1902de96b4fbb16b653927319de9f9456f4b3"
                Version="2.0"
                IssueInstant="2021-09-15T12:32:29Z"
                Destination="https://engine.test.surfconext.nl/authentication/stepup/consume-assertion"
                InResponseTo="CORTOf87f454e54ac07274300604590b2b11af3c1b603"
                >
    <saml:Issuer>https://sa-gw.test.surfconext.nl/authentication/metadata</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
        </samlp:StatusCode>
        <samlp:StatusMessage>Could not process received Response, error: "Cannot process response, preconditions not met: "Responder/AuthnFailed User cancelled the request""</samlp:StatusMessage>
    </samlp:Status>
</samlp:Response>

Note that the following two things are off:

  • The issuer is wrong (expected https://sa-gw.test.surfconext.nl/second-factor-only/metadata)
  • The StatusMessage is completely mangled up
@phavekes phavekes self-assigned this Nov 30, 2024
@phavekes (Member, Author)

On slack we decided to use just the message originating from the IdP that returned the failed saml response. (Michiel Kodde - May 2, 2023)
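The two defects reported above (an Issuer that the receiving SP does not know, and an upstream StatusMessage wrapped in layers of quoting) and the decision in the comment to relay only the message from the IdP that produced the failure can both be expressed as small checks. The following Python is an added example, not code from Stepup-Gateway (which is a PHP project) or from any participant in this issue. It reuses the two responses quoted in the issue as sample input; `EXPECTED_SFO_ISSUER` is the entity ID the report says EB expects, and the function names, the `_constructed-id` response ID and the registry of known issuers are assumptions made for the example. The stdlib parser is used for the constructed samples; on untrusted input a hardened parser such as defusedxml should replace it.

```python
"""Issuer check and status relay for SAML 2.0 failure responses (added example)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Entity ID EB expects for the gateway's SFO endpoint, as stated in the issue.
EXPECTED_SFO_ISSUER = "https://sa-gw.test.surfconext.nl/second-factor-only/metadata"

# The two responses quoted in the issue, reused here as sample input.
TIQR_TO_GATEWAY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_ee1f06dce54b704d154391e150727e6c3cf400840db7ac213c770b8e9f3a" Version="2.0"
    IssueInstant="2021-09-15T12:32:29Z"
    Destination="https://sa-gw.test.surfconext.nl/gssp/tiqr/consume-assertion"
    InResponseTo="_ef55dc864d0b01295fb81c187d1b353d859f916c3853f32a5ea5d3e06d72">
  <saml:Issuer>https://tiqr.test.surfconext.nl/saml/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User cancelled the request</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

GATEWAY_TO_EB = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_539303b1e5542228983ce7c1902de96b4fbb16b653927319de9f9456f4b3" Version="2.0"
    IssueInstant="2021-09-15T12:32:29Z"
    Destination="https://engine.test.surfconext.nl/authentication/stepup/consume-assertion"
    InResponseTo="CORTOf87f454e54ac07274300604590b2b11af3c1b603">
  <saml:Issuer>https://sa-gw.test.surfconext.nl/authentication/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Could not process received Response, error: "Cannot process response, preconditions not met: "Responder/AuthnFailed User cancelled the request""</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def parse_status_response(xml_text):
    """Extract Issuer, InResponseTo and the nested StatusCode chain from a samlp:Response."""
    root = ET.fromstring(xml_text)  # use defusedxml.ElementTree for untrusted input
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:  # StatusCode may nest: Responder -> AuthnFailed
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return {
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "status_codes": codes,
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage", default=None, namespaces=NS),
    }


def validate_issuer(parsed, known_issuers):
    """SP-side check: the Issuer must exactly match a configured IdP entity ID.

    Returns (ok, reason) so the caller can log why a response was rejected."""
    issuer = parsed["issuer"]
    if not issuer:
        return False, "missing saml:Issuer"
    if issuer not in known_issuers:
        return False, f"unknown idp: {issuer}"
    return True, "issuer ok"


def build_relayed_failure(upstream, issuer, destination, in_response_to, response_id, issue_instant):
    """Gateway-side relay of a failed upstream response.

    Copies the upstream StatusCode chain and StatusMessage verbatim (no wrapping,
    no extra quoting) and sets Issuer to the entity ID the downstream SP expects."""
    root = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": response_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": destination, "InResponseTo": in_response_to,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    parent = status
    for code in upstream["status_codes"]:
        parent = ET.SubElement(parent, f"{{{SAMLP}}}StatusCode", {"Value": code})
    if upstream["status_message"] is not None:
        ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = upstream["status_message"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(validate_issuer(parse_status_response(GATEWAY_TO_EB), {EXPECTED_SFO_ISSUER}))
    tiqr = parse_status_response(TIQR_TO_GATEWAY)
    print(build_relayed_failure(tiqr, EXPECTED_SFO_ISSUER,
                                "https://engine.test.surfconext.nl/authentication/stepup/consume-assertion",
                                "CORTOf87f454e54ac07274300604590b2b11af3c1b603",
                                "_constructed-id", "2021-09-15T12:32:29Z"))
```

Run against the issue's second response, `validate_issuer` reports exactly the "unknown idp" condition EB hit, because `.../authentication/metadata` is not in the set of SFO entity IDs it was configured with. The relayed response built from the first sample carries `Responder/AuthnFailed` and the plain text `User cancelled the request`, which is the behaviour agreed on in the comment above.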

@phavekes phavekes removed their assignment Nov 30, 2024
@phavekes phavekes transferred this issue from OpenConext/Stepup-Project Dec 3, 2024