SAML forceAuthn attribute XML encoding issue
Corin.Langosch at swisscom.com
Corin.Langosch at swisscom.com
Wed Oct 20 10:00:15 UTC 2021
Hi guys,
we are using shibboleth SP 3.1.0 and trying to get forced re-authentication to work.
In our configuration we have forceAuthn set to "true" but it seems shibboleth is always sending it as "1" in the XML auth request. According to this old post from 2019 of the keycloak mailing list (https://lists.jboss.org/pipermail/keycloak-user/2019-August/019058.html) also "1" is compliant with the spec and should be accepted.
However, the IDP we are integrating insists that only "true" or "false" are compliant and doesn't accept the answer given in the post mentioned above. "Whilst XML schemas may consider 1 as a valid boolean value, the SAML spec specifically states that the values should be true or false. http://docs.oasis-open.org/security/saml/Post2.0/sstc-request-initiation-cd-01.html<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdocs.oasis-open.org%2Fsecurity%2Fsaml%2FPost2.0%2Fsstc-request-initiation-cd-01.html&data=04%7C01%7CCorin.Langosch%40swisscom.com%7C7a8abdc3519c4fcd580808d99220949a%7C364e5b87c1c7420d9beec35d19b557a1%7C0%7C0%7C637701490894224397%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=aTydkuh5vqnZHgizDLA4no6%2FHn0dHX3lQxcg3uXUlwM%3D&reserved=0>"
Is our IDP right and thus this would need to be fixed in shibboleth? Or do they have to adjust their code? Thank you very much in advance.
Kind regards
Corin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20211020/3b801bcf/attachment.htm>
More information about the users
mailing list