SAML forceAuthn attribute XML encoding issue
ndk at signet.id
Wed Oct 20 10:13:00 UTC 2021
The specification they're referencing is designed for a user-agent to SP interaction to get an AuthnRequest, so it has no direct relevance to the AuthnRequest's contents, although it should also be interpreted as an XML Boolean. The schema for an AuthnRequest contains:
<attribute name="IsPassive" type="boolean" use="optional"/>
While the example text includes "true" or "false" only, "1" and "0" should be permissible as well AFAIK under the XML and SAML specifications. It is a formal Boolean, and "1" is probably used here in order to constrain the size of an AuthnRequest, which has to be serialized into a URL with the Redirect binding. I might consider requesting a configuration option in the SP or asking the IdP to support it per the XML specification.
The Art of Access ®
From: Corin.Langosch at swisscom.com
Sent: Wednesday, October 20 2021, 10:00 am
To: users at shibboleth.net
Subject: SAML forceAuthn attribute XML encoding issue
We are using Shibboleth SP 3.1.0 and trying to get forced re-authentication to work.
In our configuration we have forceAuthn set to "true", but it seems Shibboleth is always sending it as "1" in the XML auth request. According to this old post from 2019 on the Keycloak mailing list (https://lists.jboss.org/pipermail/keycloak-user/2019-August/019058.html), "1" is also compliant with the spec and should be accepted.
However, the IDP we are integrating insists that only "true" or "false" are compliant and doesn't accept the answer given in the post mentioned above: "Whilst XML schemas may consider 1 as a valid boolean value, the SAML spec specifically states that the values should be true or false. http://docs.oasis-open.org/security/saml/Post2.0/sstc-request-initiation-cd-01.html"
Is our IDP right and thus this would need to be fixed in shibboleth? Or do they have to adjust their code? Thank you very much in advance.
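The XML Schema boolean rule discussed in the reply above, as an added example that is not part of this thread and is not Shibboleth, Keycloak or any IdP's code. It reads the ForceAuthn and IsPassive attributes from a samlp:AuthnRequest with the xsd:boolean lexical space ({true, false, 1, 0}, surrounding whitespace permitted), rejects anything else, and shows the SP-side normalization that would satisfy an IdP insisting on the "true"/"false" spelling. The AuthnRequest document is a constructed sample; only the SAML 2.0 protocol namespace and the attribute names come from the specification.

```python
"""Interpret SAML 2.0 AuthnRequest boolean attributes per xsd:boolean.

Added example, not code from Shibboleth, Keycloak or any IdP. The
AuthnRequest below is a constructed sample for illustration.
"""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# xsd:boolean lexical space: "true", "false", "1", "0". Leading and
# trailing whitespace is allowed because the type collapses whitespace.
XSD_BOOLEAN_LEXICAL = {"true": True, "1": True, "false": False, "0": False}

# Both attributes are declared use="optional" with no default in the
# SAML 2.0 protocol schema (samlp:AuthnRequest).
BOOLEAN_ATTRIBUTES = ("ForceAuthn", "IsPassive")


def is_xsd_boolean(value: str) -> bool:
    """True if the string is in the xsd:boolean lexical space."""
    return value.strip() in XSD_BOOLEAN_LEXICAL


def parse_xsd_boolean(value: str) -> bool:
    """Map an xsd:boolean lexical value to a Python bool; reject others."""
    token = value.strip()
    if token not in XSD_BOOLEAN_LEXICAL:
        raise ValueError(f"not an xsd:boolean lexical value: {value!r}")
    return XSD_BOOLEAN_LEXICAL[token]


def read_authn_request_flags(xml_text: str) -> dict:
    """Return {'ForceAuthn': bool|None, 'IsPassive': bool|None} for a request.

    None means the attribute was absent, which the schema permits.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("root element is not samlp:AuthnRequest")
    flags = {}
    for name in BOOLEAN_ATTRIBUTES:
        raw = root.get(name)
        flags[name] = None if raw is None else parse_xsd_boolean(raw)
    return flags


def normalize_boolean_attributes(xml_text: str) -> str:
    """Rewrite ForceAuthn/IsPassive to the "true"/"false" spelling.

    For a strict IdP this must happen before the request is signed or
    encoded for the Redirect binding, since the attributes sit inside the
    signed element.
    """
    root = ET.fromstring(xml_text)
    for name in BOOLEAN_ATTRIBUTES:
        raw = root.get(name)
        if raw is not None:
            root.set(name, "true" if parse_xsd_boolean(raw) else "false")
    return ET.tostring(root, encoding="unicode")


# Constructed sample AuthnRequest (not captured from any deployment).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" '
    'IssueInstant="2021-10-20T10:00:00Z" '
    'ForceAuthn="1" IsPassive="false">'
    '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

if __name__ == "__main__":
    print(read_authn_request_flags(SAMPLE_AUTHN_REQUEST))
    print(normalize_boolean_attributes(SAMPLE_AUTHN_REQUEST))
```

An IdP that interprets the attribute with parse_xsd_boolean accepts both the "1" Shibboleth emits and the "true" the IdP asked for; one that only string-compares against "true" is the interoperability problem described in the thread. The normalization function is the shape of the SP-side configuration option the reply suggests requesting.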