Fun & games with AWS Identity center #666
Comments
Sorry, not sure what kind of support you are looking for. Are you able to see why valid_saml? is failing? You should check on errors. The toolkit should be compatible with Google and AWS as well; let me know if you experience any issue.

Sorry for not being clear.

Can you try to validate the SAML Message at https://www.samltool.com/validate_xml.php and see if you have an error there as well?
Which is not very helpful, as the response has 41 lines. I'm going to X out the sensitive stuff & try to paste in useful details
I note that the examples here are all for samlp responses, but your tests match the saml2p of the message.

Just for fun, I posted the above as well. I got a bunch of invalid base64 warnings, an invalid id warning, and the attribute complaint from the above. So I'm guessing that the problem actually is with the empty attribute statement.

And... adding a mapped attribute to the settings in AWS Identity center results in

So back to your "What do you want?" above...

@NathanZookCH Saml2Responses with empty AttributeStatement are not allowed according to the standard. They should either contain other elements or be non-existent altogether. From Scott Cantor, one of the authors of the SAML spec:

Scott: As Chad said, no, that's not allowed. See: https://lists.internet2.edu/sympa/arc/shibboleth-dev/2009-03/msg00008.html See also: http://www.datypic.com/sc/saml2/e-saml_AttributeStatement.html where you see that if AttributeStatement exists, it requires at least 1 Attribute defined. An IdP that generates a SAMLResponse with an empty AttributeStatement does not follow the SAML standard.

@pitbulk I can accept that AWS is violating the SAML standard. They are also double-encoding their data, which also causes problems. What I find difficult to accept is a situation where a major use case of the gem is going to fail unless adjustments are made, and there is no documentation of this fact. If you want to be strict with the spec, I can totally support that, but please have pity on the poor user who wants to use this gem specifically because they don't want to have to become an expert on SAML or SAML implementations. A clear mention in the documentation, along with the workaround I found, is going to save such a user quite a bit of time and effort.
I'm using AWS, setting up a custom service provider as a lambda to be fed by the IAM Identity Center. I'm having lots of fun, but the final bug/issue is that AWS is failing OneLogin::RubySaml::SamlMessage.valid_saml?

In order to get to this point, there are a few things to beware:

- subject to ${user:subject}. I use the emailAddress format. Others have said transient.
- Base64.decode64(CGI.unescape(saml_response)).
- It should not matter, but we use Google Workspace as our primary IdP. AWS IIC is reflecting from there. All identities in AWS IIC are emails.
I would rather not copy the message in here, as I get too much spam anyway. If you're not in a position to set up your own experiment quickly, perhaps we could communicate the message out of band.
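Two points raised in this thread lend themselves to a small diagnostic: the double-encoded SAMLResponse parameter (Base64 that has additionally been URL-escaped, so it needs CGI.unescape before Base64.decode64) and the empty AttributeStatement that valid_saml? rejects. The following Ruby script is an added example written for this page; it is not part of ruby-saml and does not reproduce any real AWS message. It uses only the standard library (base64, cgi, rexml) and a constructed sample response, and it reports where an empty AttributeStatement sits so the IdP-side attribute mapping can be corrected.

```ruby
require 'base64'
require 'cgi'
require 'rexml/document'

# Namespace prefix map for XPath queries against SAML 2.0 assertions.
SAML2_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Decode the SAMLResponse form parameter. Plain Base64 never contains '%',
# so its presence is a reliable sign that the value was URL-escaped a second
# time (the "double-encoding" reported in this issue). Unescaping a plain
# Base64 value unconditionally would be wrong: '+' would turn into ' ' and the
# decoded bytes would be silently corrupted.
def decode_saml_response(raw)
  raw = CGI.unescape(raw) if raw.include?('%')
  Base64.decode64(raw)
end

# Return every AttributeStatement element that has no child elements at all.
# SAML 2.0 requires at least one Attribute (or EncryptedAttribute) inside an
# AttributeStatement, so an empty one is a schema violation that a strict
# validator such as valid_saml? will reject.
def empty_attribute_statements(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//saml:AttributeStatement', SAML2_NS)
              .select { |stmt| stmt.elements.size.zero? }
end

# One-call diagnostic: decode the parameter and describe each offending
# statement by its own name and its parent's name.
def diagnose(raw_param)
  xml = decode_saml_response(raw_param)
  empty_attribute_statements(xml).map do |e|
    "empty <#{e.expanded_name}> under <#{e.parent.expanded_name}>"
  end
end

# Constructed sample response (hypothetical IDs and issuer, not a real AWS
# message). Note the saml2p/saml2 prefixes mentioned in the thread.
EMPTY_STATEMENT_XML = <<~XML
  <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_constructed_response" Version="2.0"
                   IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Assertion ID="_constructed_assertion" Version="2.0"
                     IssueInstant="2024-01-01T00:00:00Z">
      <saml2:Issuer>https://idp.example.invalid/</saml2:Issuer>
      <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml2:NameID>
      </saml2:Subject>
      <saml2:AttributeStatement/>
    </saml2:Assertion>
  </saml2p:Response>
XML

# The same response after one attribute has been mapped in the IdP settings.
FIXED_ATTRIBUTE = '<saml2:AttributeStatement><saml2:Attribute Name="email">' \
                  '<saml2:AttributeValue>user@example.invalid</saml2:AttributeValue>' \
                  '</saml2:Attribute></saml2:AttributeStatement>'
FIXED_XML = EMPTY_STATEMENT_XML.sub('<saml2:AttributeStatement/>', FIXED_ATTRIBUTE)

# Simulate the double-encoded wire form: Base64, then URL-escape.
def double_encode(xml)
  CGI.escape(Base64.strict_encode64(xml))
end

if __FILE__ == $PROGRAM_NAME
  p diagnose(double_encode(EMPTY_STATEMENT_XML))
  p diagnose(double_encode(FIXED_XML))
end
```

Running the script prints one finding for the empty statement and an empty array once an attribute is present; the decoder works unchanged on a response that was Base64-encoded only once.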