
Fun & games with AWS Identity center #666

Open
NathanZookCH opened this issue Aug 15, 2023 · 8 comments

Comments

@NathanZookCH

I'm using AWS, setting up a custom service provider as a lambda to be fed by the IAM Identity Center. I'm having lots of fun, but the final bug/issue is that AWS is failing `OneLogin::RubySaml::SamlMessage.valid_saml?`

In order to get to this point, there are a few things to beware:

  1. You need to configure the attribute mapping for your provider to map subject to `${user:subject}`. I use the emailAddress format. Others have said transient.
  2. AWS (and Google) say that their messages are base64. Use `Base64.decode64(CGI.unescape(saml_response))`.

It should not matter, but we use Google Workspace as our primary IdP. AWS IIC is reflecting from there. All identities in AWS IIC are emails.

I would rather not copy the message in here, as I get too much spam anyway. If you're not in a position to set up your own experiment quickly, perhaps we could communicate the message out of band.

@pitbulk
Collaborator

pitbulk commented Aug 16, 2023

Sorry, not sure what kind of support you are looking for.

Are you able to see why `valid_saml?` is failing? You should check on errors.

The toolkit should be compatible with Google and AWS as well, let me know if you experience any issue.

@NathanZookCH
Author

Sorry for not being clear.

  1. The failure is the schema validation. Errors is: `["Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"]`
  2. It would be useful to see if someone else has had success with AWS, and if there is any magic that they used.

@pitbulk
Collaborator

pitbulk commented Aug 16, 2023

Can you try to validate the SAML Message at: https://www.samltool.com/validate_xml.php and see if you have an error there as well?

@NathanZookCH
Author

```
Line: 41 | Column: 0  --> Element '{urn:oasis:names:tc:SAML:2.0:assertion}AttributeStatement': Missing child element(s). Expected is one of ( {urn:oasis:names:tc:SAML:2.0:assertion}Attribute, {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAttribute ).
```

Which is not very helpful, as the response has 41 lines.

I'm going to X out the sensitive stuff & try to paste in useful details.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<saml2p:Response Destination='https://XXX.lambda-url.us-east-1.on.aws/XXX' ID='XXX' IssueInstant='2023-08-18T16:28:27.712Z' Version='2.0' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' xmlns:enc='http://www.w3.org/2001/04/xmlenc#' xmlns:saml2='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:saml2p='urn:oasis:names:tc:SAML:2.0:protocol'>
  <saml2:Issuer Format='urn:oasis:names:tc:SAML:2.0:nameid-format:entity'>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/XXX</saml2:Issuer>
  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      <ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>
      <ds:Reference URI='XXX'>
        <ds:Transforms>
          <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
          <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>
        <ds:DigestValue>XXX</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>XXX</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>XXX</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status><saml2p:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:Success'/></saml2p:Status>
  <saml2:Assertion ID='XXX' IssueInstant='2023-08-18T16:28:27.712Z' Version='2.0'>
    <saml2:Issuer Format='urn:oasis:names:tc:SAML:2.0:nameid-format:entity'>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/XXX</saml2:Issuer>
    <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
        <ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>
        <ds:Reference URI='XXX'>
          <ds:Transforms>
            <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
            <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>
          <ds:DigestValue>XXX</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>XXX</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>XXX</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' SPNameQualifier='audience'>XXX</saml2:NameID>
      <saml2:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>
        <saml2:SubjectConfirmationData NotOnOrAfter='2023-08-19T04:28:27.713Z' Recipient='https://XXX.lambda-url.us-east-1.on.aws/base'/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore='2023-08-18T16:23:27.713Z' NotOnOrAfter='2023-08-19T04:28:27.713Z'>
      <saml2:AudienceRestriction><saml2:Audience>audience</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant='2023-08-18T16:28:27.713Z' SessionIndex='_d2fd6c31-3e90-46f1-8df6-ce92f0a32d34' SessionNotOnOrAfter='2023-08-19T04:28:27.713Z'>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement/>
  </saml2:Assertion>
</saml2p:Response>
```

I note that the examples here are all for samlp responses, but your tests match the saml2p of the message.

@NathanZookCH
Author

Just for fun, I posted the above as well. I got a bunch of invalid base64 warnings, an invalid id warning, and the attribute complaint from the above. So I'm guessing that the problem actually is with the empty attribute statement.

@NathanZookCH
Author

And... adding a mapped attribute to the settings in AWS Identity Center results in `response.is_valid?` being true.

So back to your "What do you want?" above...

  1. Change the logic in `def decode_raw_saml(saml, settings = nil)` to identify and unescape CGI-escaped base64 strings.
  2. Either loosen the validation to permit `<saml2:AttributeStatement/>` or document that some providers are known to fail this validation unless attributes are mapped.

@pitbulk
Collaborator

pitbulk commented Sep 30, 2023

@NathanZookCH Saml2Responses with an empty AttributeStatement

```xml
<saml2:AttributeStatement/>
```

are not allowed according to the standard. They should either contain other elements or not exist at all.

From Scott Cantor, one of the authors of SAML spec:

> Under the situation described above, shouldn't the IdP send a SAML assertion with an empty AttributeStatement instead of no AttributeStatement at all?
>
> Scott: As Chad said, no, that's not allowed.

See: https://lists.internet2.edu/sympa/arc/shibboleth-dev/2009-03/msg00008.html

See also: http://www.datypic.com/sc/saml2/e-saml_AttributeStatement.html where you can see that if AttributeStatement exists, it requires at least 1 Attribute to be defined.

An IdP that generates a SAMLResponse with an empty AttributeStatement does not follow the SAML standard.
The error from the toolkit is clear to me: if AttributeStatement exists, it looks for an Attribute:

```
Element '{urn:oasis:names:tc:SAML:2.0:assertion}AttributeStatement': Missing child element(s). Expected is one of ( {urn:oasis:names:tc:SAML:2.0:assertion}Attribute
```
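The two problems raised in this thread (URL-escaped base64 on top of the SAMLResponse, and an `AttributeStatement` with no children failing schema validation) can both be checked before handing the message to the gem. The snippet below is an added example, not ruby-saml's own code: `decode_saml_payload` and `attribute_statement_findings` are hypothetical helper names, the `'%'` trigger for unescaping is an assumed heuristic, and the assertion is a constructed sample rather than the AWS message above.

```ruby
require 'base64'
require 'cgi'
require 'rexml/document'

SAML2_ASSERTION_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'.freeze

# Decode a SAMLResponse that may have been URL-escaped on top of base64.
# Plain base64 never contains '%', so its presence is the trigger (assumed
# heuristic); we must not unescape otherwise, because CGI.unescape would turn
# a legitimate base64 '+' into a space and corrupt the message.
def decode_saml_payload(raw)
  text = raw.to_s.strip
  text = CGI.unescape(text) if text.include?('%')
  Base64.decode64(text).force_encoding(Encoding::UTF_8)
end

# Report every AttributeStatement that has no Attribute/EncryptedAttribute
# child. The schema requires at least one, so an empty element fails
# saml-schema-protocol-2.0.xsd validation even when everything else is fine.
def attribute_statement_findings(xml)
  doc = REXML::Document.new(xml)
  findings = []
  REXML::XPath.each(doc, '//a:AttributeStatement', { 'a' => SAML2_ASSERTION_NS }) do |stmt|
    next unless stmt.elements.to_a.empty?
    findings << 'empty AttributeStatement: map at least one attribute at the IdP ' \
                'or have it omit the element'
  end
  findings
end

# Constructed sample assertion (not the AWS message from the thread).
EMPTY_STATEMENT_XML = <<~XML
  <saml2:Assertion xmlns:saml2="#{SAML2_ASSERTION_NS}" ID="_example" Version="2.0">
    <saml2:Issuer>https://idp.example.test</saml2:Issuer>
    <saml2:AttributeStatement/>
  </saml2:Assertion>
XML

# Same assertion after one attribute has been mapped (the workaround found above).
MAPPED_STATEMENT_XML = EMPTY_STATEMENT_XML.sub(
  '<saml2:AttributeStatement/>',
  '<saml2:AttributeStatement><saml2:Attribute Name="email">' \
  '<saml2:AttributeValue>user@example.test</saml2:AttributeValue>' \
  '</saml2:Attribute></saml2:AttributeStatement>'
)

if $PROGRAM_NAME == __FILE__
  double_encoded = CGI.escape(Base64.encode64(EMPTY_STATEMENT_XML))
  puts attribute_statement_findings(decode_saml_payload(double_encoded))
end
```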

@NathanZookCH
Author

@pitbulk I can accept that AWS is violating the SAML standard. They are also double-encoding their data, which also causes problems. What I find difficult to accept is a situation where a major use case of the gem is going to fail unless adjustments are made, and there is no documentation of this fact. If you want to be strict with the spec, I can totally support that, but please have pity on the poor user who wants to use this gem specifically because they don't want to have to become an expert on SAML or SAML implementations. A clear mention in the documentation, along with the workaround I found, is going to save such a user quite a bit of time and effort.
