[BUG] SAML LogoutResponse InResponseTo validation is not working #331
Comments
First of all: the issue reporter referenced the codebase via this link:
which becomes obsolete once the content of that file at
Evidence suggests that you debugged the code path related to your SP's SingleLogoutService HTTP-POST binding.
You did not rule out any solutions, so have you tried the HTTP-Redirect binding? Based on a quick look at the codebase (lines 866 to 868 in e691ccf),
InResponseTo is validated for LogoutResponse messages if those arrive via the HTTP-Redirect binding (lines 952 to 964 in e691ccf).
FYI: You might have better luck with SLO over the HTTP-Redirect binding under other circumstances (depending on your IdP's and your SP's domains and how your IdP propagates SLOs). This FYI relates to how modern browsers handle session-related cookies (in case your implementation depends on cookies during SLO scenarios; it should not depend on those, but if ....); see node-saml/passport-saml#419 for background information.
It also seems that it (InResponseTo validation of a LogoutResponse sent to the SP via the HTTP-POST binding) might have worked at some point in time, or not, or it might have become broken after some version update, or not. The author of the following issue has not left any other traces of versions except the timestamps of the issue report: node-saml/passport-saml#438. The timestamp suggests that the problem was spotted prior to the split of core SAML functionality to
Thanks for your reply!
@eerohakio, if this issue no longer applies, feel free to close it.
Correct me if I'm wrong, but it seems that SAML LogoutResponse InResponseTo validation is not working.
When going through the code, this one was particularly interesting: https://github.com/node-saml/node-saml/blob/master/src/saml.ts#L698
It seems that InResponseTo is always taken from Response rather than LogoutResponse when the message is of LogoutResponse type.
All the test cases/static mocks are made with only the Response format, without any tests that exercise LogoutResponse validation.
Is there a way to overcome this issue with LogoutResponses?
Example from SAML official bindings
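The two lookups below, as an added example that is not node-saml's code and not part of the original report, show the failure mode described above (InResponseTo read only from a samlp:Response root, so a samlp:LogoutResponse yields nothing and the check is skipped) next to a root-aware lookup and a cache check that applies to both message types. It is written against the Python standard library so it runs without dependencies; the sample messages, the shape of the outstanding-request cache, and the policy of rejecting a missing or unknown InResponseTo and consuming each ID once are assumptions made for the example.

```python
"""Reading InResponseTo from either samlp:Response or samlp:LogoutResponse."""
from typing import Dict, Optional
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
RESPONSE_TAG = "{%s}Response" % SAMLP
LOGOUT_RESPONSE_TAG = "{%s}LogoutResponse" % SAMLP

# Which SP-issued request each protocol response answers (SAML 2.0 Core).
EXPECTED_REQUEST_KIND = {
    RESPONSE_TAG: "AuthnRequest",
    LOGOUT_RESPONSE_TAG: "LogoutRequest",
}


def in_response_to_response_only(xml_text: str) -> Optional[str]:
    """The failure mode described in the issue: InResponseTo is read only from a
    samlp:Response root. A LogoutResponse therefore yields None, and a caller
    that treats None as 'nothing to check' silently skips validation."""
    root = ET.fromstring(xml_text)
    if root.tag == RESPONSE_TAG:
        return root.get("InResponseTo")
    return None


def in_response_to(xml_text: str) -> Optional[str]:
    """Read InResponseTo from whichever protocol response is at the root."""
    root = ET.fromstring(xml_text)
    if root.tag not in EXPECTED_REQUEST_KIND:
        raise ValueError("unexpected root element %s" % root.tag)
    return root.get("InResponseTo")


def validate_in_response_to(xml_text: str, outstanding: Dict[str, str]) -> str:
    """Match a Response or LogoutResponse against the SP's cache of outstanding
    request IDs. `outstanding` maps request ID -> kind of request the SP sent
    ("AuthnRequest" or "LogoutRequest"). On success the ID is removed from the
    cache so the same message cannot be replayed, and the ID is returned.
    Policy chosen for this example (an assumption, not node-saml's behaviour):
    a missing or unknown InResponseTo is rejected, and the message type must
    match the kind of request it claims to answer."""
    root = ET.fromstring(xml_text)
    expected = EXPECTED_REQUEST_KIND.get(root.tag)
    if expected is None:
        raise ValueError("unexpected root element %s" % root.tag)
    request_id = root.get("InResponseTo")
    if not request_id:
        raise ValueError("unsolicited %s: InResponseTo is missing" % root.tag)
    if outstanding.get(request_id) != expected:
        raise ValueError("InResponseTo %r does not match an outstanding %s"
                         % (request_id, expected))
    del outstanding[request_id]  # one-time use: consume the ID
    return request_id


def is_rejected(xml_text: str, outstanding: Dict[str, str]) -> bool:
    """True when validate_in_response_to refuses the message (helper for checks)."""
    try:
        validate_in_response_to(xml_text, outstanding)
    except ValueError:
        return True
    return False


# Constructed sample messages (not captured from a real IdP). Signatures are
# omitted; a real SP verifies the signature before trusting any attribute.
LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_lr1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z"
    Destination="https://sp.example.com/saml/logout" InResponseTo="_logoutreq1">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""

UNSOLICITED_LOGOUT_RESPONSE = LOGOUT_RESPONSE.replace(' InResponseTo="_logoutreq1"', "")

AUTHN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z"
    Destination="https://sp.example.com/saml/acs" InResponseTo="_authnreq1">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""


if __name__ == "__main__":
    cache = {"_authnreq1": "AuthnRequest", "_logoutreq1": "LogoutRequest"}
    print("Response-only lookup on LogoutResponse:", in_response_to_response_only(LOGOUT_RESPONSE))
    print("Root-aware lookup on LogoutResponse:   ", in_response_to(LOGOUT_RESPONSE))
    print("validated:", validate_in_response_to(LOGOUT_RESPONSE, cache))
    for label, msg in [("replay", LOGOUT_RESPONSE), ("unsolicited", UNSOLICITED_LOGOUT_RESPONSE)]:
        print("rejected (%s): %s" % (label, is_rejected(msg, cache)))
```

The lookup is the same whichever binding delivered the message: with HTTP-Redirect the LogoutResponse arrives deflated and base64-encoded in the SAMLResponse query parameter, with HTTP-POST base64-encoded in a form field, so decode first, verify the signature, then apply the check to the decoded XML. The point the first function makes is that a lookup keyed on the Response element returns nothing for a LogoutResponse; any code path that reads that as "no InResponseTo to check" accepts an unsolicited or replayed LogoutResponse for an SP-initiated logout.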