Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authn request - AssertionConsumerServiceUrl should be accompanied by ProtocolBinding #1088

Open
lscorcia opened this issue May 1, 2019 · 3 comments
Open

Authn request - AssertionConsumerServiceUrl should be accompanied by ProtocolBinding #1088

lscorcia opened this issue May 1, 2019 · 3 comments
Labels
enhancement

Comments

@lscorcia
Copy link

lscorcia commented May 1, 2019
edited
Loading

Information needed

  1. What nuget packages are you using
    Plain SampleHttpModuleApplication from the latest github repository. I'm testing the SP application, configured to connect to my organization IDP provider. IDP config is explicitly set via web.config and not read from remote metadata.

  2. What is the expected behaviour
    During authentication on the IDP side, my IDP provider should accept the Authentication request.

  3. What happens instead.
    My IDP refuses the SAML Authentication request because the library populates the AssertionConsumerServiceURL attribute but does not populate the ProtocolBinding attribute. While not explicitly mandated by the SAML standard, §3.4.1 (lines 2061+) of the SAML standard saml-core-2.0-os says:

AssertionConsumerServiceURL [Optional]
...
This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute.

In fact, the IDP has no way to know which binding it should use for the response message.

Possible solution

Some configuration setting should be added to specify the available assertion consumer services and their bindings, with an option to specify which one is the default to be set in the AuthnRequest.

Additional info

Please include

  • .Net Framework your application is compiled against (e.g. net472, netcoreap2.1)
    Framework 4.7 as per the default of the sample application.

  • .Net Framework installed. This might be different than above. You can compile with net452, but have 4.7.2 installed.
    Framework 4.7.2 is installed.

  • Version of Asp.Net MVC / Asp.NET Core used.
    Version used by the sample application.

Thanks for your help
@maxpowernz
Copy link

maxpowernz commented Nov 30, 2020
edited
Loading

I fixed it by modifying Saml2AuthenticationRequest.cs in ns Sustainsys.Saml2.Saml2P

//x.AddAttributeIfNotNullOrEmpty("AssertionConsumerServiceURL", AssertionConsumerServiceUrl); x.AddAttributeIfNotNullOrEmpty("AssertionConsumerServiceIndex", 0);

is there a better way than having to alter the source?

@MarcusNilsson-RS
Copy link

In a project only consuming Nuget package, you can use this in your Startup.ConfigureServices

options.Notifications.AuthenticationRequestCreated = (request, provider, dictionary) =>
{
    if (request.Binding == null)
    {
        request.Binding = Saml2BindingType.HttpPost;
    }
};

@pakomp
Copy link

pakomp commented Aug 18, 2021

I'm having problems with our IDP ignoring the AssertionConsumerServiceURL value, which I think might be because of the missing ProtocolBinding part.
I have opened a issue on their end FusionAuth, but so far having heard anything back, so thought I'd let you guys know that the missing ProtocolBinding might be causing issues for multiple IDPs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pakomp @AndersAbel @lscorcia @maxpowernz @MarcusNilsson-RS