Changes based on integrating with ADFS, Azure, and PingOne #7
base: master
Commits on Nov 19, 2015
- 6d5e7e4 AuthnRequest: don't create 'signature' tag in request if disabled
  Due to the way these elements were declared, building a request with no signature still sends the empty tags: ... To keep the request small and for better compatibility, suppress them altogether with unsigned requests.
- 5b91e34
  They were defining a prefix which was already defined in the scope of their definition, and it seems encoding/xml isn't clever enough to know that it doesn't need to emit them in that case. Remove them.
- 6e5fbf2
- 8eb3a7d Use persistent, not transient Name IDs
  This may or may not be required for our use case. Slack sets this to persistent in their implementation and I was changing things I could see.
- 263a125 Don't send hi-resolution issue instants
  Azure thinks dateTime values with nanosecond precision are not protocol compliant. http://www.w3.org/TR/xmlschema-2/#dateTime - Azure is wrong. It's OK, there's an ID in there anyway to resolve ambiguity.
Commits on Dec 2, 2015
- 1257662 SAML Response: parse out the SessionIndex
  This value is required in order to implement logout; parse it.
- c249968 Permit setting of 'ForceAuthn' in AuthnRequest
  Setting this field to the string "true" will force the identity provider (with the power of MUST) to authenticate the presenter directly rather than rely on a previous security context.
Commits on Dec 6, 2015
- 5f34f36
  The type changed in order to support unsigned requests, but the test was not updated.
- 07a7a6a Add a 'ParseDecodedString' Response constructor
  Callers may want to store the decoded XML, so allow them to do the base64 decoding and pass in the XML string. This is needed in order to set the 'originalString' method for validation.
- 25b974a Allow XML Signatures in one more location on responses
  The XML Signature standard is designed to be a standard that is re-usable by other standards, and it's up to those other standards how they bind it into their own messages. In SAML, the binding allows signatures to appear in a number of different places. XML Signatures can't assume anything about the document structure of the standard they are used with, so instead they use references to specify which part of the document the signature applies to. A given directory may be consistent about which node it signs, and the previous implementation was coded to assume the signature appears on the root element. However, with Azure the "Assertion" block is the signed part. Update the implementation to delegate responsibility for which node to pass to "xmlsec" for signature verification to a response method, and add a basic implementation which supports ID referencing.
Commits on Dec 7, 2015
- 22fc0a7
  Especially not with spaces. Eww. What a waste of space.
- 032c321
- a9e951e AuthnRequest protocol compliance fix
  Some implementations might accept XML elements at a particular level in any order, but due to the design of XML Schema, typically only one ordering is valid. Azure rejects requests with the signature in the wrong place. Fix this and another minor compliance issue (capitalization of an attribute not matching the spec).
- 4437955 Reverse an earlier protocol change
  Looks like I was mistaken; it's ID on the SAML specs, but Id on the XML Signature spec.
Commits on Dec 8, 2015
- 4482c55 Compliance fix in XML Signature boilerplate, use SHA-256
  ADFS fails with 'ID6027: Enveloped Signature Transform cannot be the last transform in the chain. The last transform must compute the digest which Enveloped Signature transform is not capable of.' The signature block in requests is now essentially identical to the one returned by Azure and ADFS.
Commits on Dec 9, 2015
- a561308 AuthnRequest: set Destination for signed requests
  From [SAMLCore], §3.2.1:

    Destination [Optional]
    A URI reference indicating the address to which this request has been sent. This is useful to prevent malicious forwarding of requests to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the request MUST be discarded. Some protocol bindings may require the use of this attribute (see [SAMLBind]).

  In the SAML Bindings spec, §3.4.5.2 we find:

    Security Considerations
    The presence of the user agent intermediary means that the requester and responder cannot rely on the transport layer for end-end authentication, integrity and confidentiality. URL-encoded messages MAY be signed to provide origin authentication and integrity if the encoding method specifies a means for signing. If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.

  i.e., this URL is here to prevent someone from taking a login request for one IdP and using it for a different IdP.
Commits on Dec 10, 2015
- 8ab58f4 Allow AuthnRequests without name ID policy, auth context
  These elements are not required by the standard, and some directory servers will refuse requests with them set. Change their types to be pointers so that they can be omitted.
Commits on Dec 12, 2015
- 663d4f4 Add (limited) support for encrypted response assertions
  It's possible to encrypt SAML response assertions; this was primarily useful in the era where it ran over non-encrypted endpoints, and is still useful if there is some information in the assertions which you don't want the user to be able to access using tools such as Firefox SAML Tracer. Being an OASIS standard, there are of course several ways this can be arranged with relation to signatures: the assertions can be signed and then encrypted, or the assertions can be encrypted and the whole message signed. This implementation allows for Assertion nodes to appear under EncryptedAssertion, which is the form that 'xmlsec1' expects and returns the plaintext versions, even though it doesn't conform to the XML schema. Callers should take utmost care to keep track of which sections have been validated and which haven't when regarding assertions as authoritative.
- c097a17
  These lines are a poor substitute for real exception logging, but carry it on for now.
Commits on Dec 16, 2015
- b671544
  The code was still depending on the original library for utils etc; use the ones in this fork instead.
- 7947faf
- 0ae90e1
  Some directory servers require an explicit logout (especially if they don't honor the 'ForceAuthn' flag on AuthnRequest). Add support for this, including signing.
Commits on Jan 13, 2016
- 661c9fa
  Switching these URLs was necessary for using our branch, but now that the branch is being submitted for upstream inclusion, they should be returned to their original fork.
Commits on Mar 29, 2016
- 6ccbdcc Add some XML bindings for Metadata
  SAML configuration information is exchanged in this format; add support for reading and writing it.
  Sam Vilain committed Mar 29, 2016
- a218cc0
Commits on Jan 16, 2020
- b86f185 PA-22319: Created unit tests and add additional validation for signature on response, assertion and encryptedassertion (#3)
  Alex Valenzuela committed Jan 16, 2020
Commits on Oct 25, 2021
- 9b443e1
- bddad8f Merge pull request #6 from parsable/ADMIN-2247-gitleaks-allowed-list
  ADMIN-2247 - gitleaks allowed list
Commits on Nov 13, 2023
- fd8310a
- 93bb449
Commits on Nov 14, 2023
- 06bf1c9
Commits on Nov 15, 2023
- be602a8
- c137aa2 Merge pull request #7 from parsable/infra-2677-buid-gha-pipeline
  INFRA-2677: GHA pipeline
- 5001401
- 715e1ba Merge pull request #8 from parsable/infra-2677-build-gha-pipeline
  INFRA-2677: fix build publish workflow