fix(request): add protocol binding to auth message (#104)

Allow the protocol binding to be supplied to the authn messsage request
to work with IdPs that only support one kind of protocol such as Entra.
This continues to default to HTTP-Redirect so it is not a breaking
change to the library.

Release as version 4.1.0

Author: edpaget

VERSION.txt

@@ -1 +1 @@
-4.0.0
+4.1.0

docker-compose.yml

@@ -25,6 +25,7 @@ services:
       - 3001:3001
     volumes:
       - ./src:/app/src
+      - ./test:/app/test
       - ./e2e:/app/e2e
 
   selenium:

src/saml20_clj/sp/request.clj

@@ -26,6 +26,14 @@
 
 (def ^:private -sig-alg "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
 
+(defn- keyword->protocol-binding
+  [binding-kw]
+  (condp = binding-kw
+    :post SAMLConstants/SAML2_POST_BINDING_URI
+    :redirect SAMLConstants/SAML2_REDIRECT_BINDING_URI
+    (throw (ex-info "Unsupported protocol binding argument" {:arg binding-kw
+                                                             :allowed [:redirect :post]}))))
+
 (defn- setup-message-context
   [message credential sig-alg idp-url]
   (let [msgctx (doto (MessageContext.) (.setMessage message))]
@@ -49,12 +57,12 @@
     msgctx))
 
 (defn- build-authn-obj
-  ^AuthnRequest [request-id instant sp-name idp-url acs-url issuer]
+  ^AuthnRequest [request-id instant sp-name idp-url acs-url issuer protocol-binding]
   (doto (.buildObject (AuthnRequestBuilder.))
     (.setID request-id)
     (.setIssueInstant instant)
     (.setDestination idp-url)
-    (.setProtocolBinding SAMLConstants/SAML2_REDIRECT_BINDING_URI)
+    (.setProtocolBinding (keyword->protocol-binding protocol-binding))
     (.setIsPassive false)
     (.setProviderName sp-name)
     (.setAssertionConsumerServiceURL acs-url)
@@ -73,8 +81,9 @@
                    state-manager
                    credential
                    sig-alg
-                   instant]
-  (let [request (build-authn-obj request-id instant sp-name idp-url acs-url issuer)]
+                   instant
+                   protocol-binding]
+  (let [request (build-authn-obj request-id instant sp-name idp-url acs-url issuer protocol-binding)]
     (when state-manager
       (state/record-request! state-manager (.getID request)))
     (setup-message-context request credential sig-alg idp-url)))
@@ -143,14 +152,18 @@
            sig-alg
            ;; relay-state argument that will be returned by the provider
            relay-state
+           ;; protocol binding specifying if IdP should use HTTP-Post or HTTP-Redirect to respond
+           protocol-binding
            instant]
     :or   {instant (t/instant)
            request-id (random-request-id)
-           sig-alg -sig-alg}}]
+           sig-alg -sig-alg
+           protocol-binding :redirect}}]
   (assert (non-blank-string? acs-url) "acs-url is required")
   (assert (non-blank-string? idp-url) "idp-url is required")
   (assert (non-blank-string? sp-name) "sp-name is required")
   (assert (non-blank-string? issuer) "issuer is required")
+  (assert (keyword? protocol-binding) "protocol binding must be a keyword")
   (redirect-response (authn-request request-id
                                     sp-name
                                     acs-url
@@ -159,7 +172,8 @@
                                     state-manager
                                     credential
                                     sig-alg
-                                    instant)
+                                    instant
+                                    protocol-binding)
                      relay-state))
 
 (defn idp-logout-redirect-response

test/saml20_clj/sp/request_test.clj

@@ -69,6 +69,40 @@
                              "tPvTgWDbY7Io5ENEElvsa8eJziZz3TYtFJa1AUDtO2c6BQX627"
                              "LA7Y0gCvhj035rxJZPPh8ucdTCjNA0roYFpdlQiKQZnUJmJgX2"
                              "QvB9Zr7WTIEPXMNkb%2B0%3D")}}
+               (request/idp-redirect-response request)))))
+    (testing "with a signature and http post binding"
+      (let [request {:request-id      "ONELOGIN_809707f0030a5d00620c9d9df97f627afe9dcc24"
+                     :sp-name         "SP test"
+                     :acs-url         "http://sp.example.com/demo1/index.php?acs"
+                     :idp-url         "http://idp.example.com/SSOService.php"
+                     :issuer          "http://sp.example.com/demo1/metadata.php"
+                     :credential      test/sp-private-key
+                     :relay-state     target-uri
+                     :protocl-binding :post}]
+        (is (= {:status 302,
+                :body "",
+                :headers
+                {"Cache-control" "no-cache, no-store"
+                 "Pragma" "no-cache"
+                 "location" (str "http://idp.example.com/SSOService.php?SAMLRequest="
+                                 "fVLLbtswEPwVgndJFPNwRFg2nLppDbi2YDk59FIw5KomIJEqlz"
+                                 "Lcv4%2BsKEFyiK%2B7OzuzMzudn5qaHMGjcTanacwoAaucNvZv"
+                                 "Th%2F3D9Ednc%2BmKJuat2LRhYPdwb8OMJAeaFG8dnLaeSucRI"
+                                 "PCygZQBCXKxa%2B14DETrXfBKVdTskAEH3qqb85i14AvwR%2BN"
+                                 "gsfdOqeHEFqRJNjGcJJNW0OsXJNoaFyaGKvhFLeHdi4VUrLsBR"
+                                 "grwyB6xBn9GViW23H7GUfJapnT7eb7evtjtflzx7IJm1SMXTF5"
+                                 "oxm75UxlOtNVNqlu%2BURWkGml%2BHUPw0IimiPktJI1wrmCHa"
+                                 "wsBmlDTjnjLGJZxK%2F3nIubVDAWM8Z%2BU1KMZ9%2F34gc7L3"
+                                 "n0%2FDqE4ud%2BX0Q70MaDCsOSo9HgNz0ip2VBQn86JU9vifVY"
+                                 "OuYjBmH%2BYzCXOeVbGnR2yfsGgtQyyLON0%2BQj1ftjnNWtlo"
+                                 "WrjfpPHpxvZPiaOo3ToWJ0VA2jorPYgjKVAU2T2cjx%2Bd1mLw"
+                                 "%3D%3D&RelayState=http%3A%2F%2Fsp.example.com%2Fde"
+                                 "mo1%2Findex.php%3Facs&SigAlg=http%3A%2F%2Fwww.w3.o"
+                                 "rg%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=KJSj"
+                                 "oD6Mg7OH%2F2pCd6qEDmqSxqWZqOmBePLC5RemNjmLE2ElfnO0"
+                                 "tPvTgWDbY7Io5ENEElvsa8eJziZz3TYtFJa1AUDtO2c6BQX627"
+                                 "LA7Y0gCvhj035rxJZPPh8ucdTCjNA0roYFpdlQiKQZnUJmJgX2"
+                                 "QvB9Zr7WTIEPXMNkb%2B0%3D")}}
                (request/idp-redirect-response request)))))))
 
 (deftest idp-logout-redirect-response-test