Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generic metadata, not tied to an IdP #176

Open
JEphron opened this issue Jan 7, 2020 · 4 comments
Open

Generic metadata, not tied to an IdP #176

JEphron opened this issue Jan 7, 2020 · 4 comments
Labels
informative question resolved

Comments

@JEphron
Copy link
Contributor

JEphron commented Jan 7, 2020

Consider a situation where python3-saml is being used to service many SAML-enabled users across multiple IdPs. As the library requires a complete Settings object to generate the metadata, every organization with an IdP configuration needs their own distinct metadata endpoint (possibly distinguished by just a query parameter, but still we need to load up their IdP configuration before we can return the metadata). Is this a fundamental restriction of SAML, or could this library support a "one-size-fits-all" metadata endpoint to be shared by customers regardless of their IdP?
@pitbulk
Copy link
Contributor

pitbulk commented Jan 7, 2020

There are ways to handle the approach of 1 unique SP serving multiple IdPs.

  1. Discover IdP by a Parameter. The SP endpoints will have an extra parameter 'idp' with a number that identifies the registered IdP, so when a SP receive a SAMLResponse at the ACS URL, it will get the idp parameter, retrieve the idp metadata, build the settings and then process the SAMLResponse

  2. Read the Issuer from the SAMLResponse and see if it matches a registered IdP Entity ID.
    That method, in my opinion, is worst, but also does the trick.

@JEphron
Copy link
Contributor Author

JEphron commented Jan 7, 2020

Sure, those are reasonable options for the auth endpoints. I'm asking specifically about the metadata endpoint. Do you 100% need the IdP configuration in order to generate the metadata?

@coler-j
Copy link

coler-j commented Sep 9, 2021

Read the Issuer from the SAMLResponse and see if it matches a registered IdP Entity ID.
That method, in my opinion, is worst, but also does the trick.

@pitbulk resurrecting old issue, but why do you think this is the worst way to do things? I am just looking at implementing this at the moment. Just wondering what the pitfalls were. I have a recollection of some IdPs not having different Issuer URIs across tenants (maybe WS-Federation?)... but have not gotten that far yet.

@pitbulk
Copy link
Contributor

pitbulk commented Sep 9, 2021

Method 2 will require you to:

  1. Inspect the SAMLResponse first in order to extract the Audience value element.
  2. Loop over all the registered IdP settings and verify that one matches such Audience value.

In addition, you will need to implement something in order to avoid tenant A registering the IdP Entity ID of tenant B in order to try to impersonate it. Is important to isolate properly tenants, see for example this severe bug Office 365 experienced:
https://bratec.si/security/2016/04/27/road-to-hell-paved-with-saml-assertions.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
informative question resolved
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pitbulk @JEphron @coler-j