Query string not preserved in SAML HTTP Redirect binding

We use the Spring SAML Security Extension to implement SAML in our application. We now have the following problem:

One of our customers is providing a URL for their identity provider that contains a parameter. The metadata looks like this (heavily abbreviated for brevity):

<EntityDescriptor>
  <IDPSSODescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/login?parameter=value"/>
  </IDPSSODescriptor>
</EntityDescriptor>

As can be seen, there is a parameter named "parameter" with a value "value". This parameter is not present in the generated redirect URL. I debugged a bit and found out that SAMLProcessorImpl gets the MessageEncoder from the binding (which is HTTPRedirectDeflateEncoder for HTTP redirect) and delegates encoding the message. The encoder in turn does the following in its buildRedirectURL method:

// endpointURL is https://idp.example.com/login?parameter=value here
// (URLBuilder and Pair are OpenSAML 2 utility classes)
URLBuilder urlBuilder = new URLBuilder(endpointURL);

List<Pair<String, String>> queryParams = urlBuilder.getQueryParams();
queryParams.clear(); // whoops - everything from the endpoint's query string is discarded before the SAML parameters are added

So for some reason, the parameters are stripped intentionally and unconditionally.

Why is this the case and how can I fix this in the most efficient way?

musiKk asked Jun 30 '15 08:06



1 Answer

A SAML Authentication Request should only be sent by trusted entities and with parameters which cannot be tampered with. Adding a parameter in addition to the SAMLAuthnRequest encoded according to the HTTP-Redirect binding will mean that a potential attacker can change the value as he/she pleases and the IDP will not be able to detect such a change, as the parameter will not be covered by the digital signature.

SAML provides a mechanism for delivery of secured content in addition to the request itself, called relayState, and you can set it using WebSSOProfileOptions of Spring SAML.

The above is the reason the parameters are cleared (at least I believe so; this logic comes from the OpenSAML library, which was not written by me), but of course in case you don't mind the security implications, the approach you found is just fine.

Vladimír Schäfer answered Oct 12 '22 20:10

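The following is an added example, not code from the question, the answer, Spring SAML or OpenSAML. It models the HTTP-Redirect binding's query string as the bindings specification defines it (DEFLATE + base64 of the request, then a signature over the URL-encoded SAMLRequest, RelayState and SigAlg fields) so that the point of the answer can be checked directly: a parameter carried over from the endpoint URL lies outside the signed bytes, while a value placed in RelayState is covered. One assumption, labelled in the code: an HMAC-SHA256 with a constructed shared key stands in for the RSA signature the real binding uses, so the script runs with the standard library only. The AuthnRequest, key and URLs are constructed sample values; `keep_endpoint_params` is a switch of this model, not an OpenSAML or Spring SAML option.

```python
"""Model of the SAML 2.0 HTTP-Redirect binding's signed query string.

Added example, not code from the question, the answer, Spring SAML or OpenSAML.
Assumption: HMAC-SHA256 with a shared key stands in for the RSA signature of the
real binding, so this runs offline with the standard library only.
"""
import base64
import hashlib
import hmac
import zlib
from typing import List, Optional
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Constructed sample input: a minimal AuthnRequest and a demo key standing in
# for the SP's signing key. Neither comes from the page.
SAMPLE_AUTHN_REQUEST = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                        b'ID="_constructed-id" Version="2.0" IssueInstant="2015-06-30T08:06:00Z"/>')
SAMPLE_KEY = b"constructed-demo-key"
# Real SigAlg URI of the binding; here it only labels the HMAC stand-in.
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SIGNED_FIELDS = ("SAMLRequest", "RelayState", "SigAlg")


def deflate_b64(xml: bytes) -> str:
    """Redirect binding encoding of the message: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode("ascii")


def signed_string(saml_request_b64: str, relay_state: Optional[str]) -> str:
    """Signature input per SAML Bindings 3.4.4.1: URL-encoded SAMLRequest, then
    RelayState (only if present), then SigAlg, in exactly that order."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", SIG_ALG))
    return urlencode(parts, quote_via=quote)


def sign(data: str, key: bytes) -> str:
    """HMAC stand-in for the RSA signature (assumption of this model)."""
    return base64.b64encode(hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()).decode("ascii")


def build_redirect_url(endpoint: str, authn_request: bytes, relay_state: Optional[str],
                       key: bytes, keep_endpoint_params: bool = False) -> str:
    """SP side. With keep_endpoint_params=False this mirrors the queryParams.clear()
    seen in OpenSAML: whatever the endpoint URL carried in its query string is dropped.
    With True the endpoint's parameters are prepended, unsigned, as the question's poster wanted."""
    scheme, netloc, path, query, fragment = urlsplit(endpoint)
    extra = parse_qsl(query, keep_blank_values=True) if keep_endpoint_params else []
    base = signed_string(deflate_b64(authn_request), relay_state)
    full = base + "&" + urlencode([("Signature", sign(base, key))], quote_via=quote)
    if extra:
        full = urlencode(extra, quote_via=quote) + "&" + full
    return urlunsplit((scheme, netloc, path, full, fragment))


def verify_redirect_url(url: str, key: bytes) -> bool:
    """IdP side. The signature is recomputed over the signed fields only; any other
    query parameter is simply not part of what is checked."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "SAMLRequest" not in q or "Signature" not in q:
        return False
    expected = sign(signed_string(q["SAMLRequest"], q.get("RelayState")), key)
    return hmac.compare_digest(expected, q["Signature"])


def unsigned_query_params(url: str) -> List[str]:
    """Names of query parameters that the binding's signature does not cover.
    A non-empty result is the audit finding the answer warns about."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return [n for n in names if n not in SIGNED_FIELDS and n != "Signature"]


def with_param_changed(url: str, name: str, new_value: str) -> str:
    """Return the same URL with one query parameter's value replaced and the
    signature left untouched, to show which changes the IdP-side check detects."""
    scheme, netloc, path, query, fragment = urlsplit(url)
    pairs = [(k, new_value if k == name else v) for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlunsplit((scheme, netloc, path, urlencode(pairs, quote_via=quote), fragment))


if __name__ == "__main__":
    endpoint = "https://idp.example.com/login?parameter=value"  # constructed, as in the question
    url = build_redirect_url(endpoint, SAMPLE_AUTHN_REQUEST, "return=/app/home", SAMPLE_KEY,
                             keep_endpoint_params=True)
    print("verifies:", verify_redirect_url(url, SAMPLE_KEY))
    print("unsigned params:", unsigned_query_params(url))
    print("endpoint param changed, still verifies:",
          verify_redirect_url(with_param_changed(url, "parameter", "other"), SAMPLE_KEY))
    print("RelayState changed, still verifies:",
          verify_redirect_url(with_param_changed(url, "RelayState", "return=/elsewhere"), SAMPLE_KEY))
```

`unsigned_query_params` is the check to run against an SP's generated redirect URLs after any customisation of the encoder: the binding's verifier only ever recomputes the signature over SAMLRequest, RelayState and SigAlg, so every other name the function returns is a value the IdP receives without integrity protection. Moving such a value into RelayState (via WebSSOProfileOptions in Spring SAML, as the answer says) puts it inside the signed string, which is what the last two prints contrast.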