
Missing saml:AuthnStatement from Response should raise error

Open peppelinux opened this issue 4 years ago • 1 comments

A normal SAML2 Response would have a clear AuthnStatement like the following example

        <saml:AuthnStatement AuthnInstant="2021-01-24T13:41:04Z" SessionIndex="_dc2ad814-cb14-40d3-8e7f-d823193fd6a2">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>

A pySAML2 SP with a Response with an unvalued AuthnStatement:

        <saml:AuthnStatement AuthnInstant="2021-01-24T13:43:22Z" SessionIndex="_af1a9ca2-8279-4c6b-8442-1bd6dfd66617">
        </saml:AuthnStatement>

makes the authentication flow work on the SP side; this would be prevented.

With this, otherwise, we have an exception (quite good):

        <!-- no AuthnStatement at all! -->

exception

ValueError: Invalid number of AuthnStatement found in Response: 0

peppelinux avatar Jan 24 '21 13:01 peppelinux

Let's differentiate between things; we have (at least) the following:

  • Per the core specification (line 628):

2.3.3 Element <Assertion>

... Zero or more of the following statement elements: ...

<AuthnStatement>

An authentication statement. ...

and the related .xsd (line 669):

<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
  <sequence>
    <element ref="saml:Issuer"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="saml:Subject" minOccurs="0"/>
    <element ref="saml:Conditions" minOccurs="0"/>
    <element ref="saml:Advice" minOccurs="0"/>
    <choice minOccurs="0" maxOccurs="unbounded">          *** zero or more
      <element ref="saml:Statement"/>
      <element ref="saml:AuthnStatement"/>                *** of type saml:AuthnStatement
      <element ref="saml:AuthzDecisionStatement"/>
      <element ref="saml:AttributeStatement"/>
    </choice>
  </sequence>
  <attribute name="Version" type="string" use="required"/>
  <attribute name="ID" type="ID" use="required"/>
  <attribute name="IssueInstant" type="dateTime" use="required"/>
</complexType>

  • Per the SSO specification (line 627):

4.1.4.2 <Response> Usage

... The set of one or more bearer assertions MUST contain at least one <AuthnStatement> that reflects the authentication of the principal to the identity provider. Multiple <AuthnStatement> elements MAY be included, but the semantics of multiple statements is not defined by this profile.

  • Per saml2int:

Response Content

[SDP-IDP10] Successful responses MUST contain exactly one SAML assertion. The assertion MUST contain exactly one <saml:AuthnStatement> element and MUST contain zero or one <saml:AttributeStatement> elements. The assertion within the response MAY be directly signed.

Even though the core spec is loose and allows the AuthnStatement to be missing, I think in practice it should always be there. So, this should be fixed.

c00kiemon5ter avatar May 17 '22 11:05 c00kiemon5ter
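The check the two posts above argue for, written out as an added example (this is not pysaml2 code and not the maintainers' patch). It applies the quoted [SDP-IDP10] and 4.1.4.2 rules to a parsed Response: exactly one Assertion, exactly one AuthnStatement, and that statement must carry an AuthnContext (required by the core schema) with a non-empty AuthnContextClassRef (what the "normal" Response in the issue shows). It assumes signature verification and decryption have already happened, and the three sample Responses, the function name `check_authn_statement` and the `idp.example.org` issuer are constructed for this example.

```python
"""Added example, not pysaml2 code: structural AuthnStatement checks on a
SAML Response. Assumes the Response was already signature-verified and
decrypted; only the structure is inspected here."""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def check_authn_statement(response_xml: str) -> List[str]:
    """Return the list of problems found; an empty list means the Response
    satisfies the rules quoted in the thread:
      - exactly one saml:Assertion                  (SDP-IDP10)
      - exactly one saml:AuthnStatement             (SDP-IDP10, 4.1.4.2)
      - the statement has an AuthnContext (core schema) whose
        AuthnContextClassRef is non-empty (stricter, saml2int-style choice)
    The core-spec allowance of zero statements is deliberately not honoured;
    that is exactly the behaviour change the issue asks for."""
    problems: List[str] = []
    root = ET.fromstring(response_xml)

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"Invalid number of Assertion found in Response: {len(assertions)}")
        return problems

    statements = assertions[0].findall("saml:AuthnStatement", NS)
    if len(statements) != 1:
        problems.append(f"Invalid number of AuthnStatement found in Response: {len(statements)}")
        return problems

    stmt = statements[0]
    if not stmt.get("AuthnInstant"):
        problems.append("AuthnStatement is missing the required AuthnInstant attribute")

    # An "unvalued" AuthnStatement (the second case in the issue) has no
    # AuthnContext at all, so it says nothing about how the user authenticated.
    ctx = stmt.find("saml:AuthnContext", NS)
    if ctx is None:
        problems.append("AuthnStatement has no AuthnContext element")
    else:
        class_ref = ctx.find("saml:AuthnContextClassRef", NS)
        if class_ref is None or not (class_ref.text or "").strip():
            problems.append("AuthnContext has no usable AuthnContextClassRef")
    return problems


def _response(assertion_body: str) -> str:
    """Wrap a constructed assertion body in a minimal samlp:Response."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_r1" Version="2.0" IssueInstant="2021-01-24T13:41:04Z">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-24T13:41:04Z">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        f"{assertion_body}"
        "</saml:Assertion></samlp:Response>"
    )


# Constructed samples mirroring the three cases described in the issue.
GOOD_RESPONSE = _response(
    '<saml:AuthnStatement AuthnInstant="2021-01-24T13:41:04Z" SessionIndex="_s1">'
    "<saml:AuthnContext><saml:AuthnContextClassRef>\n"
    "    urn:oasis:names:tc:SAML:2.0:ac:classes:Password\n"
    "</saml:AuthnContextClassRef></saml:AuthnContext>"
    "</saml:AuthnStatement>"
)
EMPTY_STATEMENT_RESPONSE = _response(
    '<saml:AuthnStatement AuthnInstant="2021-01-24T13:43:22Z" SessionIndex="_s2">'
    "</saml:AuthnStatement>"
)
NO_STATEMENT_RESPONSE = _response("")  # no AuthnStatement at all


if __name__ == "__main__":
    for name, xml in [("good", GOOD_RESPONSE),
                      ("empty statement", EMPTY_STATEMENT_RESPONSE),
                      ("no statement", NO_STATEMENT_RESPONSE)]:
        print(name, "->", check_authn_statement(xml) or "OK")
```

Leading and trailing whitespace inside AuthnContextClassRef is stripped before the emptiness test, so a pretty-printed Response like the first one in the issue still passes; the empty statement and the missing statement each produce one reported problem instead of silently completing the login.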