Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9851

[GSS] (7.0.z) SAML LogoutResponse includes invalid Responder status

XMLWordPrintable

    • Hide

      Reproducer notes:

      hit employee
      hit sales-post
      hit employee
      hit employe/?GLO=true

      View LogoutResponse sent from sales-post to idp:

      <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
      Destination="http://10.10.178.29:8080/auth/realms/master/protocol/saml"
      ID="ID_c3e91cee-65cb-4652-ad94-e97e69cddbda"
      InResponseTo="ID_a5aa1ad4-d131-4819-b38e-9534050fb722"
      IssueInstant="2017-03-08T17:40:13.119Z"
      Version="2.0"
      >
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sales-post/</saml:Issuer>
      <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:StatusCode>
      </samlp:Status>
      </samlp:LogoutResponse>

      Notice the "Success" tag is inside the "Responder" tag.

      expected:

      <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
      Destination="http://10.10.178.29:8080/auth/realms/master/protocol/saml"
      ID="ID_8b350147-9a1c-4192-b95a-ef20b1d72f39"
      InResponseTo="ID_91bc6671-8f07-4cee-ac8e-9fa91ff941bc"
      IssueInstant="2017-03-08T17:50:48.238Z"
      Version="2.0"
      >
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sales-post/</saml:Issuer>
      <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
      </samlp:LogoutResponse>

      Show
      Reproducer notes: hit employee hit sales-post hit employee hit employe/?GLO=true View LogoutResponse sent from sales-post to idp: <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://10.10.178.29:8080/auth/realms/master/protocol/saml" ID="ID_c3e91cee-65cb-4652-ad94-e97e69cddbda" InResponseTo="ID_a5aa1ad4-d131-4819-b38e-9534050fb722" IssueInstant="2017-03-08T17:40:13.119Z" Version="2.0" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> http://localhost:8080/sales-post/ </saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:StatusCode> </samlp:Status> </samlp:LogoutResponse> Notice the "Success" tag is inside the "Responder" tag. expected: <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://10.10.178.29:8080/auth/realms/master/protocol/saml" ID="ID_8b350147-9a1c-4192-b95a-ef20b1d72f39" InResponseTo="ID_91bc6671-8f07-4cee-ac8e-9fa91ff941bc" IssueInstant="2017-03-08T17:50:48.238Z" Version="2.0" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> http://localhost:8080/sales-post/ </saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> </samlp:LogoutResponse>
    • EAP 7.0.6

      PicketLink bug:

      Upon a logoutRequest from an identity server a logoutResponse is generated by the picketlink client with our application that contains that contains a samlp:StatusCode inside a samlp:StatusCode:

      <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:StatusCode>
      </samlp:Status>

              rhn-support-dehort Derek Horton
              rnetuka@redhat.com Radovan Netuka
              Ivo Hradek Ivo Hradek (Inactive)
              Ivo Hradek Ivo Hradek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: