Issuer not getting validated.

Hi,

I was under the impression that part of the saml response validation included issuer validation.

Our application acts as a service provider and we’ll have many identity providers. I’ve implemented a configuration resolver to load up the different configurations per IdP.

I initiate a service provider authenticate request and I get a response from the IdP; however, the PartnerIdentityProviderConfiguration name does not match the name I’m getting in the response, yet the request goes through successfully.

Is there a need to even store the issuer on my end? Is this the correct behavior? If not what am I doing wrong?

Thanks

Edit:
I had seen this thread which led me to believe the issuer is supposed to match
https://www.componentspace.com/Forums/1400/The-SAML-message-issuer-does-not-match-the-expected-issuer

The issuer should match a known identity provider. The validation of the issuer field is performed by the ISamlConfigurationResolver implementation.

ISamlConfigurationResolver.GetPartnerIdentityProviderConfigurationAsync is called with the partnerName argument set to the issuer field value. This method should return the PartnerIdentityProviderConfiguration if it exists. If it doesn’t exist, it should throw an exception.

Therefore, if you don’t recognize the partnerName (i.e. the issuer), your ISamlConfigurationResolver.GetPartnerIdentityProviderConfigurationAsync implementation should throw an exception.


Ok,

So it’s up to me to throw the exception if the partner name doesn’t match what comes back from the configuration.

I retrieve the configurations by the ID that gets passed into the route to my assertion consumer service.

This is what I do in the controller:

    await _samlServiceProvider.SetConfigurationIDAsync(configurationId);
    var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();

When SetConfigurationIDAsync is called, it looks like the partnerName is the one coming back from the IdP.
When ReceiveSsoAsync is called, it looks like the partnerName is what I have stored in the database for that partner.

So would the implementation be that if the partnerName is not null (it’s null on the SP-initiated SSO), and it doesn’t match what comes back from my own configuration, then it’s ok to throw an exception? I guess I’m a little confused about why the partnerName comes back correct when ReceiveSsoAsync is called.

Thanks!

When _samlServiceProvider.ReceiveSsoAsync() is called we need to retrieve the partner identity provider configuration so we can process the SAML response. We extract the issuer field from the SAML response and call ISamlConfigurationResolver.GetPartnerIdentityProviderConfigurationAsync passing in the configurationID, set when you called SetConfigurationIDAsync, and the issuer field as the partnerName argument.

Your implementation should use the configurationID and partnerName to lookup the corresponding configuration and return a PartnerIdentityProviderConfiguration. If the partnerName is unknown you should throw an exception.

In the default ISamlConfigurationResolver that reads the SAML configuration from the appsettings.json etc, we use the partnerName to compare with the PartnerIdentityProviderConfiguration.Name. If we find a match we return that PartnerIdentityProviderConfiguration. If there’s no match we throw an exception.

In most implementations of ISamlConfigurationResolver I would expect the partnerName argument would be used to perform a direct match on the PartnerIdentityProviderConfiguration.Name.

The ISamlConfigurationResolver is responsible for returning the correct PartnerIdentityProviderConfiguration so we can process the SAML response. We have no direct knowledge of the SAML configuration other than what’s returned by the ISamlConfigurationResolver. Specifically, we don’t know if the issuer field is valid until after calling ISamlConfigurationResolver.GetPartnerIdentityProviderConfigurationAsync.
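The resolver behaviour described in both replies above (look up the partner by configurationID and the issuer passed as partnerName, return the matching PartnerIdentityProviderConfiguration, throw when there is no match), written out as an added example. This is not ComponentSpace's code and not the poster's; it assumes the resolver derives from ComponentSpace's AbstractSamlConfigurationResolver and overrides GetPartnerIdentityProviderConfigurationAsync(configurationID, partnerName), and the IPartnerIdpStore, PartnerIdpRecord and InMemoryPartnerIdpStore types are constructed stand-ins for the poster's database. The null-partnerName branch (SP-initiated SSO with no partner named) is a design choice of this example, not library behaviour.

```csharp
// Added example, not ComponentSpace's own code. Assumes AbstractSamlConfigurationResolver
// and PartnerIdentityProviderConfiguration/Certificate from the ComponentSpace SAML library;
// the store types below are constructed stand-ins for a real database.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using ComponentSpace.Saml2.Configuration;
using ComponentSpace.Saml2.Configuration.Resolver;

// Constructed stand-in for one database row per (tenant, partner IdP).
public sealed class PartnerIdpRecord
{
    public string TenantId { get; init; }               // the configurationID from the ACS route
    public string Name { get; init; }                   // the IdP entityID, i.e. the SAML <Issuer>
    public string SingleSignOnServiceUrl { get; init; }
    public string PartnerCertificateBase64 { get; init; }
}

// Constructed stand-in for the data-access layer.
public interface IPartnerIdpStore
{
    Task<IReadOnlyList<PartnerIdpRecord>> GetByTenantAsync(string tenantId);
}

public sealed class InMemoryPartnerIdpStore : IPartnerIdpStore
{
    private readonly List<PartnerIdpRecord> _rows;
    public InMemoryPartnerIdpStore(IEnumerable<PartnerIdpRecord> rows) => _rows = rows.ToList();
    public Task<IReadOnlyList<PartnerIdpRecord>> GetByTenantAsync(string tenantId) =>
        Task.FromResult<IReadOnlyList<PartnerIdpRecord>>(_rows.Where(r => r.TenantId == tenantId).ToList());
}

public sealed class TenantSamlConfigurationResolver : AbstractSamlConfigurationResolver
{
    private readonly IPartnerIdpStore _store;
    public TenantSamlConfigurationResolver(IPartnerIdpStore store) => _store = store;

    // ReceiveSsoAsync calls this with partnerName = the <Issuer> of the SAML response and
    // configurationID = the value given to SetConfigurationIDAsync. InitiateSsoAsync calls it
    // with whatever partner name the application supplied, which may be null.
    public override async Task<PartnerIdentityProviderConfiguration>
        GetPartnerIdentityProviderConfigurationAsync(string configurationID, string partnerName)
    {
        var candidates = await _store.GetByTenantAsync(configurationID);

        // The mistake in the thread is effectively "return candidates[0]" regardless of
        // partnerName: the issuer is then never compared with anything. The lookup below
        // IS the issuer validation, so it must be an exact match on the stored Name.
        PartnerIdpRecord record;
        if (partnerName == null)
        {
            // SP-initiated flow with no partner named: only unambiguous when this tenant
            // has exactly one partner IdP (design choice of this example).
            if (candidates.Count != 1)
                throw new InvalidOperationException(
                    $"Tenant '{configurationID}' has {candidates.Count} partner IdPs; a partner name is required.");
            record = candidates[0];
        }
        else
        {
            record = candidates.FirstOrDefault(
                r => string.Equals(r.Name, partnerName, StringComparison.Ordinal));
            if (record == null)
                throw new InvalidOperationException(
                    $"Unknown issuer '{partnerName}' for tenant '{configurationID}'; SAML response rejected.");
        }

        return new PartnerIdentityProviderConfiguration
        {
            Name = record.Name,
            SingleSignOnServiceUrl = record.SingleSignOnServiceUrl,
            PartnerCertificates = new List<Certificate>
            {
                new Certificate { String = record.PartnerCertificateBase64 }
            }
        };
    }
}
```

Registering TenantSamlConfigurationResolver as the ISamlConfigurationResolver service replaces the appsettings.json-based default, after which a response whose <Issuer> is not a stored Name for that configurationID fails inside ReceiveSsoAsync with the exception thrown above. Comparing with StringComparison.Ordinal matters because SAML entityIDs are URIs compared as opaque strings, so a case-insensitive or trimmed match would accept issuers that the IdP never registered.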