lasso includes "Destination" attribute in SAML AuthnRequest populated with SP AssertionConsumerServiceURL when ECP workflow is used which leads to IdP-side errors

Bug #1833299 reported by Dmitrii Shcherbakov on 2019-06-18
Affects          Importance   Assigned to
lasso (Ubuntu)   Undecided    Unassigned
Bionic           Undecided    Unassigned
Disco            Undecided    Unassigned

Bug Description

[Impact]

* Usage of ECP is not possible with mod_auth_mellon because the AuthnRequest message has the Destination attribute set incorrectly;
* https://dev.entrouvert.org/issues/34409;
* Blocks the enablement of a feature https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134;

Lasso is used by libapache2-mod-auth-mellon to create SAML messages. When ECP profile (http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf) is used it populates an AuthnRequest with the "Destination" attribute as follows:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_798F26F73776E684A463559CDB77D080" Version="2.0" IssueInstant="2019-06-18T16:54:25Z" Destination="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse">
    <saml:Issuer>https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

This triggers the Destination attribute validation logic relevant for "HTTP Redirect" and "HTTP POST" bindings only (per the spec, sections 3.4.5.2 and 3.5.5.2), not SOAP or PAOS bindings (sections before 3.4).
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

For example, Shibboleth IdP (samltest.id) errors out as follows as the Destination attribute was populated with an SP URL:

2019-06-18 16:54:25,435 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler: SAML message intended destination endpoint 'https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse' did not match the recipient endpoint 'https://samltest.id/idp/profile/SAML2/SOAP/ECP'

For ECP it makes sense to avoid inclusion of the "Destination" attribute to AuthnRequest (see https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134/comments/3).

[Test Case]

* Deploy an Identity Provider with PAOS binding and ECP handling support or use a publicly available one (e.g. samltest.id shibboleth instance);
* Deploy a Service Provider (e.g. Keystone) and protect its relevant URLs via mod_auth_mellon (e.g. via charm-keystone-mellon);
* Use an ECP client (openstack keystone client with v3samlpassword authentication plugin) to access the service provider (e.g. try to obtain a Keystone token);
* Validate that the IdP did not error out based on the request provided by the ECP client;
* Validate by the IdP logs that the Destination attribute of AuthnRequest was NOT present (unset).

[Regression Potential]

* The regression potential is minimal as the patch functionally adds a simple PAOS-related code branch to avoid including the Destination attribute.
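As an added example (not lasso's or mod_auth_mellon's code), this models both halves of the report: the SP-side builder that either copies the ACS URL into Destination (the reported behaviour) or omits it for PAOS, and the IdP-side endpoint check behind the quoted ReceivedEndpointSecurityHandler error. Endpoint values are the ones in the quoted request and log; the `buggy` flag, the exact-string comparison and the choice of IdP endpoint for front-channel bindings are this example's own simplifications.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
# Bindings whose Destination rules the report cites (bindings spec 3.4.5.2, 3.5.5.2).
FRONT_CHANNEL = {HTTP_REDIRECT, HTTP_POST}

# Endpoint values copied from the AuthnRequest and IdP log quoted in the report.
SP_ACS_URL = ("https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/"
              "samltestid/protocols/saml2/auth/mellon/paosResponse")
SP_ISSUER = ("https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/"
             "samltestid/protocols/saml2/auth")
IDP_ECP_ENDPOINT = "https://samltest.id/idp/profile/SAML2/SOAP/ECP"


def build_authn_request(binding, idp_endpoint, buggy=False):
    """SP side. buggy=True reproduces the reported behaviour: Destination is
    filled with the SP's own ACS URL for every binding, PAOS included.
    buggy=False omits Destination for PAOS/SOAP and points it at the IdP for
    front-channel bindings (an assumption of this example, not lasso's code)."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_798F26F73776E684A463559CDB77D080", "Version": "2.0",
        "IssueInstant": "2019-06-18T16:54:25Z",
        "AssertionConsumerServiceURL": SP_ACS_URL})
    if buggy:
        req.set("Destination", SP_ACS_URL)
    elif binding in FRONT_CHANNEL:
        req.set("Destination", idp_endpoint)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ISSUER
    return ET.tostring(req, encoding="unicode")


def check_destination(xml_text, binding, recipient_endpoint, signed=False):
    """IdP side: the endpoint check behind the quoted log line. A present
    Destination must name the endpoint that actually received the message;
    an absent one is only an error on a signed front-channel message.
    Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    dest = root.get("Destination")
    if dest is None:
        if signed and binding in FRONT_CHANNEL:
            return False, "signed front-channel message lacks Destination"
        return True, "no Destination attribute; nothing to verify"
    if dest != recipient_endpoint:  # exact compare; real IdPs normalise URLs
        return False, (f"intended destination endpoint '{dest}' did not match "
                       f"the recipient endpoint '{recipient_endpoint}'")
    return True, "Destination matches recipient endpoint"


def ecp_scenario(buggy):
    """Replay the report's flow: a PAOS-built request delivered to the IdP's
    SOAP/ECP endpoint. Returns the IdP verdict for the buggy or fixed builder."""
    req = build_authn_request(PAOS, IDP_ECP_ENDPOINT, buggy=buggy)
    return check_destination(req, SOAP, IDP_ECP_ENDPOINT)


if __name__ == "__main__":
    for buggy in (True, False):
        ok, why = ecp_scenario(buggy)
        print(f"{'before' if buggy else 'after'} fix: {'OK' if ok else 'REJECT'} - {why}")
```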


Dmitrii Shcherbakov (dmitriis) wrote :
description: updated

The attachment "0001-PAOS-Do-not-populate-Destination-attribute.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Dmitrii Shcherbakov (dmitriis) wrote :

I have suggested a patch upstream which then got merged: https://dev.entrouvert.org/issues/34409#note-10

The branches related to this bug apply the patch to different distro versions.

Changed in lasso (Ubuntu):
status: New → Confirmed

Hi,
I reviewed the MPs and they are (aside some potential polishing of the changelog) ok to me.
You'll need an SRU template for these to be kicked off later on.
Thanks for driving the change upstream, that will help to one day be able to drop the Delta.

IMHO Eoan one could sponsor right away, please let me know if you want me to do so now or if there are any last minute changes.


Hi Christian,

Thanks, please do, no last minute changes from my side.

On Thu., Jul. 11, 2019, 06:27 Christian Ehrhardt , <
<email address hidden>> wrote:

> Hi,
> I reviewed the MPs and they are (aside some potential polishing of the
> changelog) ok to me.
> You'll need an SRU template for these to be kicked off later on.
> Thanks for driving the change upstream, that will help to one day be able
> to drop the Delta.
>
> IMHO Eoan one could sponsor right away, please let me know if you want
> me to do so now or if there are any last minute changes.

Dmitrii Shcherbakov (dmitriis) wrote :

Christian,

I updated the description based on the SRU template and also modified the changelogs and commit messages.

description: updated

Thanks Dmitrii,
it looks ready for uploads now - Eoan at first and once complete there into the SRU queue.
For now I sponsored the Eoan upload.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.6.0-2ubuntu1

---------------
lasso (2.6.0-2ubuntu1) eoan; urgency=high

  * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
    "Destination" attribute (LP: #1833299)

 -- Dmitrii Shcherbakov <email address hidden> Thu, 04 Jul 2019 18:42:56 -0500

Changed in lasso (Ubuntu):
status: Confirmed → Fix Released

All test builds completed and the Eoan transition is done.
I added B/D tasks and sponsored your upload to the -unapproved queue of these releases.

Changed in lasso (Ubuntu Bionic):
status: New → In Progress
Changed in lasso (Ubuntu Disco):
status: New → In Progress

Hello Dmitrii, or anyone else affected,

Accepted lasso into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lasso/2.6.0-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in lasso (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Brian Murray (brian-murray) wrote :

Hello Dmitrii, or anyone else affected,

Accepted lasso into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lasso/2.5.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in lasso (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic

@Dmitriis - I'd expect this testing and verification is on you as you have done so before, so give it a go once you have some time.


Will do.

On Wed., Jul. 17, 2019, 01:35 Christian Ehrhardt , <
<email address hidden>> wrote:

> @Dmitriis - I'd expect this testing and verification is on you as you
> have done so before, so give it a go once you have some time.

Dmitrii Shcherbakov (dmitriis) wrote :

Bionic verification:

apt policy liblasso3
liblasso3:
  Installed: 2.5.1-0ubuntu1.1
  Candidate: 2.5.1-0ubuntu1.1
  Version table:
 *** 2.5.1-0ubuntu1.1 1000
        400 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.5.1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

 env | grep OS_
OS_IDENTITY_PROVIDER_URL=https://samltest.id/idp/profile/SAML2/SOAP/ECP
OS_AUTH_URL=https://keystone.maas:5000/v3
OS_PROTOCOL=saml2
OS_REGION_NAME=RegionOne
OS_PROJECT_NAME=scooper@samltest.id_project
OS_PROJECT_DOMAIN_NAME=samltestid
OS_IDENTITY_API_VERSION=3
OS_AUTH_TYPE=v3samlpassword
OS_IDENTITY_PROVIDER=samltestid
OS_INTERFACE=internal
OS_PASSWORD=<redacted>
OS_USERNAME=sheldon
OS_CACERT=/home/ubuntu/bundles/vault-ca.crt

openstack token issue -v --debug
START with options: token issue -v --debug
Auth plugin v3samlpassword selected

Dmitrii Shcherbakov (dmitriis) wrote :

Disco verification:

 apt policy liblasso3
liblasso3:
  Installed: 2.6.0-2ubuntu0.1
  Candidate: 2.6.0-2ubuntu0.1
  Version table:
 *** 2.6.0-2ubuntu0.1 1000
        399 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.6.0-2build1 400
        400 http://archive.ubuntu.com/ubuntu disco/main amd64 Packages

env | grep OS_
OS_IDENTITY_PROVIDER_URL=https://samltest.id/idp/profile/SAML2/SOAP/ECP
OS_AUTH_URL=https://keystone.maas:5000/v3
OS_PROTOCOL=saml2
OS_REGION_NAME=RegionOne
OS_PROJECT_NAME=scooper@samltest.id_project
OS_PROJECT_DOMAIN_NAME=samltestid
OS_IDENTITY_API_VERSION=3
OS_AUTH_TYPE=v3samlpassword
OS_IDENTITY_PROVIDER=samltestid
OS_INTERFACE=internal
OS_PASSWORD=bazinga
OS_USERNAME=<redacted>
OS_CACERT=/home/ubuntu/bundles/vault-ca.crt

openstack token issue -v --debug
START with options: token issue -v --debug
Auth plugin v3samlpassword selected

tags: added: verification-done verification-done-bionic verification-done-disco
removed: verification-needed verification-needed-bionic verification-needed-disco
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.5.1-0ubuntu1.1

---------------
lasso (2.5.1-0ubuntu1.1) bionic; urgency=high

  * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
    "Destination" attribute (LP: #1833299)

 -- Dmitrii Shcherbakov <email address hidden> Thu, 04 Jul 2019 18:42:56 -0500

Changed in lasso (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for lasso has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.6.0-2ubuntu0.1

---------------
lasso (2.6.0-2ubuntu0.1) disco; urgency=high

  * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
    "Destination" attribute (LP: #1833299)

 -- Dmitrii Shcherbakov <email address hidden> Thu, 04 Jul 2019 18:42:56 -0500

Changed in lasso (Ubuntu Disco):
status: Fix Committed → Fix Released