| 2019-06-18 20:42:26 |
Dmitrii Shcherbakov |
bug |
|
|
added bug |
| 2019-06-18 20:42:26 |
Dmitrii Shcherbakov |
attachment added |
|
18-06-2019-lasso-ECP-patch.diff https://bugs.launchpad.net/bugs/1833299/+attachment/5271469/+files/18-06-2019-lasso-ECP-patch.diff |
|
| 2019-06-27 23:21:05 |
Dmitrii Shcherbakov |
description |
See comments on the bug:
https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134
Lasso is used by libapache2-mod-auth-mellon to create SAML messages. When ECP profile (http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf) is used it populates an AuthnRequest with the "Destination" attribute as follows:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_798F26F73776E684A463559CDB77D080" Version="2.0" IssueInstant="2019-06-18T16:54:25Z" Destination="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse">
<saml:Issuer>https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
This triggers the Destination attribute validation logic relevant for "HTTP Redirect Binding" only (per the spec, section 3.4.5.2), not SOAP or PAOS bindings (sections before 3.4).
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
For example, Shibboleth IdP (samltest.id) errors out as follows as the Destination attribute was populated with an SP URL:
2019-06-18 16:54:25,435 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler: SAML message intended destination endpoint 'https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse' did not match the recipient endpoint 'https://samltest.id/idp/profile/SAML2/SOAP/ECP'
For ECP it makes sense to avoid inclusion of the "Destination" attribute to AuthnRequest (see https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134/comments/3).
The attached patch is merely an illustration that not using Destination with ECP results in a successful authentication:
https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134/comments/2 |
See comments on the bug:
https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134
Lasso is used by libapache2-mod-auth-mellon to create SAML messages. When ECP profile (http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf) is used it populates an AuthnRequest with the "Destination" attribute as follows:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_798F26F73776E684A463559CDB77D080" Version="2.0" IssueInstant="2019-06-18T16:54:25Z" Destination="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse">
<saml:Issuer>https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
This triggers the Destination attribute validation logic relevant for "HTTP Redirect" and "HTTP POST" bindings only (per the spec, sections 3.4.5.2 and 3.5.5.2), not SOAP or PAOS bindings (sections before 3.4).
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
For example, Shibboleth IdP (samltest.id) errors out as follows as the Destination attribute was populated with an SP URL:
2019-06-18 16:54:25,435 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler: SAML message intended destination endpoint 'https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse' did not match the recipient endpoint 'https://samltest.id/idp/profile/SAML2/SOAP/ECP'
For ECP it makes sense to avoid inclusion of the "Destination" attribute to AuthnRequest (see https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134/comments/3).
The attached patch is merely an illustration that not using Destination with ECP results in a successful authentication:
https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134/comments/2 |
|
| 2019-06-28 00:23:22 |
Dmitrii Shcherbakov |
bug watch added |
|
https://dev.entrouvert.org/issues/34409 |
|
| 2019-06-28 00:23:22 |
Dmitrii Shcherbakov |
attachment added |
|
0001-PAOS-Do-not-populate-Destination-attribute.patch https://bugs.launchpad.net/ubuntu/+source/lasso/+bug/1833299/+attachment/5273832/+files/0001-PAOS-Do-not-populate-Destination-attribute.patch |
|
| 2019-06-28 00:29:57 |
Ubuntu Foundations Team Bug Bot |
tags |
cpe-onsite |
cpe-onsite patch |
|
| 2019-06-28 00:30:16 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
| 2019-07-04 23:50:14 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~dmitriis/ubuntu/+source/lasso/+git/lasso/+merge/369735 |
|
| 2019-07-05 00:23:34 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~dmitriis/ubuntu/+source/lasso/+git/lasso/+merge/369736 |
|
| 2019-07-05 00:26:35 |
Dmitrii Shcherbakov |
merge proposal linked |
|
https://code.launchpad.net/~dmitriis/ubuntu/+source/lasso/+git/lasso/+merge/369737 |
|
| 2019-07-05 00:26:48 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~dmitriis/ubuntu/+source/lasso/+git/lasso/+merge/369738 |
|
| 2019-07-05 00:31:49 |
Dmitrii Shcherbakov |
lasso (Ubuntu): status |
New |
Confirmed |
|
| 2019-07-11 10:54:37 |
Christian Ehrhardt |
bug |
|
|
added subscriber Christian Ehrhardt |
| 2019-07-11 21:22:15 |
Dmitrii Shcherbakov |
description |
See comments on the bug:
https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134
Lasso is used by libapache2-mod-auth-mellon to create SAML messages. When ECP profile (http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf) is used it populates an AuthnRequest with the "Destination" attribute as follows:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_798F26F73776E684A463559CDB77D080" Version="2.0" IssueInstant="2019-06-18T16:54:25Z" Destination="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse">
<saml:Issuer>https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
This triggers the Destination attribute validation logic relevant for "HTTP Redirect" and "HTTP POST" bindings only (per the spec, sections 3.4.5.2 and 3.5.5.2), not SOAP or PAOS bindings (sections before 3.4).
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
For example, Shibboleth IdP (samltest.id) errors out as follows as the Destination attribute was populated with an SP URL:
2019-06-18 16:54:25,435 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler: SAML message intended destination endpoint 'https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse' did not match the recipient endpoint 'https://samltest.id/idp/profile/SAML2/SOAP/ECP'
For ECP it makes sense to avoid inclusion of the "Destination" attribute to AuthnRequest (see https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134/comments/3).
The attached patch is merely an illustration that not using Destination with ECP results in a successful authentication:
https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134/comments/2 |
[Impact]
* Usage of ECP is not possible with mod_auth_mellon because the AuthnRequest message has the Destination attribute set incorrectly;
* https://dev.entrouvert.org/issues/34409;
* Blocks the enablement of a feature https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134;
Lasso is used by libapache2-mod-auth-mellon to create SAML messages. When ECP profile (http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf) is used it populates an AuthnRequest with the "Destination" attribute as follows:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_798F26F73776E684A463559CDB77D080" Version="2.0" IssueInstant="2019-06-18T16:54:25Z" Destination="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse">
<saml:Issuer>https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
This triggers the Destination attribute validation logic relevant for "HTTP Redirect" and "HTTP POST" bindings only (per the spec, sections 3.4.5.2 and 3.5.5.2), not SOAP or PAOS bindings (sections before 3.4).
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
For example, Shibboleth IdP (samltest.id) errors out as follows as the Destination attribute was populated with an SP URL:
2019-06-18 16:54:25,435 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler: SAML message intended destination endpoint 'https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse' did not match the recipient endpoint 'https://samltest.id/idp/profile/SAML2/SOAP/ECP'
For ECP it makes sense to avoid inclusion of the "Destination" attribute to AuthnRequest (see https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134/comments/3).
[Test Case]
* Deploy an Identity Provider with PAOS binding and ECP handling support or use a publicly available one (e.g. samltest.id shibboleth instance);
* Deploy a Service Provider (e.g. Keystone) and protect its relevant URLs via mod_auth_mellon (e.g. via charm-keystone-mellon);
* Use an ECP client (openstack keystone client with v3samlpassword authentication plugin) to access the service provider (e.g. try to obtain a Keystone token);
* Validate that the IdP did not error our based on the request provided by the ECP client;
* Validate by the IdP logs that the Destination attribute of AuthnRequest was NOT present (unset).
[Regression Potential]
* The regression potential is minimal as the patch functionally adds a simple PAOS-related code branch to avoid including the Destination attribute. |
|
| 2019-07-15 07:16:30 |
Launchpad Janitor |
lasso (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2019-07-15 07:44:36 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Disco |
|
| 2019-07-15 07:44:36 |
Christian Ehrhardt |
bug task added |
|
lasso (Ubuntu Disco) |
|
| 2019-07-15 07:44:36 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Bionic |
|
| 2019-07-15 07:44:36 |
Christian Ehrhardt |
bug task added |
|
lasso (Ubuntu Bionic) |
|
| 2019-07-15 07:46:31 |
Christian Ehrhardt |
lasso (Ubuntu Bionic): status |
New |
In Progress |
|
| 2019-07-15 07:46:33 |
Christian Ehrhardt |
lasso (Ubuntu Disco): status |
New |
In Progress |
|
| 2019-07-16 16:30:19 |
Brian Murray |
lasso (Ubuntu Disco): status |
In Progress |
Fix Committed |
|
| 2019-07-16 16:30:22 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2019-07-16 16:30:23 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2019-07-16 16:30:28 |
Brian Murray |
tags |
cpe-onsite patch |
cpe-onsite patch verification-needed verification-needed-disco |
|
| 2019-07-16 16:36:57 |
Brian Murray |
lasso (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
| 2019-07-16 16:38:09 |
Brian Murray |
tags |
cpe-onsite patch verification-needed verification-needed-disco |
cpe-onsite patch verification-needed verification-needed-bionic verification-needed-disco |
|
| 2019-07-19 06:10:50 |
Dmitrii Shcherbakov |
tags |
cpe-onsite patch verification-needed verification-needed-bionic verification-needed-disco |
cpe-onsite patch verification-done verification-done-bionic verification-done-disco |
|
| 2019-07-24 15:55:42 |
Launchpad Janitor |
lasso (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2019-07-24 15:55:52 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2019-07-24 15:56:20 |
Launchpad Janitor |
lasso (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
