MNT-18064 (project: Service Packs and Hot Fixes)

Missing NameID breaks Lasso interoperability on single logout

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: SAML 1.0.1
    • Fix Version/s: SAML 1.0.2
    • Component/s: SAML
    • Labels: None
    • Environment: Alfresco CS 5.2.0 with SAML module 1.0.1; IdP tested is LemonLDAP::NG (based on liblasso3)

      Description

      When a Service Provider (e.g. Share) initiates a SingleLogout request, the IdP has to check that the principal requesting disconnection has a proper SAML session with the requesting party (here Share). This check is done using the NameID and SessionIndex provided in the logout request.
      Checking the NameID involves checking the value of the NameID XML element and its related attributes.
      For example, the "Format" attribute in the NameID element of the logout request has to match the "Format" that was sent by the IdP in the authentication response.
      As an IdP, LemonLDAP doesn't assume any format if none is specified, and the verification fails.
      The alfresco-saml-module doesn't set the Format attribute at all, regardless of what was sent in the AuthnResponse.
      Ideally we should make sure to use the same Format that was used in the AuthnResponse.
      The attachment demonstrates that specifying the NameID format fixes the issue, but it will break any configuration that is not working with the email NameID format.

                People

                • Assignee: closedbugs Closed Bugs (Inactive)
                • Reporter: achapellon Alexandre Chapellon
                • Votes: 0
                • Watchers: 7


                    Time Tracking

                    • Estimated: Not Specified
                    • Remaining: 0m
                    • Logged: 3d 1h