Bug 55229 - fix SAML LogoutResponse via HTTP POST SAML binding
Summary: fix SAML LogoutResponse via HTTP POST SAML binding
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 5.0-2-errata
Assignee: Florian Best
QA Contact: Johannes Lohmer
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-27 11:15 CEST by Florian Best
Modified: 2024-12-17 11:48 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Attachments

Description Florian Best univentionstaff 2022-09-27 11:15:27 CEST
The UMC-Webserver SAML service provider supports the HTTP-POST binding for Single Logout responses but handles it wrong.

```
$ curl -s -k https://demo.univention.de/univention/saml/metadata  | xmllint --pretty 1 - | grep SingleLogout
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://master.demo.univention.de/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://master.demo.univention.de/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://master.demo.univention.de/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://master.demo.univention.de/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.0.0.164/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://10.0.0.164/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.0.0.164/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.0.0.164/univention/saml/slo/"/>
```

But this is handled wrong as it's expected to always get the HTTP-Redirect binding request, which is DEFLATED.
→ we have to support requests which aren't compressed.
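As an added illustration of the two bindings this report contrasts (this is example code written for this page, not the UMC-Webserver implementation): HTTP-Redirect carries a DEFLATE-compressed, base64 SAMLResponse in the query string, while HTTP-POST carries a plain base64 SAMLResponse in the form body, so the endpoint has to choose the decoder from the request method rather than always inflating. The LogoutResponse below is constructed and signature validation of the decoded XML is out of scope here.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

# Constructed sample LogoutResponse (not a real Univention message).
LOGOUT_RESPONSE = (
    b'<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example" Version="2.0" IssueInstant="2022-09-27T11:15:00Z">'
    b'<samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'</samlp:LogoutResponse>'
)


def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(compressor.compress(xml) + compressor.flush()).decode("ascii")


def encode_post(xml):
    """HTTP-POST binding: base64 only, no compression."""
    return base64.b64encode(xml).decode("ascii")


def decode_saml_message(encoded, binding):
    """Decode a SAMLResponse value according to the binding it arrived on."""
    data = base64.b64decode(encoded)
    if binding == "HTTP-POST":
        return data
    if binding == "HTTP-Redirect":
        try:
            return zlib.decompress(data, -15)  # wbits=-15: raw DEFLATE stream
        except zlib.error as exc:
            # This is the failure the bug describes: a POST payload fed to the
            # redirect decoder is not a DEFLATE stream.
            raise ValueError("SAMLResponse is not DEFLATE-compressed: %s" % exc)
    raise ValueError("unsupported binding: %s" % binding)


def extract_logout_response(method, query_string, body):
    """Pick the binding from the request shape, as a Single Logout endpoint must."""
    if method == "GET":
        params, binding = parse_qs(query_string), "HTTP-Redirect"
    elif method == "POST":
        params, binding = parse_qs(body), "HTTP-POST"
    else:
        raise ValueError("unsupported method: %s" % method)
    encoded = params.get("SAMLResponse", [None])[0]
    if encoded is None:
        raise ValueError("request carries no SAMLResponse")
    return decode_saml_message(encoded, binding)
```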
Comment 3 Florian Best univentionstaff 2022-09-27 14:24:21 CEST
Now both HTTP-Redirect and HTTP-POST are supported. Fixed with:

univention-management-console.yaml
adbfdbd00a65 | Bug #55229: fix SAML logout via HTTP-POST binding

univention-management-console (12.0.13-2)
adbfdbd00a65 | Bug #55229: fix SAML logout via HTTP-POST binding
Comment 4 Johannes Lohmer univentionstaff 2022-09-27 14:55:11 CEST
OK: Code, no regressions found
OK: Changelog
OK: Yaml
OK: Package Built
OK: Regular logout via SAML is still working