Bug 55229 - fix SAML LogoutResponse via HTTP POST SAML binding
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-2-errata
Assigned To: Florian Best
QA Contact: Johannes Lohmer
https://git.knut.univention.de/univen...
Reported: 2022-09-27 11:15 CEST by Florian Best
Modified: 2022-09-29 12:38 CEST

Description Florian Best univentionstaff 2022-09-27 11:15:27 CEST
The UMC-Webserver SAML service provider supports the HTTP-POST binding for Single Logout responses but handles it wrong.

```
$ curl -s -k https://demo.univention.de/univention/saml/metadata  | xmllint --pretty 1 - | grep SingleLogout
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://master.demo.univention.de/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://master.demo.univention.de/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://master.demo.univention.de/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://master.demo.univention.de/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.0.0.164/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://10.0.0.164/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.0.0.164/univention/saml/slo/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.0.0.164/univention/saml/slo/"/>
```

But this is handled wrong as it's expected to always get the HTTP-Redirect binding request, which is DEFLATED.
→ we have to support requests which aren't compressed.
Comment 3 Florian Best univentionstaff 2022-09-27 14:24:21 CEST
Now both HTTP-Redirect and HTTP-POST are supported. Fixed with:

univention-management-console.yaml
adbfdbd00a65 | Bug #55229: fix SAML logout via HTTP-POST binding

univention-management-console (12.0.13-2)
adbfdbd00a65 | Bug #55229: fix SAML logout via HTTP-POST binding
Comment 4 Johannes Lohmer univentionstaff 2022-09-27 14:55:11 CEST
OK: Code, no regressions found
OK: Changelog
OK: Yaml
OK: Package Built
OK: Regular logout via SAML is still working
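
The binding difference described in this report, as an added example that is not the UMC code or the referenced commit: a decoder that picks the transform from the binding the endpoint was called with (base64 only for HTTP-POST, base64 plus raw DEFLATE for HTTP-Redirect). The function names, the sample message and the 1 MiB size cap are assumptions made for illustration, and the parameter is assumed to be URL-decoded already.

```python
import base64
import zlib

BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
MAX_XML_BYTES = 1024 * 1024  # assumed size cap, not a value from the bug report

# Constructed sample message, not captured from a real IdP.
SAMPLE_XML = (b'<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
              b' ID="_constructed" Version="2.0"/>')


def encode_saml_message(xml: bytes, binding: str) -> str:
    """Encode XML the way a peer would for the given binding (helper for the demo)."""
    if binding == BINDING_HTTP_REDIRECT:
        deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
        xml = deflater.compress(xml) + deflater.flush()
    return base64.b64encode(xml).decode("ascii")


def decode_saml_message(encoded: str, binding: str) -> bytes:
    """Decode a SAMLRequest/SAMLResponse parameter according to its binding."""
    # Some senders line-wrap the base64 text; strip whitespace, then decode strictly.
    raw = base64.b64decode("".join(encoded.split()), validate=True)
    if binding == BINDING_HTTP_POST:
        xml = raw  # HTTP-POST: base64 only, never compressed
    elif binding == BINDING_HTTP_REDIRECT:
        inflater = zlib.decompressobj(-15)
        try:
            # Bounded inflate so a small query string cannot expand without limit.
            xml = inflater.decompress(raw, MAX_XML_BYTES + 1)
        except zlib.error as exc:
            raise ValueError(f"not a DEFLATE stream: {exc}") from exc
        if len(xml) <= MAX_XML_BYTES and not inflater.eof:
            raise ValueError("truncated DEFLATE stream")
    else:
        raise ValueError(f"unsupported binding: {binding}")
    if len(xml) > MAX_XML_BYTES:
        raise ValueError("decoded message exceeds size cap")
    return xml


if __name__ == "__main__":
    for binding in (BINDING_HTTP_POST, BINDING_HTTP_REDIRECT):
        wire = encode_saml_message(SAMPLE_XML, binding)
        print(binding.rsplit(":", 1)[1], decode_saml_message(wire, binding) == SAMPLE_XML)
```

Selecting the transform from the binding, rather than trying to inflate and falling back on error, keeps the decoder's behaviour tied to how the message actually arrived.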