Univention Bugzilla – Bug 55229
fix SAML LogoutResponse via HTTP POST SAML binding
Last modified: 2022-09-29 12:38:56 CEST
The UMC-Webserver SAML service provider supports the HTTP-POST binding for Single Logout responses but handles it wrong.

```
$ curl -s -k https://demo.univention.de/univention/saml/metadata | xmllint --pretty 1 - | grep SingleLogout
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://master.demo.univention.de/univention/saml/slo/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://master.demo.univention.de/univention/saml/slo/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://master.demo.univention.de/univention/saml/slo/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://master.demo.univention.de/univention/saml/slo/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.0.0.164/univention/saml/slo/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://10.0.0.164/univention/saml/slo/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.0.0.164/univention/saml/slo/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.0.0.164/univention/saml/slo/"/>
```

But this is handled wrong as it's expected to always get the HTTP-Redirect binding request, which is DEFLATED.
→ we have to support requests which aren't compressed.
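The difference between the two bindings described in the report, as an added Python example that is not part of the original report or of the Univention patch: the decoder is chosen from the binding the message arrived on, and the inflate output is bounded. The function names, the size cap and the sample message are assumptions made for illustration.

```python
import base64
import zlib

BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
MAX_XML_BYTES = 1024 * 1024  # assumed cap; bounds the inflate output

# Constructed sample message (not taken from the bug report).
SAMPLE_XML = (b'<samlp:LogoutResponse '
              b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_example" Version="2.0"/>')


def encode_for_post(xml: bytes) -> str:
    """HTTP-POST form field: base64 of the XML, no compression."""
    return base64.b64encode(xml).decode("ascii")


def encode_for_redirect(xml: bytes) -> str:
    """HTTP-Redirect query value before URL-encoding: base64(raw DEFLATE)."""
    deflater = zlib.compressobj(wbits=-15)  # -15: raw stream, no zlib header
    return base64.b64encode(deflater.compress(xml) + deflater.flush()).decode("ascii")


def decode_saml_message(encoded: str, binding: str) -> bytes:
    """Return the XML bytes of a SAMLRequest/SAMLResponse parameter."""
    raw = base64.b64decode(encoded, validate=True)
    if binding == BINDING_POST:
        xml = raw
    elif binding == BINDING_REDIRECT:
        inflater = zlib.decompressobj(wbits=-15)
        try:
            # Stop after MAX_XML_BYTES + 1 bytes so a tiny input cannot
            # expand without limit.
            xml = inflater.decompress(raw, MAX_XML_BYTES + 1)
        except zlib.error as exc:
            raise ValueError("payload is not a raw DEFLATE stream") from exc
        if len(xml) <= MAX_XML_BYTES and (not inflater.eof or inflater.unused_data):
            raise ValueError("truncated stream or trailing data")
    else:
        raise ValueError("unsupported binding: %r" % (binding,))
    if len(xml) > MAX_XML_BYTES:
        raise ValueError("message too large")
    return xml
```

Decoding is only the transport step; the returned XML still has to go through the service provider's normal signature and status validation.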
Patch: https://git.knut.univention.de/univention/ucs/-/merge_requests/519
https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf
Now both HTTP-Redirect and HTTP-POST are supported.

Fixed with:

univention-management-console.yaml
adbfdbd00a65 | Bug #55229: fix SAML logout via HTTP-POST binding

univention-management-console (12.0.13-2)
adbfdbd00a65 | Bug #55229: fix SAML logout via HTTP-POST binding
OK: Code, no regressions found
OK: Changelog
OK: Yaml
OK: Package Built
OK: Regular logout via SAML is still working
<https://errata.software-univention.de/#/?erratum=5.0x440>