Verification of SubjectLocality by the SAML extension

Printable View

Feb 4th, 2011, 09:22 AM
mpr

Verification of SubjectLocality by the SAML extension

I'am using the SAML Extension in our web application and it's usually working very well.

A few days ago we had to authenticate against a new Shibboleth Identity Provider that is externally provided.

This provider sends an AuthnStatement including a SubjectLocality like

Code:

<saml2:AuthnStatement AuthnInstant="2011-02-01T11:05:56.628Z" SessionIndex="..." xmlns:saml2="ur n:oasis:names:tc:SAML:2.0:assertion"> <saml2:SubjectLocality Address="10.10.0.30"/> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Pass wordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement>

In this case the authentication did not work because the WebSSOProfileConsumerImpl.verifyAuthenticationStat ement() fails in

Code:

if (auth.getSubjectLocality() != null) { HTTPInTransport httpInTransport = (HTTPInTransport) context.getInboundMessageTransport(); if (auth.getSubjectLocality().getAddress() != null) { if (!httpInTransport.getPeerAddress().equals(auth.getSubjectLocality().getAddress())) { throw new BadCredentialsException("User is accessing the service from invalid address"); } } }

In my case auth.getSubjectLocality().getAddress() = 10.10.0.30 and httpInTransport.getPeerAddress() = <IP of my client pc> and these two IP's are not equal. 10.10.0.30 seems to be a private address in the system of the IDP and the other address is from my client PC. These two can never match.

I wonder if the IDP has a faulty setup or if the validation function of the SAML library makes a wrong assumption.

Unfortunately the oasis documentation only has a very brief description for the SubjectLocality and it does not tell me what address should be used here.

I would appreciate any comment on this matter.
Feb 4th, 2011, 01:51 PM
ScottCantor

Address checking is optional in SAML SSO, because of NATs and proxies, so SP implementations either don't check addresses, or they have options to bypass the check.
Feb 4th, 2011, 07:35 PM
jamescox

I am not overly familiar with the SAML Extension. But, if the extension is trying to validate the address of the client, it should be using the Address attribute of the SubjectConfirmationData as outlined in 4.1.4.3 of saml-profiles.
Feb 4th, 2011, 08:05 PM
ScottCantor

Quote:

Originally Posted by jamescox

I am not overly familiar with the SAML Extension. But, if the extension is trying to validate the address of the client, it should be using the Address attribute of the SubjectConfirmationData as outlined in 4.1.4.3 of saml-profiles.

Yes, that's true. Same issue would apply, though, and if the extension can't be told to skip the check, it will be unusable in these scenarios.
Feb 5th, 2011, 03:33 AM
mpr

Thanks for your feedback.

I also thought that the checking should be optional, but I wanted to get some opinions before creating an issue in the tracker.

Encouraged by your posts I will do this now.
Feb 7th, 2011, 12:45 PM
vsch

You're right Martin, in this case the values can never match. In my opinion the server is sending a wrong value, the field should contain "IP address for the system from which the assertion subject was authenticated" which I so far interpreted as "IP of the client computer".

But anyway, the SubjectLocality is just an advisory field and Scott is absolutely right that the value can be wrong due to other reasons. I'll remove the check/make it optional in the next release.

And thanks for opening the Jira issue.
Apr 19th, 2011, 07:29 AM
robmoore

I can't find the JIRA referenced in this thread. I'd appreciate the issue ID if anyone knows it. Thanks!
Apr 19th, 2011, 07:34 AM
vsch

It's SES-66 - https://jira.springsource.org/browse/SES-66

-- Vladimír