
Saml assertion parsing not working with adfs due to namespaces

Open faridnsh opened this issue 5 years ago • 3 comments

I'm trying to create a SAML plugin with ADFS, and here's what the SAML response looks like:

<samlp:Response ID="..." Version="2.0" IssueInstant="2019-12-05T12:52:34.802Z"
                Destination="https://signin.aws.amazon.com/saml"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion ID="..." IssueInstant="2019-12-05T12:52:34.802Z" Version="2.0"
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://example.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
        <Subject>....</Subject>
        <Conditions NotBefore="2019-12-05T12:52:34.568Z" NotOnOrAfter="2019-12-05T13:52:34.568Z">....</Conditions>
        <AttributeStatement>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
                <AttributeValue>neshat</AttributeValue>
            </Attribute>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
                <AttributeValue>
                    arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/saml/ADFS/Admin
                </AttributeValue>
            </Attribute>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
                <AttributeValue>43200</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2019-12-05T12:35:27.355Z" SessionIndex="...">....</AuthnStatement>
    </Assertion>
</samlp:Response>

As you can see, the Attribute element that our code looks for, and its parent in my example, don't have any explicit namespace.

The best way to do this is to ignore the namespaces, but xml2dict doesn't have that feature; someone made a PR, but that project hasn't had any activity since September, so I don't think it'd be merged anytime soon.

faridnsh · Dec 05 '19 15:12

Meanwhile, this is how the aws-adfs project does the same thing: https://github.com/venth/aws-adfs/blob/master/aws_adfs/roles_assertion_extractor.py#L33-L39

I would be happy to make a PR, copy-pasting that code!

faridnsh · Dec 05 '19 16:12
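The extraction the two posts above discuss (reading the AWS attributes out of an ADFS response whose Assertion uses a default namespace while the Response uses a `samlp:` prefix, as the aws-adfs extractor linked above also has to do) as an added, stand-alone example; this is not awsume's or aws-adfs's code. Instead of discarding namespaces altogether, it matches elements by the SAML 2.0 namespace URI in ElementTree's Clark notation (`{uri}localname`), which is just as prefix-independent but will not pick up an `Attribute` element from some unrelated namespace. The two response strings are constructed for the example (IDs invented, signature and subject left out); the attribute names and ARNs are the ones from the issue, and the second string shows the same content with an explicit `saml:` prefix and the ARNs in the other order, which AWS permits.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the SAML 2.0 standard; prefixes (samlp:, saml:, default)
# are the document's choice and must not be relied on.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"


def qname(ns, local):
    """Clark notation, the form ElementTree uses for namespaced tag names."""
    return "{%s}%s" % (ns, local)


def split_role_pair(value):
    """Split 'arnA,arnB' into (provider_arn, role_arn); AWS allows either order."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role attribute must hold exactly two ARNs: %r" % value)
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(roles) != 1 or len(providers) != 1:
        raise ValueError("expected one role ARN and one saml-provider ARN: %r" % value)
    return providers[0], roles[0]


def parse_saml_response(xml_text):
    """Extract the AWS-relevant attributes from a SAML Response, prefix-agnostic."""
    # For input from the network, defusedxml.ElementTree.fromstring has the same API.
    root = ET.fromstring(xml_text)
    if root.tag != qname(SAMLP_NS, "Response"):
        raise ValueError("root element is not samlp:Response: %s" % root.tag)
    code = root.find("./%s/%s" % (qname(SAMLP_NS, "Status"), qname(SAMLP_NS, "StatusCode")))
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("SAML status is not Success")
    assertion = root.find(qname(SAML_NS, "Assertion"))
    if assertion is None:
        raise ValueError("no Assertion element in the SAML 2.0 assertion namespace")
    attrs = {}
    for attribute in assertion.iter(qname(SAML_NS, "Attribute")):
        # ADFS pads AttributeValue text with newlines and spaces; strip it.
        attrs[attribute.get("Name")] = [
            (v.text or "").strip() for v in attribute.iter(qname(SAML_NS, "AttributeValue"))
        ]
    if ROLE_ATTR not in attrs:
        raise ValueError("assertion carries no %s attribute" % ROLE_ATTR)
    duration = attrs.get(DURATION_ATTR, [None])[0]
    return {
        "roles": [split_role_pair(v) for v in attrs[ROLE_ATTR]],
        "session_name": attrs.get(SESSION_NAME_ATTR, [None])[0],
        "duration": int(duration) if duration else None,
    }


# Constructed sample in the ADFS shape from the issue: the Assertion uses a
# default namespace, the Response the samlp: prefix (signature/subject elided).
ADFS_RESPONSE = """<samlp:Response ID="_r1" Version="2.0" IssueInstant="2019-12-05T12:52:34.802Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_a1" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://example.com/adfs/services/trust</Issuer>
    <AttributeStatement>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <AttributeValue>neshat</AttributeValue>
      </Attribute>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <AttributeValue>
          arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/saml/ADFS/Admin
        </AttributeValue>
      </Attribute>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <AttributeValue>43200</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# Constructed: the same role with an explicit saml: prefix and reversed ARN order.
PREFIXED_RESPONSE = """<samlp:Response ID="_r2" Version="2.0" IssueInstant="2019-12-05T12:52:34.802Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/saml/ADFS/Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(parse_saml_response(ADFS_RESPONSE))
    print(parse_saml_response(PREFIXED_RESPONSE))
```

Note that this only reads the assertion; it does not verify the XML signature, and it should not be used as the trust decision. In the awsume flow the base64 assertion is handed to `sts:AssumeRoleWithSAML`, and AWS validates the signature against the registered provider before issuing credentials, so the parser's job is limited to finding the right role to request.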

Hi @alFReD-NSH, apologies for the delay in getting back to you.

If you're still willing to make a PR, that would be great! I've lost some bandwidth to work on awsume recently.

mbarneyjr · Jan 17 '20 03:01

Just realised I raised a duplicate of this as #147 - sorry about that! The good news is I also raised a fix for it #148.

Tantalon · May 12 '21 01:05

Closed by #148, thanks again @Tantalon!

lhendrick-t10 · Aug 03 '23 18:08