pysaml2
Response with Absent or Unspecified Status
If a SAML2 Response comes with an unspecified Status statement, like the following:
[...]
</ds:Signature>
<samlp:Status/>
<saml:Assertion ID="_4504adae-2752-4b29-8826-58684982f9ff" IssueInstant="2021-01-24T00:20:19Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
[...]
we have this exception:
saml2/response.py", line 361, in status_ok
if not status or status.status_code.value == samlp.STATUS_SUCCESS:
AttributeError: 'NoneType' object has no attribute 'value'
However, currently in pySAML2 the absence of Status or its possible malformation would still allow a positive outcome of the authentication on the SP. The code to be inspected is here:
https://github.com/IdentityPython/pysaml2/blob/7f1119737838ad0e9cf0c2e8ac2d34f9d66a1ab9/src/saml2/response.py#L358
Again, in case of an absent Status value, as in the following example:
<samlp:Status>
<samlp:StatusCode Value=""/>
</samlp:Status>
we get this exception:
saml2/validate.py", line 362, in valid_instance
raise MustValueError("Class '%s' instance: %s" % (class_name, txt))
saml2.validate.MustValueError: Class 'StatusCode' instance: Required value on property 'value' missing
From what I understand, these kinds of cases must be managed, exactly as happens, successfully, when the value of StatusCode is malformed. In fact, in the following hypothesis:
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:statuscodenonvalido"/>
</samlp:Status>
we would successfully get the following exception:
saml2/response.py", line 380, in status_ok
raise err_cls(msg)
saml2.response.StatusError: Unsuccessful operation: <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:statuscodenonvalido" /></samlp:Status>
Unknown error from None
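A fail-closed form of the status check discussed above, as an added example that is not pysaml2's code or the reporter's. It uses the standard library's ElementTree instead of pysaml2, and the names `StatusRejected`, `require_success`, `classify` and `build_response` are hypothetical; the sample responses are constructed from the three cases in this report.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class StatusRejected(Exception):
    """Raised when a Response carries no explicit top-level Success status."""


def require_success(response_xml: str) -> bool:
    """Return True only for an explicit Success status; raise otherwise."""
    # Constructed inputs only; parse untrusted XML with a hardened parser.
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP_NS}}}Status")
    # Compare with None: a childless Element such as <samlp:Status/> is falsy,
    # so a plain truthiness test cannot tell "absent" from "empty".
    if status is None:
        raise StatusRejected("Status element is absent")
    code = status.find(f"{{{SAMLP_NS}}}StatusCode")
    if code is None:
        raise StatusRejected("Status has no StatusCode")  # <samlp:Status/>
    value = code.get("Value")
    if not value:
        raise StatusRejected("StatusCode has no Value")  # Value=""
    if value != STATUS_SUCCESS:
        raise StatusRejected(f"Unsuccessful operation: {value}")
    return True


def classify(response_xml: str) -> str:
    """Map every failure mode to one controlled rejection, never a crash."""
    try:
        require_success(response_xml)
        return "accepted"
    except StatusRejected as exc:
        return f"rejected: {exc}"


def build_response(status_xml: str) -> str:
    """Wrap a Status fragment in a minimal, constructed samlp:Response."""
    return f'<samlp:Response xmlns:samlp="{SAMLP_NS}">{status_xml}</samlp:Response>'


if __name__ == "__main__":
    for fragment in ("", "<samlp:Status/>",
                     '<samlp:Status><samlp:StatusCode Value=""/></samlp:Status>'):
        print(classify(build_response(fragment)))
```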
Hi! We have the same error in our production environment. How did you solve this problem? Thanks in advance!