The verification rule on address within SubjectConfirmationData is too strict
Code Version
I'm using djangosaml2, which depends on pysaml2==7.1.0
Expected Behavior
The verification rule is too strict! An address format like "ip:port" can't be thought of as malformed.
The IdP sent the client's address within the SubjectConfirmationData section, but the address may not always be an IP address only; it may contain a port, which is determined by the implementation of the IdP.
So, the expected behavior is that the verification returns True.
Current Behavior
I got a saml2.validate.ShouldValueError: Not an IPv4 or IPv6 address while the IdP was connecting to my service provider.

Possible Solution
More rules to support different types of address field.
Steps to Reproduce
Send an address like "ip:port" in the section as below:

Hi,
The SAML 2.0 Core specification explicitly defines the SubjectLocality Address attribute (on page 28) as:
The network address of the system from which the principal identified by the subject was authenticated. IPv4 addresses SHOULD be represented in dotted-decimal format (e.g., "1.2.3.4"). IPv6 addresses SHOULD be represented as defined by Section 2.2 of IETF RFC 3513 [RFC 3513] (e.g., "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210").
I think the code correctly implements the specification.
Cheers, Vlad
Hi, @vladimir-mencl-eresearch
The standard SAML 2.0 Core specification is NOT always suitable for all environments.
Maybe the client (the user) is behind a NAT gateway, and the address is not the real IP address.
Thus a single IP address without a port can NOT be used for the verification.
If you do not agree with the modification of the verify function, I hope I can toggle off the verification in config.
I agree, would love to have a config option for this.
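The trade-off discussed in this thread, as an added example that is not part of the issue or of pysaml2: a stand-alone parser for the Address value that is strict by default and tolerates a trailing port only when asked to. The function name `parse_address` and the `allow_port` flag are hypothetical, and the sample addresses are constructed.

```python
import ipaddress


def parse_address(value, allow_port=False):
    """Parse a SubjectConfirmationData Address value into (ip, port).

    allow_port=False accepts only a bare IPv4/IPv6 literal, the form the
    SAML 2.0 Core text quoted above recommends.
    allow_port=True (hypothetical opt-in) also accepts "v4:port" and
    "[v6]:port". Anything else raises ValueError.
    """
    text = value.strip()
    try:
        # A bare literal always wins. This also settles the ambiguity of
        # "2001:db8::1:443", which is itself a valid IPv6 address.
        return ipaddress.ip_address(text), None
    except ValueError:
        if not allow_port:
            raise ValueError(f"not an IPv4 or IPv6 address: {value!r}") from None

    if text.startswith("["):
        # Bracketed form is the only unambiguous way to attach a port to IPv6.
        host, sep, port = text[1:].partition("]:")
        expected_version = 6
    else:
        host, sep, port = text.rpartition(":")
        expected_version = 4

    if not sep or not (port.isascii() and port.isdigit()):
        raise ValueError(f"malformed address: {value!r}")
    if not 0 < int(port) < 65536:
        raise ValueError(f"port out of range: {value!r}")

    ip = ipaddress.ip_address(host)  # rejects host names such as "example.org"
    if ip.version != expected_version:
        raise ValueError(f"malformed address: {value!r}")
    return ip, int(port)


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    for sample in ("203.0.113.7", "203.0.113.7:51234", "[2001:db8::1]:443"):
        print(sample, "->", parse_address(sample, allow_port=True))
```
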