
"wsa" namespace appearing on EndpointReference causing XML parsing to fail

Open benalavi opened this issue 9 years ago • 2 comments

I get this error when I get the response back from the ACS:

app error: undefined method `text' for nil:NilClass (NoMethodError)
    /app/vendor/bundle/ruby/2.2.0/gems/omniauth-wsfed-0.2.3/lib/omniauth/strategies/wsfed/auth_callback.rb:40:in `audience'

The parsing fails because in the response I am getting there is a wsa namespace applied to the EndpointReference and Address nodes:

<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsa:Address>...</wsa:Address>
</wsa:EndpointReference>

I am using a WS-Federation identity provider connected to Azure AD. This is just a development setup so I can run my own AD. Oddly, I have a live setup (not managed by me) that sends almost the exact same response but without the wsa namespace on that one section of XML. I've verified that they're both using SAML 2.0 tokens, and in fact everything else about the response structure is exactly the same.

So I'm curious if it's possible that something about my configuration is causing the wsa namespace to be applied, or perhaps different setups cause slightly different responses (in which case I assume a patch to support either with-or-without the namespace would be appropriate?).

I am using version 0.2.3 of the gem but I did check the development and beta branches to see if this had already been addressed. Adding the wsa namespace fixes the issue for my development AD and the request completes.

I also noticed that the SAML 1.0 token handler explicitly does use the wsa namespace when finding the audience.

I'm new to Azure/WSFed so if there is any other information I can provide please let me know.

benalavi avatar Jul 01 '15 01:07 benalavi

This monkey-patch fixed the issue in my environment:

class OmniAuth::Strategies::WSFed::AuthCallback
  def audience
    @audience ||= begin
      applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => WS_TRUST, 'wsp' => WS_POLICY })
      # Try the un-prefixed form the gem already expects, then fall back to the wsa-prefixed form
      (REXML::XPath.first(applies_to, '//EndpointReference/Address') || REXML::XPath.first(applies_to, '//wsa:EndpointReference/wsa:Address')).text
    end
  end
end

...what I don't know is if that would be useful to apply to the gem or if it's a misconfiguration on my end?

benalavi avatar Jul 01 '15 01:07 benalavi

This is the monkey patch I used, as the above didn't quite work for us. But we did encounter the same problem.

class OmniAuth::Strategies::WSFed::SAML2Token
  def audience
    # Same lookup as above, but patched onto SAML2Token and with the namespace constants fully qualified
    applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => OmniAuth::Strategies::WSFed::WS_TRUST, 'wsp' => OmniAuth::Strategies::WSFed::WS_POLICY })
    (REXML::XPath.first(applies_to, '//EndpointReference/Address') || REXML::XPath.first(applies_to, '//wsa:EndpointReference/wsa:Address')).text
  end
end

pandamouse avatar Jun 07 '16 03:06 pandamouse
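The two monkey-patches above both special-case the literal `wsa:` prefix. Since an XML prefix is arbitrary (an IdP may declare the WS-Addressing namespace under any prefix, or as the default namespace), a more robust lookup matches `EndpointReference/Address` by namespace URI and only then falls back to the un-namespaced form. The example below is added here and is not code from the issue, the gem or either commenter; it uses REXML from Ruby's standard library, a hypothetical `extract_audience` helper, and constructed sample responses. It also fails closed with a descriptive error instead of the `NoMethodError` from the original report, which matters because the audience value is what the relying party compares against its own realm to reject tokens issued for a different application.

```ruby
require 'rexml/document'

# Namespace URIs used in a WS-Trust RequestSecurityTokenResponse (RSTR).
WS_TRUST      = 'http://schemas.xmlsoap.org/ws/2005/02/trust'
WS_POLICY     = 'http://schemas.xmlsoap.org/ws/2004/09/policy'
WS_ADDRESSING = 'http://www.w3.org/2005/08/addressing'

# Prefixes used only inside our XPath expressions; they are resolved to URIs,
# so they need not match the prefixes the IdP happened to use in the document.
NAMESPACES = { 't' => WS_TRUST, 'wsp' => WS_POLICY, 'wsa' => WS_ADDRESSING }.freeze

class AudienceMissing < StandardError; end

# Hypothetical helper: returns the AppliesTo audience from an RSTR. Matches
# EndpointReference/Address by the WS-Addressing namespace URI (any prefix, or the
# default namespace) and falls back to the un-namespaced form some IdPs emit.
# Raises AudienceMissing rather than returning nil.
def extract_audience(xml)
  doc = REXML::Document.new(xml)
  applies_to = REXML::XPath.first(doc, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', NAMESPACES)
  raise AudienceMissing, 'AppliesTo element not found' if applies_to.nil?

  # Relative paths: search inside AppliesTo only, not the whole document.
  address = REXML::XPath.first(applies_to, 'wsa:EndpointReference/wsa:Address', NAMESPACES) ||
            REXML::XPath.first(applies_to, 'EndpointReference/Address', NAMESPACES)
  value = address && address.text.to_s.strip
  raise AudienceMissing, 'EndpointReference/Address not found in AppliesTo' if value.nil? || value.empty?

  value
end

# Compares the extracted audience with the realm this relying party is configured for.
def audience_matches?(xml, expected_realm)
  extract_audience(xml) == expected_realm
end

# Constructed sample responses (not captured from a real IdP), one per variant.
RSTR_OPEN  = '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust" ' \
             'xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsp:AppliesTo>'
RSTR_CLOSE = '</wsp:AppliesTo></t:RequestSecurityTokenResponse>'
AUDIENCE   = 'https://rp.example.test/'

RSTR_PREFIXED = RSTR_OPEN +
  '<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">' \
  "<wsa:Address>#{AUDIENCE}</wsa:Address></wsa:EndpointReference>" + RSTR_CLOSE

RSTR_DEFAULT_NS = RSTR_OPEN +
  '<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">' \
  "<Address>#{AUDIENCE}</Address></EndpointReference>" + RSTR_CLOSE

RSTR_NO_NS = RSTR_OPEN +
  "<EndpointReference><Address>#{AUDIENCE}</Address></EndpointReference>" + RSTR_CLOSE

RSTR_NO_ADDRESS = RSTR_OPEN + '<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"/>' + RSTR_CLOSE

if __FILE__ == $PROGRAM_NAME
  [RSTR_PREFIXED, RSTR_DEFAULT_NS, RSTR_NO_NS].each { |rstr| puts extract_audience(rstr) }
  begin
    extract_audience(RSTR_NO_ADDRESS)
  rescue AudienceMissing => e
    puts "rejected: #{e.message}"
  end
end
```

Passing the namespaces hash is what makes REXML compare element namespace URIs instead of raw prefixes, so the first XPath already covers both the `wsa:`-prefixed and default-namespace layouts; the second XPath is only reached for responses that put `EndpointReference` in no namespace at all.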