spring-projects
OpenSaml4AuthenticationProvider should include secondary statusCode messages on error
Expected Behavior
Two cases:
-
When the
isPassiveflag is set totrue, and the request is sent to an IdP that doesn't support passive mode, the expected statusCode isurn:oasis:names:tc:SAML:2.0:status:NoPassive: -
Similarly, with the
isPassiveflag, is set totrue, and the request is sent to an IdP that supports passive mode, but the user doesn't have a session yet with the IdP, the expected statusCode isurn:oasis:names:tc:SAML:2.0:status:NoPassive
Current Behavior
In the createDefaultResponseValidator method, when the request goes through case 1, the samlResponse looks like this:
However, the createDefaultResponseValidator uses the outer statusCode urn:oasis:names:tc:SAML:2.0:status:Responder:
Similarly, in case 2, the samlResponse looks like this:
and output from createDefaultResponseValidator is urn:oasis:names:tc:SAML:2.0:status:Requester:
Context
How has this issue affected you?
I can't tell if the source of the error is NoPassive or something else to decide how to proceed with the sign-in flow.
What are you trying to accomplish?
I'm implementing a dynamic passive value for multi-tenants, and when the IdP doesn't support passive, or there's no session at the IdP, I'm detecting the error and using the redirectStrategy to send the user back to the main page. It's a public page that tries to passively log the user in if there's a session with the IdP.
What other alternatives have you considered?
None.
Are you aware of any workarounds?
No.
Thanks, @kha1989led, I think it makes sense to add this extra detail.
Given that a top-level status code may have many secondary status codes, I think we should make sure to include each as an individual error message.
Are you able to provide a PR to add this behavior?
@jzheaux I can take stab at it. Is there a deadline for when I should provide the PR?
Hi, @kha1989led, if you are still available, a PR would be most appreciated!
