
SAML SSO fails when SAML response elements inherit a parent's default namespace

Open payerset-ag opened this issue 11 months ago • 0 comments

Bug report

  • [X] I confirm this is a bug with Supabase, not with my own application.
  • [X] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The Supabase auth library uses the crewjam/saml library for SAML SSO support.

This library has a documented bug that prevents it from correctly propagating a default namespace applied at a parent element (such as <Response>) that does not use a prefix.

  • https://github.com/crewjam/saml/issues/527
  • https://github.com/crewjam/saml/issues/578

For example:

<?xml version="1.0" encoding="UTF-8"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ...>
  ...
  <Assertion ID="*redacted*" IssueInstant="*redacted*" Version="2.0">
  ...

As a result, identity providers that return a (valid) SAML response in this format cause a Supabase SSO authentication request to fail with the following type of error:

{
    "component": "api",
    "error": "expected element \u003cAssertion\u003e in name space urn:oasis:names:tc:SAML:2.0:assertion but have no name space",
    "level": "info",
    "method": "POST",
    "msg": "400: SAML Assertion is not valid",
    "path": "/sso/saml/acs",
    "referer": "*redacted*",
    "remote_addr": "*redacted*",
    "request_id": "*redacted*",
    "time": "*redacted*"
}
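The mechanism behind that log line, as an added example in Go that is not code from the issue or from crewjam/saml: the response below is a constructed sample shaped like the one quoted above (prefixed protocol namespace on <Response>, unprefixed default assertion namespace declared on the same element). Go's own encoding/xml resolves the default namespace correctly while walking the document, but if the <Assertion> subtree is cut out as raw text and parsed again on its own, the inherited xmlns declaration is gone and the strict unmarshal target rejects it with exactly the "expected element <Assertion> in name space ... but have no name space" error. The second extraction mode copies every ancestor namespace declaration the element does not redeclare onto the fragment, which is the general repair for this class of bug; it is written here from first principles and makes no claim about how the linked pull request implements it. The type `Assertion`, the functions and the sample document are all assumptions of this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample modelled on the response shape quoted in the issue:
// the protocol namespace is prefixed (ns3) while the assertion namespace is
// the unprefixed default declared on <Response>, so <Assertion> inherits it.
const sampleResponse = `<?xml version="1.0" encoding="UTF-8"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <Issuer>https://idp.example.test</Issuer>
  <Assertion ID="_a1" IssueInstant="2025-01-23T01:01:00Z" Version="2.0">
    <Issuer>https://idp.example.test</Issuer>
    <Subject><NameID>alice@example.test</NameID></Subject>
  </Assertion>
</ns3:Response>`

const assertionNS = "urn:oasis:names:tc:SAML:2.0:assertion"

// Assertion is a minimal strict unmarshal target: the XMLName tag pins both
// the namespace and the local name, the same check that produces the error
// seen in the Supabase auth log.
type Assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID      string   `xml:"ID,attr"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// nsDecls returns the namespace declarations carried by one start tag,
// keyed by prefix ("" for the default namespace).
func nsDecls(se xml.StartElement) map[string]string {
	m := map[string]string{}
	for _, a := range se.Attr {
		switch {
		case a.Name.Space == "" && a.Name.Local == "xmlns":
			m[""] = a.Value
		case a.Name.Space == "xmlns":
			m[a.Name.Local] = a.Value
		}
	}
	return m
}

// injectDecls inserts namespace declarations right after the element name of
// a raw start tag so the fragment can be parsed stand-alone.
func injectDecls(raw string, decls map[string]string) string {
	if len(decls) == 0 {
		return raw
	}
	end := strings.IndexAny(raw[1:], " \t\r\n/>") + 1 // end of the element name
	prefixes := make([]string, 0, len(decls))
	for p := range decls {
		prefixes = append(prefixes, p)
	}
	sort.Strings(prefixes) // deterministic attribute order
	var b strings.Builder
	b.WriteString(raw[:end])
	for _, p := range prefixes {
		if p == "" {
			fmt.Fprintf(&b, ` xmlns="%s"`, decls[p])
		} else {
			fmt.Fprintf(&b, ` xmlns:%s="%s"`, p, decls[p])
		}
	}
	b.WriteString(raw[end:])
	return b.String()
}

// ExtractAssertion cuts the <Assertion> subtree out of a response as raw text.
// inherit=false returns the bytes exactly as they appear in the document (this
// loses a default namespace declared on an ancestor); inherit=true adds every
// ancestor declaration the element does not redeclare itself.
func ExtractAssertion(doc string, inherit bool) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var scopes []map[string]string // declarations of each open ancestor, outer first
	var inherited map[string]string
	var start int64 = -1
	depth := 0
	for {
		before := dec.InputOffset() // byte offset where the next token begins
		tok, err := dec.Token()
		if err != nil {
			return "", fmt.Errorf("assertion not found: %w", err)
		}
		switch t := tok.(type) {
		case xml.StartElement:
			own := nsDecls(t)
			if start < 0 && t.Name.Space == assertionNS && t.Name.Local == "Assertion" {
				start = before
				inherited = map[string]string{}
				for _, s := range scopes { // inner scopes override outer ones
					for p, uri := range s {
						inherited[p] = uri
					}
				}
				for p := range own { // the element's own declarations win
					delete(inherited, p)
				}
			}
			scopes = append(scopes, own)
			if start >= 0 {
				depth++
			}
		case xml.EndElement:
			scopes = scopes[:len(scopes)-1]
			if start >= 0 {
				depth--
				if depth == 0 {
					raw := doc[start:dec.InputOffset()]
					if !inherit {
						return raw, nil
					}
					return injectDecls(raw, inherited), nil
				}
			}
		}
	}
}

// ParseAssertion runs the strict namespace-checked unmarshal on a fragment.
func ParseAssertion(fragment string) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal([]byte(fragment), &a); err != nil {
		return nil, err
	}
	return &a, nil
}

func main() {
	for _, inherit := range []bool{false, true} {
		frag, err := ExtractAssertion(sampleResponse, inherit)
		if err != nil {
			panic(err)
		}
		fmt.Printf("inherit=%v: %s\n", inherit, strings.SplitN(frag, "\n", 2)[0])
		if a, err := ParseAssertion(frag); err != nil {
			fmt.Println("  error:", err)
		} else {
			fmt.Println("  ok: assertion", a.ID, "issued by", a.Issuer)
		}
	}
}
```

Running it prints the raw fragment failing with the same "but have no name space" message as the Supabase log, and the namespace-propagated fragment parsing cleanly. The same walk can be reused as a pre-flight check on a captured IdP response when diagnosing an SSO failure: if the <Assertion> start tag carries no xmlns of its own and the default namespace lives on <Response>, the response is in the format this issue describes.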

There is an active pull request from November 2024 with a fix for this issue in the referenced library, but outside of a lone cryptography update from July 2024, the library has not seen master branch updates since October 2023.

Open PR to fix: https://github.com/crewjam/saml/pull/580

A specific commercial IdAM platform impacted by this issue and relevant to an active use case is FusionAuth, which the above response sample is sourced from.

To Reproduce

  1. Configure a Supabase project for SAML SSO
  2. Configure an Identity Provider that formats a response in this fashion for the Supabase project as an SP, such as FusionAuth (free trial available)
  3. Attempt to perform a SAML login using a web client and the JavaScript SSO login
  4. Review the Supabase Auth logs for the request

Expected behavior

Supabase (via the crewjam/saml library) should interpret the valid SAML response correctly and complete the login flow.

System information

  • OS: Windows (tested on, using latest js library)
  • Supabase Pro plan

payerset-ag, Jan 23 '25 01:01