[IdP] Bug/feature with SLO and SAML2 issuer tag

Forge Component
26 votes
Published on 4 Jul by Telmo Martins

Hi,

We are using the (custom) IdP with Azure AD, no problems there. Just letting you know that the current Forge version of IdP fails to do Single Log-Out whenever the Azure app is configured with an App ID without a URI scheme. This App ID is what you will find on the OutSystems end, configured in IdP's "SP Issuer (SP Entity ID)" field.

In the long run, I'm sure someone else will bump into this same issue, and I'd like to see this change implemented in the Forge component as well.

The current C# implementation in the SAML_Utils extension / MssSAML_CreateLogoutRequest() throws an exception whenever the input parameter ssIssuer does not have a scheme in it.

Example: "https://app.domain.com" works, but "app.domain.com" doesn't.

To overcome this situation:

  1. Option 1 is to change the Azure AD App configuration and reflect these changes in the IdP configuration.
  2. Option 2 is to change the extension. I did not have option 1 available, so I changed:

req.Issuer = new Uri(ssIssuer);

to

req.Issuer = new Uri(ssIssuer, UriKind.RelativeOrAbsolute);

It's still not perfect, as the SAML2 XSD spec allows the content of the <Issuer> tag to be any string, without any checks.

Helpful links:

cheers,

-Mikko(N)
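The failure mode and the workaround described in the post above, as an added example that is not the Forge IdP component's code and does not use its SAML library: it shows that `new Uri("app.domain.com")` throws, what the `UriKind.RelativeOrAbsolute` change accepts instead, and how a LogoutRequest can carry the configured SP Entity ID in `<saml:Issuer>` verbatim, as the SAML2 schema allows. The class and method names (`SamlIssuerDemo`, `BuildLogoutRequest`, `IssuerRoundTrips`) and the sample issuer strings are invented for this example.

```csharp
using System;
using System.Xml.Linq;

// Added example, not the Forge IdP / SAML_Utils code. The names here are
// invented for illustration; the sample issuers below are constructed inputs.
public static class SamlIssuerDemo
{
    static readonly XNamespace Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Same construct as the original extension line: only absolute URIs parse,
    // so a scheme-less Entity ID raises UriFormatException.
    public static Uri ParseIssuerStrict(string ssIssuer) => new Uri(ssIssuer);

    // The replacement from the post: scheme-less values parse as relative URIs
    // instead of throwing.
    public static Uri ParseIssuerLenient(string ssIssuer) =>
        new Uri(ssIssuer, UriKind.RelativeOrAbsolute);

    // Emits a minimal LogoutRequest without parsing the issuer at all. The
    // schema types <Issuer> as a string, so the configured SP Entity ID is
    // written exactly as given; the IdP will compare it by string equality.
    public static XElement BuildLogoutRequest(string issuer, string nameId,
                                              string requestId, DateTime issueInstantUtc)
    {
        if (string.IsNullOrWhiteSpace(issuer))
            throw new ArgumentException("Issuer must not be empty", nameof(issuer));

        return new XElement(Samlp + "LogoutRequest",
            new XAttribute(XNamespace.Xmlns + "samlp", Samlp),
            new XAttribute(XNamespace.Xmlns + "saml", Saml),
            new XAttribute("ID", requestId),
            new XAttribute("Version", "2.0"),
            new XAttribute("IssueInstant", issueInstantUtc.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")),
            new XElement(Saml + "Issuer", issuer),
            new XElement(Saml + "NameID", nameId));
    }

    // Check worth running before shipping a workaround: the Issuer that lands
    // in the XML must equal the configured Entity ID byte for byte.
    public static bool IssuerRoundTrips(string configuredEntityId)
    {
        var req = BuildLogoutRequest(configuredEntityId, "user@example.com",
                                     "_" + Guid.NewGuid().ToString("N"), DateTime.UtcNow);
        var written = req.Element(Saml + "Issuer")?.Value;
        return written == configuredEntityId;
    }

    public static void Main()
    {
        // Constructed inputs: the two cases from the post, plus a plain string
        // that is legal <Issuer> content but not a URI in any sense.
        foreach (var issuer in new[] { "https://app.domain.com", "app.domain.com", "My SP Entity ID" })
        {
            try
            {
                Console.WriteLine($"strict   {issuer,-24} -> {ParseIssuerStrict(issuer)}");
            }
            catch (UriFormatException e)
            {
                Console.WriteLine($"strict   {issuer,-24} -> {e.GetType().Name}");
            }

            try
            {
                var u = ParseIssuerLenient(issuer);
                Console.WriteLine($"lenient  {issuer,-24} -> IsAbsoluteUri={u.IsAbsoluteUri}, " +
                                  $"OriginalString={u.OriginalString}");
            }
            catch (UriFormatException e)
            {
                Console.WriteLine($"lenient  {issuer,-24} -> {e.GetType().Name}");
            }

            Console.WriteLine($"verbatim {issuer,-24} -> roundtrips={IssuerRoundTrips(issuer)}");
        }

        Console.WriteLine(BuildLogoutRequest("app.domain.com", "user@example.com",
                                             "_" + Guid.NewGuid().ToString("N"), DateTime.UtcNow));
    }
}
```

Two things to verify after applying the `UriKind.RelativeOrAbsolute` change in a real extension: first, a relative `Uri` throws `InvalidOperationException` from members such as `AbsoluteUri`, `Host` or `Scheme`, so any later code that touches `req.Issuer` beyond `OriginalString`/`ToString()` must be checked; second, the value serialised into `<saml:Issuer>` has to match the Entity ID configured on the Azure AD side exactly, since that comparison is a plain string match and any escaping introduced by `Uri` will make the logout request be rejected.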

Hi Mikko,

Thanks. Will keep that in mind for the next version.

Regards