This repository was archived by the owner on Jul 11, 2018. It is now read-only.
Incorrect SAML2 usage for AuthnRequest #14
Open
Description
API appears to use HTTP-POST to post its (signed) AuthnRequest to EngineBlock (odd, but may be necessary due to its size).
However, it also appears to send the following unnecessary keys: Signature, SigAlg and KeyInfo. These are part of HTTP-Redirect but not HTTP-POST.
Example:
RelayState=%2Fv1%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3Dhttps%3A%2F%2Ftestsp.surfconext.nl%2Fshibboleth%26scope%3Dread%26redirect_uri%3Dhttps%3A%2F%2Fapi.demo.openconext.org%2Fv1%2Ftest%2Foauth-callback.shtml&SAMLRequest=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%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjN2NmYzliMmMtZjhiNC00Zjg0LWFlY2QtYWI1NjllMjNkZDRkIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5wS09oQTREYTdmY2diT251YmZ5c0htOG1PYk09PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8%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%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJRXdUQ0NBcWtDQVFBd0RRWUpLb1pJaHZjTkFRRUxCUUF3R0RFV01CUUdBMVVFQ2hNTlQzQmxia052Ym1WNGRDQkRRVEFlRncweApOREV4TVRReE1EQTNNemhhRncweE9URXhNVE14TURBM016aGFNRFV4RXpBUkJnTlZCQW9UQ2s5d1pXNURiMjVsZUhReEhqQWNCZ05WCkJBTVVGU291WkdWdGJ5NXZjR1Z1WTI5dVpYaDBMbTl5WnpDQ0FpSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDQWdvQ2dnSUIKQU5jTDlteklsZmdvdENKYUtEL1gxcVM3NWJqOFMxU08yNS8wbk5TcmpsaTIwNW5xYk9FcFVKQXBKczJzcGNiNk8rcU12cUNJc0JXcworQjEvKzFEWm5pRGZ5bVUvV0pzUjcxSTk3OHNLWml5NjJTYzU2UElzdFFJVVJKTTgvSHBGTkVSNEo0N0pER2xFVjB6VVJqdUxPcWlUCmx3cDlhMEtFZExHRHN6UlpsTW8xTnR6TFNYdHlmYkU3cHNvZ3dGZ2ZERzV6ZXBYOERPaGpXWTdhbWdTTnQyalB5ZU9GTDZveGdpZ1kKbFpDNUM4TWVzanpka0dYem9kZTdiUE40N2pkLzhUcFhBQ3dYeXhhaTN2NVJ6VE93VEcrUTBjZXgxb0xCYkg2VlB3YU5tbGRFSURCagpKaitSUTVMbmhtVmUvSUdRYjYydGhic1U4U21Fc0JnSkF2dkxQbUZDQlBQWS9Tc21NK2RLd2x0ZGkrcFdpTXNxSDU3QjBHdFA0aWVyCi9qVHFOWXd0SzVudW9hVFd4VzE4aXM3MmtFTUI5MWVmQUZ4VkluTGQ5WkoyZWtOT3lZM0gya2Z2YnoxbEtwcGJ0VVNMakk1Y3hkbVkKN09ZcVV4a3htTi9WY3NkMjM0Uk
RadXRKQXh0YlBSR1RBNFpNajFjRHNOY2QwSFIwQ1k0QVN6WmVLbm1TM2FSbzcyRXJmM3paV0E4KwpIWHl6enFzc01UYnVTLzdVT1ZmUHZKWDc0UlBrWjhOU2ljd2tqM3pmU0hEVFlXbFVJOEd1WkU1YTB1UDMxMDNxbTZtSDJrTm9iNUVuCklsVi9EZWowdmZJTU90azF5UmY1SEF6a2J5RGtaR2pIODdmMU0xeGM5VHM3SjhqSnJQeVJxeE45ZXRtRjg0NWxTMzBPcFNWSFhyVy8KQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnSUJBSlVLWVlvZ1lpUmdqNkJ1KzRhUjg4bHpKS2dmeVVGZ2dFb2pOdWk5eExTWgpzY2ZONE9SV1Z1WDM1SHQxbFF2TmxiRFFYZ3cxTWhNU3J1TEV6VG1aRFRlaXY1V1JSQ3l3T1hVQ2VHeHdKNDJNMGhKN2s4dTNaZU5tCi9vWGZCd1JWb1ByRzNnQU5QUTBJeE9HQWNrR3I2K1ZuRHRiR0F5UUlQd01xMUFWb3FyZExrc0N5MHRHMVpGTTVuRFo1OEtpUGp3Tm8KYkZvOGxQUzV0L2xoZ0ljSXNLekVhSCtUTmcwdldUWVg3bXA1UTlOZVU1a1FkdkVJMnNUNG9OUkpuelhMUmVtZDJCYzh0dDRoTzBKVwpmTm1uT25pcXdzSFJFTzIzcGltYllhaENwOTZmdUc0dmNIQTZYM3gwK2RyMXdtSXpseWY0STgyZFNGaEpFaGwybU0wOHJxc2tTN0dWCmQ4RTZIeWdoZjZCT1dSaXp1SVhMQU5ZanhDZDRDVXVoV05jaFpQTWl6QUFPMDNJcXlFLzU5TGhyYkMrV1k0MmZDdzF0RTU2VUhpT2cKS3k0bGc3aEd5c2grTHpLcHNGUnJoWDE0LzlxUU1vNjBocWxmZWdRLzh2eHlIUWVaOVI4d1o1OUVvdHdKVDhzNkhaRFVNbVV6ckxNOApzbXVyaHdxOXc0NnhiK3BtOGRReEFxdjRMRm91YzFWdXZZZDBBdUNDb3Q0WHNYWW4rYlQxNVArc3oycmZSWnJBeGtqZ1dQUEIrTFhjCnFvSGhRQWpPTG9ELzlWdzB4OGdlcFhCVVVxa0dtRG9ZWXlPSEhZREJpR0xpWmVLSGVjbTI3YVFGSnozNXdnS1pFNlJlNHlRdm1nTGoKOGp5TnlMRGVyV1labTJsWUJRTTRNajhONWtnajdNbjg8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDJwOlNjb3Bpbmc%2BPHNhbWwycDpSZXF1ZXN0ZXJJRD5odHRwOi8vbG9jYWxob3N0L3NpbXBsZXNhbWwvbW9kdWxlLnBocC9zYW1sL3NwL21ldGFkYXRhLnBocC9waWV0ZXItbG9jYWwtdGVzdC1zcDwvc2FtbDJwOlJlcXVlc3RlcklEPjwvc2FtbDJwOlNjb3Bpbmc%2BPC9zYW1sMnA6QXV0aG5SZXF1ZXN0Pg%3D%3D&Signature=m7ODorIFcNZ2hzXk89Cm2Kt8x09%2BDmRO8pvTWPLA5nZ8W2UV%2B0l94yp36qqaEFGnWR2kq4pn3QFnrz4Sh%2Fx3u19SCFuep0nJj4FSEeOW%2FnqrFH37RMaEzg368yZd8oCm%2Bq83nsYnNoMQ9uG2CAWhBxzfG2x6aYJ0g88fVgPhtZuj7z9fzDwwYyQIy405dedqwOfEi5%2FJSahrQGpADaTT8tn%2FDdOo6a2z6cIzNaWKzj2zjQmzDm3lKmvbhV5tl93%2FfBUUfJ2ZxIttJHIIp8UT0v2XioOyJM69wKMLuQS3M0dQ1OIDnLxfwMP5jFgstjIFRqThHtr3ZlZqTFjrYoK1lC8HdcSBeCJk4%2BmvWugOw%2F%2FEpTXx3sXZ%2F9QvGrLNyLtpyXW
lN99%2BLnS%2B7WltfGzcFcKQ178vcb4JilLy2f6uRTegLCVutyFAyAj9iiLo6UJN9pSB9Ju9aCNZhH4S0VHuGO2aqyC%2FRV7e%2BLFrF3oJR0GNXd%2F5YzRQ3aOvrdJm5fy4FgIkfd9lhk0Zov%2BgF9hPRcCKmhKmYuiVDe0U0dw%2BGE9o86HVGMrDrkWAm5r1BtmVCFOEZBBt6oKYCW4d5FQ6i10rJkRdxpkX9sSt8PV8evuLPYY9wGHzHGx6Ux0CzSKI3TSDzWRgny3JNrbNnzQ6szceleRfYTeB0nvDxtRtUVc%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&KeyInfo=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48ZHM6S2V5SW5mbyB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJRXdUQ0NBcWtDQVFBd0RRWUpLb1pJaHZjTkFRRUxCUUF3R0RFV01CUUdBMVVFQ2hNTlQzQmxia052Ym1WNGRDQkRRVEFlRncweApOREV4TVRReE1EQTNNemhhRncweE9URXhNVE14TURBM016aGFNRFV4RXpBUkJnTlZCQW9UQ2s5d1pXNURiMjVsZUhReEhqQWNCZ05WCkJBTVVGU291WkdWdGJ5NXZjR1Z1WTI5dVpYaDBMbTl5WnpDQ0FpSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDQWdvQ2dnSUIKQU5jTDlteklsZmdvdENKYUtEL1gxcVM3NWJqOFMxU08yNS8wbk5TcmpsaTIwNW5xYk9FcFVKQXBKczJzcGNiNk8rcU12cUNJc0JXcworQjEvKzFEWm5pRGZ5bVUvV0pzUjcxSTk3OHNLWml5NjJTYzU2UElzdFFJVVJKTTgvSHBGTkVSNEo0N0pER2xFVjB6VVJqdUxPcWlUCmx3cDlhMEtFZExHRHN6UlpsTW8xTnR6TFNYdHlmYkU3cHNvZ3dGZ2ZERzV6ZXBYOERPaGpXWTdhbWdTTnQyalB5ZU9GTDZveGdpZ1kKbFpDNUM4TWVzanpka0dYem9kZTdiUE40N2pkLzhUcFhBQ3dYeXhhaTN2NVJ6VE93VEcrUTBjZXgxb0xCYkg2VlB3YU5tbGRFSURCagpKaitSUTVMbmhtVmUvSUdRYjYydGhic1U4U21Fc0JnSkF2dkxQbUZDQlBQWS9Tc21NK2RLd2x0ZGkrcFdpTXNxSDU3QjBHdFA0aWVyCi9qVHFOWXd0SzVudW9hVFd4VzE4aXM3MmtFTUI5MWVmQUZ4VkluTGQ5WkoyZWtOT3lZM0gya2Z2YnoxbEtwcGJ0VVNMakk1Y3hkbVkKN09ZcVV4a3htTi9WY3NkMjM0UkRadXRKQXh0YlBSR1RBNFpNajFjRHNOY2QwSFIwQ1k0QVN6WmVLbm1TM2FSbzcyRXJmM3paV0E4KwpIWHl6enFzc01UYnVTLzdVT1ZmUHZKWDc0UlBrWjhOU2ljd2tqM3pmU0hEVFlXbFVJOEd1WkU1YTB1UDMxMDNxbTZtSDJrTm9iNUVuCklsVi9EZWowdmZJTU90azF5UmY1SEF6a2J5RGtaR2pIODdmMU0xeGM5VHM3SjhqSnJQeVJxeE45ZXRtRjg0NWxTMzBPcFNWSFhyVy8KQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnSUJBSlVLWVlvZ1lpUmdqNkJ1KzRhUjg4bHpKS2dmeVVGZ2dFb2pOdWk5eExTWgpzY2ZONE9SV1Z1WDM1SHQxbFF2TmxiRFFYZ3cxTWhNU3J1TEV6VG1aRFRlaXY1V1JSQ3l3T1hVQ2VHeHdKNDJNMGhKN2s4dTNaZU5tCi
9vWGZCd1JWb1ByRzNnQU5QUTBJeE9HQWNrR3I2K1ZuRHRiR0F5UUlQd01xMUFWb3FyZExrc0N5MHRHMVpGTTVuRFo1OEtpUGp3Tm8KYkZvOGxQUzV0L2xoZ0ljSXNLekVhSCtUTmcwdldUWVg3bXA1UTlOZVU1a1FkdkVJMnNUNG9OUkpuelhMUmVtZDJCYzh0dDRoTzBKVwpmTm1uT25pcXdzSFJFTzIzcGltYllhaENwOTZmdUc0dmNIQTZYM3gwK2RyMXdtSXpseWY0STgyZFNGaEpFaGwybU0wOHJxc2tTN0dWCmQ4RTZIeWdoZjZCT1dSaXp1SVhMQU5ZanhDZDRDVXVoV05jaFpQTWl6QUFPMDNJcXlFLzU5TGhyYkMrV1k0MmZDdzF0RTU2VUhpT2cKS3k0bGc3aEd5c2grTHpLcHNGUnJoWDE0LzlxUU1vNjBocWxmZWdRLzh2eHlIUWVaOVI4d1o1OUVvdHdKVDhzNkhaRFVNbVV6ckxNOApzbXVyaHdxOXc0NnhiK3BtOGRReEFxdjRMRm91YzFWdXZZZDBBdUNDb3Q0WHNYWW4rYlQxNVArc3oycmZSWnJBeGtqZ1dQUEIrTFhjCnFvSGhRQWpPTG9ELzlWdzB4OGdlcFhCVVVxa0dtRG9ZWXlPSEhZREJpR0xpWmVLSGVjbTI3YVFGSnozNXdnS1pFNlJlNHlRdm1nTGoKOGp5TnlMRGVyV1labTJsWUJRTTRNajhONWtnajdNbjg8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz4%3D
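The binding mismatch the issue describes, as an added example that is not part of the original issue or of the project's own code. Under the SAML 2.0 HTTP-POST binding the request is base64(XML) and the signature is an enveloped ds:Signature inside the XML; under HTTP-Redirect the request is base64(DEFLATE(XML)) and the signature travels out-of-band in the Signature and SigAlg parameters. The linter below parses a form body, decodes SAMLRequest, confirms the enveloped signature is present, and flags the redirect-only parameters. The AuthnRequest, the signature value and the parameter values are constructed placeholders, not the data from the issue.

```python
"""Lint an HTTP-POST bound SAML 2.0 AuthnRequest body for HTTP-Redirect leftovers.

Added example (not the project's code). The sample XML, signature value and
parameter values are constructed placeholders.
"""
import base64
import zlib
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Parameters defined by the HTTP-Redirect binding only; HTTP-POST receivers ignore them.
REDIRECT_ONLY_KEYS = ("Signature", "SigAlg", "KeyInfo")


def decode_saml_request(value):
    """Return (xml_bytes, was_deflated). Redirect binding applies raw DEFLATE before base64."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15), True  # raw DEFLATE stream (no zlib header)
    except zlib.error:
        return raw, False  # plain base64(XML), as HTTP-POST requires


def lint_post_body(body):
    """Return a list of findings (empty when the body is a clean HTTP-POST request)."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    if "SAMLRequest" not in params:
        return ["missing SAMLRequest parameter"]
    xml_bytes, deflated = decode_saml_request(params["SAMLRequest"])
    if deflated:
        findings.append("SAMLRequest is DEFLATE-compressed: HTTP-Redirect encoding, not HTTP-POST")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        findings.append(f"unexpected root element {root.tag}")
    # HTTP-POST carries the signature inside the XML; without it the request is unsigned.
    if root.find(f"{{{DS_NS}}}Signature") is None:
        findings.append("no enveloped ds:Signature inside the AuthnRequest")
    for key in REDIRECT_ONLY_KEYS:
        if key in params:
            findings.append(f"{key} parameter is HTTP-Redirect only; ignored by HTTP-POST receivers")
    return findings


# Constructed sample AuthnRequest with a placeholder enveloped signature.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
    "</samlp:AuthnRequest>"
).encode()


def build_body(extra=None, deflate=False):
    """Build a form body; deflate=True mimics the HTTP-Redirect encoding of SAMLRequest."""
    xml = SAMPLE_XML
    if deflate:
        comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, as the Redirect binding specifies
        xml = comp.compress(SAMPLE_XML) + comp.flush()
    params = {
        "RelayState": "/v1/oauth2/authorize",  # constructed
        "SAMLRequest": base64.b64encode(xml).decode(),
    }
    params.update(extra or {})
    return urlencode(params)


# Body shaped like the one in the issue: POST binding plus redirect-only parameters.
WRONG_BODY = build_body({
    "Signature": "PLACEHOLDER",
    "SigAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "KeyInfo": "PLACEHOLDER",
})
# Corrected body: the enveloped signature in the XML is the only signature.
CORRECT_BODY = build_body()

if __name__ == "__main__":
    for name, body in (("as sent", WRONG_BODY), ("corrected", CORRECT_BODY)):
        print(name, lint_post_body(body) or ["ok"])
```

On the receiving side the point is the inverse of the lint: an HTTP-POST endpoint must validate the enveloped XML signature and must not accept the out-of-band Signature/SigAlg parameters as a substitute, since they are outside what the POST binding defines.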