From 47897f73fa597696681e38b9939f4de586cce02e Mon Sep 17 00:00:00 2001 From: Phu Kieu Date: Thu, 6 Apr 2017 14:04:20 -0700 Subject: [PATCH] Validate audience with entityIssuer if present, use redirectURI otherwise --- Documentation/saml-connector.md | 2 ++ connector/saml/saml.go | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Documentation/saml-connector.md b/Documentation/saml-connector.md index dcaea405..b0fbadba 100644 --- a/Documentation/saml-connector.md +++ b/Documentation/saml-connector.md @@ -40,6 +40,8 @@ connectors: # insecureSkipSignatureValidation: true # Optional: Issuer value for AuthnRequest + # Must be contained within the "AudienceRestriction" attribute in all responses + # If not set, redirectURI will be used for audience validation entityIssuer: https://dex.example.com/callback # Optional: Issuer value for SAML Response diff --git a/connector/saml/saml.go b/connector/saml/saml.go index 7f93ba9e..83496265 100644 --- a/connector/saml/saml.go +++ b/connector/saml/saml.go @@ -466,6 +466,10 @@ func (p *provider) validateConditions(assertion *assertion) error { } } // Validates audience + audienceValue := p.entityIssuer + if audienceValue == "" { + audienceValue = p.redirectURI + } audienceRestriction := conditions.AudienceRestriction if audienceRestriction != nil { audiences := audienceRestriction.Audiences @@ -473,14 +477,14 @@ func (p *provider) validateConditions(assertion *assertion) error { values := make([]string, len(audiences)) issuerInAudiences := false for i, audience := range audiences { - if audience.Value == p.redirectURI { + if audience.Value == audienceValue { issuerInAudiences = true break } values[i] = audience.Value } if !issuerInAudiences { - return fmt.Errorf("required audience %s was not in Response audiences %s", p.redirectURI, values) + return fmt.Errorf("required audience %s was not in Response audiences %s", audienceValue, values) } } }