[jira] [Commented] (FEDIZ-232) 'wctx' parameter mandatory but protocol does not require

Tue, 13 Nov 2018 08:03:49 -0800 


    [ 
https://issues.apache.org/jira/browse/FEDIZ-232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16685411#comment-16685411
 ] 

Colm O hEigeartaigh commented on FEDIZ-232:
-------------------------------------------

# This is not really a bug as such but probably a limitation. The "Issuer" in 
the Fediz configuration is used as the address of the IdP. It isn't really 
suitable to use this to compare against the Issuer of the Response though, 
which is why it uses the realm for this. If this is an issue for you please 
create another Jira outlining the issue, we can add a new configuration option 
specific to SAML SSO to use for this value instead.
 # I'm not really sure what you mean here. The STS uses WS-Trust whereas Fediz 
uses SAML SSO. How is the STS supposed to be able to process the SAML Request?

> 'wctx' parameter mandatory but protocol does not require
> --------------------------------------------------------
>
>                 Key: FEDIZ-232
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-232
>             Project: CXF-Fediz
>          Issue Type: Bug
>            Reporter: Christian Fischer
>            Priority: Major
>
> For logins which are not initiated by a valid session on the RP side the user 
> cannot be authenticated because the wctx parameter is missing or has the 
> wrong value.
> There are at least two scenarios in which this causes a unwanted behaviour of 
> the system.
>  * First is if the IDP/login page is bookmarked and returns only later after 
> the session on the RP is timed out. 
>  * Second is something similar to a IDP initiated login flow. It's not in the 
> WS federation protocol specification but according to our tests fediz could 
> easily allow that if the 'wctx' check is removed. 
> In the protocol specification the 'wctx' parameter is also only optional, 
> where fediz expects it to be always present. There is a comment with respect 
> to CSRF prevention but our security team didn't see the case for this since 
> there is no passive way of authentication is used. In fact it's the actual 
> authentication request that is supposed to be protected, but we don't see the 
> need.
>  
> One option (if the CSRF case is valid) would be to at least disable the 
> 'wctx' state validation by setting a flag.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to