Error when multiple attributes have the same name in SAML response.
oturcot opened this issue · 2 comments
Hi,
I found a bug where the Service Provider (pfsense-saml2-auth) can't see the multiple "Role" attributes in the SAML response sent by my identity provider (Keycloak in my case).
This is the error I got from pfsense-saml2-auth.
Fatal error: Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819
Stack trace:
#0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name')
#1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes()
#2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL)
#3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs()
#4 {main}
thrown in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php on line 819
PHP ERROR: Type: 1, File: /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php, Line: 819, Message: Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819
Stack trace:
#0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name')
#1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes()
#2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL)
#3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs()
#4 {main}
thrown
It was also creating this crash report in pfSense:
[24-Jan-2022 03:00:43 America/MyTimeZone] PHP Fatal error: Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819
Stack trace:
#0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name')
#1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes()
#2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL)
#3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs()
#4 {main}
thrown in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php on line 819
Here is the "AttributeStatement" section in my SAML response. As you can see, it accepts multiple groups because there is a single "Attribute" and multiple "AttributeValue". The "Role" attributes are sent individually and not all in the same "Attribute".
<saml:AttributeStatement>
  <saml:Attribute FriendlyName="Groups membership mapper"
      Name="memberOf"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >/admins</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >/test</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >default-roles-perso</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >manage-account</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >view-profile</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >pfSense</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >offline_access</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >manage-account-links</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      >
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
        >uma_authorization</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
I tried with a user without any role and I didn't get any error, so I believe this was causing the issue.
Thanks,
Olivier Turcot
Looks like you are dealing with an error caused by the upstream OneLogin php-saml implementation that is used.
I would suggest also posting this issue over there: https://github.com/onelogin/php-saml
In my case (with a Microfocus AccessManager v4.5.3) I see that in the assertion there is just the one reference regarding roles:
<saml:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeValue xsi:type="xs:string">pfSense Admins</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">authenticated</saml:AttributeValue>
</saml:Attribute>
Can you elaborate more as to how you have set up the SAML connection?
I'm trying to understand why your IDP is sending the assertion in separate 'roles' attributes.
- Glowsome
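The two assertions in this thread show the two shapes an IdP can use for a multi-valued attribute: one Attribute with several AttributeValue children (the memberOf attribute and the Microfocus roles attribute), or the same Name repeated on several Attribute elements (the Keycloak Role attributes), which is what php-saml rejects with "Found an Attribute element with duplicated Name". The following Python script is an added example, not code from pfsense-saml2-auth or onelogin/php-saml: it parses an AttributeStatement, reports which Names are duplicated (the condition that triggers the error), mimics the strict php-saml behaviour, and shows the merged values a lenient parser would produce. The sample assertions are constructed, trimmed versions of the two posted above; the function names (parse_attributes, duplicated_names, accepted_by_strict_parser) are this example's own.

```python
"""Detect the duplicate-Name AttributeStatement shape that php-saml rejects.

Added example; not code from pfsense-saml2-auth or onelogin/php-saml.
php-saml's getAttributes() refuses an AttributeStatement in which two
<saml:Attribute> elements share a Name ("Found an Attribute element with
duplicated Name").  A multi-valued attribute has to be one <saml:Attribute>
holding several <saml:AttributeValue> children.  The samples below are
constructed, trimmed versions of the two assertions in the issue thread.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: Keycloak-style output, one "Role" per <Attribute>.
REPEATED_ATTRIBUTE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>/admins</saml:AttributeValue>
    <saml:AttributeValue>/test</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>pfSense</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: the single-Attribute, multi-value shape (as in the
# Microfocus assertion in the reply), wrapped in an <Assertion> to show
# that the checker also finds a nested AttributeStatement.
SINGLE_ATTRIBUTE = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:string">pfSense Admins</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">authenticated</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class DuplicateAttributeName(ValueError):
    """Raised in strict mode, mirroring php-saml's ValidationError."""


def _attribute_statement(xml_text):
    """Return the saml:AttributeStatement element, whether it is the root or nested."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML_NS}}}AttributeStatement":
        return root
    stmt = root.find(".//saml:AttributeStatement", NS)
    if stmt is None:
        raise ValueError("no saml:AttributeStatement found")
    return stmt


def parse_attributes(xml_text, strict=True):
    """Return {Name: [values]} in document order.

    strict=True behaves like php-saml: a second <Attribute> with an
    already-seen Name raises DuplicateAttributeName.  strict=False merges
    the values instead, which shows what the IdP meant but is not what
    php-saml does; refusing the ambiguous shape avoids an SP silently
    keeping only the first or last value when deciding authorization.
    """
    attrs = {}
    for attr in _attribute_statement(xml_text).findall("saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            raise ValueError("saml:Attribute without a Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if name in attrs:
            if strict:
                raise DuplicateAttributeName(
                    f"Found an Attribute element with duplicated Name: {name!r}")
            attrs[name].extend(values)
        else:
            attrs[name] = values
    return attrs


def duplicated_names(xml_text):
    """Names that occur on more than one <Attribute>; empty means php-saml will accept it."""
    seen, dups = set(), []
    for attr in _attribute_statement(xml_text).findall("saml:Attribute", NS):
        name = attr.get("Name")
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def accepted_by_strict_parser(xml_text):
    """True if strict parse_attributes() would not reject the statement."""
    try:
        parse_attributes(xml_text, strict=True)
    except DuplicateAttributeName:
        return False
    return True


if __name__ == "__main__":
    for label, doc in (("repeated Attribute", REPEATED_ATTRIBUTE),
                       ("single Attribute", SINGLE_ATTRIBUTE)):
        print(f"{label}: duplicated names = {duplicated_names(doc)}")
        verdict = "accepted" if accepted_by_strict_parser(doc) else "rejected"
        print(f"  strict (php-saml-like): {verdict}")
        print(f"  merged view: {parse_attributes(doc, strict=False)}")
```

Run it against the decoded AttributeStatement your IdP actually emits (for example from the browser's SAML response): a non-empty duplicated_names() result means the response will hit the error shown in the issue until the IdP is configured to emit one Attribute per Name with several AttributeValue children. In Keycloak that is the "Single Role Attribute" switch on the SAML role list mapper.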