Force escape downcasing for Azure SLO#627
Merged
pitbulk merged 5 commits intoSAML-Toolkits:masterfrom Jan 31, 2022
Merged
Conversation
Collaborator
|
In php-saml we named this setting: lowercaseUrlencoding Can you:
|
Contributor
Author
|
@pitbulk about your request:
added as
I guess you meant to change the opposite method where the signature is unescaped, right? irb(main):008:0> CGI.unescape('%c3%a1sdf')
=> "ásdf"
irb(main):009:0> CGI.unescape('%C3%A1sdf')
=> "ásdf" |
pitbulk
approved these changes
Jan 31, 2022
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I followed the Single Log Out guide for my Azure AD integration and it worked all good until implementing that
idp_logout_requestmethod where I received requests from Azure to log out a user.The requests come signed and trying to validate the signature it was failing, then I realised that the problem is that they are encoding the request parameters with downcase encoding characters (like using
%2finstead of%2F) and they use the parameters downcased to generate the signature, therefore in validation time, when signed parameters are restored withCGI.escapethey were different than the originals sent by Azure (all upcased).To solve this problem, I added a
force_escape_downcasingoption forOneLogin::RubySaml::SloLogoutrequest.new, so all the signature verification is done with downcased encoded parameters.I'm not sure where to add in the readme this option, specially because the SLO example I followed isn't verifying signed requests, but I'm open to suggestions.