Fun SAML issue. Everything is going swimmingly, un...
# cfml-generalj
Jim Partin
09/22/2022, 2:16 PMFun SAML issue. Everything is going swimmingly, until I use processSAMLResponse(). It throws an error The response was received at https://foo/SSO/index.cfm instead of https://foo/SSO/index.cfm?ssoid=12345.
The IdP and SP are both configured properly, it's just that processSAMLResponse() is not taking the query string into account during verification. (apparently it uses getPageContext().getRequest().getRequestURL() ) Is there a way I can have it take the querystring into consideration? The query string is needed to determine which IdP/SP configurations to use.
w
websolete
09/22/2022, 2:30 PMcan you not just use cgi.query_string in your evaluation?
websolete
09/22/2022, 2:31 PMcgi.http_url will give you the stub and query string as well
j
Jim Partin
09/22/2022, 2:32 PMThe ACS url contains the query string with the ssoid so that the IdP can tell my process which profile to use
Jim Partin
09/22/2022, 2:33 PMprocessSAMLResponse() takes a par of preconfigured IdP and SP alias as arguments, under the hood it's using the getPageContext().getRequest().getRequestURL(), so it's not a value I can pass in
w
websolete
09/22/2022, 2:36 PMi haven't used processSAMLResponse, so i guess i won't be of much help, sorry
b
Brian
09/22/2022, 6:07 PMIf you already have a response, isn't the idp/sp config a moot point?
Brian
09/22/2022, 6:39 PMI should have asked, are you on CF2021?
j
Jim Partin
09/22/2022, 7:05 PMcf2021. While I have the response, and can manually decode(and potentially inflate) the samlresponse and parse it manually for the attribute, the IdP/SP config is necessary to use processSAMLResponse, which performs a bunch of security checks, and extracts attributes into a simple struct. I've got my own system to do much of this, but the goal was to use CF2021's built-in capabilites
f
foundeo
09/22/2022, 7:10 PM
@Jim Partin it has been a while since I looked at the details of the SAML libraries, but I think that check is done in the java-saml library, so it probably cannot be changed easily (even by Adobe). You could try doing
onMissingTemplate()/SSO/12345.cfmb
Brian
09/22/2022, 7:10 PMI don't know if this will help, but could you use the relaystate attribute of the SAML request/response to pass the config identifier? If so, then you can just access that through dot notation (response.relaystate) to give you the config variable, ssoid=12345.
f
foundeo
09/22/2022, 7:13 PM
relay state could work… but it could also be a chicken/egg scenario if it is encrypted you need to decrypt it with the correct config first, and you don’t know which config to use until it is decrypted
j
Jim Partin
09/22/2022, 7:19 PMrelaystate isn't an option as the IdP contains the ssoid as part of the ACS url.
In the meanwhile, I did a workaround using rest such that /rest/SSOService/SAML/12345/ become the ACS url. Now that it's part of the path, there is no longer a problem from the function's point of view, but it's still a bit of an awkward solution
b
Brian
09/22/2022, 7:42 PMIs the ssoid configured at the idp or is it passed as part of the request?
j
Jim Partin
09/22/2022, 7:49 PMat the IdP. Each IdP is assigned their own ssoid
3 Views