Subject: SAMLCore errors in mandating some second-level status codes
There are three places in SAMLCore that are currently mandating the return of second-level <StatusCode> elements, which I contend should not be done. We specifically state in section 3.2.2.2 Element <StatusCode>, lines 1646-1648: “Note that responders MAY omit subordinate status codes in order to prevent attacks that seek to probe for additional information by intentionally presenting erroneous requests.” There are a number of places where specific second-level status codes are discussed and correctly identify their use through “MAY” normative language. However, the following 3 items are mandating the second-level codes through MUST language:

First, in Section 3.3.2.2.1 Element <RequestedAuthnContext>, lines 1817-1819 state that “If none of the specified classes or declarations can be satisfied in accordance with the rules below, then the responder MUST return a <Response> message with a second-level <StatusCode> of urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext.” Note that this code text was updated in E45, although this specific issue was not addressed. IMO, the text should be something like: “If none of the specified classes or declarations can be satisfied in accordance with the rules below, then the responder MUST return a <Response> message with a top-level <StatusCode> value of urn:oasis:names:tc:SAML:2.0:status:Responder and MAY return a second-level <StatusCode> value of urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext.”

Next, in 3.4.1.5.1 Proxy processing rules, lines 2282-2285 state: “The identity provider MUST return an error <Status> containing a second-level <StatusCode> value of urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded, unless it can directly authenticate the presenter.” IMO, this should be changed to something like: “Unless the identity provider can directly authenticate the presenter, it MUST return a <Response> message with a top-level <StatusCode> value of urn:oasis:names:tc:SAML:2.0:status:Responder and MAY return a second-level <StatusCode> value of urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded.”

The third case is in section 3.7.3.2 Session Authority Rules. Lines 2641-2645 state: “In the event that not all session participants successfully respond to these <LogoutRequest> messages (or if not all participants can be contacted), then the session authority MUST include in its <LogoutResponse> message a second-level status code of urn:oasis:names:tc:SAML:2.0:status:PartialLogout to indicate that not all other session participants successfully responded with confirmation of the logout.” I believe this should be changed to something like: “In the event that not all session participants successfully respond to these <LogoutRequest> messages (or if not all participants can be contacted), then the session authority MUST return a <LogoutResponse> message to the requester with a top-level <StatusCode> of urn:oasis:names:tc:SAML:2.0:status:Responder and MAY return a second-level <StatusCode> value urn:oasis:names:tc:SAML:2.0:status:PartialLogout to indicate that not all other session participants successfully responded with confirmation of the logout.”

Rob Philpott
RSA, The Security Division of EMC
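As an added illustration that is not part of the post or of the SAML specification text, the Python below builds a samlp:Status the way the proposed wording describes (a mandatory top-level code, a subordinate code emitted only when the responder's policy allows it) and parses one back, rejecting a Status whose top-level value is not one of the four top-level codes. The function names and the expose_subordinate policy flag are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
# The four top-level StatusCode values defined by SAML 2.0 Core.
TOP_LEVEL = {STATUS + c for c in ("Success", "Requester", "Responder", "VersionMismatch")}


def build_status(top_level, second_level=None, expose_subordinate=False):
    """Return a samlp:Status element.

    The top-level code is always present.  The second-level code is emitted
    only when the deployment's policy allows it (the MAY in section 3.2.2.2),
    so a responder can withhold the exact failure reason from a client that
    is probing with deliberately malformed requests.  'expose_subordinate' is
    a policy flag assumed for this example, not a spec-defined setting.
    """
    if top_level not in TOP_LEVEL:
        raise ValueError("not a top-level status code: " + top_level)
    status = ET.Element(f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=top_level)
    if second_level is not None and expose_subordinate:
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=second_level)
    return status


def to_xml(status):
    """Serialize a Status element (or any element) to a UTF-8 string."""
    return ET.tostring(status, encoding="unicode")


def parse_status(xml_text):
    """Return (top_level, second_level_or_None) from a samlp:Status or any
    document containing one.  A Status whose first StatusCode is not one of
    the four top-level values is rejected, since a subordinate code must sit
    inside a top-level code, never in its place."""
    root = ET.fromstring(xml_text)
    tag = f"{{{SAMLP}}}Status"
    status = root if root.tag == tag else root.find(".//" + tag)
    if status is None:
        raise ValueError("no samlp:Status element")
    code = status.find(f"{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") not in TOP_LEVEL:
        raise ValueError("top-level StatusCode missing or not a top-level value")
    sub = code.find(f"{{{SAMLP}}}StatusCode")
    return code.get("Value"), (sub.get("Value") if sub is not None else None)
```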