Commit 42730b8

mo <mo.khan@gmail.com>
2017-11-20 00:39:23
pass the raw params for signature verification.
The HTTP Redirect binding demands that the unescaped values are used for signature verification. Rails unescapes the params before passing them to the application code, which is useful in most cases except for this one.

https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

"The relying party MUST therefore perform the verification step using the original URL-encoded values it received on the query string. It is not sufficient to re-encode the parameters after they have been processed by software because the resulting encoding may not match the signer's encoding."
1 parent 9699680
Changed files (1)
app/controllers/sessions_controller.rb
@@ -43,7 +43,7 @@ class SessionsController < ApplicationController
   end
 
   def load_saml_request
-    @saml_request = request_binding_for(request).deserialize(params)
+    @saml_request = request_binding_for(request).deserialize(raw_params_for(request))
     raise ActiveRecord::RecordInvalid.new(@saml_request) if @saml_request.invalid?
     @saml_request
   end
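Review bot: the call site in `load_saml_request` now hands `deserialize` two differently shaped inputs depending on the binding, and nothing in this hunk shows that the binding code copes with both: for POST it still receives Rails' decoded `request.params`, while for the redirect case it receives a plain `Hash` with `String` keys whose values are still percent-encoded. That is exactly what the signature check needs, but any other use of those values (inflating `SAMLRequest`, reading `RelayState`, looking up `SigAlg`) must now percent-decode them itself, and the lookup must not depend on symbol or indifferent access. Please confirm that the HTTP-Redirect binding's `deserialize` decodes the values it parses and only uses the raw strings to rebuild the signed string, and add a request spec with a signed redirect whose `RelayState` contains reserved characters (`%2F`, `+`, `%3D`) so a regression to `params` would fail the test.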
@@ -56,4 +56,12 @@ class SessionsController < ApplicationController
     target_binding = request.post? ? :post : :http_redirect
     idp.single_sign_on_service_for(binding: target_binding)
   end
+
+  def raw_params_for(request)
+    if request.post?
+      request.params
+    else
+      Hash[request.query_string.split("&").map { |x| x.split("=", 2) }]
+    end
+  end
 end
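Review bot: the redirect branch of `raw_params_for` deliberately avoids `params` and `Rack::Utils.parse_query`, but the code does not say why, so the next person to "clean up" the manual `split("&")` will silently reintroduce the bug; add a comment above the `else` quoting the bindings spec requirement from the commit message (use the original URL-encoded values as received). Two smaller points on the same lines: the method name is only accurate for the redirect case, since `request.params` in the POST branch is Rails' already-decoded hash, which deserves a one-line comment; and the hand-rolled parse keeps the last value when a key is repeated and produces a `"" => nil` entry for an empty query string, which is harmless for verification but worth noting so nobody treats the result as a general-purpose query parser.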