TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-04 23:45:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(SAML): check on empty nameID (#8714)

Browse Source 
# Which Problems Are Solved

If a SAML IdP did not send a `NameID` (even though required by the
specification), ZITADEL would crash.

# How the Problems Are Solved

- Check specifically if the `Subject` and its `NameID` is passed

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8654
This commit is contained in:
Livio Spring 2024-10-03 10:17:33 +02:00 committed by GitHub
parent be53caafea
commit 18499274dd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 58 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
internal/idp/providers/saml/session.go
View File

@ -70,6 +70,10 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
return nil, zerrors.ThrowInvalidArgument(err, "SAML-nuo0vphhh9", "Errors.Intent.ResponseInvalid")
}
// nameID is required, but at least in ADFS it will not be sent unless explicitly configured
if s.Assertion.Subject == nil || s.Assertion.Subject.NameID == nil {
return nil, zerrors.ThrowInvalidArgument(err, "SAML-EFG32", "Errors.Intent.ResponseInvalid")
}
nameID := s.Assertion.Subject.NameID
userMapper := NewUser()
// use the nameID as default mapping id

58
internal/idp/providers/saml/session_test.go
View File

File diff suppressed because one or more lines are too long