fix(saml): parse xsd:duration format correctly (#9098)

# Which Problems Are Solved SAML IdPs exposing an `EntitiesDescriptor` using an `xsd:duration` time format for the `cacheDuration` property (e.g. `PT5H`) failed parsing. # How the Problems Are Solved Handle the unmarshalling for `EntitiesDescriptor` specifically. [crewjam/saml](bbccb7933d/metadata.go (L88-L103)) already did this for `EntitiyDescriptor` the same way. # Additional Changes None # Additional Context - reported by a customer - needs to be backported to current cloud version (2.66.x) (cherry picked from commit bcf416d4cf)
2025-08-23 13:07:54 +00:00 · 2024-12-20 17:03:06 +01:00
parent 74479bd085
commit f9eb3414f5
2 changed files with 50 additions and 1 deletions
--- a/internal/idp/providers/saml/saml_test.go
+++ b/internal/idp/providers/saml/saml_test.go
@@ -3,6 +3,7 @@ package saml
 import (
 	"encoding/xml"
 	"testing"
+	"time"

 	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/samlsp"
@@ -271,6 +272,31 @@ func TestParseMetadata(t *testing.T) {
 			},
 			nil,
 		},
+		{
+			"valid entities using xsd duration descriptor",
+			args{
+				metadata: []byte(`<?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT5H"><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8000/metadata" cacheDuration="PT5H"><IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8000/sso"></SingleSignOnService></IDPSSODescriptor></EntityDescriptor></EntitiesDescriptor>`),
+			},
+			&saml.EntityDescriptor{
+				EntityID:      "http://localhost:8000/metadata",
+				CacheDuration: 5 * time.Hour,
+				IDPSSODescriptors: []saml.IDPSSODescriptor{
+					{
+						XMLName: xml.Name{
+							Space: "urn:oasis:names:tc:SAML:2.0:metadata",
+							Local: "IDPSSODescriptor",
+						},
+						SingleSignOnServices: []saml.Endpoint{
+							{
+								Binding:  saml.HTTPRedirectBinding,
+								Location: "http://localhost:8000/sso",
+							},
+						},
+					},
+				},
+			},
+			nil,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {