1
votes

Trying to get SAML set up between the WSO2 Identity Server 5.0.0 + service packs and a 3rd party service provider. Facing a similar problem to another stack trace question, except that the SP is not able to add the Destination parameter to their samlp:AuthnRequest.

To be more specific. The samlp:AuthnRequest I receive looks like this:

<samlp:AuthnRequest
    AssertionConsumerServiceURL='https://schoolname.academicworks.com/saml/callback'
    ID='_388406f0-3581-0133-2bea-0610df7af2db'
    IssueInstant='2015-09-04T22:21:32Z'
    Version='2.0'
    xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://schoolname.academicworks.com/saml-sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/>
</samlp:AuthnRequest>

This request is missing the Destination parameter. With this request, the WSO2 Identity Server logs the following and the SAML login fails:

TID: [0] [IS] [2015-09-04 17:46:56,471]  WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Destination validation for Authentication Request failed. Received: [null]. Expected: [https://ourhostname.ourschool.edu:443/samlsso] {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}

I cannot find anywhere in the SAML documentation that the Destination parameter is required, but the Identity Server certainly seems to think so. As the post I reference notes, this check can be found in the source in the

public class AuthnRequestProcessor
<snip>
        // Validate 'Destination'
        String idpUrl = IdentityUtil.getProperty(IdentityConstants.ServerConfig.SSO_IDP_URL);
        if (authnReqDTO.getDestination() == null
                || !idpUrl.equals(authnReqDTO.getDestination())) {
            String msg = "Destination validation for Authentication Request failed. " +
                    "Received: [" + authnReqDTO.getDestination() + "]." +
                    " Expected: [" + idpUrl + "]";
            log.warn(msg);
            return buildErrorResponse(authnReqDTO.getId(),
                    SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
        }

This is in the file: components/identity/org.wso2.carbon.identity.sso.saml/4.2.1/src/main/java/org/wso2/carbon/identity/sso/saml/processors/AuthnRequestProcessor.java

I could hack the source to remove the check for null, but then I would be maintaining this forever. Anyone run into this before? Any workarounds available? The service provider is unable to add this parameter.

Thanks in advance,

John


1 Answer

6
votes

Duh, the answer is: If the samlp:AuthnRequest is not signed, make sure to uncheck the "Enable Signature Validation in Authentication Requests" checkbox on the Service Providers -> Inbound Authentication -> SAML2 Web SSO Configuration -> Service Provider page.

The error is deceptive, because you would think that it would bark over the missing signature, but I guess the missing Destination parameter is the first error it hits.

Hopefully posting this here will save someone else the grief.
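To make the behaviour discussed in the question and the answer concrete, here is an added Python example (not WSO2 code, and not from either poster) that parses the unsigned AuthnRequest quoted above and applies the Destination rule the way the SAML 2.0 Bindings spec frames it: Destination is optional on an unsigned request, mandatory on a signed one (Bindings 3.5.5.2), and whenever present it must equal the IdP's SSO endpoint. It also reproduces the stricter WSO2-style check from the snippet, which rejects a null Destination outright, so the two can be compared. The IdP URL comes from the log line in the question; the `validate_authn_request` and `wso2_style_destination_check` names, the `require_signature` flag (standing in for the "Enable Signature Validation in Authentication Requests" checkbox) and the placeholder `ds:Signature` element are assumptions of this example, and no real XML signature is verified here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)

# Expected IdP endpoint, taken from the "Expected: [...]" part of the log line.
IDP_SSO_URL = "https://ourhostname.ourschool.edu:443/samlsso"

# Constructed sample: the unsigned AuthnRequest quoted in the question (no Destination).
AUTHN_REQUEST_NO_DESTINATION = """<samlp:AuthnRequest
    AssertionConsumerServiceURL='https://schoolname.academicworks.com/saml/callback'
    ID='_388406f0-3581-0133-2bea-0610df7af2db'
    IssueInstant='2015-09-04T22:21:32Z'
    Version='2.0'
    xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://schoolname.academicworks.com/saml-sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/>
</samlp:AuthnRequest>"""


@dataclass
class ValidationResult:
    ok: bool
    reason: str


def wso2_style_destination_check(destination: Optional[str], idp_url: str) -> bool:
    """Mirror of the check in the question's snippet: null Destination fails unconditionally."""
    return destination is not None and idp_url == destination


def validate_authn_request(xml_text: str, idp_url: str, require_signature: bool) -> ValidationResult:
    """Spec-shaped Destination handling. require_signature models the IdP-side
    'Enable Signature Validation in Authentication Requests' setting (assumption)."""
    root = ET.fromstring(xml_text)  # constructed input; use defusedxml for untrusted XML
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ValidationResult(False, "root element is not samlp:AuthnRequest")

    destination = root.get("Destination")
    signed = root.find(f"{{{DS}}}Signature") is not None  # presence only, no crypto here

    if require_signature and not signed:
        return ValidationResult(False, "signature required but request is unsigned")
    if signed and destination is None:
        # SAML 2.0 Bindings 3.5.5.2: a signed POST-bound message MUST carry Destination.
        return ValidationResult(False, "signed request is missing Destination")
    if destination is not None and destination != idp_url:
        return ValidationResult(False, f"Destination validation failed. Received: [{destination}]. Expected: [{idp_url}]")
    return ValidationResult(True, "ok")


def with_destination(xml_text: str, url: str) -> str:
    """Return a copy of the request with a Destination attribute set (test helper)."""
    root = ET.fromstring(xml_text)
    root.set("Destination", url)
    return ET.tostring(root, encoding="unicode")


def with_placeholder_signature(xml_text: str) -> str:
    """Append an empty ds:Signature element so the request *looks* signed (constructed, not a real signature)."""
    root = ET.fromstring(xml_text)
    ET.SubElement(root, f"{{{DS}}}Signature")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # With signature validation on, the unsigned request is rejected before Destination matters.
    print(validate_authn_request(AUTHN_REQUEST_NO_DESTINATION, IDP_SSO_URL, require_signature=True))
    # With it off (the answer's fix), a missing Destination is acceptable.
    print(validate_authn_request(AUTHN_REQUEST_NO_DESTINATION, IDP_SSO_URL, require_signature=False))
    # The WSO2-style check fails on null regardless of the signature setting.
    print(wso2_style_destination_check(None, IDP_SSO_URL))
```

Running it shows why the log line was misleading: under the stricter check a null Destination is reported as a Destination mismatch, while the spec-shaped check only insists on Destination once the request is signed, which is why disabling signature validation in the SP configuration makes the unsigned, Destination-less request acceptable.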