You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
EntraID (formerly Azure) sends a LogoutRequest via GET method in the form of /logout?SAMLRequest=...&Signature=...&SigAlg=... (respectively, LogoutResponse in the format of /logout?SAMLResponse=...&Signature=...&SigAlg=...). The function parse_logout_request can be utilized to parse and validate the request, including its signature, using the sigalg and signature parameters. The issue arises because the parameters are URL encoded, and the signature is computed after encoding. EntraID encodes in lowercase, for instance: http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256. However, verify_redirect_signature in pysaml2 uses parse.urlencode, which encodes in uppercase regardless of the input. Consequently, _do_redirect_sig_check fails and raises IncorrectlySigned("Request was not signed correctly"). I found no solution within pysaml2, so I replicated the code in our application (similar to here, for example: https://stackoverflow.com/questions/56277719/python-url-encoding-with-lowercase-letters). A solution would be for pysaml2 to utilize the encoding found in the input.
Code Version
Version: 7.1.2 in production, but I am reviewing using tag v7.5.0, from Jan 30 2024.
Expected Behavior
parse_logout_request should succeed.
Current Behavior
Instead it throws IncorrectlySigned("Request was not signed correctly").
Possible Solution
Check the case in the input URL encoding, by example: re.compile(r'%([a-f]\d|\d[a-f])').search(url).
process the received /logout?SAMLRequest=...&Signature=...&SigAlg=... with parse_logout_request.
The text was updated successfully, but these errors were encountered:
landron
changed the title
Lowercase URL encoding in IdP response or request
Lowercase URL encoding in IdP response or request results in an IncorrectlySigned error.
Apr 3, 2024
EntraID (formerly Azure) sends a LogoutRequest via GET method in the form of /logout?SAMLRequest=...&Signature=...&SigAlg=... (respectively, LogoutResponse in the format of /logout?SAMLResponse=...&Signature=...&SigAlg=...). The function
parse_logout_request
can be utilized to parse and validate the request, including its signature, using thesigalg
andsignature
parameters. The issue arises because the parameters are URL encoded, and the signature is computed after encoding. EntraID encodes in lowercase, for instance: http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256. However,verify_redirect_signature
inpysaml2
usesparse.urlencode
, which encodes in uppercase regardless of the input. Consequently,_do_redirect_sig_check
fails and raisesIncorrectlySigned("Request was not signed correctly")
. I found no solution withinpysaml2
, so I replicated the code in our application (similar to here, for example: https://stackoverflow.com/questions/56277719/python-url-encoding-with-lowercase-letters). A solution would be forpysaml2
to utilize the encoding found in the input.Code Version
Version: 7.1.2 in production, but I am reviewing using tag v7.5.0, from Jan 30 2024.
Expected Behavior
parse_logout_request
should succeed.Current Behavior
Instead it throws
IncorrectlySigned("Request was not signed correctly")
.Possible Solution
Check the case in the input URL encoding, by example:
re.compile(r'%([a-f]\d|\d[a-f])').search(url)
.Steps to Reproduce
/logout?SAMLRequest=...&Signature=...&SigAlg=...
withparse_logout_request
.The text was updated successfully, but these errors were encountered: