Description
Bug Report: Kasm incorrectly validates <saml:Issuer> in SAML Response
Summary
Kasm currently rejects SAML responses if the <saml:Issuer> in the <samlp:Response> does not match its own SP EntityID. This behavior is incorrect per the SAML 2.0 Core Specification.
Steps to Reproduce
- Configure Kasm as a SAML Service Provider with this SP EntityID:
  https://kasm.apps.ABC.org/api/metadata/?id=...
- Configure a standards-compliant Identity Provider (e.g., Keycloak) that issues SAML responses with this issuer:
  <saml:Issuer>https://keycloak.apps.ABC.org/realms/ABC_Users</saml:Issuer>
- Attempt to authenticate via SSO.
- Kasm returns:
  invalid_response: Invalid issuer in the Assertion/Response
Expected Behavior
Kasm should validate the <saml:Issuer> in the SAML Response against the configured IdP EntityID, not against its own SP EntityID.
The Response Issuer should be allowed to differ from the SP's entity ID, as long as it matches the known IdP metadata.
Relevant Specification References
- SAML 2.0 Core §2.2.5 - Issuer:
  "The <Issuer> element ... provides information about the issuer of a SAML assertion or protocol message. ... If no Format value is provided, then the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity is in effect."
  (i.e., the Issuer identifies the sender of the message, which for a Response is the IdP.)
- SAML 2.0 Core §8.3.6 - Entity Identifier:
  "Such an identifier can be used in the <Issuer> element to identify the issuer of a SAML request, response, or assertion ... It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself."
Impact
- Breaks compatibility with compliant IdPs such as Keycloak, ADFS, and Okta.
- Forces administrators to implement non-standard hacks (e.g., patching issuer output) just to pass validation.
- Prevents interoperability in mixed SSO environments.
Proposed Fix
- Validate <saml:Issuer> in the Response (and in the Assertion) against the configured IdP EntityID.
- Allow it to differ from the SP EntityID.
- Alternatively: add a configuration option to override the expected <saml:Issuer> in the UI or config file.
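To make the expected behavior and the proposed fix concrete, here is an added example (not Kasm's code and not from this report) that compares the check the report describes, issuer matched against the SP's own EntityID, with the correct check, issuer matched against the IdP EntityID taken from the IdP metadata configured on the SP. The SP EntityID value below is a placeholder, since the real one is elided in the report; the IdP EntityID is the Keycloak realm URL quoted above. The sample Response is constructed and unsigned: issuer validation is only one of the checks a real SP performs, and it never replaces signature verification.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# Assumed values for the example. The SP EntityID is a placeholder (the real
# "?id=..." value is not given in the report); the IdP EntityID is the Keycloak
# realm issuer quoted in the report.
SP_ENTITY_ID = "https://kasm.apps.ABC.org/api/metadata/?id=SP_ID_PLACEHOLDER"
IDP_ENTITY_ID = "https://keycloak.apps.ABC.org/realms/ABC_Users"

# Constructed, unsigned minimal Response; only the Issuer elements matter here.
TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}"
    ID="ID_resp_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://kasm.apps.ABC.org/api/acs/">
  <saml:Issuer>{resp_issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="ID_assert_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer{fmt}>{assertion_issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def make_response(resp_issuer, assertion_issuer, assertion_format=None):
    """Build a constructed sample Response with the given Issuer values."""
    fmt = ' Format="%s"' % assertion_format if assertion_format else ""
    return TEMPLATE.format(samlp=NS["samlp"], saml=NS["saml"],
                           resp_issuer=resp_issuer,
                           assertion_issuer=assertion_issuer, fmt=fmt)


def extract_issuers(xml_text):
    """Return (response_issuer, assertion_issuer, assertion_issuer_format).

    Note: for untrusted input use defusedxml rather than bare ElementTree,
    which does not defend against entity expansion attacks.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    resp_issuer = root.findtext("saml:Issuer", namespaces=NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in Response")
    issuer_el = assertion.find("saml:Issuer", NS)
    # Core 2.3.3: <Issuer> is REQUIRED in an <Assertion>.
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise ValueError("saml:Assertion lacks a saml:Issuer")
    return resp_issuer, issuer_el.text, issuer_el.get("Format")


def validate_issuer_as_reported(xml_text, sp_entity_id):
    """The behavior the report describes: issuer compared to the SP's own
    EntityID. A compliant IdP never puts the SP's ID in Issuer, so this fails."""
    resp_issuer, assertion_issuer, _ = extract_issuers(xml_text)
    for issuer in (resp_issuer, assertion_issuer):
        if issuer is not None and issuer.strip() != sp_entity_id:
            return False, "invalid_response: Invalid issuer in the Assertion/Response"
    return True, "ok"


def validate_issuer_against_idp(xml_text, idp_entity_id):
    """The expected behavior: issuer compared to the configured IdP EntityID.

    Comparison is an exact string match on the EntityID as it appears in the
    IdP metadata; no URL normalization, so a lookalike issuer does not pass.
    """
    resp_issuer, assertion_issuer, assertion_format = extract_issuers(xml_text)
    # Response <Issuer> is optional in Core, but when present it must be the IdP.
    if resp_issuer is not None and resp_issuer.strip() != idp_entity_id:
        return False, "response issuer %r is not the configured IdP" % resp_issuer
    if assertion_issuer.strip() != idp_entity_id:
        return False, "assertion issuer %r is not the configured IdP" % assertion_issuer
    # Core 2.2.5: absent Format means entity format; anything else is not an
    # entity identifier and must be rejected.
    if assertion_format is not None and assertion_format != ENTITY_FORMAT:
        return False, "assertion issuer Format %r is not %s" % (assertion_format, ENTITY_FORMAT)
    return True, "ok"


if __name__ == "__main__":
    resp = make_response(IDP_ENTITY_ID, IDP_ENTITY_ID)
    print("as reported:", validate_issuer_as_reported(resp, SP_ENTITY_ID))
    print("against IdP:", validate_issuer_against_idp(resp, IDP_ENTITY_ID))
    forged = make_response(IDP_ENTITY_ID, "https://keycloak.apps.ABC.org/realms/Other")
    print("forged assertion issuer:", validate_issuer_against_idp(forged, IDP_ENTITY_ID))
```

Run as a script it prints that the same Keycloak response is rejected by the as-reported check and accepted by the IdP-based check, while a response whose Assertion Issuer is a different realm is rejected by the IdP-based check. The IdP EntityID is a per-IdP configuration value; a configuration override for the expected Issuer, as the report's alternative proposes, would be the same value fed into `validate_issuer_against_idp`.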