
"wsa" namespace appearing on EndpointReference causing XML parsing to fail #19

Open
benalavi opened this issue Jul 1, 2015 · 2 comments


benalavi commented Jul 1, 2015

I get this error when I get the response back from the ACS:

app error: undefined method `text' for nil:NilClass (NoMethodError)
    /app/vendor/bundle/ruby/2.2.0/gems/omniauth-wsfed-0.2.3/lib/omniauth/strategies/wsfed/auth_callback.rb:40:in `audience'

The parsing fails because in the response I am getting there is a wsa namespace applied to the EndpointReference and Address nodes:

<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsa:Address>...</wsa:Address>
</wsa:EndpointReference>

I am using a WS-Federation identity provider connected to Azure AD. This is just a development setup so I can run my own AD. Oddly, I have a live setup (not managed by me) that sends almost the exact same response but without the wsa namespace on that one section of XML. I've verified that they're both using SAML 2.0 tokens, and in fact everything else about the response structure is exactly the same.

So I'm curious if it's possible that something about my configuration is causing the wsa namespace to be applied, or perhaps different setups cause slightly different responses (in which case I assume a patch to support either with-or-without the namespace would be appropriate?).

I am using version 0.2.3 of the gem but I did check the development and beta branches to see if this had already been addressed. Adding the wsa namespace fixes the issue for my development AD and the request completes.

I also noticed that the SAML 1.0 token handler explicitly does use the wsa namespace when finding the audience.

I'm new to Azure/WSFed so if there is any other information I can provide please let me know.


benalavi commented Jul 1, 2015

This monkey-patch fixed the issue in my environment:

class OmniAuth::Strategies::WSFed::AuthCallback
  def audience
    @audience ||= begin
      # Locate wsp:AppliesTo inside the RSTR. The constants are fully qualified here:
      # reopening the class with the compact "A::B::C" syntax does not put
      # OmniAuth::Strategies::WSFed in the lexical scope, so bare WS_TRUST / WS_POLICY
      # would raise NameError.
      applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => OmniAuth::Strategies::WSFed::WS_TRUST, 'wsp' => OmniAuth::Strategies::WSFed::WS_POLICY })
      # Try the unprefixed form first, then the wsa-prefixed form. With no namespace
      # hash given, REXML resolves the wsa prefix from the document's own xmlns:wsa
      # declaration. Note that a leading "//" searches from the document root, not
      # only below applies_to. If neither form is present, .text on nil still raises,
      # so a missing audience fails closed rather than silently passing.
      (REXML::XPath.first(applies_to, '//EndpointReference/Address') || REXML::XPath.first(applies_to, '//wsa:EndpointReference/wsa:Address')).text
    end
  end
end

...what I don't know is if that would be useful to apply to the gem or if it's a misconfiguration on my end?

@pandamouse

This is the monkey patch I used, as the above didn't quite work for us. But we did encounter the same problem.

class OmniAuth::Strategies::WSFed::SAML2Token
  def audience
    # Same lookup as above, but patched on the SAML 2.0 token handler and with the
    # namespace constants fully qualified so they resolve from the reopened class.
    applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => OmniAuth::Strategies::WSFed::WS_TRUST, 'wsp' => OmniAuth::Strategies::WSFed::WS_POLICY })
    # Accept EndpointReference/Address with or without the wsa prefix; a missing
    # audience still raises on .text, so the check does not silently degrade.
    (REXML::XPath.first(applies_to, '//EndpointReference/Address') || REXML::XPath.first(applies_to, '//wsa:EndpointReference/wsa:Address')).text
  end
end
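The two patches above, and the original report, hinge on one question: does the audience lookup tolerate both the bare and the wsa-prefixed EndpointReference/Address while still failing closed when no audience is present? The following is an added, stand-alone example (not code from omniauth-wsfed or from either commenter) that extracts the AppliesTo address from a WS-Trust RequestSecurityTokenResponse in either form and then performs the audience-restriction comparison against the expected realm. The namespace URIs, the two RSTR fragments, the realm `https://app.example.test/` and the function names are all constructed for this example; the gem's own constants may use different URIs.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Namespace URIs (assumed for this example; the gem defines its own constants).
WS_TRUST      = 'http://schemas.xmlsoap.org/ws/2005/02/trust'
WS_POLICY     = 'http://schemas.xmlsoap.org/ws/2004/09/policy'
WS_ADDRESSING = 'http://www.w3.org/2005/08/addressing'

# Prefix map handed to REXML for the parts of the response that are always prefixed.
NS = { 't' => WS_TRUST, 'wsp' => WS_POLICY }.freeze

# Constructed RSTR fragments (not captured from any real identity provider):
# one with the wsa prefix on EndpointReference/Address, one with no namespace on them.
RSTR_PREFIXED = <<~XML
  <t:RequestSecurityTokenResponse xmlns:t="#{WS_TRUST}" xmlns:wsp="#{WS_POLICY}">
    <wsp:AppliesTo>
      <wsa:EndpointReference xmlns:wsa="#{WS_ADDRESSING}">
        <wsa:Address>https://app.example.test/</wsa:Address>
      </wsa:EndpointReference>
    </wsp:AppliesTo>
  </t:RequestSecurityTokenResponse>
XML

RSTR_UNPREFIXED = <<~XML
  <t:RequestSecurityTokenResponse xmlns:t="#{WS_TRUST}" xmlns:wsp="#{WS_POLICY}">
    <wsp:AppliesTo>
      <EndpointReference>
        <Address>https://app.example.test/</Address>
      </EndpointReference>
    </wsp:AppliesTo>
  </t:RequestSecurityTokenResponse>
XML

# Find a direct child by local name, accepting only the no-namespace form or the
# WS-Addressing form. An element with the right local name in some other namespace
# is treated as absent rather than trusted.
def child_named(parent, local_name)
  return nil if parent.nil?
  parent.elements.find do |el|
    el.name == local_name && ['', WS_ADDRESSING].include?(el.namespace.to_s)
  end
end

# Return the audience (the AppliesTo address) or nil when it cannot be found.
# Searching below applies_to only, rather than with a document-wide "//", keeps
# an Address element elsewhere in the response from being picked up.
def audience_of(xml)
  document   = REXML::Document.new(xml)
  applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', NS)
  address    = child_named(child_named(applies_to, 'EndpointReference'), 'Address')
  text       = address&.text
  text.nil? || text.strip.empty? ? nil : text.strip
end

# Audience restriction: the token is only acceptable when an audience is present
# and it equals the realm this application expects. Missing audience => false.
def audience_ok?(xml, expected_realm)
  audience = audience_of(xml)
  !audience.nil? && audience == expected_realm
end

if __FILE__ == $PROGRAM_NAME
  [RSTR_PREFIXED, RSTR_UNPREFIXED].each do |rstr|
    puts "audience=#{audience_of(rstr).inspect} ok=#{audience_ok?(rstr, 'https://app.example.test/')}"
  end
end
```

The comparison is an exact string match after trimming whitespace; a production check should apply whatever realm normalisation the application already uses for its configured realm, and must keep the fail-closed behaviour when the audience is absent.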
