Merge pull request #896 from Calpicow/audience_validate_fix

Validate audience with entityIssuer if present, use redirectURI otherwise

Merge pull request #896 from Calpicow/audience_validate_fix
53acaa9e · Eric Chiang · GitHub · 40f0265a · 47897f73 · 53acaa9e
Commit 53acaa9e authored 8 years ago by Eric Chiang Committed by GitHub 8 years ago
--- a/Documentation/saml-connector.md
+++ b/Documentation/saml-connector.md
@@ -40,6 +40,8 @@ connectors:
    # insecureSkipSignatureValidation: true
    # Optional: Issuer value for AuthnRequest
+    # Must be contained within the "AudienceRestriction" attribute in all responses
+    # If not set, redirectURI will be used for audience validation
    entityIssuer: https://dex.example.com/callback
    # Optional: Issuer value for SAML Response

--- a/connector/saml/saml.go
+++ b/connector/saml/saml.go
@@ -466,6 +466,10 @@ func (p *provider) validateConditions(assertion *assertion) error {
 		}
 	}
 	// Validates audience
+	audienceValue := p.entityIssuer
+	if audienceValue == "" {
+		audienceValue = p.redirectURI
+	}
 	audienceRestriction := conditions.AudienceRestriction
 	if audienceRestriction != nil {
 		audiences := audienceRestriction.Audiences
@@ -473,14 +477,14 @@ func (p *provider) validateConditions(assertion *assertion) error {
 			values := make([]string, len(audiences))
 			issuerInAudiences := false
 			for i, audience := range audiences {
-				if audience.Value == p.redirectURI {
+				if audience.Value == audienceValue {
 					issuerInAudiences = true
 					break
 				}
 				values[i] = audience.Value
 			}
 			if !issuerInAudiences {
-				return fmt.Errorf("required audience %s was not in Response audiences %s", p.redirectURI, values)
+				return fmt.Errorf("required audience %s was not in Response audiences %s", audienceValue, values)
 			}
 		}
 	}