fix(saml): add XSRF-TOKEN cookie in valid SAML login
parent
a1273f1097
commit
5f6cacc859
|
@ -1374,14 +1374,12 @@ connection properly.
|
|||
Authenticating using SAML2
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
SOGo natively supports SAML2 authentication. Please refer to the
|
||||
documentation of your identity provider and the SAML2 configuration keys
|
||||
that are listed above for proper setup. Make sure
|
||||
_SOGoXSRFValidationEnabled_ is set to `NO`. Once a SOGo instance is
|
||||
configured properly, the metadata for that instance can be retrieved
|
||||
from `http://<hostname>/SOGo/saml2-metadata` for registration with the
|
||||
identity provider. SOGo will dynamically generate the metadata based on
|
||||
the SOGoSAML2CertificateLocation's content and the SOGo server name.
|
||||
SOGo natively supports SAML2 authentication. Please refer to the documentation of your identity
|
||||
provider and the SAML2 configuration keys that are listed above for proper setup. Once a SOGo
|
||||
instance is configured properly, the metadata for that instance can be retrieved from
|
||||
`http://<hostname>/SOGo/saml2-metadata` for registration with the identity provider. SOGo will
|
||||
dynamically generate the metadata based on the SOGoSAML2CertificateLocation's content and the SOGo
|
||||
server name.
|
||||
|
||||
When using https://simplesamlphp.org/[SimpleSAMLphp], make sure the
|
||||
convert OID to names by modifying your
|
||||
|
@ -3138,9 +3136,8 @@ current version of SOGo from the previous release.
|
|||
[cols="100a"]
|
||||
|=======================================================================
|
||||
h|5.1.0
|
||||
|The XSRF protection is now enabled by default in SOGo. If you use a single
|
||||
sign-on mechanisim such as C.A.S. or SAML2, you need to disable XSRF by adding
|
||||
`SOGoXSRFValidationEnabled = NO` to your configuration file.
|
||||
|The XSRF protection is now enabled by default in SOGo. If you use the C.A.S. mechanisim, you need
|
||||
to disable XSRF by adding `SOGoXSRFValidationEnabled = NO` to your configuration file.
|
||||
|
||||
h|5.0.0
|
||||
|Peer is now verified for TLS connections (SMTP/IMAP/Sieve). If you enabled
|
||||
@ -1,6 +1,6 @@
|
|||
/* SOGoSAML2Actions.m - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2012-2014 Inverse inc
|
||||
* Copyright (C) 2012-2021 Inverse inc
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -28,6 +28,7 @@
|
|||
#import <NGExtensions/NSCalendarDate+misc.h>
|
||||
#import <NGExtensions/NSString+misc.h>
|
||||
|
||||
#import <SOGo/NSString+Crypto.h>
|
||||
#import <SOGo/SOGoCache.h>
|
||||
#import <SOGo/SOGoSAML2Session.h>
|
||||
#import <SOGo/SOGoSession.h>
|
||||
|
@ -159,10 +160,14 @@
|
|||
WOResponse *response;
|
||||
SoApplication *application;
|
||||
SOGoSAML2Session *newSession;
|
||||
WOCookie *authCookie;
|
||||
WOCookie *authCookie, *xsrfCookie;
|
||||
NSArray *creds;
|
||||
NSString *login, *oldLocation, *newLocation;
|
||||
SOGoWebAuthenticator *auth;
|
||||
|
||||
response = [context response];
|
||||
[response setHeader: @"text/plain; charset=utf-8"
|
||||
forKey: @"content-type"];
|
||||
rq = [context request];
|
||||
if ([[rq method] isEqualToString: @"POST"])
|
||||
{
|
||||
|
@ -176,17 +181,26 @@
|
|||
andPassword: [newSession identifier]
|
||||
inContext: context];
|
||||
|
||||
// We prepare the XSRF protection cookie
|
||||
creds = [auth parseCredentials: [authCookie value]];
|
||||
xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
|
||||
value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
|
||||
[xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
|
||||
[response addCookie: xsrfCookie];
|
||||
|
||||
oldLocation = [[context clientObject] baseURLInContext: context];
|
||||
newLocation = [NSString stringWithFormat: @"%@/%@",
|
||||
oldLocation, [login stringByEscapingURL]];
|
||||
|
||||
response = [context response];
|
||||
[response setStatus: 302];
|
||||
[response setHeader: @"text/plain; charset=utf-8"
|
||||
forKey: @"content-type"];
|
||||
[response setHeader: newLocation forKey: @"location"];
|
||||
[response addCookie: authCookie];
|
||||
}
|
||||
else
|
||||
{
|
||||
[response setStatus: 500];
|
||||
[response appendContentString: @"Missing POST"];
|
||||
}
|
||||
|
||||
return response;
|
||||
}
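Review bot: The new `[response addCookie: xsrfCookie];` is applied before the later `response = [context response];` re-fetches the response object, whereas `authCookie` is only added after that re-fetch, so the two cookies now sit on opposite sides of the reassignment. Both calls presumably return the same object (the method already fetched it once above), so this works today, but moving the XSRF cookie down next to `[response addCookie: authCookie];` keeps the pairing robust if that ever changes and makes the intent obvious. The new cookie also only gets a path: nothing in the hunk marks it Secure (HttpOnly is deliberately not wanted, since the token must be readable by the client script), so if the authenticator sets Secure on `authCookie` elsewhere the two cookies will differ in transport guarantees — worth mirroring, e.g. `[xsrfCookie setIsSecure: YES];` when the request arrived over TLS, if WOCookie exposes that. `[creds lastObject]` is nil when `parseCredentials:` yields an empty result, which would silently emit a cookie with an empty token instead of failing the login, so a guard on `creds` before building the cookie would make that path explicit. The enclosing action method starts before this hunk.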
|
||||
|