fix(saml): add XSRF-TOKEN cookie in valid SAML login

Francis Lachapelle 2021-08-04 12:54:38 -04:00
parent a1273f1097
commit 5f6cacc859
2 changed files with 27 additions and 16 deletions


@ -1374,14 +1374,12 @@ connection properly.
Authenticating using SAML2
~~~~~~~~~~~~~~~~~~~~~~~~~~
SOGo natively supports SAML2 authentication. Please refer to the
documentation of your identity provider and the SAML2 configuration keys
that are listed above for proper setup. Make sure
_SOGoXSRFValidationEnabled_ is set to `NO`. Once a SOGo instance is
configured properly, the metadata for that instance can be retrieved
from `http://<hostname>/SOGo/saml2-metadata` for registration with the
identity provider. SOGo will dynamically generate the metadata based on
the SOGoSAML2CertificateLocation's content and the SOGo server name.
SOGo natively supports SAML2 authentication. Please refer to the documentation of your identity
provider and the SAML2 configuration keys that are listed above for proper setup. Once a SOGo
instance is configured properly, the metadata for that instance can be retrieved from
`http://<hostname>/SOGo/saml2-metadata` for registration with the identity provider. SOGo will
dynamically generate the metadata based on the SOGoSAML2CertificateLocation's content and the SOGo
server name.
When using https://simplesamlphp.org/[SimpleSAMLphp], make sure the
convert OID to names by modifying your
@ -3138,9 +3136,8 @@ current version of SOGo from the previous release.
[cols="100a"]
|=======================================================================
h|5.1.0
|The XSRF protection is now enabled by default in SOGo. If you use a single
sign-on mechanisim such as C.A.S. or SAML2, you need to disable XSRF by adding
`SOGoXSRFValidationEnabled = NO` to your configuration file.
|The XSRF protection is now enabled by default in SOGo. If you use the C.A.S. mechanisim, you need
to disable XSRF by adding `SOGoXSRFValidationEnabled = NO` to your configuration file.
h|5.0.0
|Peer is now verified for TLS connections (SMTP/IMAP/Sieve). If you enabled


@ -1,6 +1,6 @@
/* SOGoSAML2Actions.m - this file is part of SOGo
*
* Copyright (C) 2012-2014 Inverse inc
* Copyright (C) 2012-2021 Inverse inc
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -28,6 +28,7 @@
#import <NGExtensions/NSCalendarDate+misc.h>
#import <NGExtensions/NSString+misc.h>
#import <SOGo/NSString+Crypto.h>
#import <SOGo/SOGoCache.h>
#import <SOGo/SOGoSAML2Session.h>
#import <SOGo/SOGoSession.h>
@ -159,10 +160,14 @@
WOResponse *response;
SoApplication *application;
SOGoSAML2Session *newSession;
WOCookie *authCookie;
WOCookie *authCookie, *xsrfCookie;
NSArray *creds;
NSString *login, *oldLocation, *newLocation;
SOGoWebAuthenticator *auth;
response = [context response];
[response setHeader: @"text/plain; charset=utf-8"
forKey: @"content-type"];
rq = [context request];
if ([[rq method] isEqualToString: @"POST"])
{
@ -176,17 +181,26 @@
andPassword: [newSession identifier]
inContext: context];
// We prepare the XSRF protection cookie
creds = [auth parseCredentials: [authCookie value]];
xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
[xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
[response addCookie: xsrfCookie];
oldLocation = [[context clientObject] baseURLInContext: context];
newLocation = [NSString stringWithFormat: @"%@/%@",
oldLocation, [login stringByEscapingURL]];
response = [context response];
[response setStatus: 302];
[response setHeader: @"text/plain; charset=utf-8"
forKey: @"content-type"];
[response setHeader: newLocation forKey: @"location"];
[response addCookie: authCookie];
}
else
{
[response setStatus: 500];
[response appendContentString: @"Missing POST"];
}
return response;
}
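Review bot: The new XSRF-TOKEN cookie is created with only a path and no Secure attribute, so on a TLS deployment the browser will also replay it over plain HTTP unless WOCookie's defaults differ from what is visible here; the token must stay readable by the frontend script (so no HttpOnly), but mirroring whatever secure-flag handling the auth cookie receives, e.g. `[xsrfCookie setIsSecure: YES]` when the request came in over TLS, would keep the two cookies consistent. The value derivation `[[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]` assumes `parseCredentials:` returned a well-formed array; if it returns nil the token silently becomes an empty string via nil messaging, so a guard such as `if ([creds count] > 0)` before building the cookie, falling through to the 500 branch otherwise, would make the failure visible rather than issuing an unusable token. If this block is copied from the password login action, consider extracting the cookie construction into a shared helper so the token derivation cannot drift between the two paths and the validator. Minor: `rq` is already bound to `[context request]` earlier in the method, so the path line can use `[rq applicationName]`. The method's signature lies outside the hunk.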