sources/saml: update handling statusmessage (#19739)

* sources/saml: update handling statusmessage

* add tests

* Catch ValueError properly

Author: PeshekDotDev

authentik/common/saml/constants.py

@@ -28,6 +28,8 @@
 SAML_BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 SAML_BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 
+SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
+
 DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
 RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
 # https://datatracker.ietf.org/doc/html/rfc4051#section-2.3.2

authentik/sources/saml/processors/response.py

@@ -23,6 +23,7 @@
     SAML_NAME_ID_FORMAT_TRANSIENT,
     SAML_NAME_ID_FORMAT_WINDOWS,
     SAML_NAME_ID_FORMAT_X509,
+    SAML_STATUS_SUCCESS,
 )
 from authentik.core.models import (
     USER_ATTRIBUTE_DELETE_ON_LOGOUT,
@@ -186,9 +187,19 @@ def _verify_status(self):
         status = self._root.find(f"{{{NS_SAML_PROTOCOL}}}Status")
         if status is None:
             return
+        status_code = status.find(f"{{{NS_SAML_PROTOCOL}}}StatusCode")
         message = status.find(f"{{{NS_SAML_PROTOCOL}}}StatusMessage")
-        if message is not None:
-            raise ValueError(message.text)
+        message_text = message.text if message is not None else None
+        detail = status.find(f"{{{NS_SAML_PROTOCOL}}}StatusDetail")
+        detail_text = etree.tostring(detail, encoding="unicode") if detail is not None else None
+        if status_code.attrib.get("Value") != SAML_STATUS_SUCCESS:
+            if detail_text and message_text:
+                raise ValueError(f"{message_text}: {detail_text}")
+            raise ValueError(
+                detail_text or message_text or f"SAML Status: {status_code.attrib.get('Value')}"
+            )
+        if message_text or detail_text:
+            LOGGER.debug("SAML Status message", message=message_text, detail=detail_text)
 
     def _handle_name_id_transient(self) -> SourceFlowManager:
         """Handle a NameID with the Format of Transient. This is a bit more complex than other

authentik/sources/saml/tests/fixtures/response_error_with_detail.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://127.0.0.1:9443/source/saml/google/acs/" ID="_ee7a8865ac457e7b22cb4f16b39ceca9" IssueInstant="2022-10-14T13:52:04.479Z" Version="2.0">
+    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=</saml2:Issuer>
+    <saml2p:Status>
+        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
+            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"></saml2p:StatusCode>
+        </saml2p:StatusCode>
+        <saml2p:StatusMessage>Authentication failed</saml2p:StatusMessage>
+        <saml2p:StatusDetail>
+            <Cause>User account is disabled</Cause>
+        </saml2p:StatusDetail>
+    </saml2p:Status>
+</saml2p:Response>

authentik/sources/saml/tests/fixtures/response_success_with_message.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://127.0.0.1:9443/source/saml/google/acs/" ID="_1e17063957f10819a5a8e147971fec22" IssueInstant="2022-10-14T14:11:49.590Z" Version="2.0">
+    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=</saml2:Issuer>
+    <saml2p:Status>
+        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
+        <saml2p:StatusMessage>Login successful</saml2p:StatusMessage>
+        <saml2p:StatusDetail>
+            <Detail>Additional info from IdP</Detail>
+        </saml2p:StatusDetail>
+    </saml2p:Status>
+    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_346001c5708ffd118c40edbc0c72fc60" IssueInstant="2022-10-14T14:11:49.590Z" Version="2.0">
+        <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=</saml2:Issuer>
+        <saml2:Subject>
+            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jens@goauthentik.io</saml2:NameID>
+            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <saml2:SubjectConfirmationData NotOnOrAfter="2022-10-14T14:16:49.590Z" Recipient="https://127.0.0.1:9443/source/saml/google/acs/"></saml2:SubjectConfirmationData>
+            </saml2:SubjectConfirmation>
+        </saml2:Subject>
+        <saml2:Conditions NotBefore="2022-10-14T14:06:49.590Z" NotOnOrAfter="2022-10-14T14:16:49.590Z">
+            <saml2:AudienceRestriction>
+                <saml2:Audience>https://accounts.google.com/o/saml2?idpid=</saml2:Audience>
+            </saml2:AudienceRestriction>
+        </saml2:Conditions>
+        <saml2:AttributeStatement>
+            <saml2:Attribute Name="name">
+                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
+                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">foo</saml2:AttributeValue>
+            </saml2:Attribute>
+            <saml2:Attribute Name="sn">
+                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
+                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">bar</saml2:AttributeValue>
+            </saml2:Attribute>
+            <saml2:Attribute Name="email">
+                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
+                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">foo@bar.baz</saml2:AttributeValue>
+            </saml2:Attribute>
+        </saml2:AttributeStatement>
+        <saml2:AuthnStatement AuthnInstant="2022-10-14T12:16:21.000Z" SessionIndex="_346001c5708ffd118c40edbc0c72fc60">
+            <saml2:AuthnContext>
+                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
+            </saml2:AuthnContext>
+        </saml2:AuthnStatement>
+    </saml2:Assertion>
+</saml2p:Response>

authentik/sources/saml/tests/test_response.py

@@ -72,6 +72,39 @@ def test_success(self):
             },
         )
 
+    def test_success_with_status_message_and_detail(self):
+        """Test success with StatusMessage and StatusDetail present (should not raise error)"""
+        request = self.factory.post(
+            "/",
+            data={
+                "SAMLResponse": b64encode(
+                    load_fixture("fixtures/response_success_with_message.xml").encode()
+                ).decode()
+            },
+        )
+
+        parser = ResponseProcessor(self.source, request)
+        parser.parse()
+        sfm = parser.prepare_flow_manager()
+        self.assertEqual(sfm.user_properties["username"], "jens@goauthentik.io")
+
+    def test_error_with_message_and_detail(self):
+        """Test error status with StatusMessage and StatusDetail includes both in error"""
+        request = self.factory.post(
+            "/",
+            data={
+                "SAMLResponse": b64encode(
+                    load_fixture("fixtures/response_error_with_detail.xml").encode()
+                ).decode()
+            },
+        )
+
+        with self.assertRaises(ValueError) as ctx:
+            ResponseProcessor(self.source, request).parse()
+        # Should contain both detail and message
+        self.assertIn("User account is disabled", str(ctx.exception))
+        self.assertIn("Authentication failed", str(ctx.exception))
+
     def test_encrypted_correct(self):
         """Test encrypted"""
         key = load_fixture("fixtures/encrypted-key.pem")

authentik/sources/saml/views.py

@@ -156,7 +156,7 @@ def post(self, request: HttpRequest, source_slug: str) -> HttpResponse:
         processor = ResponseProcessor(source, request)
         try:
             processor.parse()
-        except (InvalidSignature, MissingSAMLResponse, VerificationError) as exc:
+        except (InvalidSignature, MissingSAMLResponse, VerificationError, ValueError) as exc:
             return bad_request_message(request, str(exc))
 
         try: