SAML for Atlassian Data Center

[SAMLDC-92] MCAS integration - SAMLRequest parameter encoding question

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • None
    • 4.1.5
    • SSO

      We are working with Microsoft to set up an MCAS proxy for our Data Center Atlassian tools. Microsoft said there is an issue with the SP (Atlassian SSO Data Center app) when crafting the SAMLRequest parameter. We are not so sure this is an issue on your side, but wanted to run it by you. This is Microsoft's explanation:

      The Sign on URL itself is correct to have the "&", i.e. the SAML URL configured for the app should look like:

      https://us.saml.cas.ms/saml/sso_login?orig_idp=https%3A%2F%2Fl...&mcastenant=xxxxx

      This is where the syntax error is: the SP creates this "SAMLRequest" XML, then encodes it and sends it to the SAML Proxy URL via POST request. However, the original XML crafted by the SP contains the unescaped "&" character, which must be encoded for the XML to be valid, and for this parameter to properly be processed. So the correct XML (before encoding) for that "SAMLRequest" parameter should look like:

      <samlp:AuthnRequest [...] Destination=https://us.saml.cas.ms/saml/sso_login?orig_idp=https%3A%2F%2Flo...&amp;mcastenant=xxxxx</samlp:AuthnRequest>

      Again, we think it would be on the MCAS side, but wanted to get your thoughts.
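The following is an added example, written for this page in Python; it is not code from the SAML for Atlassian Data Center app (whose implementation is not shown here) or from MCAS. It reproduces the point in the description: an AuthnRequest built by string concatenation puts the Destination URL's `&` into the XML unescaped, the receiver cannot parse the base64-decoded SAMLRequest, and the fix is to escape attribute values (`&` becomes `&amp;`) before the HTTP-POST binding encodes the document. The proxy URL, issuer, request ID and timestamp are constructed placeholders.

```python
import base64
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the MCAS proxy sign-on URL quoted in the issue.
# The orig_idp and mcastenant values are placeholders, not real tenant data.
PROXY_SSO_URL = (
    "https://us.saml.cas.ms/saml/sso_login"
    "?orig_idp=https%3A%2F%2Fidp.example.test%2Fsaml&mcastenant=xxxxx"
)


def build_authn_request_naive(destination, issuer, request_id, issue_instant):
    """String-concatenated AuthnRequest that reproduces the defect in the report:
    the Destination value is pasted into the attribute verbatim, so a '&' in the
    URL's query string lands in the XML unescaped and the document is not
    well-formed."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def build_authn_request_escaped(destination, issuer, request_id, issue_instant):
    """Same document with every attribute value passed through quoteattr() and
    element text through escape(): '&' becomes '&amp;', and '<', '>' and quotes
    are handled the same way. This is the 'correct XML (before encoding)' form."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID={quoteattr(request_id)} Version="2.0" '
        f"IssueInstant={quoteattr(issue_instant)} "
        f"Destination={quoteattr(destination)}>"
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_for_post_binding(xml_doc):
    """HTTP-POST binding: the XML is base64-encoded and sent as the SAMLRequest
    form field. This is a separate layer from XML escaping; base64 does not
    repair a malformed document, it only transports it."""
    return base64.b64encode(xml_doc.encode("utf-8")).decode("ascii")


def parse_destination(saml_request_b64):
    """What the receiving proxy or IdP does with the SAMLRequest field: base64
    decode, XML parse, read Destination. Returns None when the payload is not
    well-formed XML (the 'syntax error' MCAS reported) or is not an AuthnRequest."""
    raw = base64.b64decode(saml_request_b64)
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return None
    return root.get("Destination")


def check_request(builder):
    """Build a request with the given builder, push it through the POST binding
    and return the Destination the receiver recovers (None = rejected)."""
    xml_doc = builder(
        PROXY_SSO_URL, "https://jira.example.test", "_a1b2c3", "2021-03-01T10:00:00Z"
    )
    return parse_destination(encode_for_post_binding(xml_doc))


if __name__ == "__main__":
    print("naive  :", check_request(build_authn_request_naive))
    print("escaped:", check_request(build_authn_request_escaped))
```

Two layers are in play and must not be confused: the `%3A%2F%2F` inside the `orig_idp` value is URL encoding and stays as it is, while the `&` separating the query parameters is an XML-level problem and is fixed by XML escaping of the attribute. The same escaping is needed for the HTTP-Redirect binding (deflate, base64, then URL-encode), since a non-well-formed document fails there in exactly the same way once it is decoded.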


            Patryk added a comment -

            Hello Leann,

            This indeed is a problem on the SP side - the generated SAMLRequest XML should be a valid XML. I've updated the issue type to "Bug" and put it on our backlog.

            Regards,

            Patryk


            Leann Adams added a comment -

            Has anyone looked at this yet?

            Leann Adams added a comment - edited

            For some reason, the URLs didn't get saved correctly:

            The Sign on URL itself is correct to have the "&", i.e. the SAML URL configured for the app should look like:

            https://us.saml.cas.ms/saml/sso_login?orig_idp=https%3A%2F%2Fl...&mcastenant=xxxxx

            This is where the syntax error is: the SP creates this "SAMLRequest" XML, then encodes it and sends it to the SAML Proxy URL via POST request. However, the original XML crafted by the SP contains the unescaped "&" character, which must be encoded for the XML to be valid, and for this parameter to properly be processed. So the correct XML (before encoding) for that "SAMLRequest" parameter should look like:

            <samlp:AuthnRequest [...] Destination=https://us.saml.cas.ms/saml/sso_login?orig_idp=https%3A%2F%2Flo...&amp;mcastenant=xxxxx</samlp:AuthnRequest>


              Assignee: Unassigned
              Reporter: Leann Adams
              Affected customers: 0
              Watchers: 2