SAML SSO fails when SAML response elements inherit a parent's default namespace #1925

Open
2 tasks done
payerset-ag opened this issue Jan 23, 2025 · 0 comments
Labels
bug Something isn't working

Comments


Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The Supabase auth library uses the crewjam/saml library for SAML SSO support.

This library has a documented bug that prevents it from correctly propagating a default namespace applied at a parent element (such as <Response>) that does not use a prefix.

For example:

<?xml version="1.0" encoding="UTF-8"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ...>
  ...
  <Assertion ID="*redacted*" IssueInstant="*redacted*" Version="2.0">
  ...

As a result, identity providers that return a (valid) SAML response in this format cause a Supabase SSO authentication request to fail with the following type of error:

{
    "component": "api",
    "error": "expected element \u003cAssertion\u003e in name space urn:oasis:names:tc:SAML:2.0:assertion but have no name space",
    "level": "info",
    "method": "POST",
    "msg": "400: SAML Assertion is not valid",
    "path": "/sso/saml/acs",
    "referer": "*redacted*",
    "remote_addr": "*redacted*",
    "request_id": "*redacted*",
    "time": "*redacted*"
}

There is an active pull request from November 2024 with a fix for this issue in the referenced library, but outside of a lone cryptography update from July 2024, the library has not seen master branch updates since October 2023.

Open PR to fix: crewjam/saml#580

A specific commercial IdAM platform impacted by this issue and relevant to an active use case is FusionAuth, which the above response sample is sourced from.

To Reproduce

  1. Configure a Supabase project for SAML SSO
  2. Configure an Identity Provider that formats a response in this fashion for the Supabase project as an SP, such as FusionAuth (free trial available)
  3. Attempt to perform a SAML login using a web client and the JavaScript SSO login
  4. Review the Supabase Auth logs for the request

Expected behavior

Supabase (via the crewjam/saml library) should interpret the valid SAML response correctly and complete the login flow.

System information

  • OS: Windows (tested on, using latest js library)
  • Supabase Pro plan
@payerset-ag payerset-ag added the bug Something isn't working label Jan 23, 2025
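Added example, not part of the report above and not Supabase's or crewjam/saml's code: a Go model of the failure mode built only on encoding/xml. It walks raw tokens to cut <Assertion> out of a constructed Response shaped like the sample in the report. The lossy extraction copies the element with only the attributes written on it, so the default namespace declared on <ns3:Response> is lost and strict unmarshalling fails with the very string in the log ("expected element <Assertion> in name space ... but have no name space" is encoding/xml's UnmarshalError). The hoisting variant re-declares every inherited namespace binding on the extracted element, and the same strict parse succeeds. The sample document, the Assertion struct, and the function names are assumptions for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed, unsigned Response shaped like the report's sample: the assertion
// namespace is the default namespace on the prefixed <ns3:Response>, and the
// unprefixed <Assertion> declares nothing itself. Not a real IdP response.
const sampleResponse = `<?xml version="1.0" encoding="UTF-8"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <Assertion ID="_a1" IssueInstant="2025-01-23T00:00:00Z" Version="2.0">
    <Issuer>https://idp.example.test</Issuer>
  </Assertion>
</ns3:Response>`

// Assertion is the strict, namespace-qualified target a SAML parser unmarshals into.
type Assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID      string   `xml:"ID,attr"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// qname renders a raw-token name; Decoder.RawToken leaves the prefix in Name.Space.
func qname(n xml.Name) string { return strings.TrimPrefix(n.Space+":"+n.Local, ":") }

// ExtractElement cuts the first element named local (any prefix) out of doc as a
// standalone fragment. hoist=false copies only attributes physically written on the
// element, which is how a default namespace declared on an ancestor gets lost;
// hoist=true re-declares every in-scope binding the element does not override.
func ExtractElement(doc, local string, hoist bool) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var scopes []map[xml.Name]string // per open element: xmlns attribute name -> URI
	var out strings.Builder
	depth := 0 // >0 while inside the wanted element
	for {
		tok, err := dec.RawToken()
		if err != nil { // io.EOF here means the element was never seen
			return "", fmt.Errorf("extracting <%s>: %w", local, err)
		}
		switch t := tok.(type) {
		case xml.StartElement:
			bindings := map[xml.Name]string{} // raw tokens keep xmlns declarations as attributes
			for _, a := range t.Attr {
				if a.Name.Space == "xmlns" || a.Name == (xml.Name{Local: "xmlns"}) {
					bindings[a.Name] = a.Value
				}
			}
			if depth == 0 && t.Name.Local == local {
				depth = 1
				for i := len(scopes) - 1; hoist && i >= 0; i-- { // innermost ancestor wins
					for n, uri := range scopes[i] {
						if _, declared := bindings[n]; !declared {
							bindings[n] = uri
							t.Attr = append(t.Attr, xml.Attr{Name: n, Value: uri})
						}
					}
				}
			} else if depth > 0 {
				depth++
			}
			scopes = append(scopes, bindings)
			if depth > 0 {
				out.WriteString("<" + qname(t.Name))
				for _, a := range t.Attr {
					out.WriteString(" " + qname(a.Name) + `="`)
					xml.EscapeText(&out, []byte(a.Value))
					out.WriteString(`"`)
				}
				out.WriteString(">")
			}
		case xml.EndElement:
			scopes = scopes[:len(scopes)-1]
			if depth > 0 {
				out.WriteString("</" + qname(t.Name) + ">")
				if depth--; depth == 0 {
					return out.String(), nil
				}
			}
		case xml.CharData:
			if depth > 0 {
				xml.EscapeText(&out, t)
			}
		}
	}
}

// ParseAssertion is the strict unmarshal step. On a fragment whose <Assertion> lost its
// namespace, encoding/xml fails with the report's exact "... but have no name space" error.
func ParseAssertion(fragment string) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal([]byte(fragment), &a); err != nil {
		return nil, err
	}
	return &a, nil
}
```

Calling ExtractElement(sampleResponse, "Assertion", false) followed by ParseAssertion returns the error from the log; with hoist set to true the returned Assertion has ID "_a1" and Issuer "https://idp.example.test", because the child <Issuer> inherits the hoisted default namespace too. Two caveats for anyone fixing this in a real SP: re-declaring inherited bindings on the extracted root is what makes the fragment mean what it meant in situ (the same thing exclusive canonicalization does for visibly used prefixes), and the XML signature must be verified against the original document before any re-serialized fragment is trusted, since the re-serialized bytes are not the signed bytes.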