Description
New Feature Request
Summary
Users sometimes bookmark/save a URL somewhere in the middle of an authentication flow. This is an easy mistake to make for a regular user, in particular for Services that redirect users right away, without requiring a press on a login button.
The reason that this sometimes does work is that the WAYF screen includes the full SAMLRequest in the URL, e.g., https://engine.dev.openconext.org/authentication/idp/single-sign-on/key:20230403?SAMLRequest=jVLJTsMwFPyVyPfEiVMCtZpKhR6oxFLRwoELcsyjtXCeg5%2FD8ve4LUuREOJqz6KZeSNSre3kpA9rvIKnHigkr61FktuPmvUepVNkSKJqgWTQcjE5P5Miy2XnXXDaWZZMiMAH4%2FDEIfUt%2BAX4Z6Ph%2BuqsZusQOpKctwrVCrIQPURGvX%2FQDuE1ZGj5Ym2axlkI64zI8Y2D4PPLxZIl0wg3qDbi31KAK4O%2FS6kYBTAYvaVwc99xMriykJJZYRqfHuFNilyU%2BSAvWTKb1uyuGqih0g0c6hyGZSGgGWg4qIqqVMPhUSEijKiHGVJQGGoW6VWal2lRLPMjeSCkqG5ZMv%2Fo49jgfbT8u7xmByJ5ulzO013WG%2FC0zRkBbDzaTCC3xn5vlL9l1ecSbPyP3umr9xHfc9tZd%2FIiys%2Bmc2eNfksm1rqXEw8qQM0Kxsc7ys%2FjGb8D&RelayState=ss%3Amem%3Abc586a8a0abe67b673ed2899a2de3653f170bad31acc186e10091ef258be7609
For Engineblock, this is totally fine, and it will let the user log in correctly, but some SPs (in particular Shib) refuse to process these unsolicited messages and show confusing error messages.
It would be nice to either prevent this, or catch this error in another way and show a helpful error message, because not all Services support this, and this often leads to hard-to-debug issues.
An easy way to reproduce this is by using Manage:
- go to Manage, save the URL in the WAYF
- remove the Manage cookies in your browser
- try to use your saved URL to log in to Manage
- Manage will show an opensaml::SecurityPolicyException
Proposed Solution
There are multiple possible ways to solve this:
- Add a check to EB for the IssueInstant date in the request. If it's too old, show an error. But what is "too old"?
- Make it harder to bookmark the WAYF URL:
  - either add an internal redirect to remove the GET parameter (yet another redirect in the flow might be undesirable)
  - or use JavaScript to rewrite the URL that is visible in the browser (possibly breaks back/forward navigation, but maybe that's a positive point)
Is there a way for SPs to signal (in metadata) that they do support unsolicited SSO?
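One way to implement the IssueInstant check proposed above, as an added example that is not EngineBlock's own code (EngineBlock is PHP; this is a stand-alone Python sketch of the logic). It encodes a constructed AuthnRequest the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode), decodes it back out of a WAYF-style URL, and rejects it when the IssueInstant is stale. The 10-minute maximum age, the 3-minute clock-skew allowance, the example.org hostnames and the sample request are all my assumptions, not values from the issue or the project.

```python
"""
Added example (not EngineBlock's code): decode the SAMLRequest carried in a
WAYF URL and reject it when its IssueInstant is too old, as proposed above.

Assumptions (mine, not the issue's): max age 10 minutes, clock skew 3 minutes,
made-up hostnames and a constructed sample AuthnRequest.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_AGE = timedelta(minutes=10)    # assumption: what counts as "too old"
CLOCK_SKEW = timedelta(minutes=3)  # assumption: tolerated SP/IdP clock drift


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), as the SAML HTTP-Redirect binding requires."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def inflate_raw(data: bytes) -> bytes:
    return zlib.decompress(data, wbits=-15)


def build_authn_request(issue_instant: str) -> str:
    """Constructed sample AuthnRequest, roughly what a Shibboleth SP would send."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_c0ffee" Version="2.0" IssueInstant="{issue_instant}" '
        'Destination="https://engine.example.org/authentication/idp/single-sign-on" '
        'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
        '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def build_wayf_url(authn_request_xml: str, relay_state: str = "ss:mem:example") -> str:
    """Encode the request as the HTTP-Redirect binding does: DEFLATE, base64, URL-encode."""
    saml_request = base64.b64encode(deflate_raw(authn_request_xml.encode("utf-8"))).decode("ascii")
    query = urllib.parse.urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})
    return "https://engine.example.org/authentication/idp/single-sign-on?" + query


def parse_saml_datetime(value: str) -> datetime:
    """SAML 2.0 Core 1.3.3: xs:dateTime in UTC with a 'Z' suffix, fractional seconds optional."""
    if not value.endswith("Z"):
        raise ValueError("IssueInstant must be in UTC with a 'Z' suffix")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def issue_instant_from_url(url: str) -> datetime:
    """Pull the AuthnRequest out of a (possibly bookmarked) WAYF URL, return its IssueInstant."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    xml = inflate_raw(base64.b64decode(params["SAMLRequest"][0]))
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("SAMLRequest is not an AuthnRequest: %s" % root.tag)
    value = root.get("IssueInstant")
    if value is None:
        raise ValueError("AuthnRequest has no IssueInstant")
    return parse_saml_datetime(value)


def check_request_freshness(url: str, now: datetime,
                            max_age: timedelta = MAX_AGE,
                            skew: timedelta = CLOCK_SKEW):
    """Return (ok, reason). Reject stale requests (the bookmark case) and
    requests issued implausibly far in the future (bad clock or tampering)."""
    issued = issue_instant_from_url(url)
    age = now - issued
    if age > max_age:
        return False, "AuthnRequest issued %s ago; likely a bookmarked WAYF URL" % age
    if age < -skew:
        return False, "AuthnRequest IssueInstant is %s in the future" % (-age)
    return True, "AuthnRequest is fresh"


if __name__ == "__main__":
    url = build_wayf_url(build_authn_request("2023-04-03T09:00:00Z"))
    print(check_request_freshness(url, now=parse_saml_datetime("2023-04-03T09:02:00Z")))
    print(check_request_freshness(url, now=parse_saml_datetime("2023-04-05T09:00:00Z")))
```

The "too old" threshold is a policy choice; the example treats it as a constant so it can be tuned per deployment, and it also bounds how far in the future an IssueInstant may lie, since a request that is "fresh" only because its timestamp is wrong should not be trusted either. In a real check the rejection would be turned into the friendly error page the issue asks for rather than a tuple.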