Description
EntraID (formerly Azure) sends a LogoutRequest via the GET method in the form `/logout?SAMLRequest=...&Signature=...&SigAlg=...` (respectively, a LogoutResponse in the form `/logout?SAMLResponse=...&Signature=...&SigAlg=...`). The function `parse_logout_request` can be used to parse and validate the request, including its signature, using the `sigalg` and `signature` parameters. The issue arises because the parameters are URL encoded and the signature is computed over the encoded values. EntraID encodes in lowercase, for instance: `http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256`. However, `verify_redirect_signature` in pysaml2 uses `parse.urlencode`, which encodes in uppercase regardless of the input. Consequently, `_do_redirect_sig_check` fails and raises `IncorrectlySigned("Request was not signed correctly")`. I found no solution within pysaml2, so I replicated the code in our application (similar to here, for example: https://stackoverflow.com/questions/56277719/python-url-encoding-with-lowercase-letters). A solution would be for pysaml2 to use the encoding found in the input.
Code Version
Version: 7.1.2 in production, but I am reviewing using tag v7.5.0, from Jan 30 2024.
Expected Behavior
`parse_logout_request` should succeed.
Current Behavior
Instead it throws `IncorrectlySigned("Request was not signed correctly")`.
Possible Solution
Check the case of the input URL encoding, for example: `re.compile(r'%([a-f]\d|\d[a-f])').search(url)`.
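To make the mismatch concrete, here is an added example (not pysaml2's code) that rebuilds the signed octet string two ways: from the raw query string as received, and by decoding and re-encoding with `parse.urlencode` the way `verify_redirect_signature` does. It assumes the parameter order pysaml2 uses for the HTTP-Redirect binding and widens the regex from the possible solution to escapes where both hex digits are letters; the query strings are constructed, not captured traffic.

```python
import hashlib
import re
from urllib import parse

# The issue's check, widened to also match escapes such as %ff where both
# hex digits are letters (the original regex needs one letter and one digit).
LOWERCASE_ESCAPE = re.compile(r"%(?:[a-f][0-9a-f]|[0-9a-f][a-f])")

# Parameters the HTTP-Redirect signature covers, in pysaml2's REQ_ORDER /
# RESP_ORDER: the message, optional RelayState, then SigAlg; never Signature.
SIGNED_ORDER = ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg")


def has_lowercase_escapes(raw_query: str) -> bool:
    return LOWERCASE_ESCAPE.search(raw_query) is not None


def signed_data_from_raw_query(raw_query: str) -> bytes:
    """Rebuild the signed octets from the query string exactly as received.
    The IdP signed the percent-encoded values it emitted, so slicing the raw
    query keeps whatever hex case (EntraID: lowercase) it used."""
    raw = dict(pair.partition("=")[::2] for pair in raw_query.split("&"))
    return "&".join(f"{k}={raw[k]}" for k in SIGNED_ORDER if k in raw).encode("ascii")


def signed_data_by_reencoding(raw_query: str) -> bytes:
    """What verify_redirect_signature does: decode, then rebuild with urlencode.
    parse.urlencode always emits uppercase hex, so the result only matches the
    IdP's bytes when the IdP also used uppercase."""
    decoded = dict(parse.parse_qsl(raw_query, keep_blank_values=True))
    parts = [parse.urlencode({k: decoded[k]}) for k in SIGNED_ORDER if k in decoded]
    return "&".join(parts).encode("ascii")


def digest_inputs_match(raw_query: str) -> bool:
    """RSA-SHA256 verification hashes the signed octets first: if the two
    reconstructions hash differently, the signature check cannot pass."""
    a = hashlib.sha256(signed_data_from_raw_query(raw_query)).digest()
    b = hashlib.sha256(signed_data_by_reencoding(raw_query)).digest()
    return a == b


# Constructed query strings, not captured traffic: identical decoded content,
# differing only in the hex case of the escapes (the SAMLRequest value is a dummy).
LOWER = ("SAMLRequest=abc%2bdef%2f%3d%3d"
         "&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256"
         "&Signature=dummy")
UPPER = (LOWER.replace("%2b", "%2B").replace("%2f", "%2F")
              .replace("%3d", "%3D").replace("%3a", "%3A"))
```

Verifying against `signed_data_from_raw_query` instead of the re-encoded form accepts both hex cases without guessing which one the IdP used.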
Steps to Reproduce
- Make an EntraID enterprise application.
- Configure SAML.
- Log in, then log out from https://portal.microsoft.com/
- Process the received `/logout?SAMLRequest=...&Signature=...&SigAlg=...` with `parse_logout_request`.