Skip to content

SAML Config Issue in 1.17.0 #20

Open
Open
SAML Config Issue in 1.17.0#20
@jogalt

Description

@jogalt
jogalt
opened on Jul 28, 2025

Bug Report: Kasm incorrectly validates <saml:Issuer> in SAML Response

Summary

Kasm currently rejects SAML responses if the <saml:Issuer> in the <samlp:Response> does not match its own SP EntityID. This behavior is incorrect per the SAML 2.0 Core Specification.

Steps to Reproduce

  1. Configure Kasm as a SAML Service Provider with this SP EntityID:

    https://kasm.apps.ABC.org/api/metadata/?id=...

  2. Configure a standards-compliant Identity Provider (e.g., Keycloak) that issues SAML responses with this issuer:

    <saml:Issuer>https://keycloak.apps.ABC.org/realms/ABC_Users</saml:Issuer>

  3. Attempt to authenticate via SSO.

  4. Kasm returns:

    invalid_response: Invalid issuer in the Assertion/Response

Expected Behavior

Kasm should validate the <saml:Issuer> in the SAML Response against the configured IdP EntityID, not against its own SP EntityID.

The Response Issuer should be allowed to differ from the SP's entity ID, as long as it matches the known IdP metadata.

Relevant Specification References

  • SAML 2.0 Core §2.2.5 - Issuer:

    The element... provides information about the issuer of a SAML assertion or protocol message...
    If no Format value is provided, then the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity is in effect.
    (i.e., the Issuer should identify the sender of the message.)

  • SAML 2.0 Core §8.3.6 - Entity Identifier:

    Used in the <Issuer> element to identify the sender of a request, response, or assertion...
    It is RECOMMENDED that a system entity use a URL containing its own domain name.

Impact

  • Breaks compatibility with compliant IdPs such as Keycloak, ADFS, and Okta.
  • Forces administrators to implement non-standard hacks (e.g., patching issuer output) just to pass validation.
  • Prevents interoperability in mixed SSO environments.

Proposed Fix

  • Validate <saml:Issuer> in the Response against the configured IdP EntityID.
  • Allow it to differ from the SP EntityID.
  • Alternatively:
    Add a configuration option to override the expected <saml:Issuer> in the UI or config file.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions