Potential issue in Android client when using step-up authentication with simpleSAMLphp #12
Comments
Can you please confirm that this bug exists in the Android client? Also, can you tell me which class is responsible for validating step-up authentication messages in the Android client, so I can look it up myself (and save some time)? Thanks in advance.
We expect a fix for this this week. New versions of the apps will be submitted early January, but the fix will be available on GitHub as soon as we have it.
Is this issue fixed in the current Android code? I see you have published a new iOS client; any news on releasing an Android client that would fix this bug?
Hi Safar,
safar wrote:
It should be, yes. My colleague Joost (on cc) can send you an APK of the
Cheers, Roland
-- Roland M. van Rijswijk - Deij
Can you please send me the APK of the new version with the implemented bug fix? Cheers, Dario
On 19 June 2013 10:03, Roland van Rijswijk [email protected] wrote:
A beta is available at: First unzip - our wordpress doesn't allow us to upload .apk files. Cheers, Joost
On Jun 19, 2013, at 1:20 PM, safar [email protected] wrote:
When using tiqr in a step-up scenario with simpleSAMLphp 1.9.2, the Android client cannot authenticate users that have the '@' symbol in their userID.
The Android client gives the "Unknown identity for service, please enroll first." error when a user that has already enrolled tries to log in.
I have already tried to debug this issue with Ivo Jansch so here's what I have collected thus far:
I have set up a normal login without step-up and it works fine even on Android devices.
The problem still persists when I enable step-up authentication.
I have collected some data which I used for debugging with QR scanning app.
QR content from normal authentication and step up:
Enroll normal:
tiqrenroll://http://dev4.srce.hr/tiqr_simplesaml/module.php/authTiqr/metadata.php?key=3b4e8f84c2e1912d7909567c0a7bb4f9
Login normal:
tiqrauth://dev4.srce.hr/a1c0b826c7621113bf39f4bf7b885bb9/e68746f63a/dev4.srce.hr
Enroll step-up:
tiqrenroll://http://dev4.srce.hr/tiqr_simplesaml/module.php/authTiqr/metadata.php?key=5c3663218bb5722069e53dba7eb03a75
Login step-up:
tiqrauth://randomaccount%[email protected]/dbc6a17d1a88ff0dc741c52fd65ebe7d/18675041be/dev4.srce.hr
The only difference is that the step-up login QR code contains randomaccount%[email protected]. Could it be that '%40' is unescaped too early in the tiqr Android client? I'm guessing that the '@' symbol is used as the delimiter between userID and serviceID, so if it gets two '@' symbols in the received QR it could split it incorrectly, and the client would assume that enrollment hasn't been done because the identifier is wrong.
Unfortunately all our userIDs contain the '@' symbol, so I cannot test the scenario where the userID doesn't contain it.
Note:
The iOS client works normally, so its code could be a good starting point to spot the difference in the logic used during step-up authentication and when interpreting QR data.
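The parsing-order problem the report suspects, shown as an added illustration (not code from the tiqr Android or iOS client): one parser percent-decodes the whole tiqrauth URI before looking for the '@' delimiter, the other splits the still-encoded text and decodes each component afterwards. The segment names (session key, challenge, service identifier) are my labels for the path pieces visible in the example URIs and are an assumption, as is the decode-before-split ordering, which the issue raises as a hypothesis rather than a confirmed root cause. The sample URIs are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

SCHEME = "tiqrauth://"

# Constructed samples, not taken from the issue: a step-up login URI whose
# user id contains '@' (sent percent-encoded as %40), and a normal login URI
# that carries no user id at all.
STEP_UP_URI = ("tiqrauth://alice%40example.org@idp.example.test/"
               "0123456789abcdef0123456789abcdef/0123456789ab/idp.example.test")
NORMAL_URI = ("tiqrauth://idp.example.test/"
              "0123456789abcdef0123456789abcdef/0123456789ab/idp.example.test")


@dataclass
class AuthRequest:
    user_id: Optional[str]   # None when the QR carries no user id (normal login)
    host: str
    session_key: str         # label assumed for the first path segment
    challenge: str           # label assumed for the second path segment
    service_id: str          # label assumed for the third path segment


def _strip_scheme(uri: str) -> str:
    if not uri.startswith(SCHEME):
        raise ValueError("not a tiqrauth URI")
    return uri[len(SCHEME):]


def _split_body(body: str):
    """Split 'authority/sessionKey/challenge/serviceId' into authority and path parts."""
    authority, _, path = body.partition("/")
    parts = path.split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected authority/sessionKey/challenge/serviceId")
    return authority, parts


def parse_decode_first(uri: str) -> AuthRequest:
    """Wrong order: percent-decode everything, then look for the '@' delimiter.
    After decoding, the '@' inside the user id is indistinguishable from the
    real delimiter, so the user id is truncated and the host is garbage."""
    body = unquote(_strip_scheme(uri))
    authority, (session_key, challenge, service_id) = _split_body(body)
    user_id, host = None, authority
    if "@" in authority:
        user_id, host = authority.split("@", 1)   # first '@' wins: truncates user id
    return AuthRequest(user_id, host, session_key, challenge, service_id)


def parse_split_first(uri: str) -> AuthRequest:
    """Right order: split on the still-encoded text, then decode each component.
    While encoded, the only raw '@' in the authority is the delimiter."""
    authority, (session_key, challenge, service_id) = _split_body(_strip_scheme(uri))
    user_id, host = None, authority
    if "@" in authority:
        raw_user, host = authority.rsplit("@", 1)
        user_id = unquote(raw_user)
    return AuthRequest(user_id, unquote(host), unquote(session_key),
                       unquote(challenge), unquote(service_id))


def identity_known(req: AuthRequest, enrolled: set) -> bool:
    """Models the client's lookup behind 'Unknown identity for service':
    the (user id, service id) pair must match an enrolled identity."""
    return (req.user_id, req.service_id) in enrolled


def demo() -> None:
    # Constructed enrollment record for the sample user.
    enrolled = {("alice@example.org", "idp.example.test")}
    for name, parser in (("decode-first", parse_decode_first),
                         ("split-first", parse_split_first)):
        req = parser(STEP_UP_URI)
        print(f"{name}: user_id={req.user_id!r} host={req.host!r} "
              f"known={identity_known(req, enrolled)}")


if __name__ == "__main__":
    demo()
```

With the constructed step-up URI, the decode-first parser yields user id "alice" and host "example.org@idp.example.test", so the enrollment lookup fails exactly as an "Unknown identity" error would; the split-first parser yields "alice@example.org" and the correct host. Both parsers agree on the normal login URI, which matches the report that the bug only appears once a user id is present in the QR code.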