Description
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
The Supabase auth library uses the crewjam/saml library for SAML SSO support.
This library has a documented bug that prevents it from correctly propagating a default namespace applied at a parent element (such as `<Response>`) that does not use a prefix.
- Azure SAML2.0 not surport crewjam/saml#527
- saml:Assertion is not found without a namespace crewjam/saml#578
For example:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ...>
...
<Assertion ID="*redacted*" IssueInstant="*redacted*" Version="2.0">
...
```
As a result, identity providers that return a (valid) SAML response in this format cause a Supabase SSO authentication request to fail with the following type of error:
```json
{
  "component": "api",
  "error": "expected element \u003cAssertion\u003e in name space urn:oasis:names:tc:SAML:2.0:assertion but have no name space",
  "level": "info",
  "method": "POST",
  "msg": "400: SAML Assertion is not valid",
  "path": "/sso/saml/acs",
  "referer": "*redacted*",
  "remote_addr": "*redacted*",
  "request_id": "*redacted*",
  "time": "*redacted*"
}
```
There is an active pull request from November 2024 with a fix for this issue in the referenced library, but outside of a lone cryptography update from July 2024, the library has not seen master branch updates since October 2023.
Open PR to fix: crewjam/saml#580
A specific commercial IdAM platform impacted by this issue, and relevant to an active use case, is FusionAuth, from which the above response sample is taken.
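To pin down what correct handling looks like here, an added Go example (not Supabase's or crewjam/saml's own code) uses the standard library's namespace-aware `encoding/xml` decoder to resolve the namespace of `<Assertion>` in three constructed responses: the FusionAuth shape with the assertion namespace declared as the default on the parent, the equivalent prefixed form, and a genuinely namespace-less assertion, which is the only one the quoted error should apply to. Element IDs and the issuer URL are placeholders.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

const SAMLAssertionNS = "urn:oasis:names:tc:SAML:2.0:assertion"

// Constructed sample in the FusionAuth shape from the report: the assertion
// namespace is the DEFAULT namespace declared on the parent <ns3:Response>,
// so the unprefixed <Assertion> inherits it. IDs are placeholders.
const DefaultNSResponse = `<?xml version="1.0" encoding="UTF-8"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
              xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <Assertion ID="_a1" Version="2.0"><Issuer>https://idp.example</Issuer></Assertion>
</ns3:Response>`

// Same assertion written with an explicit saml: prefix; a namespace-aware
// parser must treat both spellings as the same qualified element.
const PrefixedResponse = `<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0"><saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>`

// <Assertion> genuinely in no namespace: the only case that should trigger
// the "have no name space" rejection quoted in the report.
const NoNSResponse = `<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r3" Version="2.0">
  <Assertion ID="_a3" Version="2.0"><Issuer>https://idp.example</Issuer></Assertion>
</samlp:Response>`

// AssertionNamespace streams the document and returns the resolved namespace URI of the
// first element with local name "Assertion". encoding/xml tracks xmlns scope, so a
// default namespace inherited from the parent element is applied to unprefixed names.
func AssertionNamespace(doc string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err != nil { // io.EOF (no such element) or a parse error
			return "", fmt.Errorf("no Assertion element: %w", err)
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Local == "Assertion" {
			return se.Name.Space, nil
		}
	}
}

// IsSAMLAssertion is the acceptance check the report expects: accept when
// <Assertion> resolves to the SAML 2.0 assertion namespace, however spelled.
func IsSAMLAssertion(doc string) bool {
	ns, err := AssertionNamespace(doc)
	return err == nil && ns == SAMLAssertionNS
}
```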
To Reproduce
- Configure a Supabase project for SAML SSO
- Configure an Identity Provider that formats its response in this fashion (such as FusionAuth, which offers a free trial) with the Supabase project as the SP
- Attempt to perform a SAML login using a web client and the JavaScript SSO login
- Review the Supabase Auth logs for the request
Expected behavior
Supabase (via the crewjam/saml library) should interpret the valid SAML response correctly and complete the login flow.
System information
- OS: Windows (tested using the latest JS library)
- Supabase Pro plan