Closed
ISSUE TYPE
- Bug Report
COMPONENT NAME
SAML SSO plugin
CLOUDSTACK VERSION
LATEST -> https://github.com/apache/cloudstack/blame/main/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java#L153
CONFIGURATION
SAML SSO plugin activated.
OS / ENVIRONMENT
N/A
SUMMARY
Google's IdP URL already contains a query param, thus this line of code will create a malformed redirect URL.
https://github.com/apache/cloudstack/blame/main/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java#L153
Example of Google's IdP URL: https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX
STEPS TO REPRODUCE
- Enable and configure SAML SSO plugin2 using Google as the IdP.
- Access the UI and attempt to log in via Single Sign-On.
You should now face an Invalid Request error.
EXPECTED RESULTS
Users should be redirected to Google's login portal thus completing the authentication flow.
ACTUAL RESULTS
Malformed URL:
https://accounts.google.com/o/saml2/idp?idpid=<ID>?SAMLRequest=<SAMLRequest>
Expected URL:
https://accounts.google.com/o/saml2/idp?idpid=<ID>&SAMLRequest=<SAMLRequest>
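
The following is an added example, not CloudStack's code and not part of the original report. It shows one way to pick the separator from the IdP URL's existing query string so that both plain and Google-style IdP URLs produce a well-formed redirect. The class name, method names and the sample `SAMLRequest` value are hypothetical; `naiveAppend` only mirrors the malformed result shown under ACTUAL RESULTS.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class SamlRedirectUrl {

    // Mirrors the reported behaviour: "?" is used even when a query already exists.
    static String naiveAppend(String idpUrl, String samlRequest) {
        return idpUrl + "?SAMLRequest=" + URLEncoder.encode(samlRequest, StandardCharsets.UTF_8);
    }

    // Appends SAMLRequest using "?" or "&" depending on the existing query,
    // and keeps any fragment at the end of the URL.
    static String appendSamlRequest(String idpUrl, String samlRequest) throws URISyntaxException {
        URI uri = new URI(idpUrl);
        if (uri.getScheme() == null || uri.getRawAuthority() == null) {
            throw new IllegalArgumentException("IdP SSO URL must be absolute: " + idpUrl);
        }
        String param = "SAMLRequest=" + URLEncoder.encode(samlRequest, StandardCharsets.UTF_8);
        String rawQuery = uri.getRawQuery();
        String query;
        if (rawQuery == null || rawQuery.isEmpty()) {
            query = param;                       // no query yet, or a bare trailing "?"
        } else if (rawQuery.endsWith("&")) {
            query = rawQuery + param;            // avoid producing "&&"
        } else {
            query = rawQuery + "&" + param;      // Google-style URL with idpid=...
        }
        StringBuilder sb = new StringBuilder();
        sb.append(uri.getScheme()).append("://").append(uri.getRawAuthority());
        if (uri.getRawPath() != null) {
            sb.append(uri.getRawPath());
        }
        sb.append('?').append(query);
        if (uri.getRawFragment() != null) {
            sb.append('#').append(uri.getRawFragment());
        }
        return sb.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        String request = "c2FtcGxl+/8=";  // constructed sample, not a real SAMLRequest
        String google = "https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX";
        String plain = "https://idp.example.org/sso";  // constructed IdP URL without a query
        System.out.println(naiveAppend(google, request));
        System.out.println(appendSamlRequest(google, request));
        System.out.println(appendSamlRequest(plain, request));
    }
}
```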
