From 71232263ad8dcb4966cb5b9c8ff58dd58a51cf3e Mon Sep 17 00:00:00 2001
From: Russell Jones
Date: Thu, 7 Apr 2022 17:54:08 +0000
Subject: [PATCH] Added support for JumpCloud.

JumpCloud uses the same canonicalization algorithm as ADFS. Add provider switch for JumpCloud to use a C14N10 exclusive canonicalizer.
---
 constants.go | 2 ++
 lib/services/saml.go | 12 +++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/constants.go b/constants.go
index dff78d33681d8..f6c0ba3736fc2 100644
--- a/constants.go
+++ b/constants.go
@@ -455,6 +455,8 @@ const (
 	Ping = "ping"
 	// Okta should be used for Okta OIDC providers.
 	Okta = "okta"
+	// JumpCloud is an identity provider.
+	JumpCloud = "jumpcloud"
 )
 
 const (
diff --git a/lib/services/saml.go b/lib/services/saml.go
index 4a360f9fe553a..09f2963a2c893 100644
--- a/lib/services/saml.go
+++ b/lib/services/saml.go
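Review bot: The doc comment on the new `JumpCloud` constant is vaguer than its siblings — `Okta` says which providers it is for, while `// JumpCloud is an identity provider.` does not say that this is the value matched against a SAML connector's `provider` field or what selecting it changes. The saml.go hunk in this same patch switches on `sc.GetProvider()` with `case teleport.ADFS, teleport.JumpCloud:` and substitutes the C14N10 exclusive canonicalizer for signed AuthnRequests, which is exactly what an operator choosing this value needs to know. I would write `// JumpCloud should be used for JumpCloud SAML providers; like ADFS, it selects the C14N10 exclusive canonicalizer for signed AuthnRequests.` The enclosing `const (` block starts before the hunk.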
@@ -211,16 +211,18 @@ func GetSAMLServiceProvider(sc types.SAMLConnector, clock clockwork.Clock) (*sam
 		NameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
 	}
 
-	// adfs specific settings
-	if sc.GetProvider() == teleport.ADFS {
+	// Provider specific settings for ADFS and JumpCloud. Specifically these
+	// providers do not support C14N11, which means a C14N10 canonicalizer has to
+	// be used.
+	switch sc.GetProvider() {
+	case teleport.ADFS, teleport.JumpCloud:
 		log.WithFields(log.Fields{
 			trace.Component: teleport.ComponentSAML,
-		}).Debug("Setting ADFS values.")
+		}).Debug("Setting ADFS/JumpCloud values.")
 		if sp.SignAuthnRequests {
-			// adfs does not support C14N11, we have to use the C14N10 canonicalizer
 			sp.SignAuthnRequestsCanonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList(dsig.DefaultPrefix)
-			// at a minimum we require password protected transport
+			// At a minimum we require password protected transport.
 			sp.RequestedAuthnContext = &saml2.RequestedAuthnContext{
 				Comparison: "minimum",
 				Contexts: []string{"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"},