Describe the bug
When a SAML application supports redirecting to multiple Locations with the same Binding, we are always redirected to the default or the first entry. The SAML spec allows multiple AssertionConsumerService elements with the same Binding and different Locations, distinguished by index.
Our use case is the AWS Client VPN, where we want to support users logging in to the VPN through the AWS Client VPN self-service portal as well as authenticating via the AWS Client VPN desktop application. Below is our SAML metadata XML.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:amazon:webservices:clientvpn">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml" index="1" />
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://127.0.0.1:35001" index="2" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
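As an added illustration (not Zitadel's code, and not from the reporter), the following Python sketch parses the metadata above (embedded here as a constructed string) and contrasts the first-entry selection the report describes with spec-style selection: an AssertionConsumerServiceIndex wins, then an AssertionConsumerServiceURL that is present in the metadata, then the default or first entry for the binding. A requested URL that is not registered in the metadata is rejected, so the assertion is never posted to an arbitrary location. Function names are assumptions for this example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata mirroring the report: two HTTP-POST ACS entries, indexes 1 and 2.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:amazon:webservices:clientvpn">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml" index="1" />
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://127.0.0.1:35001" index="2" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_acs(metadata_xml):
    """Return every AssertionConsumerService in SP metadata as a dict (binding, location, index, is_default)."""
    root = ET.fromstring(metadata_xml)
    acs_list = []
    for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        acs_list.append({
            "binding": el.get("Binding"),
            "location": el.get("Location"),
            "index": int(el.get("index")),
            "is_default": el.get("isDefault", "false").lower() == "true",
        })
    return acs_list


def select_acs_buggy(acs_list, binding):
    """Behaviour described in the report: ignore the request and return the first entry for the binding."""
    for acs in acs_list:
        if acs["binding"] == binding:
            return acs["location"]
    return None


def select_acs(acs_list, binding, requested_url=None, requested_index=None):
    """Spec-style selection: index, then a registered URL, then isDefault, then first match for the binding."""
    if requested_index is not None:
        for acs in acs_list:
            if acs["index"] == requested_index:
                return acs["location"]
        raise ValueError("unknown AssertionConsumerServiceIndex")
    candidates = [a for a in acs_list if a["binding"] == binding]
    if requested_url is not None:
        # Only a Location from the metadata is acceptable; anything else is refused.
        for acs in candidates:
            if acs["location"] == requested_url:
                return acs["location"]
        raise ValueError("AssertionConsumerServiceURL not registered in SP metadata")
    for acs in candidates:
        if acs["is_default"]:
            return acs["location"]
    return candidates[0]["location"] if candidates else None
```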
To Reproduce
Steps to reproduce the behavior:
- Configure the AWS Client VPN to use SAML with Zitadel
- Apply the above metadata XML to the SAML application in Zitadel
- Access the AWS Client VPN self-service portal and log in through Zitadel – works!
- Apply the .ovpn profile in the AWS Client VPN application and connect – fails!
Expected behavior
It should be possible to support both authentication scenarios: browser-only, and through the AWS Client VPN desktop application.
Screenshots
N/A
Desktop (please complete the following information):
- OS: macOS
- Browser: Firefox
- Version: 140.0.4
Smartphone (please complete the following information):
N/A
Additional context
We have identified the problematic code and will provide a PR with changes that successfully solve this issue and, in addition, add support for the less commonly used AssertionConsumerServiceIndex (bonus!).