[SAML] - Incorrect namespace for EntityDescriptor in Microsoft Azure Active Directory SSO metadata

[wrabit]

The OneLogin_Saml2_IdPMetadataParser.parse() that this package uses to identify the nodes in the xml has a fixed xpath selector //md:EntityDescriptor

The XML that comes back from the metadata endpoint at Azure Active Directory (now known as Entra ID) is not namespaced with 'md':

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="xxx" entityID="https://sts.windows.net/xxx/"> mentioned here

So it returns nothing, preventing anything meaningful from happening.

I could handpick the values and declare them in settings.py but having any changes from their side automatically propagate to our implementation is more desirable.

[pennersr]

The code that you linked to is not fixed, it accepts a entity_id param, which is passed here:

https://github.com/pennersr/django-allauth/blob/main/allauth/socialaccount/providers/saml/utils.py#L79

[wrabit]

Ok that's the parse_remote method which fetches the metadata and calls parse method which has this:

        entity_desc_path = '//md:EntityDescriptor'
        if entity_id:
            entity_desc_path += "[@entityID='%s']" % entity_id
        entity_descriptor_nodes = OneLogin_Saml2_XML.query(dom, entity_desc_path)

https://github.com/SAML-Toolkits/python3-saml/blob/master/src/onelogin/saml2/idp_metadata_parser.py#L142-L147

So the namespace is still in the xpath selector whether entity_id is provided or not, so if the metadata xml has <EntityDescriptor>'s without the md namespace, it will find nothing.

[pennersr]

You are right -- I overlooked the +=.

[pennersr]

Related: spring-projects/spring-security#11283

I am not sure if there is anything that can be done on this end. Perhaps this is best filed as an issue over at https://github.com/SAML-Toolkits/python3-saml/ ?