Add ssoIssuer to fix Response issuer checking

Rename issuer to entityIssuer

connector/saml/saml.go

@@ -81,7 +81,8 @@ type Config struct {
 	//
 	// https://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf
 
-	Issuer string `json:"issuer"`
+	EntityIssuer string `json:"entityIssuer"`
+	SSOIssuer    string `json:"ssoIssuer"`
 	SSOURL       string `json:"ssoURL"`
 
 	// X509 CA file or raw data to verify XML signatures.
@@ -154,7 +155,8 @@ func (c *Config) openConnector(logger logrus.FieldLogger) (*provider, error) {
 	}
 
 	p := &provider{
-		issuer:       c.Issuer,
+		entityIssuer: c.EntityIssuer,
+		ssoIssuer:    c.SSOIssuer,
 		ssoURL:       c.SSOURL,
 		now:          time.Now,
 		usernameAttr: c.UsernameAttr,
@@ -217,7 +219,8 @@ func (c *Config) openConnector(logger logrus.FieldLogger) (*provider, error) {
 }
 
 type provider struct {
-	issuer string
+	entityIssuer string
+	ssoIssuer    string
 	ssoURL       string
 
 	now func() time.Time
@@ -251,10 +254,10 @@ func (p *provider) POSTData(s connector.Scopes, id string) (action, value string
 		},
 		AssertionConsumerServiceURL: p.redirectURI,
 	}
-	if p.issuer != "" {
+	if p.entityIssuer != "" {
 		// Issuer for the request is optional. For example, okta always ignores
 		// this value.
-		r.Issuer = &issuer{Issuer: p.issuer}
+		r.Issuer = &issuer{Issuer: p.entityIssuer}
 	}
 
 	data, err := xml.MarshalIndent(r, "", "  ")
@@ -287,8 +290,8 @@ func (p *provider) HandlePOST(s connector.Scopes, samlResponse, inResponseTo str
 	}
 
 	if rootElementSigned {
-		if p.issuer != "" && resp.Issuer != nil && resp.Issuer.Issuer != p.issuer {
-			return ident, fmt.Errorf("expected Issuer value %s, got %s", p.issuer, resp.Issuer.Issuer)
+		if p.ssoIssuer != "" && resp.Issuer != nil && resp.Issuer.Issuer != p.ssoIssuer {
+			return ident, fmt.Errorf("expected Issuer value %s, got %s", p.entityIssuer, resp.Issuer.Issuer)
 		}
 
 		// Verify InResponseTo value matches the expected ID associated with

connector/saml/saml_test.go

@@ -278,14 +278,14 @@ func (r responseTest) run(t *testing.T) {
 }
 
 const (
-	defaultIssuer      = "http://www.okta.com/exk91cb99lKkKSYoy0h7"
+	defaultSSOIssuer   = "http://www.okta.com/exk91cb99lKkKSYoy0h7"
 	defaultRedirectURI = "http://localhost:5556/dex/callback"
 
 	// Response ID embedded in our testdata.
 	testDataResponseID = "_fd1b3ef9-ec09-44a7-a66b-0d39c250f6a0"
 )
 
-// Depricated: Use testing framework established above.
+// Deprecated: Use testing framework established above.
 func runVerify(t *testing.T, ca string, resp string, shouldSucceed bool) {
 	cert, err := loadCert(ca)
 	if err != nil {
@@ -311,10 +311,10 @@ func runVerify(t *testing.T, ca string, resp string, shouldSucceed bool) {
 	}
 }
 
-// Depricated: Use testing framework established above.
-func newProvider(issuer string, redirectURI string) *provider {
-	if issuer == "" {
-		issuer = defaultIssuer
+// Deprecated: Use testing framework established above.
+func newProvider(ssoIssuer string, redirectURI string) *provider {
+	if ssoIssuer == "" {
+		ssoIssuer = defaultSSOIssuer
 	}
 	if redirectURI == "" {
 		redirectURI = defaultRedirectURI
@@ -322,7 +322,7 @@ func newProvider(issuer string, redirectURI string) *provider {
 	now, _ := time.Parse(time.RFC3339, "2017-01-24T20:48:41Z")
 	timeFunc := func() time.Time { return now }
 	return &provider{
-		issuer:       issuer,
+		ssoIssuer:    ssoIssuer,
 		ssoURL:       "http://idp.org/saml/sso",
 		now:          timeFunc,
 		usernameAttr: "user",