You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Christian Metzler <Ch...@abas.de> on 2013/11/26 14:25:05 UTC
SAML2 RACS for signed responses
Hi,
I am trying to implement a SAML Request Assertion Consumer Service
(RACS) with Apache CXF 2.7.7
Unfortunately the response of my Identity Provider does not include a
keyInfo (which is defined optional in the SAML specification).This leads
to an exception when processing the response, because CXF tries to load
a DOM for the keyInfo.
|java.lang.NullPointerException
at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
|
I have a valid keystore.properties file as well as the certificate on my
RACS site, but this does not chage the behaviour. Is this a bug in CXF
or did I miss something to set up for my RACS?
That's my current configuration
<bean id="consumerService"
class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
<property name="stateProvider" ref="stateManager" />
<property name="enforceAssertionsSigned" value="false"/>
<property name="signaturePropertiesFile"
value="serviceKeystore.properties"/>
<property name="supportBase64Encoding" value="true" />
</bean>
And the response from my IDP is:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
IssueInstant="2013-11-26T09:46:48.020Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
IssueInstant="2013-11-26T09:46:48.008Z"
Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
</ds:Signature>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
Address="127.0.0.1"
InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
NotOnOrAfter="2013-11-26T09:48:18.007Z"
Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">guest</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Doe</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:displayName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:givenName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">John</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">John Doe</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Thanks for your help.
--
***********************************************************************
Christian Metzler * Software Developer
ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
http://www.abas-software.com * http://www.abas.de
Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
Registered Office / Sitz der Gesellschaft: Karlsruhe
Commercial Register / Handelsregister: HRB 107644 Amtsgericht Mannheim
***********************************************************************
Re: SAML2 RACS for signed responses
Posted by Sergey Beryozkin <sb...@gmail.com>.
FYI:
https://issues.apache.org/jira/browse/CXF-5424
Sergey
On 27/11/13 11:01, Sergey Beryozkin wrote:
> Hi Christian
> On 27/11/13 10:45, Christian Metzler wrote:
>> Hi Sergey, hi Colm,
>>
>> Am 27.11.2013 11:31, schrieb Sergey Beryozkin:
>>> I can see that it is a bearer assertion, which is where KeyInfo is
>>> optional, right ?
>> That's not what I understand when reading the SAML2 Specification:
>>
>> http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>>
>> Page 70, Section 5.4.5 KeyInfo
>>
>> XML Signature defines usage of the <ds:KeyInfo> element. SAML does not
>> require the use of
>> <ds:KeyInfo>, nor does it impose any restrictions on its use. Therefore,
>> <ds:KeyInfo> MAY be
>> absent.
>>
>> So IMHO the KeyInfo is completely optional.
>>
> Yes, true at the XML Signature level, but we need to bear in mind that
> in the WS space (which is where WSS4J is primarily used and this is also
> used under the hood by CXF RS right now), SAML assertions are not bearer
> tokens, they are holder-of-key or sender vouches, I can see
>
> https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
>
>
> mentions a bearer type, but I'm not sure it really ever features in WS
> exchanges, the fact that it is the first time we see this issue suggests
> it :-).
>
> So we can tackle it at the CXF (JAX-RS security) level only
>
> Cheers, Sergey
>
>> Regards,
>>
>> Christian
>>
>
>
Re: SAML2 RACS for signed responses
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Christian
On 27/11/13 10:45, Christian Metzler wrote:
> Hi Sergey, hi Colm,
>
> Am 27.11.2013 11:31, schrieb Sergey Beryozkin:
>> I can see that it is a bearer assertion, which is where KeyInfo is
>> optional, right ?
> That's not what I understand when reading the SAML2 Specification:
>
> http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>
> Page 70, Section 5.4.5 KeyInfo
>
> XML Signature defines usage of the <ds:KeyInfo> element. SAML does not
> require the use of
> <ds:KeyInfo>, nor does it impose any restrictions on its use. Therefore,
> <ds:KeyInfo> MAY be
> absent.
>
> So IMHO the KeyInfo is completely optional.
>
Yes, true at the XML Signature level, but we need to bear in mind that
in the WS space (which is where WSS4J is primarily used and this is also
used under the hood by CXF RS right now), SAML assertions are not bearer
tokens, they are holder-of-key or sender vouches, I can see
https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
mentions a bearer type, but I'm not sure it really ever features in WS
exchanges, the fact that it is the first time we see this issue suggests
it :-).
So we can tackle it at the CXF (JAX-RS security) level only
Cheers, Sergey
> Regards,
>
> Christian
>
Re: SAML2 RACS for signed responses
Posted by Christian Metzler <Ch...@abas.de>.
Hi Sergey, hi Colm,
Am 27.11.2013 11:31, schrieb Sergey Beryozkin:
> I can see that it is a bearer assertion, which is where KeyInfo is
> optional, right ?
That's not what I understand when reading the SAML2 Specification:
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Page 70, Section 5.4.5 KeyInfo
XML Signature defines usage of the <ds:KeyInfo> element. SAML does not
require the use of
<ds:KeyInfo>, nor does it impose any restrictions on its use. Therefore,
<ds:KeyInfo> MAY be
absent.
So IMHO the KeyInfo is completely optional.
Regards,
Christian
--
***********************************************************************
Christian Metzler * Software Developer
ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
http://www.abas-software.com * http://www.abas.de
Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
Registered Office / Sitz der Gesellschaft: Karlsruhe
Commercial Register / Handelsregister: HRB 107644 Amtsgericht Mannheim
***********************************************************************
Re: SAML2 RACS for signed responses
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Colm
I can see that it is a bearer assertion, which is where KeyInfo is
optional, right ?
I'm fine with the fix not being done at WSS4J level because WSS4J is
dedicated primarily to managing SAML (and other) assertions coming on
the WS path where no bearer assertions exist AFAIK so no need to relax
it there.
But we can def expect bearer SAML assertions on the RS path (the example
in http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile shows
no KeyInfo), and the bearer is expected in case of OAuth2 SAML2 grants.
IMHO we need to get it fixed in CXF RS code, I'll be happy to poke a bit
and offer it for the review once it is done
Thanks, Sergey
On 27/11/13 09:57, Colm O hEigeartaigh wrote:
> Hi Christian,
>
> I am not inclined to fix this issue in CXF/WSS4J, as it will involve
> changing how we use keystores for signature validation. It is quite unusual
> IMO to have a XML Signature without a KeyInfo pointing to the public key to
> use to validate the signature.
>
> For different IdPs, I have tested (successfully) against WSo2's Identity
> Server, Josso, Shibboleth, Picketlink and OpenAM.
>
> Colm.
>
>
> On Wed, Nov 27, 2013 at 8:52 AM, Christian Metzler <
> Christian.Metzler@abas.de> wrote:
>
>> Hi Sergey,
>>
>> thanks for your reply. The problem seems to be in the
>> SAMLProtocolResponseValidator class. Overriding the methods you suggested
>> would not be sufficient. Instead I would have to write my own
>> SAMLProtocolResponseValidator and intantiate it in the
>> RequestAssertionConsumerService.
>>
>> The method which fails is the private
>> validateResponseSignature(...)
>>
>> which will do the following:
>>
>> samlKeyInfo =
>> SAMLUtil.getCredentialFromKeyInfo(
>> keyInfo.getDOM(), requestData, docInfo,
>> requestData.getWssConfig().isWsiBSPCompliant()
>> );
>>
>>
>> Perhaps I should look for a different IDP implementation. I currently
>> tried to work with Mujina IDP for testing purposes.
>> Are there any suggestions, which IDP could work? I know your example works
>> with Shibboleth, but I think Shibboleth is hard to set up and configure for
>> testing purposes. Actually a IDP Mock would be really handsome... But I
>> could not find anything else than Mujina.
>>
>>
>> Kind regards,
>>
>> Christian
>>
>>
>>
>> Am 26.11.2013 22:56, schrieb Sergey Beryozkin:
>>
>> Hi
>>>
>>> Thanks for reporting the issue, appears to be a bug in CXF or at the
>>> lower level. I guess the KeyInfo is typically available on the WS path
>>> hence the issue arises when it is not included.
>>>
>>> I can suggest a workaround for now, till the problem has been resolved:
>>>
>>> RequestAssertionConsumerService validateSamlResponseProtocol and
>>> validateSamlSSOResponse methods are protected: I wonder if you can override
>>> the method where the problem occurs and do the manual validation for now or
>>> simply ignore the validation for now to get the POC done.
>>>
>>>
>>>
>>> HTH
>>> Sergey
>>>
>>> On 26/11/13 13:25, Christian Metzler wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to implement a SAML Request Assertion Consumer Service
>>>> (RACS) with Apache CXF 2.7.7
>>>> Unfortunately the response of my Identity Provider does not include a
>>>> keyInfo (which is defined optional in the SAML specification).This leads
>>>> to an exception when processing the response, because CXF tries to load
>>>> a DOM for the keyInfo.
>>>>
>>>> |java.lang.NullPointerException
>>>> at
>>>> org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>>>>
>>>>
>>>>
>>>> |
>>>>
>>>> I have a valid keystore.properties file as well as the certificate on my
>>>> RACS site, but this does not chage the behaviour. Is this a bug in CXF
>>>> or did I miss something to set up for my RACS?
>>>>
>>>> That's my current configuration
>>>>
>>>> <bean id="consumerService"
>>>> class="org.apache.cxf.rs.security.saml.sso.
>>>> RequestAssertionConsumerService">
>>>>
>>>> <property name="stateProvider" ref="stateManager" />
>>>> <property name="enforceAssertionsSigned" value="false"/>
>>>> <property name="signaturePropertiesFile"
>>>> value="serviceKeystore.properties"/>
>>>> <property name="supportBase64Encoding" value="true" />
>>>> </bean>
>>>>
>>>> And the response from my IDP is:
>>>>
>>>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>> Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
>>>> ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
>>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>> IssueInstant="2013-11-26T09:46:48.020Z"
>>>> Version="2.0">
>>>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>>>> http://mock-idp</saml2:Issuer>
>>>>
>>>> <saml2p:Status>
>>>> <saml2p:StatusCode
>>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>>> </saml2p:Status>
>>>> <saml2:Assertion xmlns:saml2="urn:oasis:names:
>>>> tc:SAML:2.0:assertion"
>>>> ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
>>>> IssueInstant="2013-11-26T09:46:48.008Z"
>>>> Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>>> <saml2:Issuer
>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>>>> http://mock-idp</saml2:Issuer>
>>>>
>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>> <ds:SignedInfo>
>>>> <ds:CanonicalizationMethod
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>> <ds:SignatureMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>> <ds:Reference URI="#176247f7-0559-400c-8e5b-
>>>> dafedbe5be4a">
>>>> <ds:Transforms>
>>>> <ds:Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>> <ds:Transform
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>> <ec:InclusiveNamespaces
>>>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>>>> PrefixList="xs" />
>>>> </ds:Transform>
>>>> </ds:Transforms>
>>>> <ds:DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>> <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
>>>> </ds:Reference>
>>>> </ds:SignedInfo>
>>>> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTr
>>>> zVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+
>>>> oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>>>>
>>>>
>>>> </ds:Signature>
>>>> <saml2:Subject>
>>>> <saml2:NameID
>>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:
>>>> unspecified">admin</saml2:NameID>
>>>>
>>>> <saml2:SubjectConfirmation
>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>> <saml2:SubjectConfirmationData
>>>> Address="127.0.0.1"
>>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>> NotOnOrAfter="2013-11-26T09:48:18.007Z"
>>>> Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
>>>> </saml2:SubjectConfirmation>
>>>> </saml2:Subject>
>>>> <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
>>>> <saml2:AuthnContext>
>>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:
>>>> ac:classes:Password</saml2:AuthnContextClassRef>
>>>>
>>>> <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>>>>
>>>>
>>>> </saml2:AuthnContext>
>>>> </saml2:AuthnStatement>
>>>> <saml2:AttributeStatement>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">guest</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">Doe</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:mace:dir:attribute-def:displayName">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-
>>>> def:givenName">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">John</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">example.com</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">John Doe</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> </saml2:AttributeStatement>
>>>> </saml2:Assertion>
>>>> </saml2p:Response>
>>>>
>>>> Thanks for your help.
>>>>
>>>>
>>>
>>>
>>
>> --
>> ***********************************************************************
>> Christian Metzler * Software Developer
>> ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
>> Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
>> http://www.abas-software.com * http://www.abas.de
>> Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
>> Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
>> Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
>> Registered Office / Sitz der Gesellschaft: Karlsruhe
>> Commercial Register / Handelsregister: HRB 107644 Amtsgericht Mannheim
>> ***********************************************************************
>>
>>
>
>
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
Re: SAML2 RACS for signed responses
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Christian,
I am not inclined to fix this issue in CXF/WSS4J, as it will involve
changing how we use keystores for signature validation. It is quite unusual
IMO to have a XML Signature without a KeyInfo pointing to the public key to
use to validate the signature.
For different IdPs, I have tested (successfully) against WSo2's Identity
Server, Josso, Shibboleth, Picketlink and OpenAM.
Colm.
On Wed, Nov 27, 2013 at 8:52 AM, Christian Metzler <
Christian.Metzler@abas.de> wrote:
> Hi Sergey,
>
> thanks for your reply. The problem seems to be in the
> SAMLProtocolResponseValidator class. Overriding the methods you suggested
> would not be sufficient. Instead I would have to write my own
> SAMLProtocolResponseValidator and intantiate it in the
> RequestAssertionConsumerService.
>
> The method which fails is the private
> validateResponseSignature(...)
>
> which will do the following:
>
> samlKeyInfo =
> SAMLUtil.getCredentialFromKeyInfo(
> keyInfo.getDOM(), requestData, docInfo,
> requestData.getWssConfig().isWsiBSPCompliant()
> );
>
>
> Perhaps I should look for a different IDP implementation. I currently
> tried to work with Mujina IDP for testing purposes.
> Are there any suggestions, which IDP could work? I know your example works
> with Shibboleth, but I think Shibboleth is hard to set up and configure for
> testing purposes. Actually a IDP Mock would be really handsome... But I
> could not find anything else than Mujina.
>
>
> Kind regards,
>
> Christian
>
>
>
> Am 26.11.2013 22:56, schrieb Sergey Beryozkin:
>
> Hi
>>
>> Thanks for reporting the issue, appears to be a bug in CXF or at the
>> lower level. I guess the KeyInfo is typically available on the WS path
>> hence the issue arises when it is not included.
>>
>> I can suggest a workaround for now, till the problem has been resolved:
>>
>> RequestAssertionConsumerService validateSamlResponseProtocol and
>> validateSamlSSOResponse methods are protected: I wonder if you can override
>> the method where the problem occurs and do the manual validation for now or
>> simply ignore the validation for now to get the POC done.
>>
>>
>>
>> HTH
>> Sergey
>>
>> On 26/11/13 13:25, Christian Metzler wrote:
>>
>>> Hi,
>>>
>>> I am trying to implement a SAML Request Assertion Consumer Service
>>> (RACS) with Apache CXF 2.7.7
>>> Unfortunately the response of my Identity Provider does not include a
>>> keyInfo (which is defined optional in the SAML specification).This leads
>>> to an exception when processing the response, because CXF tries to load
>>> a DOM for the keyInfo.
>>>
>>> |java.lang.NullPointerException
>>> at
>>> org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>>>
>>>
>>>
>>> |
>>>
>>> I have a valid keystore.properties file as well as the certificate on my
>>> RACS site, but this does not chage the behaviour. Is this a bug in CXF
>>> or did I miss something to set up for my RACS?
>>>
>>> That's my current configuration
>>>
>>> <bean id="consumerService"
>>> class="org.apache.cxf.rs.security.saml.sso.
>>> RequestAssertionConsumerService">
>>>
>>> <property name="stateProvider" ref="stateManager" />
>>> <property name="enforceAssertionsSigned" value="false"/>
>>> <property name="signaturePropertiesFile"
>>> value="serviceKeystore.properties"/>
>>> <property name="supportBase64Encoding" value="true" />
>>> </bean>
>>>
>>> And the response from my IDP is:
>>>
>>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>> Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
>>> ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>> IssueInstant="2013-11-26T09:46:48.020Z"
>>> Version="2.0">
>>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>>> http://mock-idp</saml2:Issuer>
>>>
>>> <saml2p:Status>
>>> <saml2p:StatusCode
>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>> </saml2p:Status>
>>> <saml2:Assertion xmlns:saml2="urn:oasis:names:
>>> tc:SAML:2.0:assertion"
>>> ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
>>> IssueInstant="2013-11-26T09:46:48.008Z"
>>> Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>> <saml2:Issuer
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>>> http://mock-idp</saml2:Issuer>
>>>
>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>> <ds:SignedInfo>
>>> <ds:CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>> <ds:SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>> <ds:Reference URI="#176247f7-0559-400c-8e5b-
>>> dafedbe5be4a">
>>> <ds:Transforms>
>>> <ds:Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>> <ds:Transform
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>> <ec:InclusiveNamespaces
>>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>>> PrefixList="xs" />
>>> </ds:Transform>
>>> </ds:Transforms>
>>> <ds:DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>> <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
>>> </ds:Reference>
>>> </ds:SignedInfo>
>>> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTr
>>> zVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+
>>> oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>>>
>>>
>>> </ds:Signature>
>>> <saml2:Subject>
>>> <saml2:NameID
>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:
>>> unspecified">admin</saml2:NameID>
>>>
>>> <saml2:SubjectConfirmation
>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>> <saml2:SubjectConfirmationData
>>> Address="127.0.0.1"
>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>> NotOnOrAfter="2013-11-26T09:48:18.007Z"
>>> Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
>>> </saml2:SubjectConfirmation>
>>> </saml2:Subject>
>>> <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
>>> <saml2:AuthnContext>
>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:
>>> ac:classes:Password</saml2:AuthnContextClassRef>
>>>
>>> <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>>>
>>>
>>> </saml2:AuthnContext>
>>> </saml2:AuthnStatement>
>>> <saml2:AttributeStatement>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">guest</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">Doe</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:mace:dir:attribute-def:displayName">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-
>>> def:givenName">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">John</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">example.com</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">John Doe</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> </saml2:AttributeStatement>
>>> </saml2:Assertion>
>>> </saml2p:Response>
>>>
>>> Thanks for your help.
>>>
>>>
>>
>>
>
> --
> ***********************************************************************
> Christian Metzler * Software Developer
> ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
> Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
> http://www.abas-software.com * http://www.abas.de
> Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
> Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
> Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
> Registered Office / Sitz der Gesellschaft: Karlsruhe
> Commercial Register / Handelsregister: HRB 107644 Amtsgericht Mannheim
> ***********************************************************************
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: SAML2 RACS for signed responses
Posted by Sergey Beryozkin <sb...@gmail.com>.
On 27/11/13 12:29, Christian Metzler wrote:
> Am 27.11.2013 11:45, schrieb Sergey Beryozkin:
>> By the way, the other thing which may be worth trying, CXF Fediz also
>> offers SSO support, it is WS-Federation based but it should work
>> seamlessly, I stopped short of updating our demo to work with Fediz
>> too, will need to revisit it asap.
> That would be very helpful indeed, because I planned to use Fediz for my
> production environment. I need the ability to integrate our Database
> Backend - which is a propriatary solution - with the IDP and I think
> Fediz will offer the flexibility. Is there a way to get the SAML SSO
> profile working with Fediz? Unfortunately I could not get the Fediz
> Source Code imported to my Eclipse IDE, which stopped me to test Fediz
> as IDP.
>
Please see https://issues.apache.org/jira/browse/FEDIZ-7, please vote
for it,
Thanks, Sergey
>
Re: SAML2 RACS for signed responses
Posted by Christian Metzler <Ch...@abas.de>.
Am 27.11.2013 11:45, schrieb Sergey Beryozkin:
> By the way, the other thing which may be worth trying, CXF Fediz also
> offers SSO support, it is WS-Federation based but it should work
> seamlessly, I stopped short of updating our demo to work with Fediz
> too, will need to revisit it asap.
That would be very helpful indeed, because I planned to use Fediz for my
production environment. I need the ability to integrate our Database
Backend - which is a propriatary solution - with the IDP and I think
Fediz will offer the flexibility. Is there a way to get the SAML SSO
profile working with Fediz? Unfortunately I could not get the Fediz
Source Code imported to my Eclipse IDE, which stopped me to test Fediz
as IDP.
--
***********************************************************************
Christian Metzler * Software Developer
ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
http://www.abas-software.com * http://www.abas.de
Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
Registered Office / Sitz der Gesellschaft: Karlsruhe
Commercial Register / Handelsregister: HRB 107644 Amtsgericht Mannheim
***********************************************************************
Re: SAML2 RACS for signed responses
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Christian
On 27/11/13 10:30, Christian Metzler wrote:
> Hi Sergey,
>
>
> Am 27.11.2013 11:20, schrieb Sergey Beryozkin:
>> I'm updating the code to make it provide custom
>> SAMLProtocolResponseValidator and override some of its specific
>> validation methods, where you can customize the signature validation
> ok, that would help. Anyway I will try to get Mujina send unsigned
> requests, which also would solve the problem.
>>
>>>
>>> Perhaps I should look for a different IDP implementation. I currently
>>> tried to work with Mujina IDP for testing purposes.
>>> Are there any suggestions, which IDP could work? I know your example
>>> works with Shibboleth, but I think Shibboleth is hard to set up and
>>> configure for testing purposes. Actually a IDP Mock would be really
>>> handsome... But I could not find anything else than Mujina.
>>>
>> Please check the providers which Colm has mentioned, I can also send
>> you some info on how to set up Shibboleth easily enough
> I got Shibboleth up and running now. I think I just have to add MetaData
> for my RelyingParty which is in that case my CxfOAuth Server. I think I
> will have a closer look on the example configuration you provided with
> the OAuth SSO example.
>>
Sounds good.
By the way, the other thing which may be worth trying, CXF Fediz also
offers SSO support, it is WS-Federation based but it should work
seamlessly, I stopped short of updating our demo to work with Fediz too,
will need to revisit it asap.
Having Fediz also supporting IDP Saml Web SSO would be cool too,
hopefully in time it can be done. It can also act as OpenIdConnect
server in time too, Fediz can cover all of the SSO space eventually :-)
Cheers, Sergey
>> Thanks, Sergey
>>>
>>> Kind regards,
>>>
>>> Christian
>>>
>>>
>>>
>>> Am 26.11.2013 22:56, schrieb Sergey Beryozkin:
>>>> Hi
>>>>
>>>> Thanks for reporting the issue, appears to be a bug in CXF or at the
>>>> lower level. I guess the KeyInfo is typically available on the WS path
>>>> hence the issue arises when it is not included.
>>>>
>>>> I can suggest a workaround for now, till the problem has been resolved:
>>>>
>>>> RequestAssertionConsumerService validateSamlResponseProtocol and
>>>> validateSamlSSOResponse methods are protected: I wonder if you can
>>>> override the method where the problem occurs and do the manual
>>>> validation for now or simply ignore the validation for now to get the
>>>> POC done.
>>>>
>>>>
>>>>
>>>> HTH
>>>> Sergey
>>>>
>>>> On 26/11/13 13:25, Christian Metzler wrote:
>>>>> Hi,
>>>>>
>>>>> I am trying to implement a SAML Request Assertion Consumer Service
>>>>> (RACS) with Apache CXF 2.7.7
>>>>> Unfortunately the response of my Identity Provider does not include a
>>>>> keyInfo (which is defined optional in the SAML specification).This
>>>>> leads
>>>>> to an exception when processing the response, because CXF tries to
>>>>> load
>>>>> a DOM for the keyInfo.
>>>>>
>>>>> |java.lang.NullPointerException
>>>>> at
>>>>> org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> |
>>>>>
>>>>> I have a valid keystore.properties file as well as the certificate
>>>>> on my
>>>>> RACS site, but this does not chage the behaviour. Is this a bug in CXF
>>>>> or did I miss something to set up for my RACS?
>>>>>
>>>>> That's my current configuration
>>>>>
>>>>> <bean id="consumerService"
>>>>> class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
>>>>>
>>>>>
>>>>>
>>>>> <property name="stateProvider" ref="stateManager" />
>>>>> <property name="enforceAssertionsSigned" value="false"/>
>>>>> <property name="signaturePropertiesFile"
>>>>> value="serviceKeystore.properties"/>
>>>>> <property name="supportBase64Encoding" value="true" />
>>>>> </bean>
>>>>>
>>>>> And the response from my IDP is:
>>>>>
>>>>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>> Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
>>>>> ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
>>>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>>> IssueInstant="2013-11-26T09:46:48.020Z"
>>>>> Version="2.0">
>>>>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>>>
>>>>>
>>>>>
>>>>> <saml2p:Status>
>>>>> <saml2p:StatusCode
>>>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>>>> </saml2p:Status>
>>>>> <saml2:Assertion
>>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>> ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
>>>>> IssueInstant="2013-11-26T09:46:48.008Z"
>>>>> Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>>>> <saml2:Issuer
>>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>>>
>>>>>
>>>>>
>>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>> <ds:SignedInfo>
>>>>> <ds:CanonicalizationMethod
>>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>> <ds:SignatureMethod
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>> <ds:Reference
>>>>> URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
>>>>> <ds:Transforms>
>>>>> <ds:Transform
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>> <ds:Transform
>>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>>> <ec:InclusiveNamespaces
>>>>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>>>>> PrefixList="xs" />
>>>>> </ds:Transform>
>>>>> </ds:Transforms>
>>>>> <ds:DigestMethod
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>>> <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
>>>>> </ds:Reference>
>>>>> </ds:SignedInfo>
>>>>> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>>>>>
>>>>>
>>>>>
>>>>> </ds:Signature>
>>>>> <saml2:Subject>
>>>>> <saml2:NameID
>>>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>>>>>
>>>>>
>>>>>
>>>>> <saml2:SubjectConfirmation
>>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>>> <saml2:SubjectConfirmationData
>>>>> Address="127.0.0.1"
>>>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>>> NotOnOrAfter="2013-11-26T09:48:18.007Z"
>>>>> Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
>>>>> </saml2:SubjectConfirmation>
>>>>> </saml2:Subject>
>>>>> <saml2:AuthnStatement
>>>>> AuthnInstant="2013-11-26T09:46:47.989Z">
>>>>> <saml2:AuthnContext>
>>>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>>>>
>>>>>
>>>>>
>>>>> <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>>>>>
>>>>>
>>>>>
>>>>> </saml2:AuthnContext>
>>>>> </saml2:AuthnStatement>
>>>>> <saml2:AttributeStatement>
>>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> <saml2:Attribute
>>>>> Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">guest</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">Doe</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> <saml2:Attribute
>>>>> Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> <saml2:Attribute
>>>>> Name="urn:mace:dir:attribute-def:displayName">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> <saml2:Attribute
>>>>> Name="urn:mace:dir:attribute-def:givenName">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">John</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> <saml2:Attribute
>>>>> Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">example.com</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
>>>>> <saml2:AttributeValue
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="xs:string">John
>>>>> Doe</saml2:AttributeValue>
>>>>> </saml2:Attribute>
>>>>> </saml2:AttributeStatement>
>>>>> </saml2:Assertion>
>>>>> </saml2p:Response>
>>>>>
>>>>> Thanks for your help.
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
Re: SAML2 RACS for signed responses
Posted by Christian Metzler <Ch...@abas.de>.
Hi Sergey,
Am 27.11.2013 11:20, schrieb Sergey Beryozkin:
> I'm updating the code to make it provide custom
> SAMLProtocolResponseValidator and override some of its specific
> validation methods, where you can customize the signature validation
ok, that would help. Anyway I will try to get Mujina send unsigned
requests, which also would solve the problem.
>
>>
>> Perhaps I should look for a different IDP implementation. I currently
>> tried to work with Mujina IDP for testing purposes.
>> Are there any suggestions, which IDP could work? I know your example
>> works with Shibboleth, but I think Shibboleth is hard to set up and
>> configure for testing purposes. Actually a IDP Mock would be really
>> handsome... But I could not find anything else than Mujina.
>>
> Please check the providers which Colm has mentioned, I can also send
> you some info on how to set up Shibboleth easily enough
I got Shibboleth up and running now. I think I just have to add MetaData
for my RelyingParty which is in that case my CxfOAuth Server. I think I
will have a closer look on the example configuration you provided with
the OAuth SSO example.
>
> Thanks, Sergey
>>
>> Kind regards,
>>
>> Christian
>>
>>
>>
>> Am 26.11.2013 22:56, schrieb Sergey Beryozkin:
>>> Hi
>>>
>>> Thanks for reporting the issue, appears to be a bug in CXF or at the
>>> lower level. I guess the KeyInfo is typically available on the WS path
>>> hence the issue arises when it is not included.
>>>
>>> I can suggest a workaround for now, till the problem has been resolved:
>>>
>>> RequestAssertionConsumerService validateSamlResponseProtocol and
>>> validateSamlSSOResponse methods are protected: I wonder if you can
>>> override the method where the problem occurs and do the manual
>>> validation for now or simply ignore the validation for now to get the
>>> POC done.
>>>
>>>
>>>
>>> HTH
>>> Sergey
>>>
>>> On 26/11/13 13:25, Christian Metzler wrote:
>>>> Hi,
>>>>
>>>> I am trying to implement a SAML Request Assertion Consumer Service
>>>> (RACS) with Apache CXF 2.7.7
>>>> Unfortunately the response of my Identity Provider does not include a
>>>> keyInfo (which is defined optional in the SAML specification).This
>>>> leads
>>>> to an exception when processing the response, because CXF tries to
>>>> load
>>>> a DOM for the keyInfo.
>>>>
>>>> |java.lang.NullPointerException
>>>> at
>>>> org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>>>>
>>>>
>>>>
>>>>
>>>> |
>>>>
>>>> I have a valid keystore.properties file as well as the certificate
>>>> on my
>>>> RACS site, but this does not chage the behaviour. Is this a bug in CXF
>>>> or did I miss something to set up for my RACS?
>>>>
>>>> That's my current configuration
>>>>
>>>> <bean id="consumerService"
>>>> class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
>>>>
>>>>
>>>>
>>>> <property name="stateProvider" ref="stateManager" />
>>>> <property name="enforceAssertionsSigned" value="false"/>
>>>> <property name="signaturePropertiesFile"
>>>> value="serviceKeystore.properties"/>
>>>> <property name="supportBase64Encoding" value="true" />
>>>> </bean>
>>>>
>>>> And the response from my IDP is:
>>>>
>>>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>> Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
>>>> ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
>>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>> IssueInstant="2013-11-26T09:46:48.020Z"
>>>> Version="2.0">
>>>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>>
>>>>
>>>>
>>>> <saml2p:Status>
>>>> <saml2p:StatusCode
>>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>>> </saml2p:Status>
>>>> <saml2:Assertion
>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>> ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
>>>> IssueInstant="2013-11-26T09:46:48.008Z"
>>>> Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>>> <saml2:Issuer
>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>>
>>>>
>>>>
>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>> <ds:SignedInfo>
>>>> <ds:CanonicalizationMethod
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>> <ds:SignatureMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>> <ds:Reference
>>>> URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
>>>> <ds:Transforms>
>>>> <ds:Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>> <ds:Transform
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>> <ec:InclusiveNamespaces
>>>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>>>> PrefixList="xs" />
>>>> </ds:Transform>
>>>> </ds:Transforms>
>>>> <ds:DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>> <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
>>>> </ds:Reference>
>>>> </ds:SignedInfo>
>>>> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>>>>
>>>>
>>>>
>>>> </ds:Signature>
>>>> <saml2:Subject>
>>>> <saml2:NameID
>>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>>>>
>>>>
>>>>
>>>> <saml2:SubjectConfirmation
>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>> <saml2:SubjectConfirmationData
>>>> Address="127.0.0.1"
>>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>> NotOnOrAfter="2013-11-26T09:48:18.007Z"
>>>> Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
>>>> </saml2:SubjectConfirmation>
>>>> </saml2:Subject>
>>>> <saml2:AuthnStatement
>>>> AuthnInstant="2013-11-26T09:46:47.989Z">
>>>> <saml2:AuthnContext>
>>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>>>
>>>>
>>>>
>>>> <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>>>>
>>>>
>>>>
>>>> </saml2:AuthnContext>
>>>> </saml2:AuthnStatement>
>>>> <saml2:AttributeStatement>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">guest</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">Doe</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:mace:dir:attribute-def:displayName">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:mace:dir:attribute-def:givenName">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">John</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute
>>>> Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">example.com</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
>>>> <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">John
>>>> Doe</saml2:AttributeValue>
>>>> </saml2:Attribute>
>>>> </saml2:AttributeStatement>
>>>> </saml2:Assertion>
>>>> </saml2p:Response>
>>>>
>>>> Thanks for your help.
>>>>
>>>
>>>
>>
>>
>
--
***********************************************************************
Christian Metzler * Software Developer
ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
http://www.abas-software.com * http://www.abas.de
Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
Registered Office / Sitz der Gesellschaft: Karlsruhe
Commercial Register / Handelsregister: HRB 107644 Amtsgericht Mannheim
***********************************************************************
Re: SAML2 RACS for signed responses
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Christian
On 27/11/13 08:52, Christian Metzler wrote:
> Hi Sergey,
>
> thanks for your reply. The problem seems to be in the
> SAMLProtocolResponseValidator class. Overriding the methods you
> suggested would not be sufficient. Instead I would have to write my own
> SAMLProtocolResponseValidator and intantiate it in the
> RequestAssertionConsumerService.
>
> The method which fails is the private
> validateResponseSignature(...)
>
> which will do the following:
>
> samlKeyInfo =
> SAMLUtil.getCredentialFromKeyInfo(
> keyInfo.getDOM(), requestData, docInfo,
> requestData.getWssConfig().isWsiBSPCompliant()
> );
>
I'm updating the code to make it provide custom
SAMLProtocolResponseValidator and override some of its specific
validation methods, where you can customize the signature validation
>
> Perhaps I should look for a different IDP implementation. I currently
> tried to work with Mujina IDP for testing purposes.
> Are there any suggestions, which IDP could work? I know your example
> works with Shibboleth, but I think Shibboleth is hard to set up and
> configure for testing purposes. Actually a IDP Mock would be really
> handsome... But I could not find anything else than Mujina.
>
Please check the providers which Colm has mentioned, I can also send you
some info on how to set up Shibboleth easily enough
Thanks, Sergey
>
> Kind regards,
>
> Christian
>
>
>
> Am 26.11.2013 22:56, schrieb Sergey Beryozkin:
>> Hi
>>
>> Thanks for reporting the issue, appears to be a bug in CXF or at the
>> lower level. I guess the KeyInfo is typically available on the WS path
>> hence the issue arises when it is not included.
>>
>> I can suggest a workaround for now, till the problem has been resolved:
>>
>> RequestAssertionConsumerService validateSamlResponseProtocol and
>> validateSamlSSOResponse methods are protected: I wonder if you can
>> override the method where the problem occurs and do the manual
>> validation for now or simply ignore the validation for now to get the
>> POC done.
>>
>>
>>
>> HTH
>> Sergey
>>
>> On 26/11/13 13:25, Christian Metzler wrote:
>>> Hi,
>>>
>>> I am trying to implement a SAML Request Assertion Consumer Service
>>> (RACS) with Apache CXF 2.7.7
>>> Unfortunately the response of my Identity Provider does not include a
>>> keyInfo (which is defined optional in the SAML specification).This leads
>>> to an exception when processing the response, because CXF tries to load
>>> a DOM for the keyInfo.
>>>
>>> |java.lang.NullPointerException
>>> at
>>> org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>>>
>>>
>>>
>>> |
>>>
>>> I have a valid keystore.properties file as well as the certificate on my
>>> RACS site, but this does not chage the behaviour. Is this a bug in CXF
>>> or did I miss something to set up for my RACS?
>>>
>>> That's my current configuration
>>>
>>> <bean id="consumerService"
>>> class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
>>>
>>>
>>> <property name="stateProvider" ref="stateManager" />
>>> <property name="enforceAssertionsSigned" value="false"/>
>>> <property name="signaturePropertiesFile"
>>> value="serviceKeystore.properties"/>
>>> <property name="supportBase64Encoding" value="true" />
>>> </bean>
>>>
>>> And the response from my IDP is:
>>>
>>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>> Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
>>> ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>> IssueInstant="2013-11-26T09:46:48.020Z"
>>> Version="2.0">
>>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>
>>>
>>> <saml2p:Status>
>>> <saml2p:StatusCode
>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>> </saml2p:Status>
>>> <saml2:Assertion
>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>> ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
>>> IssueInstant="2013-11-26T09:46:48.008Z"
>>> Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>> <saml2:Issuer
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>
>>>
>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>> <ds:SignedInfo>
>>> <ds:CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>> <ds:SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>> <ds:Reference
>>> URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
>>> <ds:Transforms>
>>> <ds:Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>> <ds:Transform
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>> <ec:InclusiveNamespaces
>>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>>> PrefixList="xs" />
>>> </ds:Transform>
>>> </ds:Transforms>
>>> <ds:DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>> <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
>>> </ds:Reference>
>>> </ds:SignedInfo>
>>> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>>>
>>>
>>> </ds:Signature>
>>> <saml2:Subject>
>>> <saml2:NameID
>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>>>
>>>
>>> <saml2:SubjectConfirmation
>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>> <saml2:SubjectConfirmationData
>>> Address="127.0.0.1"
>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>> NotOnOrAfter="2013-11-26T09:48:18.007Z"
>>> Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
>>> </saml2:SubjectConfirmation>
>>> </saml2:Subject>
>>> <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
>>> <saml2:AuthnContext>
>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>>
>>>
>>> <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>>>
>>>
>>> </saml2:AuthnContext>
>>> </saml2:AuthnStatement>
>>> <saml2:AttributeStatement>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">guest</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">Doe</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:mace:dir:attribute-def:displayName">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:mace:dir:attribute-def:givenName">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">John</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute
>>> Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">example.com</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
>>> <saml2:AttributeValue
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="xs:string">John
>>> Doe</saml2:AttributeValue>
>>> </saml2:Attribute>
>>> </saml2:AttributeStatement>
>>> </saml2:Assertion>
>>> </saml2p:Response>
>>>
>>> Thanks for your help.
>>>
>>
>>
>
>
Re: SAML2 RACS for signed responses
Posted by Christian Metzler <Ch...@abas.de>.
Hi Sergey,
thanks for your reply. The problem seems to be in the
SAMLProtocolResponseValidator class. Overriding the methods you
suggested would not be sufficient. Instead I would have to write my own
SAMLProtocolResponseValidator and intantiate it in the
RequestAssertionConsumerService.
The method which fails is the private
validateResponseSignature(...)
which will do the following:
samlKeyInfo =
SAMLUtil.getCredentialFromKeyInfo(
keyInfo.getDOM(), requestData, docInfo,
requestData.getWssConfig().isWsiBSPCompliant()
);
Perhaps I should look for a different IDP implementation. I currently
tried to work with Mujina IDP for testing purposes.
Are there any suggestions, which IDP could work? I know your example
works with Shibboleth, but I think Shibboleth is hard to set up and
configure for testing purposes. Actually a IDP Mock would be really
handsome... But I could not find anything else than Mujina.
Kind regards,
Christian
Am 26.11.2013 22:56, schrieb Sergey Beryozkin:
> Hi
>
> Thanks for reporting the issue, appears to be a bug in CXF or at the
> lower level. I guess the KeyInfo is typically available on the WS path
> hence the issue arises when it is not included.
>
> I can suggest a workaround for now, till the problem has been resolved:
>
> RequestAssertionConsumerService validateSamlResponseProtocol and
> validateSamlSSOResponse methods are protected: I wonder if you can
> override the method where the problem occurs and do the manual
> validation for now or simply ignore the validation for now to get the
> POC done.
>
>
>
> HTH
> Sergey
>
> On 26/11/13 13:25, Christian Metzler wrote:
>> Hi,
>>
>> I am trying to implement a SAML Request Assertion Consumer Service
>> (RACS) with Apache CXF 2.7.7
>> Unfortunately the response of my Identity Provider does not include a
>> keyInfo (which is defined optional in the SAML specification).This leads
>> to an exception when processing the response, because CXF tries to load
>> a DOM for the keyInfo.
>>
>> |java.lang.NullPointerException
>> at
>> org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>>
>>
>>
>> |
>>
>> I have a valid keystore.properties file as well as the certificate on my
>> RACS site, but this does not chage the behaviour. Is this a bug in CXF
>> or did I miss something to set up for my RACS?
>>
>> That's my current configuration
>>
>> <bean id="consumerService"
>> class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
>>
>>
>> <property name="stateProvider" ref="stateManager" />
>> <property name="enforceAssertionsSigned" value="false"/>
>> <property name="signaturePropertiesFile"
>> value="serviceKeystore.properties"/>
>> <property name="supportBase64Encoding" value="true" />
>> </bean>
>>
>> And the response from my IDP is:
>>
>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>> Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
>> ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>> IssueInstant="2013-11-26T09:46:48.020Z"
>> Version="2.0">
>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>
>>
>> <saml2p:Status>
>> <saml2p:StatusCode
>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>> </saml2p:Status>
>> <saml2:Assertion
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
>> IssueInstant="2013-11-26T09:46:48.008Z"
>> Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
>> <saml2:Issuer
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>
>>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>> <ds:Reference
>> URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
>> <ds:Transforms>
>> <ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>> <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>> PrefixList="xs" />
>> </ds:Transform>
>> </ds:Transforms>
>> <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>> <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>>
>>
>> </ds:Signature>
>> <saml2:Subject>
>> <saml2:NameID
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>>
>>
>> <saml2:SubjectConfirmation
>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>> <saml2:SubjectConfirmationData
>> Address="127.0.0.1"
>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>> NotOnOrAfter="2013-11-26T09:48:18.007Z"
>> Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
>> </saml2:SubjectConfirmation>
>> </saml2:Subject>
>> <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
>> <saml2:AuthnContext>
>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>
>>
>> <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>>
>>
>> </saml2:AuthnContext>
>> </saml2:AuthnStatement>
>> <saml2:AttributeStatement>
>> <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">admin</saml2:AttributeValue>
>> </saml2:Attribute>
>> <saml2:Attribute
>> Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">guest</saml2:AttributeValue>
>> </saml2:Attribute>
>> <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">Doe</saml2:AttributeValue>
>> </saml2:Attribute>
>> <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>> </saml2:Attribute>
>> <saml2:Attribute
>> Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>> </saml2:Attribute>
>> <saml2:Attribute
>> Name="urn:mace:dir:attribute-def:displayName">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">admin</saml2:AttributeValue>
>> </saml2:Attribute>
>> <saml2:Attribute
>> Name="urn:mace:dir:attribute-def:givenName">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">John</saml2:AttributeValue>
>> </saml2:Attribute>
>> <saml2:Attribute
>> Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">example.com</saml2:AttributeValue>
>> </saml2:Attribute>
>> <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
>> <saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">John
>> Doe</saml2:AttributeValue>
>> </saml2:Attribute>
>> </saml2:AttributeStatement>
>> </saml2:Assertion>
>> </saml2p:Response>
>>
>> Thanks for your help.
>>
>
>
--
***********************************************************************
Christian Metzler * Software Developer
ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
http://www.abas-software.com * http://www.abas.de
Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
Registered Office / Sitz der Gesellschaft: Karlsruhe
Commercial Register / Handelsregister: HRB 107644 Amtsgericht Mannheim
***********************************************************************
Re: SAML2 RACS for signed responses
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
Thanks for reporting the issue, appears to be a bug in CXF or at the
lower level. I guess the KeyInfo is typically available on the WS path
hence the issue arises when it is not included.
I can suggest a workaround for now, till the problem has been resolved:
RequestAssertionConsumerService validateSamlResponseProtocol and
validateSamlSSOResponse methods are protected: I wonder if you can
override the method where the problem occurs and do the manual
validation for now or simply ignore the validation for now to get the
POC done.
HTH
Sergey
On 26/11/13 13:25, Christian Metzler wrote:
> Hi,
>
> I am trying to implement a SAML Request Assertion Consumer Service
> (RACS) with Apache CXF 2.7.7
> Unfortunately the response of my Identity Provider does not include a
> keyInfo (which is defined optional in the SAML specification).This leads
> to an exception when processing the response, because CXF tries to load
> a DOM for the keyInfo.
>
> |java.lang.NullPointerException
> at
> org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>
>
> |
>
> I have a valid keystore.properties file as well as the certificate on my
> RACS site, but this does not chage the behaviour. Is this a bug in CXF
> or did I miss something to set up for my RACS?
>
> That's my current configuration
>
> <bean id="consumerService"
> class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
>
> <property name="stateProvider" ref="stateManager" />
> <property name="enforceAssertionsSigned" value="false"/>
> <property name="signaturePropertiesFile"
> value="serviceKeystore.properties"/>
> <property name="supportBase64Encoding" value="true" />
> </bean>
>
> And the response from my IDP is:
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
> ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
> IssueInstant="2013-11-26T09:46:48.020Z"
> Version="2.0">
> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>
> <saml2p:Status>
> <saml2p:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
> </saml2p:Status>
> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
> IssueInstant="2013-11-26T09:46:48.008Z"
> Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
> <saml2:Issuer
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> <ds:Reference URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> PrefixList="xs" />
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>
> </ds:Signature>
> <saml2:Subject>
> <saml2:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>
> <saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> <saml2:SubjectConfirmationData
> Address="127.0.0.1"
> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
> NotOnOrAfter="2013-11-26T09:48:18.007Z"
> Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
> </saml2:SubjectConfirmation>
> </saml2:Subject>
> <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
> <saml2:AuthnContext>
> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>
> <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>
> </saml2:AuthnContext>
> </saml2:AuthnStatement>
> <saml2:AttributeStatement>
> <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">admin</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute
> Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">guest</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">Doe</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute
> Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute
> Name="urn:mace:dir:attribute-def:displayName">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">admin</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="urn:mace:dir:attribute-def:givenName">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">John</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute
> Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">example.com</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">John Doe</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> </saml2:Assertion>
> </saml2p:Response>
>
> Thanks for your help.
>
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com