Hi Danushka,

Thanks for the response! I tested this without enabling response signing and assertion signing, but the saml2:Issuer is still duplicated in both the response and the assertion. As per my reading of the SAML spec in [1], the Response doesn't contain an issuer; only the assertion contains the issuer element, which is noted in section 3.4 Responses. Please correct me if I'm wrong.

The full Response is attached for the above scenario (without enabling response signing and assertion signing).

[1] - http://saml.xml.org/saml-specifications

Thanks!
On Thu, Oct 1, 2015 at 8:33 PM, Danushka Fernando <[email protected]>
wrote:
> Hi Nadeesha,
>
> The duplicate entry you mean is under the SAML assertion. A SAML
> response object contains a SAML assertion, and when you sign both the response
> and the assertion this entry is included in both objects. For more details you
> can refer to the SAML spec [1].
>
> [1] http://saml.xml.org/saml-specifications
>
> Thanks & Regards
> Danushka Fernando
> Senior Software Engineer
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729
>
>
> On Oct 1, 2015 7:10 PM, "Nadeesha Meegoda" <[email protected]> wrote:
>
>> Hi IS team,
>>
>> I am testing SAML SSO with the travelocity app, and when I signed in to the
>> app I noticed that the SAML authentication response contains duplicate entries
>> for saml2:Issuer, ds:Signature, ds:X509Certificate etc. with the same
>> response data. Is there a special reason these are duplicated? Just need to
>> clarify!
>>
>> Noted below is the section that is duplicated in the response:
>>
>> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">mgt.is.wso2.com</saml2:Issuer>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>   <ds:SignedInfo>
>>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>     <ds:Reference URI="#bnlofhdfbehmnhiajimjohbkhepimciajocfmdkl">
>>       <ds:Transforms>
>>         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>       </ds:Transforms>
>>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>       <ds:DigestValue>fiOel63mdz3HsEz2JrSbUgBvYDw=</ds:DigestValue>
>>     </ds:Reference>
>>   </ds:SignedInfo>
>>   <ds:SignatureValue>VgbMj1PIjJ0JFdyJ9AKaLkBnj7OD/prQahVU5WgdK9PAMvMedKt42pna+A5YznK0zLrzPKHAP/5VD6qHVPtF5LsYqJNEC4OTR1Mo2nzv34nOQxZZ95uxKBoxD/eVzgrqNBIzAecgSXvvYBj1ZlmjbJQoOuVxgdFOhOkz8S3bO+Q=</ds:SignatureValue>
>>   <ds:KeyInfo>
>>     <ds:X509Data>
>>       <ds:X509Certificate>...</ds:X509Certificate>
>>     </ds:X509Data>
>>   </ds:KeyInfo>
>> </ds:Signature>
>>
>> Full Response is attached with the mail.
>>
>> Highly appreciate an explanation on this!
>>
>>
>> Thanks
>>
>> --
>> *Nadeesha Meegoda*
>> Software Engineer - QA
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> email : [email protected]
>> mobile: +94783639540
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
--
*Nadeesha Meegoda*
Software Engineer - QA
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
email : [email protected]
mobile: +94783639540
<saml2p:Response Destination="http://localhost:8080/travelocity.com/home.jsp"
    ID="mlncolpndppldfahlldjahicojinmokhdllbdojj"
    InResponseTo="0"
    IssueInstant="2015-10-02T04:46:46.635Z"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion ID="kaecjkibblcdmcmdgnfcjopedkioklmgbpkiepjl"
      IssueInstant="2015-10-02T04:46:46.635Z"
      Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#kaecjkibblcdmcmdgnfcjopedkioklmgbpkiepjl">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>sW59qQPVCbwovHQV8ME/7WZPz+A=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>C4G4L7+DM/fFgIYc5DdiXvq81gbqI/FmS3VEqrKEQ5lsw4YghVO9rSNV/avqC6QSOQMqpdvM+V4Bk0orJEJMsJZaR4ekizaEp7iuNbfHAEWFz6Xl9/Fb5g+z1w/6Wk1O17k6SmrVTtlSmmPNXtFUsqY54SxXbgFKAVDZ12DX9/8=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="0"
            NotOnOrAfter="2015-10-02T04:51:46.635Z"
            Recipient="http://localhost:8080/travelocity.com/home.jsp" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-10-02T04:46:46.635Z"
        NotOnOrAfter="2015-10-02T04:51:46.635Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>travelocity.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-10-02T04:46:46.636Z"
        SessionIndex="8cc0659c-9f74-45d6-9b8e-553aa22dde4b">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
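The structure the thread is discussing, as an added example that is not part of the original mails and not WSO2 Identity Server code: a stdlib-only Python script that walks a SAML 2.0 Response, reports the Issuer at the Response level and inside each Assertion, and checks that every ds:Signature's Reference URI points at the ID of the element that encloses it. In SAML 2.0 core the Response-level Issuer is optional (StatusResponseType, 3.2.2) while the Assertion-level Issuer is required (2.3.3), so two Issuers in one document is expected; with both response and assertion signing enabled, two enveloped signatures, one over each ID, is expected too. The sample document is a trimmed copy of the response attached to the mail (certificate elided, Subject and later elements dropped); the mismatched variant and the function names (issuers_by_level, signature_bindings, misplaced_signatures) are the example's own.

```python
"""Inspect where Issuer and Signature elements sit in a SAML 2.0 Response.

Added example for this thread, not code from WSO2 Identity Server. It only
looks at structure and does not validate any signature; for untrusted input
put a hardened parser (e.g. defusedxml) in front of a real XML-DSig library.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def q(prefix, local):
    """Clark-notation tag name, e.g. q('ds', 'Signature')."""
    return "{%s}%s" % (NS[prefix], local)


# Trimmed copy of the response attached to the mail: assertion-only signing,
# certificate elided, Subject/Conditions/AuthnStatement dropped for brevity.
SAMPLE_RESPONSE = """<saml2p:Response Destination="http://localhost:8080/travelocity.com/home.jsp"
    ID="mlncolpndppldfahlldjahicojinmokhdllbdojj" InResponseTo="0"
    IssueInstant="2015-10-02T04:46:46.635Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="kaecjkibblcdmcmdgnfcjopedkioklmgbpkiepjl"
      IssueInstant="2015-10-02T04:46:46.635Z" Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#kaecjkibblcdmcmdgnfcjopedkioklmgbpkiepjl">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>sW59qQPVCbwovHQV8ME/7WZPz+A=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>C4G4L7+DM/fFgIYc5DdiXvq81gbqI/FmS3VEqrKEQ5lsw4YghVO9rSNV/avqC6QSOQMqpdvM+V4Bk0orJEJMsJZaR4ekizaEp7iuNbfHAEWFz6Xl9/Fb5g+z1w/6Wk1O17k6SmrVTtlSmmPNXtFUsqY54SxXbgFKAVDZ12DX9/8=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>elided</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed variant (not from the thread): the signature inside the
# Assertion references the Response ID instead of the Assertion ID. A
# signature that does not reference its own parent is one of the things a
# verifier must catch to resist XML Signature Wrapping.
MISMATCHED_RESPONSE = SAMPLE_RESPONSE.replace(
    'URI="#kaecjkibblcdmcmdgnfcjopedkioklmgbpkiepjl"',
    'URI="#mlncolpndppldfahlldjahicojinmokhdllbdojj"',
)


def issuers_by_level(xml_text):
    """Return (response_issuer_or_None, [issuer of each Assertion])."""
    root = ET.fromstring(xml_text)
    resp = root.find(q("saml2", "Issuer"))            # direct child only
    resp_issuer = (resp.text or "").strip() if resp is not None else None
    assertion_issuers = [
        a.findtext(q("saml2", "Issuer"), default="").strip()
        for a in root.findall(q("saml2", "Assertion"))
    ]
    return resp_issuer, assertion_issuers


def signature_bindings(xml_text):
    """For every ds:Signature: (parent local name, parent ID, Reference URI).

    An enveloped signature protects the element that contains it, so the
    Reference URI is expected to equal '#' + that parent's ID."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    bindings = []
    for sig in root.iter(q("ds", "Signature")):
        parent = parent_of.get(sig)
        if parent is None:
            continue                                    # a bare Signature root
        ref = sig.find("./%s/%s" % (q("ds", "SignedInfo"), q("ds", "Reference")))
        uri = ref.get("URI") if ref is not None else None
        bindings.append((parent.tag.rsplit("}", 1)[-1], parent.get("ID"), uri))
    return bindings


def misplaced_signatures(xml_text):
    """Signatures whose Reference does not point at their own parent's ID."""
    return [b for b in signature_bindings(xml_text)
            if b[1] is None or b[2] != "#" + b[1]]


if __name__ == "__main__":
    print("issuers:", issuers_by_level(SAMPLE_RESPONSE))
    print("signatures:", signature_bindings(SAMPLE_RESPONSE))
    print("misplaced (sample):", misplaced_signatures(SAMPLE_RESPONSE))
    print("misplaced (constructed):", misplaced_signatures(MISMATCHED_RESPONSE))
```

Run it against the attached response and the sample shows one Issuer at each level and a single signature whose Reference matches the Assertion ID; with response signing turned on you would see a second Signature whose Reference matches the Response ID, which is the duplication the first mail asked about. The placement check is a structural guard only: a real verifier still has to canonicalise, check the digest and signature value against a pinned IdP certificate rather than the one carried in KeyInfo, and confirm the verified element is the one whose claims it goes on to trust.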