Hi,

I am trying to implement a SAML Request Assertion Consumer Service (RACS) with Apache CXF 2.7.7. Unfortunately the response from my Identity Provider does not include a `ds:KeyInfo` element in the assertion's signature (KeyInfo is optional in the SAML / XML Signature specifications). This leads to an exception when processing the response, because CXF (WSS4J's AssertionWrapper.verifySignature) apparently tries to build a DOM structure for the missing KeyInfo and dereferences null:

java.lang.NullPointerException
    at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)

I have a valid keystore properties file (serviceKeystore.properties) as well as the (IdP) certificate in the keystore on my RACS side, but this does not change the behaviour. Is this a bug in CXF, or did I miss something in the set-up of my RACS? (Without a KeyInfo the consumer cannot take the verification key from the message — which is the right thing anyway, since a key carried inside the message proves nothing — so it must be told out of band which trusted certificate, selected by the assertion's Issuer, to verify the signature with.)

This is my current configuration. Note that `enforceAssertionsSigned="false"` does not avoid the exception (the assertion is signed, so CXF still verifies it) and must not be left in a production set-up, since it would allow unsigned — i.e. forgeable — assertions to be accepted:

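    <!--
      SAML Web Browser SSO consumer (the SP side of the flow). CXF's
      RequestAssertionConsumerService receives the IdP's <saml2p:Response> at
      the ACS endpoint, checks the assertion signature using the keystore named
      in signaturePropertiesFile, and uses stateProvider to track the
      request/response state of the SSO exchange.
    -->
    <bean id="consumerService"
          class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
        <!-- Keeps SSO request/response state (e.g. the request ID that the
             Response's InResponseTo is matched against). NOTE(review): presumably
             the same bean the AuthnRequest-issuing filter uses - confirm. -->
        <property name="stateProvider" ref="stateManager" />

        <!-- SECURITY: must stay true. "false" lets the consumer accept an
             assertion that carries no signature at all, i.e. anyone who can POST
             to the ACS endpoint can mint a login. It is also no workaround for
             the KeyInfo NullPointerException: the IdP's assertion IS signed, so
             the signature is still verified and still fails with "false". -->
        <property name="enforceAssertionsSigned" value="true"/>

        <!-- WSS4J/Merlin crypto properties. The IdP's assertion signature carries
             no <ds:KeyInfo>, so the IdP signing certificate must be present in
             this keystore (trusted out of band, never taken from the message) and
             the consumer has to select it from the assertion Issuer. Whether
             CXF 2.7.7 / its WSS4J version supports KeyInfo-less SAML signature
             verification at all needs to be confirmed against the release notes. -->
        <property name="signaturePropertiesFile" value="serviceKeystore.properties"/>

        <!-- Accept Base64-encoded SAMLResponse values (assumed to be what the
             HTTP-POST binding delivers - confirm against the CXF SSO docs). -->
        <property name="supportBase64Encoding" value="true" />
    </bean>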

And the response from my IdP is shown below. Only the Assertion is signed (RSA-SHA1 over an exclusive-c14n digest, without any KeyInfo); the Response element itself carries no signature, and the bearer SubjectConfirmationData is bound to this request via InResponseTo, Recipient and a NotOnOrAfter of 90 seconds:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
    ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
    InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
    IssueInstant="2013-11-26T09:46:48.020Z"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
        IssueInstant="2013-11-26T09:46:48.008Z"
        Version="2.0"
        xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                PrefixList="xs" />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="127.0.0.1"
                    InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
                    NotOnOrAfter="2013-11-26T09:48:18.007Z"
                    Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">admin</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">guest</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">Doe</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:displayName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">admin</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:givenName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">John</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">example.com</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">John Doe</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Thanks for your help.

--
***********************************************************************
Christian Metzler * Software Developer
ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
http://www.abas-software.com * http://www.abas.de
Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
Registered Office / Sitz der Gesellschaft: Karlsruhe
Commercial Register / Handelsregister:  HRB 107644 Amtsgericht Mannheim
***********************************************************************
