Hi

Thanks for reporting the issue; it appears to be a bug in CXF or at a lower level. I guess the KeyInfo is typically available on the WS path, hence the issue arises when it is not included.

I can suggest a workaround for now, till the problem has been resolved:

RequestAssertionConsumerService validateSamlResponseProtocol and validateSamlSSOResponse methods are protected: I wonder if you can override the method where the problem occurs and do the manual validation for now or simply ignore the validation for now to get the POC done.



HTH
Sergey

On 26/11/13 13:25, Christian Metzler wrote:
Hi,

I am trying to implement a SAML Request Assertion Consumer Service
(RACS) with Apache CXF 2.7.7
Unfortunately the response of my Identity Provider does not include a
keyInfo (which is defined as optional in the SAML specification). This leads
to an exception when processing the response, because CXF tries to load
a DOM for the keyInfo.

java.lang.NullPointerException
    at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)

I have a valid keystore.properties file as well as the certificate on my
RACS site, but this does not change the behaviour. Is this a bug in CXF
or did I miss something to set up for my RACS?

That's my current configuration

    <bean id="consumerService"
        class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
        <property name="stateProvider" ref="stateManager" />
        <property name="enforceAssertionsSigned" value="false"/>
        <property name="signaturePropertiesFile" value="serviceKeystore.properties"/>
        <property name="supportBase64Encoding" value="true" />
    </bean>

And the response from my IDP is:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
    ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
    InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
    IssueInstant="2013-11-26T09:46:48.020Z"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
        IssueInstant="2013-11-26T09:46:48.008Z"
        Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                PrefixList="xs" />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData
                    Address="127.0.0.1"
                    InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
                    NotOnOrAfter="2013-11-26T09:48:18.007Z"
                    Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">admin</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">guest</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">Doe</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:displayName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">admin</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:givenName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">John</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">example.com</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">John Doe</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Thanks for your help.



--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
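The workaround Sergey proposes is to override the protected validation step and do the signature verification by hand. What follows is an added example, not CXF's code and not code from either poster, of what that manual step should do: verify the enveloped signature on the saml2:Assertion with the JDK's javax.xml.crypto.dsig API, taking the verification key from the IdP certificate already held in the SP's keystore rather than from a ds:KeyInfo in the message. The keystore path, password and alias are placeholders, and the class is written to be called from whatever override point the CXF version in use provides. Skipping validation altogether, even for a POC, means the RACS accepts any assertion posted to it, and a KeyInfo supplied by the message is attacker-controlled in any case, so pinning the key on the SP side is the right shape for the real fix as well as the workaround.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Manual check of the enveloped ds:Signature on the saml2:Assertion of a
 * SAML 2.0 Response whose signature carries no ds:KeyInfo. The verification
 * key is the IdP certificate the SP already holds in its own keystore; the
 * message is never asked which key to trust.
 */
public class AssertionSignatureCheck {

    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Loads the IdP signing certificate from the SP's JKS keystore (path and alias are placeholders). */
    public static X509Certificate loadIdpCert(String keystorePath, char[] password, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        return cert;
    }

    /** Returns true only if the single Assertion is signed by idpCert over itself. */
    public static boolean verifyAssertionSignature(byte[] responseXml, X509Certificate idpCert)
            throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // No DTDs or entity expansion: the response is attacker-controlled input.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(responseXml));

        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) {
            return false;
        }
        Element assertion = (Element) assertions.item(0);
        // Register ID as an ID-typed attribute so the "#<ID>" reference URI resolves to it.
        assertion.setIdAttribute("ID", true);

        // The Signature must be a direct child of this Assertion, not one placed elsewhere.
        NodeList sigs = assertion.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) {
            return false;
        }

        DOMValidateContext ctx = new DOMValidateContext(new FixedCertSelector(idpCert), sigs.item(0));
        // Secure validation mode: restricts transforms and, on JDK 17+, rejects SHA-1
        // based signatures such as the rsa-sha1 the IdP in the thread above uses.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            return false;
        }
        // Exactly one Reference, and it must point at this Assertion's own ID; otherwise a
        // valid signature over some other element would be accepted as covering this one.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) {
            return false;
        }
        Reference ref = (Reference) refs.get(0);
        return ("#" + assertion.getAttribute("ID")).equals(ref.getURI());
    }

    /** Ignores whatever KeyInfo the message carries and always returns the pinned IdP key. */
    static final class FixedCertSelector extends KeySelector {
        private final X509Certificate cert;

        FixedCertSelector(X509Certificate cert) {
            this.cert = cert;
        }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context) {
            return () -> cert.getPublicKey();
        }
    }
}
```

The KeySelector is the piece that makes the missing KeyInfo a non-issue: the JSR 105 validator calls it with whatever KeyInfo is present (here, none) and it answers with the pinned key regardless. The parent-node and reference-URI checks are there because a signature that validates is not the same as a signature that covers the assertion being consumed; both conditions need to hold before the NameID and attributes are trusted.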
