Hi Colm

I can see that it is a bearer assertion, which is where KeyInfo is optional, right?

I'm fine with the fix not being done at WSS4J level because WSS4J is dedicated primarily to managing SAML (and other) assertions coming on the WS path, where no bearer assertions exist AFAIK, so no need to relax it there.

But we can def expect bearer SAML assertions on the RS path (the example in http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile shows no KeyInfo), and the bearer is expected in case of OAuth2 SAML2 grants.

IMHO we need to get it fixed in CXF RS code; I'll be happy to poke a bit and offer it for review once it is done.

Thanks, Sergey

On 27/11/13 09:57, Colm O hEigeartaigh wrote:
Hi Christian,

I am not inclined to fix this issue in CXF/WSS4J, as it will involve
changing how we use keystores for signature validation. It is quite unusual
IMO to have an XML Signature without a KeyInfo pointing to the public key to
use to validate the signature.

For different IdPs, I have tested (successfully) against WSo2's Identity
Server, Josso, Shibboleth, Picketlink and OpenAM.

Colm.


On Wed, Nov 27, 2013 at 8:52 AM, Christian Metzler <
[email protected]> wrote:

Hi Sergey,

Thanks for your reply. The problem seems to be in the
SAMLProtocolResponseValidator class. Overriding the methods you suggested
would not be sufficient. Instead I would have to write my own
SAMLProtocolResponseValidator and instantiate it in the
RequestAssertionConsumerService.

The method which fails is the private
     validateResponseSignature(...)

which will do the following:

     samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(
         keyInfo.getDOM(), requestData, docInfo,
         requestData.getWssConfig().isWsiBSPCompliant()
     );


Perhaps I should look for a different IDP implementation. I currently
tried to work with Mujina IDP for testing purposes.
Are there any suggestions, which IDP could work? I know your example works
with Shibboleth, but I think Shibboleth is hard to set up and configure for
testing purposes. Actually an IDP Mock would be really handsome... But I
could not find anything else than Mujina.


Kind regards,

Christian



On 26.11.2013 22:56, Sergey Beryozkin wrote:

Hi

Thanks for reporting the issue, appears to be a bug in CXF or at the
lower level. I guess the KeyInfo is typically available on the WS path
hence the issue arises when it is not included.

I can suggest a workaround for now, till the problem has been resolved:

RequestAssertionConsumerService validateSamlResponseProtocol and
validateSamlSSOResponse methods are protected: I wonder if you can override
the method where the problem occurs and do the manual validation for now or
simply ignore the validation for now to get the POC done.



HTH
Sergey

On 26/11/13 13:25, Christian Metzler wrote:

Hi,

I am trying to implement a SAML Request Assertion Consumer Service
(RACS) with Apache CXF 2.7.7.
Unfortunately the response of my Identity Provider does not include a
keyInfo (which is defined as optional in the SAML specification). This leads
to an exception when processing the response, because CXF tries to load
a DOM for the keyInfo.

java.lang.NullPointerException
    at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)

I have a valid keystore.properties file as well as the certificate on my
RACS site, but this does not change the behaviour. Is this a bug in CXF
or did I miss something to set up for my RACS?

That's my current configuration:

      <bean id="consumerService"
          class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
          <property name="stateProvider" ref="stateManager" />
          <property name="enforceAssertionsSigned" value="false"/>
          <property name="signaturePropertiesFile" value="serviceKeystore.properties"/>
          <property name="supportBase64Encoding" value="true" />
      </bean>

And the response from my IDP is:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
    ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
    InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
    IssueInstant="2013-11-26T09:46:48.020Z"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
        IssueInstant="2013-11-26T09:46:48.008Z"
        Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                PrefixList="xs" />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData
                    Address="127.0.0.1"
                    InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
                    NotOnOrAfter="2013-11-26T09:48:18.007Z"
                    Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">admin</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">guest</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">Doe</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:displayName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">admin</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:givenName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">John</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">example.com</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">John Doe</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Thanks for your help.





--
***********************************************************************
Christian Metzler * Software Developer
ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
http://www.abas-software.com * http://www.abas.de
Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
Registered Office / Sitz der Gesellschaft: Karlsruhe
Commercial Register / Handelsregister:  HRB 107644 Amtsgericht Mannheim
***********************************************************************






--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
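The thread's core point is that a bearer assertion carries no ds:KeyInfo, so the SP has to supply the IdP's signing key from its own trust store and must not depend on anything inside the message to pick the key. As an added example that is not part of this thread and not CXF or WSS4J code, the class below shows that with the plain Java XML Digital Signature API: a KeySelector that ignores KeyInfo and always returns a pinned IdP certificate (assumed to be loaded from the SP keystore by the caller), plus a check that the Assertion's single Reference really covers the Assertion element and that the Signature is its direct child. Class and method names are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeyInfo;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Verifies the enveloped signature on a SAML 2.0 Assertion with a pinned IdP
 *  certificate taken from the SP keystore; ds:KeyInfo is never consulted. */
public final class PinnedKeySamlVerifier {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private final X509Certificate idpCert; // assumed: loaded from the SP keystore by the caller

    public PinnedKeySamlVerifier(X509Certificate idpCert) { this.idpCert = idpCert; }

    /** True only if the signature verifies under the pinned key, is a direct child
     *  of the Assertion, and its single Reference covers the Assertion itself. */
    public boolean verifyAssertion(Element assertion) throws Exception {
        assertion.setIdAttribute("ID", true); // lets the "#<ID>" Reference URI resolve
        NodeList sigs = assertion.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) {
            return false; // reject missing, multiple, or nested (wrapped) signatures
        }
        KeySelector pinned = new KeySelector() { // ignores KeyInfo, returns pinned key
            @Override public KeySelectorResult select(KeyInfo ki, Purpose p,
                    AlgorithmMethod m, XMLCryptoContext c) {
                return () -> idpCert.getPublicKey();
            }
        };
        DOMValidateContext ctx = new DOMValidateContext(pinned, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false; // checks SignatureValue and every digest
        List<?> refs = sig.getSignedInfo().getReferences();
        String self = "#" + assertion.getAttribute("ID");
        return refs.size() == 1 && self.equals(((Reference) refs.get(0)).getURI());
    }
}
```

The caller still has to apply the SAML-level checks the RACS performs anyway (Issuer, InResponseTo, Recipient, NotOnOrAfter); this class only settles the key-selection question the thread is about.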
