Hi Christian
On 27/11/13 10:30, Christian Metzler wrote:
Hi Sergey,
Am 27.11.2013 11:20, schrieb Sergey Beryozkin:
I'm updating the code to make it provide a custom
SAMLProtocolResponseValidator and override some of its specific
validation methods, where you can customize the signature validation.
OK, that would help. Anyway, I will try to get Mujina to send unsigned
requests, which would also solve the problem.
Perhaps I should look for a different IDP implementation. I currently
tried to work with Mujina IDP for testing purposes.
Are there any suggestions as to which IDP could work? I know your example
works with Shibboleth, but I think Shibboleth is hard to set up and
configure for testing purposes. Actually, an IDP mock would be really
handsome... But I could not find anything other than Mujina.
Please check the providers which Colm has mentioned; I can also send
you some info on how to set up Shibboleth easily enough.
I got Shibboleth up and running now. I think I just have to add metadata
for my RelyingParty, which in that case is my CxfOAuth Server. I think I
will have a closer look at the example configuration you provided with
the OAuth SSO example.
Sounds good.
By the way, the other thing which may be worth trying: CXF Fediz also
offers SSO support. It is WS-Federation based, but it should work
seamlessly. I stopped short of updating our demo to work with Fediz too;
will need to revisit it asap.
Having Fediz also supporting IDP Saml Web SSO would be cool too,
hopefully in time it can be done. It can also act as OpenIdConnect
server in time too, Fediz can cover all of the SSO space eventually :-)
Cheers, Sergey
Thanks, Sergey
Kind regards,
Christian
Am 26.11.2013 22:56, schrieb Sergey Beryozkin:
Hi
Thanks for reporting the issue, appears to be a bug in CXF or at the
lower level. I guess the KeyInfo is typically available on the WS path
hence the issue arises when it is not included.
I can suggest a workaround for now, till the problem has been resolved:
RequestAssertionConsumerService validateSamlResponseProtocol and
validateSamlSSOResponse methods are protected: I wonder if you can
override the method where the problem occurs and do the manual
validation for now or simply ignore the validation for now to get the
POC done.
HTH
Sergey
On 26/11/13 13:25, Christian Metzler wrote:
Hi,
I am trying to implement a SAML Request Assertion Consumer Service
(RACS) with Apache CXF 2.7.7.
Unfortunately the response of my Identity Provider does not include a
KeyInfo (which is defined as optional in the SAML specification). This
leads to an exception when processing the response, because CXF tries to
load a DOM for the KeyInfo.
java.lang.NullPointerException
    at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
I have a valid keystore.properties file as well as the certificate on my
RACS side, but this does not change the behaviour. Is this a bug in CXF,
or did I miss something in the setup of my RACS?
That's my current configuration:
<bean id="consumerService"
      class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
    <property name="stateProvider" ref="stateManager" />
    <property name="enforceAssertionsSigned" value="false"/>
    <property name="signaturePropertiesFile" value="serviceKeystore.properties"/>
    <property name="supportBase64Encoding" value="true" />
</bean>
And the response from my IDP is:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
IssueInstant="2013-11-26T09:46:48.020Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
IssueInstant="2013-11-26T09:46:48.008Z"
Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference
URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
</ds:Signature>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
Address="127.0.0.1"
InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
NotOnOrAfter="2013-11-26T09:48:18.007Z"
Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement
AuthnInstant="2013-11-26T09:46:47.989Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">guest</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Doe</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:mace:dir:attribute-def:displayName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:mace:dir:attribute-def:givenName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">John</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">John
Doe</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Thanks for your help.
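Added example (not CXF, WSS4J or Mujina code): a Python pre-check a RACS could run on a response like the one above before handing it to the signature verifier, so that a Signature without ds:KeyInfo, a Reference that does not cover the Assertion ID, or an InResponseTo/Recipient/NotOnOrAfter mismatch is reported as a finding instead of surfacing as a NullPointerException. The sample response is a constructed, trimmed copy of the posted one with a placeholder signature value; `check_response` and `parse_ts` are names of this example only.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
RACS_URL = "https://localhost:8181/CxfOAuthServer/racs/sso"
REQUEST_ID = "9b2b1a98-76bb-4a66-a909-81790a02a6c8"

# Constructed sample: trimmed copy of the thread's response (placeholder signature value).
SAMPLE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" ID="r1" Version="2.0"
 Destination="{RACS_URL}" InResponseTo="{REQUEST_ID}">
 <saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="a1" Version="2.0">
  <ds:Signature xmlns:ds="{NS['ds']}">
   <ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml2:Subject><saml2:SubjectConfirmation>
   <saml2:SubjectConfirmationData InResponseTo="{REQUEST_ID}" Recipient="{RACS_URL}"
    NotOnOrAfter="2013-11-26T09:48:18.007Z"/>
  </saml2:SubjectConfirmation></saml2:Subject>
 </saml2:Assertion>
</saml2p:Response>"""

def parse_ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, request_id, racs_url, now):
    """Return the problems found; an empty list means every check passed."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("InResponseTo") != request_id:
        problems.append("Response InResponseTo does not match our AuthnRequest ID")
    assertion = resp.find("saml2:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    if assertion.find("ds:Signature/ds:KeyInfo", NS) is None:
        # The thread's case: the verification key must then come from IDP metadata/keystore.
        problems.append("Signature has no ds:KeyInfo (or Assertion is unsigned)")
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is not None and ref.get("URI") != "#" + assertion.get("ID", ""):
        problems.append("Signature Reference does not cover the Assertion ID")
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        return problems + ["Assertion has no SubjectConfirmationData"]
    if scd.get("InResponseTo") != request_id:
        problems.append("SubjectConfirmationData InResponseTo mismatch")
    if scd.get("Recipient") != racs_url:
        problems.append("SubjectConfirmationData Recipient mismatch")
    if parse_ts(now) >= parse_ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData NotOnOrAfter has passed")
    return problems
```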