I want to know how digestValue was calculated when we have AttributeStatement in the SAML 2 Response.
I can calculate and get the same digestValue when I do not have any "saml2:AttributeStatement" returned in SAML response by:
Deleting ds:Signature segment
Canonicalizing XML payload
Applying SHA-256 to calculate digest value (as I configured on IDP part)
But when I configured in IDP side to add "saml2:AttributeStatement" in the response along with one attribute, I can no longer calculate the same digestvalue as IDP returned to me no matter I kept "saml2:AttributeStatement" or not.
What shall I do here to calculate the correct value? FYI, I am using OKTA IDP.
My SAML Assertion in my SAML response is as follows:
<saml2:Assertion ID="id2725281198079267683856882"
IssueInstant="2021-09-20T07:18:33.051Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk1mv3c9ke9u3tz25d7
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id2725281198079267683856882">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>uHowdunaQ+0tDsHrEGgJFUWwd23L08Qubp9HFS2In2Q=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>S9YQNf7t...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDq...
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">allen.li#gmail.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="a3b3ff8jicf316993316069j03bdjfj"
NotOnOrAfter="2021-09-20T07:23:33.051Z"
Recipient="http://localhost:8080/saml/SSO"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-09-20T07:13:33.051Z"
NotOnOrAfter="2021-09-20T07:23:33.051Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>http://localhost:8080/saml/metadata</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-09-20T07:18:33.051Z"
SessionIndex="a3b3ff8jicf316993316069j03bdjfj"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>allen.li#gmail.com
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Issue resolved. There is a gap between OKTA performing Canonicalization and what is provided in Java org.apache.xml.security.c14n.Canonicalizer.getInstance(String). In Java implementation they deleted namespace xmlns:xs="http://www.w3.org/2001/XMLSchema", but OKTA kept it. After I added this namespace in canonicalized SAML Assertion and calculated digest value, I got same value as OKTA.
Related
i'm implementing a DRM server, so far HLS is working great but i have a problem with the playready key encryption, i know that i need to use the public key and License Nonce(IV) from the client request but i couldn't find the algorithm to encrypt it.
example from Microsoft playReady test server
client requst:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<AcquireLicense xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols">
<challenge>
<Challenge xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols/messages">
<LA xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols" Id="SignedData" xml:space="preserve">
<Version>1</Version>
<ContentHeader>
<WRMHEADER xmlns="http://schemas.microsoft.com/DRM/2007/03/PlayReadyHeader" version="4.0.0.0">
<DATA>
<PROTECTINFO>
<KEYLEN>16</KEYLEN>
<ALGID>AESCTR</ALGID>
</PROTECTINFO>
<KID>7987aj+eE0uBlXi0N73AQw==</KID>
<CHECKSUM>s1zZSs3Wwow=</CHECKSUM>
<CUSTOMATTRIBUTES>
<IIS_DRM_VERSION>7.1.1064.0</IIS_DRM_VERSION>
</CUSTOMATTRIBUTES>
<LA_URL>http://playready.directtaps.net/pr/svc/rightsmanager.asmx</LA_URL>
<DS_ID>AH+03juKbUGbHl1V/QIwRA==</DS_ID>
</DATA>
</WRMHEADER>
</ContentHeader>
<CLIENTINFO>
<CLIENTVERSION>2.0.0.1446</CLIENTVERSION>
</CLIENTINFO>
<RevocationLists>
<RevListInfo>
<ListID>ioydTlK2p0WXkWklprR5Hw==</ListID>
<Version>11</Version>
</RevListInfo>
<RevListInfo>
<ListID>gC4IKKPHsUCCVhnlttibJw==</ListID>
<Version>11</Version>
</RevListInfo>
<RevListInfo>
<ListID>BOZ1zT1UnEqfCf5tJOi/kA==</ListID>
<Version>12</Version>
</RevListInfo>
<RevListInfo>
<ListID>Ef/RUojT3U6Ct2jqTCChbA==</ListID>
<Version>34</Version>
</RevListInfo>
</RevocationLists>
<LicenseNonce>e7NgfwBi1xX/egdgV9BrWQ==</LicenseNonce>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://schemas.microsoft.com/DRM/2007/03/protocols#ecc256" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>WMRMServer</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>W13Rs+iFyn5Qgh8iAduenxsRw3w2mOTNhfOPI6Fwv5kIn93cCauDFJexka6jtQHJ+by8wyTv4u7RofeZW9G8NakvV0JpGg7d5rEg1q1XMwy267Hecnch75FKEPSiydx2NU83IambHenRhJJ5gg3/u1aVpaXsCVtnQsv5pt5L+JM=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>cWEqivcZkvs9Le02WXFsSnCn8W+J87cN0a0/6IXZ1OIYJ8ZgVE2Bf6J14Destd4rYxKonQiMZ5mL+LZytuq7dA8LGFASKUNGKynx887tdMDMbwJnBQAllE593kUqnD4XIyKO04APahlQ1k4ezBrTU3o0TD8ssIN2OxxW4NdoNMPc+rlrPMY31hXVoIdUV7viueMRFcokDgDk/vii3yrHfLpx+iyVINhYhye1Oh0JsKc8Fkz/O1XfSrCVQzVZHI3Hui62r/Pf9H1kblv7CXo1H7Vno8trNq2zsEj96lz2b2GgYpbbiMHBJAMmIjsR6o9z3KUbOIh0eIrupDLTTvITDXDX8Q9x1A9dsDOJJGWMgWUT2n0Ay6GIzATojlMfp9eCti2gJNWv+vWKJD0k2k/COk71mcWttGgA4dnxUqCkkr7wSI/mAmxb/ZHaNFBoF55sUTycsoYrucD60XHeZA3OB/1NIodczWfMwCE1UGiSXpafdxDsBxgdlDXQxHzlWXhQBzVWNdjpdLVv7NMteA8t6MqmD+i+xlOD/rI5ZWb9uNmBNMNF2KkgBLHx9NQx5BQReQonL1wHcEfk/SjiovRFx33aYkfDZZwx1QmIR6xhksktwpvO/z0Bud9II3gle/Is5XgQwXET25KRvJ/pZlIvwXuklpgzBFMTU71RbaKWWTeLk9zddw0bb0O/dNm8HX6JmZIv1VHz/D/p0l7L+JyG5xl1DxxIxJOIuVkhucdFJDVRlMbNXp2/hMTKpK9Ph70TQNJx2hOvSEFwOjGsUpaGOI8z6r3zFpObg3w6VpeCBQNipekxSvgcedk2DNELYsFvTn5moxPEwCrPwYurg3dBbzSvgfZm67H/h319B/spg76MGiTauXl54LkOKQC2gWF/t7e9bV0NBZR5cAPwa346d5hWPnU/s1hAEKh8k5PZfQlHX9MY4ktYHe+16y4GhlN4FXF8fvnOlTYWZAa6UJyJycqHOeg5S/wb5qcx8HTJ7WXaz6EYN1f3ZLM+ziCRFL7DPBPs9fx4bpxIE01MjnDsCNQq1TJRtHJbjnhjZTyI77c17myN/rmauyZAeTgSeuVzEKwNi/UV2TQIxxFVlN0wMcoh8AHPuvuAU9MailoAHfRBvx46ksCD0l4GMssfMCqhLx54A0O8lwsmnVHfFBPMYwPXu3JJqiher9hsy9bzBtEOulLiiDpnA8ABZnRxH5aPo0cY5HjwUbinupJ5Zy+WeC1l6581ikQ2rRAFX68G7FabDqvhKJ9ruVOk3xw1k82IMsHrLxrxjPFh7+V3ixmg3/d/ExXRoayKVFTAax6c3e3sZaC7xopt9l0SFG8zLtMs9MyN6zH8J9P7/d2J8aU7Jvp+QU8G2b8+20Ci1BxIG04XEec1eSemcgTQ3AbwoCpN6UmZpe9EgkcfQcaXw0VyQSnk96xDrW1BkbCCBlqXWyYCNs335i/KcmbVgSICd/RJJlMTcDZx+TkUVSO52WPIYXKcMGhQi7KGND6R1PgEE1TFRRj7CeRWbswSzt3b/mDSy+T3Pg3v0miGN/sxulFrNJJpdnpExkWb2LDkFgO2N+GMZ2uHNdbE8JiXEgXiqbtRWpT/tfpp71YwQVsnRSgUUXnGop79wtfEtFC8sAQ/0v2Tj1+Nstf58t7rf8lOkY3dEVYxidLrgqfSpnkkJqmBAlhN5ZNXBv9ui/Ah1aY706tOPdMKsjHbz7LS9GPDeApYfVSsHGGVUMp5Ms0U7FlsqIDgcQR8SzDuhJen764U8lbj8nsWMFUkex5lTS5d4+mw/ysR1zd4BN6MYTMFqNRSLQEqaZQCft8pBTZ4QRnyJ9h8JrC+vdAI1jl69EaJfo+WgLMr+yG2Q9hM/qtMePqLmi+4ZwO4eszdt23d7437ueY7052yjaa5f42HQsul6qzkfKIs5jdu4oVFS2L3NycemiO6VSj8lp48WvlvPMTPihHuavxwrt/LQeM7NQg+Or1v2z9pyF/JN9gbUI72h6qfoN2/DlcPqmXBYb0TZaaXFrvZ2xllcAPHq/d8hdOpJ+aRS0+IV7ivIcftlPByr958Bmw2kkmNqZi4nwkfmilYQ3aVOr6GHgKRq76llVMhQBUc3c0WB2HCppwPz9j3kw9XY/72GnlnVCVkS+Ju864WbyKMNeWS5kHOyGdwgyRulidv7HiEZymOuL9npAKjso8kO+9aCLj5Wm1zylqudA15EhZaseD5ljK7c9dM0zYJcwe01MZHkUSqts1M4g9M83wLCllA6Hedfkb+niYKTTfcnnhNpLxQwkC3MMOhvl9ytGoW0jdAuYW+ubKR/mroAho5WisS64tLWR3Eo9NQoA224jIz7tHcMIMwQ+mH/SEUBy7qKRwTT5wmgJIDMjZckbeZAC3WsUgwvkkBL9Y5wQ8RuGMrfJMbCuU39w+FrH4We/JlmA6B+ArdWxkgxhvCCTk0WN1Zg/IOV6iWVNbGDmMqRVWijzDUC0CYP7ppk4c+VXDLfFKe04by9waIZW1h6aAavfvmbHZGw6b35keOS1VGfTlGGcSbfrIMwlRwV8AT+dgP1CU+gzhc9N+Os96ByplnsjtpPEoY2MN0QPziT5NLeCdBf8prtX8EOujnrW8enfubA/1qiROQsG+hWYIXyEG6SiIDq8y9dIIjB8DIe1rLcJzdBp17ajafy0ZyBAwt/3wA+37r1H26gcyfoAufBopK7JlnKOHoe1EU5MtCl+ZcoEJPXybE0GP4Q4Wdx/dhVFybMAt3BKnflx/zqWFDAItoru3gVqbFZZ4evhmSUcnL0xmzFvR89KFEIhNste8bq2AxZt5av/V+uTBFvWoHsdOhv8RIrL4o8SeGRWzgZ9gcQf8ieeFMaQSqaMKHiYfu99H/LVZpq0/YdRKs6pTKWFpfQXBXCQUO9IWQS98ddvyAKjwkq+Jzskg1yhIYJHU/jiq+yKPAsDLeD+WXovXeWPEEubkIT60g9Sb7GX6XYs2fnkR78DzxpMI8kyBs6EVwpgpeFBqH99rASOr8FrwHcFF0TAY8YtMiy+PK08xgMcrOg/0sLIoIWzQ7M25ttfKJtP+z/YA/4yi4hSxBojSbvxh8B41k044Q/ZI776ZAFp618QfDbwvS4Hh/42akPyA2Y8wjH+VoDesuxVzzr4g4pBMCWNVk7Q5WhfsoaA0WiV+mhK4VcPxMms8sGBGoZllQnwPh7JYy9Hz0wDg0OUAe8BLv/YwETYZwa0qlkLl4OMPAy8bSG8wo4TJeUubVF9FJeswXUt5K/FIv6S3AroecmGih9XIHNKnST9BTlcDSoxsLMfoYrQmFr8xJyJw/i+DtZr2zC1CUqBNGyvov9qFatys/HDe18KO51O/ahyUSjHEsCPCqxQfoQstvD7ZE/SN8c3ZZLNBqQ4SPY2jPqtsmzVch4HTzhpFxyqXwe2uHaccCuNwlSmewDY2VkQDbWdvRPHzLPsHOPZJdcVvRw/C8S4wJNZ03GDiYHThJjWv7wgnpIUA/i68u7t6uS33xlPAlytIefnNpXA5bc6QDTzKJW9gwJ8hlxcsHxfO8d3+oij9/vqDQMG9j0EponBs1ewNaGTg8rniisnATQwQEZo4USNTE+VneWnaY1wLOSExCIv6glJ+oMfPvZT/pq/uhz6C7u7gfvVvTG3eY3/srKRE5baKwI8MJCEEqmWonHM5C+NRboRFMpqO5AR5X27YrSsa38xen8f1VHnzYLFr0UdkprbLbm/dvFpaxivYTqfCVQEXaFMTfNp884OylSAcmvNZbUvrCyritL5xiBm/1rxypDprDv0X0C1WR9rfGilbpqc8MdqcBgmsSpJO1zW43LBBPI6U4/oBlpYKx+T2ovlq/zdgwrtmX/rp6BB+nXFtWdgJZWYN+4cwF0FooIAF8hXNiJGWR9tVPipT7s00BaL0u8udR59W/2T79vUIt0PMpuVHFmp7ZSZumsr2W1pTybmmuj5Lv54XoXryTE63GZYZRhiEE5uS3hwSWLqxd0xyCnz6ThuWaS6N0+rlxDVM+9Z1rlIhR4C5YJ5LJ2xpZFsS1apXPLm+QQ7SM1lspF/bSlHv4m3/LJqaK/sbaLAaxORDF1uE6</CipherValue>
</CipherData>
</EncryptedData>
</LA>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://schemas.microsoft.com/DRM/2007/03/protocols#ecdsa-sha256" />
<Reference URI="#SignedData">
<DigestMethod Algorithm="http://schemas.microsoft.com/DRM/2007/03/protocols#sha256" />
<DigestValue>Y6z9FSz2qWpvIN823wrK13in0TnWGoAcPCKw9KlWZPk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>u45hKzad6Wir2SLSY7WTkTxpziPY2w5WTiLbNSb0RyciFV8Xm2aFyLbOCpMW33ZYubN59lsaZy8fAjUsr7ManA==</SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<ECCKeyValue>
<PublicKey>2sumijs/TOhMhxwvkmjp4nXwJku8UXFHU+oY4fg+sRTp/pM7O3/w4k4QXAAn69pHahdLN+6OGpnQfwTv4xzGCQ==</PublicKey>
</ECCKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</Challenge>
</challenge>
</AcquireLicense>
</soap:Body>
</soap:Envelope>
server response:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<AcquireLicenseResponse xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols">
<AcquireLicenseResult>
<Response xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols/messages">
<LicenseResponse xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols">
<Version>1</Version>
<Licenses>
<License>WE1SAAAAAAN7s2B/AGLXFf96B2BX0GtZAAMAAQAAAVAAAgAEAAAACAADAAIAAAAyAAAADQAAAAoAAQABADIAAAAMAAAAIgABADQAAAAKAJYAAAAzAAAACgABAAMACQAAAPIAAQAKAAAAnu/fO2o/nhNLgZV4tDe9wEMAAQADAIDB6u6Ltq5a8s2SvNkd4kAVzxDnlUysqzX6k5epsJ4iNaZaFyLTtpgVjTRQP2lgDeJaJSIObuf2yd2Qd1tWIQDk4gXxCbUPL8NJgdvl6d4z2xBIvJq4Ol3KDiHgkYn6mYEyniIm+2IWZUrUWsKo6Z2brnsoe3GoYoNmXkJ5+kyMOgAAACoAAABMAAEAQDrjNbZngMLUdzVuWakTkwXziavX6rZhzIaQJYQOWLtJSqiFpiWTutb777SRP48Zvx2FMpyqhGdjn53dLmsiRDYAAQALAAAAHAABABB8/phYFmuGw7Y3HoQs0swN</License>
</Licenses>
<Acknowledgement>
<TransactionID>5c062475-4b2c-48e6-9b0b-54fce5b2b770</TransactionID>
</Acknowledgement>
</LicenseResponse>
</Response>
</AcquireLicenseResult>
</AcquireLicenseResponse>
</soap:Body>
</soap:Envelope>
how do i create the License from the client request and my 16 byte key?
All, I have a quick question on the SAML 2.0 response that I've been working with as part of my web SSO.We are the Identity provider and we send SAML token to our Service Provider(SP). SP wants us to sign the entire before sending that.We sent SP our public certificate already. Whose certificate details go under the element in the generated SAML 2.0 response ? Is that the IDP's or the Service Providers(SP).We don't have a public certificate from our SP yet
<samlp2:Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_71b134e9-1ab3-4680-90a4-3b95c8530a59" Version="2.0" IssueInstant="2017-09-21T17:29:21.6178748Z" Destination="https://sp.com" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_79b534eb-9771-4d22-9d61-d4dc5997be70">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>RzEq/7vrq</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>jQCx6BZyoW+okh+zxwrd</SignatureValue>
<KeyInfo>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=CA, DC=us, DC=local</X509IssuerName>
<X509SerialNumber>1248841732558767</X509SerialNumber>
</X509IssuerSerial>
<X509Certificate>MIIEpTCCA42gAwIBAgITOAAAARWJYtXzIdPzr</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp2:Status>
<samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp2:Status>
<saml2:Assertion Version="2.0" ID="_79b534eb-9771-4d22-9d61-d4dc5997be70" IssueInstant="2017-09-21T17:29:21.6208748Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://mycompany.com/</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">TestUser</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
<saml2:AuthnStatement AuthnInstant="2017-09-21T17:29:21.6228748Z" SessionNotOnOrAfter="2017-09-21T17:34:21.6228748Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml20:AttributeStatement xmlns:saml20="urn:oasis:names:tc:SAML:2.0:assertion">
<saml20:Attribute Name="MyCompany" NameFormat="www.sp.com">
<saml20:AttributeValue>test value</saml20:AttributeValue>
</saml20:Attribute>
</saml20:AttributeStatement>
</saml2:Assertion>
</samlp2:Response>
The certificate in the Response should be the one of the IDP. This way the SP can be sure the IDP signed the response and it wasn't manipulated by the user agent (or anyone else).
I am trying to create an http client from wsdl and send an encrypted request.
However, I have tried most of encryption-Security packages in npm(soap, soap-x509-http, xml-crypto etc.) to achieve my goal but I couldn't send a correct request.
You can see the requirements and a sample request below.
Thanks in advance.
Encryption should be performed using the following algorithms:
a. Key Encryption Algorithm: rsa-1_5
b. Symmetric Encryption Algorithm: #aes128-cbc
c. Encription Canonicalization: xml-exc-c14n
d. Token reference type: keyIdentifier (SKI)
Signature should be performed using the following algorithms:
a. Signature Algorithm: rsa-sha1
b. CanonicalizationMethod Algorithm: xml-exc-c14n
SOAP message could contain Timestamp
Sample Request(cipher values are shortened)
<?xml version="1.0"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="1">
<wsu:Timestamp wsu:Id="timestamp">
<wsu:Created>2017-01-25T10:53:55.572Z</wsu:Created>
<wsu:Expires>2017-01-25T10:58:55.572Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-47-1485341635575-1612376233">MIICXjCCAcegAwIBQ==</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsu:Id="reference-50-1485341635576-76405248">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary7f9" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">MZBUluEDgIrFJrntxdBEI9Cr2A0=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">m5xNzosqhCIll4rMOH97zwKNprCC15w0LDta+NL81yIcPuLftJNZeI/RiPmJY7d3y2bdMV5Y=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:DataReference xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" URI="#encrypted-49-1485341635575-737511276"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#element-46-1485341635572-1313338421">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">koftV3puKxIgrkVHHxwSJYxsUhA=</ds:DigestValue>
</ds:Reference>
<ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#timestamp">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod xmlns:ds="http://www.4dbw3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">Q0nZM95JuHF2nveehBU6wjUsoY4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">BvlJMHJNrfI=</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsu:Id="reference-48-1485341635575-111206538">
<wsse:Reference URI="#token-47-1485341635575-1612376233" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</env:Header>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-46-1485341635572-1313338421">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="encrypted-49-1485341635575-737511276" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">XoH4ROAG+6v0A28z1YeGeUfl4Im1q/jEJO+uDtAejU=13</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</env:Body>
</env:Envelope>
I have a need to check some security HTTP header (called for example X-MyApp-Security) value before processing it after Mule http:listener. Header should be checked like basic auth header but more simply.
I found some Mule documentation about this but don't understand how to use it my simple flow:
<http:listener-config name="HTTP_Listener_Configuration" host="${httpServer.host}" port="${httpServer.port}" doc:name="HTTP Listener Configuration" />
<flow name="planadoWebhookFlow">
<http:listener config-ref="HTTP_Listener_Configuration" path="/" doc:name="HTTP" allowedMethods="POST"/>
<set-payload value="Hello from security area!" doc:name="Set Payload"/>
</flow>
Please help me with header authentication in Mule 3.7.
You can use the "http:basic-security-filter" element, here you have an example:
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:scripting="http://www.mulesoft.org/schema/mule/scripting"
xmlns:http="http://www.mulesoft.org/schema/mule/http"
xmlns:jms="http://www.mulesoft.org/schema/mule/jms"
xmlns:vm="http://www.mulesoft.org/schema/mule/vm"
xmlns:file="http://www.mulesoft.org/schema/mule/file"
xmlns:ftp="http://www.mulesoft.org/schema/mule/ftp"
xmlns:db="http://www.mulesoft.org/schema/mule/db"
xmlns:mule-xml="http://www.mulesoft.org/schema/mule/xml"
xmlns:jersey="http://www.mulesoft.org/schema/mule/jersey"
xmlns:json="http://www.mulesoft.org/schema/mule/json"
xmlns:ws="http://www.mulesoft.org/schema/mule/ws"
xmlns:smtps="http://www.mulesoft.org/schema/mule/smtps"
xmlns:email="http://www.mulesoft.org/schema/mule/email"
xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:ss="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/scripting http://www.mulesoft.org/schema/mule/scripting/current/mule-scripting.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/jms http://www.mulesoft.org/schema/mule/jms/current/mule-jms.xsd
http://www.mulesoft.org/schema/mule/vm http://www.mulesoft.org/schema/mule/vm/current/mule-vm.xsd
http://www.mulesoft.org/schema/mule/file http://www.mulesoft.org/schema/mule/file/current/mule-file.xsd
http://www.mulesoft.org/schema/mule/ftp http://www.mulesoft.org/schema/mule/ftp/current/mule-ftp.xsd
http://www.mulesoft.org/schema/mule/db http://www.mulesoft.org/schema/mule/db/current/mule-db.xsd
http://www.mulesoft.org/schema/mule/xml http://www.mulesoft.org/schema/mule/xml/current/mule-xml.xsd
http://www.mulesoft.org/schema/mule/jersey http://www.mulesoft.org/schema/mule/jersey/current/mule-jersey.xsd
http://www.mulesoft.org/schema/mule/json http://www.mulesoft.org/schema/mule/json/current/mule-json.xsd
http://www.mulesoft.org/schema/mule/ws http://www.mulesoft.org/schema/mule/ws/current/mule-ws.xsd
http://www.mulesoft.org/schema/mule/smtps http://www.mulesoft.org/schema/mule/smtps/current/mule-smtps.xsd
http://www.mulesoft.org/schema/mule/email http://www.mulesoft.org/schema/mule/email/current/mule-email.xsd
http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/3.1/mule-spring-security.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
">
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider>
<ss:user-service id="userService">
<ss:user name="user" password="password" authorities="ROLE_ADMIN" />
<ss:user name="anon" password="anon" authorities="ROLE_ANON" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
<mule-ss:security-manager>
<mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager" />
</mule-ss:security-manager>
<http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="9091" doc:name="HTTP Listener Configuration"/>
<flow name="testingFlow">
<http:listener config-ref="HTTP_Listener_Configuration" path="/*" doc:name="HTTP"/>
<logger message="Before Authentication" level="INFO" doc:name="Log Failure"/>
<http:basic-security-filter realm="mule-realm"/>
<logger message="After Authentication" level="INFO" doc:name="Log Failure"/>
</flow>
</mule>
You can find more information in the next link:
https://docs.mulesoft.com/mule-user-guide/v/3.7/http-listener-connector#authentication
Im trying to set up wso2is as an IdP. Liferay acts as SP.
Signing in is done successfully. My actual problem is - there is no 'destination' attribute set in LogoutResponse so liferay saml-portlet is throwing:
14:12:26,779 ERROR [http-bio-8080-exec-18][BaseSamlStrutsAction:45com.liferay.saml.SamlException: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
com.liferay.saml.SamlException: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:166)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)
at com.liferay.saml.hook.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:38)
So here is my actual LogoutRequest:
<saml2p:LogoutRequest Destination="https://localhost:9443/samlsso"
ID="_22d8ba65fc7ffdbc63d9d45ddea3e420ebc53373" IssueInstant="2014-07-30T13:16:33.576Z"
Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">liferaysamlspdemo</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_22d8ba65fc7ffdbc63d9d45ddea3e420ebc53373">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>A00CJe+mILdS1J9rofdyDWtO+/M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[value]
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[cert data]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">xxx</saml2:NameID>
<saml2p:SessionIndex>436f2982-c96c-4884-a9ea-7b8b4cde13ff</saml2p:SessionIndex>
</saml2p:LogoutRequest>
And the corresponding response:
<saml2p:LogoutResponse ID="hbkakhdacckapfinfncplppndpkhbpihhnfphjoh"
InResponseTo="_69f6c1f18217d5626f0a76a1b705138d56e5077f" IssueInstant="2014-07-30T14:12:26.651Z"
Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">liferaysamlidpdemo</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#hbkakhdacckapfinfncplppndpkhbpihhnfphjoh">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>35a6HRTd3gbqiGhR2RzkRWn+f04=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[value]
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[cert data]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
</saml2p:LogoutResponse>
Now is that a general wso2is problem and it does not include "destination" attribute to LogoutResponse or am i doeing something wrong. I would be great if i could get some help.
In case you are using HTTP-POST binding the standard says:
If the message is signed, the Destination XML attribute in the root
SAML element of the protocol message MUST contain the URL to which the
sender has instructed the user agent to deliver the message.
And therefore it would mean that wso2 has a bug.
The Destination attribute is not be required with HTTP-Artifact or SAML SOAP bindings. In case you use one of these, it would mean that there's a problem on the Liferay side.