All, I have a quick question on the SAML 2.0 response that I've been working with as part of my web SSO.We are the Identity provider and we send SAML token to our Service Provider(SP). SP wants us to sign the entire before sending that.We sent SP our public certificate already. Whose certificate details go under the element in the generated SAML 2.0 response ? Is that the IDP's or the Service Providers(SP).We don't have a public certificate from our SP yet
<samlp2:Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_71b134e9-1ab3-4680-90a4-3b95c8530a59" Version="2.0" IssueInstant="2017-09-21T17:29:21.6178748Z" Destination="https://sp.com" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_79b534eb-9771-4d22-9d61-d4dc5997be70">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>RzEq/7vrq</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>jQCx6BZyoW+okh+zxwrd</SignatureValue>
<KeyInfo>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=CA, DC=us, DC=local</X509IssuerName>
<X509SerialNumber>1248841732558767</X509SerialNumber>
</X509IssuerSerial>
<X509Certificate>MIIEpTCCA42gAwIBAgITOAAAARWJYtXzIdPzr</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp2:Status>
<samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp2:Status>
<saml2:Assertion Version="2.0" ID="_79b534eb-9771-4d22-9d61-d4dc5997be70" IssueInstant="2017-09-21T17:29:21.6208748Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://mycompany.com/</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">TestUser</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
<saml2:AuthnStatement AuthnInstant="2017-09-21T17:29:21.6228748Z" SessionNotOnOrAfter="2017-09-21T17:34:21.6228748Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml20:AttributeStatement xmlns:saml20="urn:oasis:names:tc:SAML:2.0:assertion">
<saml20:Attribute Name="MyCompany" NameFormat="www.sp.com">
<saml20:AttributeValue>test value</saml20:AttributeValue>
</saml20:Attribute>
</saml20:AttributeStatement>
</saml2:Assertion>
</samlp2:Response>
The certificate in the Response should be the one of the IDP. This way the SP can be sure the IDP signed the response and it wasn't manipulated by the user agent (or anyone else).
Related
I want to know how digestValue was calculated when we have AttributeStatement in the SAML 2 Response.
I can calculate and get the same digestValue when I do not have any "saml2:AttributeStatement" returned in SAML response by:
Deleting ds:Signature segment
Canonicalizing XML payload
Applying SHA-256 to calculate digest value (as I configured on IDP part)
But when I configured in IDP side to add "saml2:AttributeStatement" in the response along with one attribute, I can no longer calculate the same digestvalue as IDP returned to me no matter I kept "saml2:AttributeStatement" or not.
What shall I do here to calculate the correct value? FYI, I am using OKTA IDP.
My SAML Assertion in my SAML response is as follows:
<saml2:Assertion ID="id2725281198079267683856882"
IssueInstant="2021-09-20T07:18:33.051Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk1mv3c9ke9u3tz25d7
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id2725281198079267683856882">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>uHowdunaQ+0tDsHrEGgJFUWwd23L08Qubp9HFS2In2Q=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>S9YQNf7t...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDq...
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">allen.li#gmail.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="a3b3ff8jicf316993316069j03bdjfj"
NotOnOrAfter="2021-09-20T07:23:33.051Z"
Recipient="http://localhost:8080/saml/SSO"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-09-20T07:13:33.051Z"
NotOnOrAfter="2021-09-20T07:23:33.051Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>http://localhost:8080/saml/metadata</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-09-20T07:18:33.051Z"
SessionIndex="a3b3ff8jicf316993316069j03bdjfj"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>allen.li#gmail.com
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Issue resolved. There is a gap between OKTA performing Canonicalization and what is provided in Java org.apache.xml.security.c14n.Canonicalizer.getInstance(String). In Java implementation they deleted namespace xmlns:xs="http://www.w3.org/2001/XMLSchema", but OKTA kept it. After I added this namespace in canonicalized SAML Assertion and calculated digest value, I got same value as OKTA.
i'm implementing a DRM server, so far HLS is working great but i have a problem with the playready key encryption, i know that i need to use the public key and License Nonce(IV) from the client request but i couldn't find the algorithm to encrypt it.
example from Microsoft playReady test server
client requst:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<AcquireLicense xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols">
<challenge>
<Challenge xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols/messages">
<LA xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols" Id="SignedData" xml:space="preserve">
<Version>1</Version>
<ContentHeader>
<WRMHEADER xmlns="http://schemas.microsoft.com/DRM/2007/03/PlayReadyHeader" version="4.0.0.0">
<DATA>
<PROTECTINFO>
<KEYLEN>16</KEYLEN>
<ALGID>AESCTR</ALGID>
</PROTECTINFO>
<KID>7987aj+eE0uBlXi0N73AQw==</KID>
<CHECKSUM>s1zZSs3Wwow=</CHECKSUM>
<CUSTOMATTRIBUTES>
<IIS_DRM_VERSION>7.1.1064.0</IIS_DRM_VERSION>
</CUSTOMATTRIBUTES>
<LA_URL>http://playready.directtaps.net/pr/svc/rightsmanager.asmx</LA_URL>
<DS_ID>AH+03juKbUGbHl1V/QIwRA==</DS_ID>
</DATA>
</WRMHEADER>
</ContentHeader>
<CLIENTINFO>
<CLIENTVERSION>2.0.0.1446</CLIENTVERSION>
</CLIENTINFO>
<RevocationLists>
<RevListInfo>
<ListID>ioydTlK2p0WXkWklprR5Hw==</ListID>
<Version>11</Version>
</RevListInfo>
<RevListInfo>
<ListID>gC4IKKPHsUCCVhnlttibJw==</ListID>
<Version>11</Version>
</RevListInfo>
<RevListInfo>
<ListID>BOZ1zT1UnEqfCf5tJOi/kA==</ListID>
<Version>12</Version>
</RevListInfo>
<RevListInfo>
<ListID>Ef/RUojT3U6Ct2jqTCChbA==</ListID>
<Version>34</Version>
</RevListInfo>
</RevocationLists>
<LicenseNonce>e7NgfwBi1xX/egdgV9BrWQ==</LicenseNonce>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://schemas.microsoft.com/DRM/2007/03/protocols#ecc256" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>WMRMServer</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>W13Rs+iFyn5Qgh8iAduenxsRw3w2mOTNhfOPI6Fwv5kIn93cCauDFJexka6jtQHJ+by8wyTv4u7RofeZW9G8NakvV0JpGg7d5rEg1q1XMwy267Hecnch75FKEPSiydx2NU83IambHenRhJJ5gg3/u1aVpaXsCVtnQsv5pt5L+JM=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>cWEqivcZkvs9Le02WXFsSnCn8W+J87cN0a0/6IXZ1OIYJ8ZgVE2Bf6J14Destd4rYxKonQiMZ5mL+LZytuq7dA8LGFASKUNGKynx887tdMDMbwJnBQAllE593kUqnD4XIyKO04APahlQ1k4ezBrTU3o0TD8ssIN2OxxW4NdoNMPc+rlrPMY31hXVoIdUV7viueMRFcokDgDk/vii3yrHfLpx+iyVINhYhye1Oh0JsKc8Fkz/O1XfSrCVQzVZHI3Hui62r/Pf9H1kblv7CXo1H7Vno8trNq2zsEj96lz2b2GgYpbbiMHBJAMmIjsR6o9z3KUbOIh0eIrupDLTTvITDXDX8Q9x1A9dsDOJJGWMgWUT2n0Ay6GIzATojlMfp9eCti2gJNWv+vWKJD0k2k/COk71mcWttGgA4dnxUqCkkr7wSI/mAmxb/ZHaNFBoF55sUTycsoYrucD60XHeZA3OB/1NIodczWfMwCE1UGiSXpafdxDsBxgdlDXQxHzlWXhQBzVWNdjpdLVv7NMteA8t6MqmD+i+xlOD/rI5ZWb9uNmBNMNF2KkgBLHx9NQx5BQReQonL1wHcEfk/SjiovRFx33aYkfDZZwx1QmIR6xhksktwpvO/z0Bud9II3gle/Is5XgQwXET25KRvJ/pZlIvwXuklpgzBFMTU71RbaKWWTeLk9zddw0bb0O/dNm8HX6JmZIv1VHz/D/p0l7L+JyG5xl1DxxIxJOIuVkhucdFJDVRlMbNXp2/hMTKpK9Ph70TQNJx2hOvSEFwOjGsUpaGOI8z6r3zFpObg3w6VpeCBQNipekxSvgcedk2DNELYsFvTn5moxPEwCrPwYurg3dBbzSvgfZm67H/h319B/spg76MGiTauXl54LkOKQC2gWF/t7e9bV0NBZR5cAPwa346d5hWPnU/s1hAEKh8k5PZfQlHX9MY4ktYHe+16y4GhlN4FXF8fvnOlTYWZAa6UJyJycqHOeg5S/wb5qcx8HTJ7WXaz6EYN1f3ZLM+ziCRFL7DPBPs9fx4bpxIE01MjnDsCNQq1TJRtHJbjnhjZTyI77c17myN/rmauyZAeTgSeuVzEKwNi/UV2TQIxxFVlN0wMcoh8AHPuvuAU9MailoAHfRBvx46ksCD0l4GMssfMCqhLx54A0O8lwsmnVHfFBPMYwPXu3JJqiher9hsy9bzBtEOulLiiDpnA8ABZnRxH5aPo0cY5HjwUbinupJ5Zy+WeC1l6581ikQ2rRAFX68G7FabDqvhKJ9ruVOk3xw1k82IMsHrLxrxjPFh7+V3ixmg3/d/ExXRoayKVFTAax6c3e3sZaC7xopt9l0SFG8zLtMs9MyN6zH8J9P7/d2J8aU7Jvp+QU8G2b8+20Ci1BxIG04XEec1eSemcgTQ3AbwoCpN6UmZpe9EgkcfQcaXw0VyQSnk96xDrW1BkbCCBlqXWyYCNs335i/KcmbVgSICd/RJJlMTcDZx+TkUVSO52WPIYXKcMGhQi7KGND6R1PgEE1TFRRj7CeRWbswSzt3b/mDSy+T3Pg3v0miGN/sxulFrNJJpdnpExkWb2LDkFgO2N+GMZ2uHNdbE8JiXEgXiqbtRWpT/tfpp71YwQVsnRSgUUXnGop79wtfEtFC8sAQ/0v2Tj1+Nstf58t7rf8lOkY3dEVYxidLrgqfSpnkkJqmBAlhN5ZNXBv9ui/Ah1aY706tOPdMKsjHbz7LS9GPDeApYfVSsHGGVUMp5Ms0U7FlsqIDgcQR8SzDuhJen764U8lbj8nsWMFUkex5lTS5d4+mw/ysR1zd4BN6MYTMFqNRSLQEqaZQCft8pBTZ4QRnyJ9h8JrC+vdAI1jl69EaJfo+WgLMr+yG2Q9hM/qtMePqLmi+4ZwO4eszdt23d7437ueY7052yjaa5f42HQsul6qzkfKIs5jdu4oVFS2L3NycemiO6VSj8lp48WvlvPMTPihHuavxwrt/LQeM7NQg+Or1v2z9pyF/JN9gbUI72h6qfoN2/DlcPqmXBYb0TZaaXFrvZ2xllcAPHq/d8hdOpJ+aRS0+IV7ivIcftlPByr958Bmw2kkmNqZi4nwkfmilYQ3aVOr6GHgKRq76llVMhQBUc3c0WB2HCppwPz9j3kw9XY/72GnlnVCVkS+Ju864WbyKMNeWS5kHOyGdwgyRulidv7HiEZymOuL9npAKjso8kO+9aCLj5Wm1zylqudA15EhZaseD5ljK7c9dM0zYJcwe01MZHkUSqts1M4g9M83wLCllA6Hedfkb+niYKTTfcnnhNpLxQwkC3MMOhvl9ytGoW0jdAuYW+ubKR/mroAho5WisS64tLWR3Eo9NQoA224jIz7tHcMIMwQ+mH/SEUBy7qKRwTT5wmgJIDMjZckbeZAC3WsUgwvkkBL9Y5wQ8RuGMrfJMbCuU39w+FrH4We/JlmA6B+ArdWxkgxhvCCTk0WN1Zg/IOV6iWVNbGDmMqRVWijzDUC0CYP7ppk4c+VXDLfFKe04by9waIZW1h6aAavfvmbHZGw6b35keOS1VGfTlGGcSbfrIMwlRwV8AT+dgP1CU+gzhc9N+Os96ByplnsjtpPEoY2MN0QPziT5NLeCdBf8prtX8EOujnrW8enfubA/1qiROQsG+hWYIXyEG6SiIDq8y9dIIjB8DIe1rLcJzdBp17ajafy0ZyBAwt/3wA+37r1H26gcyfoAufBopK7JlnKOHoe1EU5MtCl+ZcoEJPXybE0GP4Q4Wdx/dhVFybMAt3BKnflx/zqWFDAItoru3gVqbFZZ4evhmSUcnL0xmzFvR89KFEIhNste8bq2AxZt5av/V+uTBFvWoHsdOhv8RIrL4o8SeGRWzgZ9gcQf8ieeFMaQSqaMKHiYfu99H/LVZpq0/YdRKs6pTKWFpfQXBXCQUO9IWQS98ddvyAKjwkq+Jzskg1yhIYJHU/jiq+yKPAsDLeD+WXovXeWPEEubkIT60g9Sb7GX6XYs2fnkR78DzxpMI8kyBs6EVwpgpeFBqH99rASOr8FrwHcFF0TAY8YtMiy+PK08xgMcrOg/0sLIoIWzQ7M25ttfKJtP+z/YA/4yi4hSxBojSbvxh8B41k044Q/ZI776ZAFp618QfDbwvS4Hh/42akPyA2Y8wjH+VoDesuxVzzr4g4pBMCWNVk7Q5WhfsoaA0WiV+mhK4VcPxMms8sGBGoZllQnwPh7JYy9Hz0wDg0OUAe8BLv/YwETYZwa0qlkLl4OMPAy8bSG8wo4TJeUubVF9FJeswXUt5K/FIv6S3AroecmGih9XIHNKnST9BTlcDSoxsLMfoYrQmFr8xJyJw/i+DtZr2zC1CUqBNGyvov9qFatys/HDe18KO51O/ahyUSjHEsCPCqxQfoQstvD7ZE/SN8c3ZZLNBqQ4SPY2jPqtsmzVch4HTzhpFxyqXwe2uHaccCuNwlSmewDY2VkQDbWdvRPHzLPsHOPZJdcVvRw/C8S4wJNZ03GDiYHThJjWv7wgnpIUA/i68u7t6uS33xlPAlytIefnNpXA5bc6QDTzKJW9gwJ8hlxcsHxfO8d3+oij9/vqDQMG9j0EponBs1ewNaGTg8rniisnATQwQEZo4USNTE+VneWnaY1wLOSExCIv6glJ+oMfPvZT/pq/uhz6C7u7gfvVvTG3eY3/srKRE5baKwI8MJCEEqmWonHM5C+NRboRFMpqO5AR5X27YrSsa38xen8f1VHnzYLFr0UdkprbLbm/dvFpaxivYTqfCVQEXaFMTfNp884OylSAcmvNZbUvrCyritL5xiBm/1rxypDprDv0X0C1WR9rfGilbpqc8MdqcBgmsSpJO1zW43LBBPI6U4/oBlpYKx+T2ovlq/zdgwrtmX/rp6BB+nXFtWdgJZWYN+4cwF0FooIAF8hXNiJGWR9tVPipT7s00BaL0u8udR59W/2T79vUIt0PMpuVHFmp7ZSZumsr2W1pTybmmuj5Lv54XoXryTE63GZYZRhiEE5uS3hwSWLqxd0xyCnz6ThuWaS6N0+rlxDVM+9Z1rlIhR4C5YJ5LJ2xpZFsS1apXPLm+QQ7SM1lspF/bSlHv4m3/LJqaK/sbaLAaxORDF1uE6</CipherValue>
</CipherData>
</EncryptedData>
</LA>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://schemas.microsoft.com/DRM/2007/03/protocols#ecdsa-sha256" />
<Reference URI="#SignedData">
<DigestMethod Algorithm="http://schemas.microsoft.com/DRM/2007/03/protocols#sha256" />
<DigestValue>Y6z9FSz2qWpvIN823wrK13in0TnWGoAcPCKw9KlWZPk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>u45hKzad6Wir2SLSY7WTkTxpziPY2w5WTiLbNSb0RyciFV8Xm2aFyLbOCpMW33ZYubN59lsaZy8fAjUsr7ManA==</SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<ECCKeyValue>
<PublicKey>2sumijs/TOhMhxwvkmjp4nXwJku8UXFHU+oY4fg+sRTp/pM7O3/w4k4QXAAn69pHahdLN+6OGpnQfwTv4xzGCQ==</PublicKey>
</ECCKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</Challenge>
</challenge>
</AcquireLicense>
</soap:Body>
</soap:Envelope>
server response:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<AcquireLicenseResponse xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols">
<AcquireLicenseResult>
<Response xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols/messages">
<LicenseResponse xmlns="http://schemas.microsoft.com/DRM/2007/03/protocols">
<Version>1</Version>
<Licenses>
<License>WE1SAAAAAAN7s2B/AGLXFf96B2BX0GtZAAMAAQAAAVAAAgAEAAAACAADAAIAAAAyAAAADQAAAAoAAQABADIAAAAMAAAAIgABADQAAAAKAJYAAAAzAAAACgABAAMACQAAAPIAAQAKAAAAnu/fO2o/nhNLgZV4tDe9wEMAAQADAIDB6u6Ltq5a8s2SvNkd4kAVzxDnlUysqzX6k5epsJ4iNaZaFyLTtpgVjTRQP2lgDeJaJSIObuf2yd2Qd1tWIQDk4gXxCbUPL8NJgdvl6d4z2xBIvJq4Ol3KDiHgkYn6mYEyniIm+2IWZUrUWsKo6Z2brnsoe3GoYoNmXkJ5+kyMOgAAACoAAABMAAEAQDrjNbZngMLUdzVuWakTkwXziavX6rZhzIaQJYQOWLtJSqiFpiWTutb777SRP48Zvx2FMpyqhGdjn53dLmsiRDYAAQALAAAAHAABABB8/phYFmuGw7Y3HoQs0swN</License>
</Licenses>
<Acknowledgement>
<TransactionID>5c062475-4b2c-48e6-9b0b-54fce5b2b770</TransactionID>
</Acknowledgement>
</LicenseResponse>
</Response>
</AcquireLicenseResult>
</AcquireLicenseResponse>
</soap:Body>
</soap:Envelope>
how do i create the License from the client request and my 16 byte key?
I am creating a draft envelope with a TXT document - which needs to display an Approve button to allow the signer to sign without placing a signature/initials on the document itself. Unfortunately I can't get the Approve button to show on the document, where have I gone wrong?
Here is the Request XML:
<ns1:envelopeDefinition xmlns:ns1="http://www.docusign.com/restapi">
<ns1:emailSubject>Test from iPaaS</ns1:emailSubject>
<ns1:documents>
<ns1:document>
<ns1:name>TestDocument</ns1:name>
<ns1:documentId>1</ns1:documentId>
<ns1:documentBase64><Base64BytesHere></ns1:documentBase64>
<ns1:fileExtension>txt</ns1:fileExtension>
</ns1:document>
</ns1:documents>
<ns1:recipients>
<ns1:signers>
<ns1:signer>
<ns1:routingOrder>1</ns1:routingOrder>
<ns1:recipientId>1</ns1:recipientId>
<ns1:name>John Smith</ns1:name>
<ns1:email>nobody#nobody.com</ns1:email>
</ns1:signer>
</ns1:signers>
</ns1:recipients>
<ns1:tabs>
<ns1:approveTabs>
<ns1:approve>
<anchorCaseSensitive />
<anchorHorizontalAlignment />
<anchorIgnoreIfNotPresent />
<anchorMatchWholeWord />
<anchorString />
<anchorUnits />
<anchorXOffset />
<anchorYOffset />
<conditionalParentLabel />
<conditionalParentValue />
<customTabId />
<documentId>1</documentId>
<mergeField />
<pageNumber>1</pageNumber>
<recipientId>1</recipientId>
<tabId />
<tabOrder />
<templateLocked />
<templateRequired />
<xPosition>100</xPosition>
<yPosition>100</yPosition>
<bold />
<font />
<fontColor />
<fontSize />
<italic />
<tabLabel />
<underline />
<buttonText />
<height>30</height>
<width>50</width>
</ns1:approve>
</ns1:approveTabs>
</ns1:tabs>
</ns1:envelopeDefinition>
Essentially I am looking for something that looks like the attached screenshot
The <tabs> node should be inside the <signer> node. The following example should work.
<ns1:envelopeDefinition xmlns:ns1="http://www.docusign.com/restapi">
<ns1:emailSubject>Test from iPaaS</ns1:emailSubject>
<ns1:documents>
<ns1:document>
<ns1:name>TestDocument</ns1:name>
<ns1:documentId>1</ns1:documentId>
<ns1:fileExtension>txt</ns1:fileExtension>
<ns1:documentBase64>RG9jIFRXTyBUV08gVFdP</ns1:documentBase64>
<ns1:fileExtension>txt</ns1:fileExtension>
</ns1:document>
</ns1:documents>
<ns1:recipients>
<ns1:signers>
<ns1:signer>
<ns1:routingOrder>1</ns1:routingOrder>
<ns1:recipientId>1</ns1:recipientId>
<ns1:name>John Smith</ns1:name>
<ns1:email>johnsmith#acme.com</ns1:email>
<ns1:tabs>
<ns1:approveTabs>
<ns1:approve>
<documentId>1</documentId>
<pageNumber>1</pageNumber>
<xPosition>100</xPosition>
<yPosition>100</yPosition>
<height>30</height>
<width>50</width>
</ns1:approve>
</ns1:approveTabs>
</ns1:tabs>
</ns1:signer>
</ns1:signers>
</ns1:recipients>
</ns1:envelopeDefinition>
I am trying to create an http client from wsdl and send an encrypted request.
However, I have tried most of encryption-Security packages in npm(soap, soap-x509-http, xml-crypto etc.) to achieve my goal but I couldn't send a correct request.
You can see the requirements and a sample request below.
Thanks in advance.
Encryption should be performed using the following algorithms:
a. Key Encryption Algorithm: rsa-1_5
b. Symmetric Encryption Algorithm: #aes128-cbc
c. Encription Canonicalization: xml-exc-c14n
d. Token reference type: keyIdentifier (SKI)
Signature should be performed using the following algorithms:
a. Signature Algorithm: rsa-sha1
b. CanonicalizationMethod Algorithm: xml-exc-c14n
SOAP message could contain Timestamp
Sample Request(cipher values are shortened)
<?xml version="1.0"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="1">
<wsu:Timestamp wsu:Id="timestamp">
<wsu:Created>2017-01-25T10:53:55.572Z</wsu:Created>
<wsu:Expires>2017-01-25T10:58:55.572Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-47-1485341635575-1612376233">MIICXjCCAcegAwIBQ==</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsu:Id="reference-50-1485341635576-76405248">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary7f9" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">MZBUluEDgIrFJrntxdBEI9Cr2A0=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">m5xNzosqhCIll4rMOH97zwKNprCC15w0LDta+NL81yIcPuLftJNZeI/RiPmJY7d3y2bdMV5Y=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:DataReference xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" URI="#encrypted-49-1485341635575-737511276"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#element-46-1485341635572-1313338421">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">koftV3puKxIgrkVHHxwSJYxsUhA=</ds:DigestValue>
</ds:Reference>
<ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#timestamp">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod xmlns:ds="http://www.4dbw3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">Q0nZM95JuHF2nveehBU6wjUsoY4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">BvlJMHJNrfI=</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsu:Id="reference-48-1485341635575-111206538">
<wsse:Reference URI="#token-47-1485341635575-1612376233" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</env:Header>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-46-1485341635572-1313338421">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="encrypted-49-1485341635575-737511276" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">XoH4ROAG+6v0A28z1YeGeUfl4Im1q/jEJO+uDtAejU=13</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</env:Body>
</env:Envelope>
Im trying to set up wso2is as an IdP. Liferay acts as SP.
Signing in is done successfully. My actual problem is - there is no 'destination' attribute set in LogoutResponse so liferay saml-portlet is throwing:
14:12:26,779 ERROR [http-bio-8080-exec-18][BaseSamlStrutsAction:45com.liferay.saml.SamlException: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
com.liferay.saml.SamlException: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:166)
at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)
at com.liferay.saml.hook.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:38)
So here is my actual LogoutRequest:
<saml2p:LogoutRequest Destination="https://localhost:9443/samlsso"
ID="_22d8ba65fc7ffdbc63d9d45ddea3e420ebc53373" IssueInstant="2014-07-30T13:16:33.576Z"
Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">liferaysamlspdemo</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_22d8ba65fc7ffdbc63d9d45ddea3e420ebc53373">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>A00CJe+mILdS1J9rofdyDWtO+/M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[value]
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[cert data]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">xxx</saml2:NameID>
<saml2p:SessionIndex>436f2982-c96c-4884-a9ea-7b8b4cde13ff</saml2p:SessionIndex>
</saml2p:LogoutRequest>
And the corresponding response:
<saml2p:LogoutResponse ID="hbkakhdacckapfinfncplppndpkhbpihhnfphjoh"
InResponseTo="_69f6c1f18217d5626f0a76a1b705138d56e5077f" IssueInstant="2014-07-30T14:12:26.651Z"
Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">liferaysamlidpdemo</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#hbkakhdacckapfinfncplppndpkhbpihhnfphjoh">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>35a6HRTd3gbqiGhR2RzkRWn+f04=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[value]
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[cert data]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
</saml2p:LogoutResponse>
Now is that a general wso2is problem and it does not include "destination" attribute to LogoutResponse or am i doeing something wrong. I would be great if i could get some help.
In case you are using HTTP-POST binding the standard says:
If the message is signed, the Destination XML attribute in the root
SAML element of the protocol message MUST contain the URL to which the
sender has instructed the user agent to deliver the message.
And therefore it would mean that wso2 has a bug.
The Destination attribute is not be required with HTTP-Artifact or SAML SOAP bindings. In case you use one of these, it would mean that there's a problem on the Liferay side.