Dear all,
This is the first time I have used SimpleSAMLphp and it looks great. However, I
haven't been able to set up a working connection with OpenAM
(formerly OpenSSO), since when I test the federation connectivity I get
an error.
I have followed the instructions item by item and I'm pretty sure the
error is not related to configuration. After exchanging metadata
(parsing the OpenSSO metadata with the SimpleSAML tool and registering the
remote SP in OpenSSO) I tried to test the system (using the SimpleSAML
test under the authentication tab) and got this error:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Reference validation failed
Backtrace:
8 /var/simplesamlphp/lib/xmlseclibs.php:1005 (XMLSecurityDSig::validateReference)
7 /var/simplesamlphp/lib/SAML2/Utils.php:56 (SAML2_Utils::validateElement)
6 /var/simplesamlphp/lib/SAML2/Assertion.php:471 (SAML2_Assertion::parseSignature)
5 /var/simplesamlphp/lib/SAML2/Assertion.php:241 (SAML2_Assertion::__construct)
4 /var/simplesamlphp/lib/SAML2/Response.php:38 (SAML2_Response::__construct)
3 /var/simplesamlphp/lib/SAML2/Message.php:471 (SAML2_Message::fromXML)
2 /var/simplesamlphp/lib/SAML2/HTTPPost.php:98 (SAML2_HTTPPost::receive)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:16 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)
Having a look at the code, I noticed that SimpleSAML fails to verify
the digest, since the digest generated by SimpleSAML does not match
the one sent by OpenSSO. I placed some debugging messages and I found
the problem:
SimpleSAML receives a message whose assertion part is the following:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2dbfd1f904f7a1ae3c535ebefd711397ca097bc7e" IssueInstant="2011-07-06T16:09:20Z" Version="2.0">
  <saml:Issuer>https://sso.pervasive.it.uc3m.es/opensso</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://sso.pervasive.it.uc3m.es/opensso">oCjCanKokkBSwLv2yR5f7Y9K75YK</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_39d67066a1ad25404668845811683e54e1fc3ac0ef" NotOnOrAfter="2011-07-06T16:19:20Z" Recipient="http://bib.pervasive.it.uc3m.es/simplesaml/module.php/saml/sp/saml2-acs.php/pervasive-bib-services"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-07-06T15:59:20Z" NotOnOrAfter="2011-07-06T16:19:20Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://bib.pervasive.it.uc3m.es</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-07-06T15:54:08Z" SessionIndex="s262dbc9dd64d5b1b482b3c4c444dd539c4e7b3b01">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="cn">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Daniel Diaz</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
However, the XML snippet used in processRefNode (xmlseclibs), called
by parseSignature (Assertion.php), after canonicalization and
transformation is:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2dbfd1f904f7a1ae3c535ebefd711397ca097bc7e" IssueInstant="2011-07-06T16:09:20Z" Version="2.0">
  <saml:Issuer>https://sso.pervasive.it.uc3m.es/opensso</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://sso.pervasive.it.uc3m.es/opensso">oCjCanKokkBSwLv2yR5f7Y9K75YK</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_39d67066a1ad25404668845811683e54e1fc3ac0ef" NotOnOrAfter="2011-07-06T16:19:20Z" Recipient="http://bib.pervasive.it.uc3m.es/simplesaml/module.php/saml/sp/saml2-acs.php/pervasive-bib-services"></saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-07-06T15:59:20Z" NotOnOrAfter="2011-07-06T16:19:20Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://bib.pervasive.it.uc3m.es</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-07-06T15:54:08Z" SessionIndex="s262dbc9dd64d5b1b482b3c4c444dd539c4e7b3b01">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="cn">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Daniel Diaz</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
As you can see, there are two differences between the XML documents:
the first closes <saml:SubjectConfirmationData> at the end of
the element (i.e. blah blah" />), while the second uses an end tag
"</saml:SubjectConfirmationData>".
Moreover, the first has an extra xmlns:xs="http://www.w3.org/2001/XMLSchema"
in the element <saml:AttributeValue> that does not appear
in the second. Due to this, obviously, the signature cannot be the
same (hopefully).
I found the problem but I don't know how to proceed.
Can you please help me?
Regards
Dani