CAS 5.2.0-RC3 SAML 2.0 response KeyInfo: how to configure

Andy Ng
Sep 19, 2017, 5:52:21 AM
to CAS Community
Hi all,

Version: CAS 5.2.0-RC3
Scope: SAML 2.0
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Problem: 
I am connecting my SAML 2.0 SP using CAS 5.2.0-RC1 without problem, but when I updated to CAS 5.2.0-RC3 it cannot connect.

My research shows me that:
In CAS 5.2.0-RC1, the KeyInfo in saml2p:Response looks like this:

        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDL.....TCC==</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>

However, in CAS 5.2.0-RC3, the KeyInfo in saml2p:Response is changed to this:

        <ds:KeyInfo>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus>nv......==</ds:Modulus>
                    <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
            <ds11:DEREncodedKeyValue xmlns:ds11="http://www.w3.org/2009/xmldsig11#">MII.......QAB</ds11:DEREncodedKeyValue>
        </ds:KeyInfo>
----------------------------------------------------------------------------------------------------------------------------------------------------------------
I would like to know if there is any configuration to force the KeyInfo to show X509Data, so my SAML 2.0 SP can read the KeyInfo. Thanks!

-Andy

Andy Ng
Sep 20, 2017, 2:37:27 AM
to CAS Community
Hi all:

I found out the problem occurs in this file:
org.apereo.cas.support.saml.web.idp.profile.builders.enc.BaseSamlObjectSigner, in the function [protected SignatureSigningConfiguration getSignatureSigningConfiguration()]

Instead of adding a BasicX509Credential to the credential, a BasicCredential was added, which changes the KeyInfo from showing:

        <ds:KeyInfo> <ds:X509Data><ds:X509Certificate>MIIDL.....TCC==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>


To 

        <ds:KeyInfo> <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>nv......==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue><ds11:DEREncodedKeyValue xmlns:ds11="http://www.w3.org/2009/xmldsig11#">MII.......QAB</ds11:DEREncodedKeyValue></ds:KeyInfo>

I think I will try to contribute to CAS so that in CAS 5.2.0-RC4 there is an option to choose which Credential I want to export.

-Andy
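An added example, not code from Andy's posts or from CAS: a small standard-library Python reader that accepts every KeyInfo encoding shown in the two posts above (X509Data/X509Certificate as emitted by RC1, and KeyValue/RSAKeyValue plus ds11:DEREncodedKeyValue as emitted by RC3), pulls the RSA public key out of each, and compares it with the key the SP already trusts from the IdP's metadata. That comparison is the check an SP should make anyway: KeyInfo travels inside the message the sender controls, so it can only be a hint to match against the metadata key, never the source of trust, and an SP that does this is not coupled to whichever shape the IdP happens to emit. All names here are mine; the DER codec is deliberately minimal, the certificate-shaped test structure is unsigned and not a real certificate, and the 12-bit toy key is constructed for the test.

```python
# Added example, not CAS code: read the RSA public key out of a SAML <ds:KeyInfo> in
# any of the encodings seen in this thread and compare it with the key the SP already
# trusts from IdP metadata. Standard library only; the tiny DER codec covers just these structures.
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS11 = "http://www.w3.org/2009/xmldsig11#"
RSA_OID = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
TOY_KEY = (3233, 17)   # constructed toy RSA key (p=61, q=53); real IdP keys are 2048+ bits

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):
    # the spare byte keeps the sign bit clear for positive integers
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def spki_der(n, e):
    # SubjectPublicKeyInfo for an RSA key: what ds11:DEREncodedKeyValue carries
    rsa_key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + rsa_key))

def constructed_cert_der(n, e):
    # certificate-shaped DER for the test only: unsigned, empty names, NOT a real cert
    sig_alg = der(0x30, SHA256_RSA_OID + b"\x05\x00")
    name, validity = der(0x30, b""), der(0x30, der(0x17, b"170919000000Z") * 2)
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1234) + sig_alg
              + name + validity + name + spki_der(n, e))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))

def _tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def rsa_from_spki(spki):
    _, body, _ = _tlv(spki)
    (_, alg), (_, bitstr) = der_children(body)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, key_body, _ = _tlv(bitstr[1:])      # skip the unused-bits octet
    return tuple(int.from_bytes(v, "big") for _, v in der_children(key_body))

def rsa_from_cert(cert):
    _, cert_body, _ = _tlv(cert)
    fields = der_children(der_children(cert_body)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:               # explicit [0] version present
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return rsa_from_spki(der(0x30, fields[5][1]))

_b64 = lambda b: base64.b64encode(b).decode()
_unb64 = lambda text: base64.b64decode("".join(text.split()))
_uint = lambda v: v.to_bytes((v.bit_length() + 7) // 8, "big")

def keyinfo_x509(cert):     # RC1 shape from the first post
    return (f'<ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>'
            f'{_b64(cert)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')

def keyinfo_keyvalue(n, e): # RC3 shape from the first post
    return (f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:ds11="{DS11}"><ds:KeyValue><ds:RSAKeyValue>'
            f'<ds:Modulus>{_b64(_uint(n))}</ds:Modulus><ds:Exponent>{_b64(_uint(e))}</ds:Exponent>'
            f'</ds:RSAKeyValue></ds:KeyValue><ds11:DEREncodedKeyValue>{_b64(spki_der(n, e))}'
            f'</ds11:DEREncodedKeyValue></ds:KeyInfo>')

def rsa_keys_in_keyinfo(xml_text):
    """Every RSA public key the KeyInfo advertises, whatever encoding it uses."""
    root, found = ET.fromstring(xml_text), set()
    for el in root.iter(f"{{{DS}}}X509Certificate"):
        found.add(rsa_from_cert(_unb64(el.text)))
    for el in root.iter(f"{{{DS}}}RSAKeyValue"):
        found.add(tuple(int.from_bytes(_unb64(el.find(f"{{{DS}}}{t}").text), "big")
                        for t in ("Modulus", "Exponent")))
    for el in root.iter(f"{{{DS11}}}DEREncodedKeyValue"):
        found.add(rsa_from_spki(_unb64(el.text)))
    return found

def keyinfo_matches_trusted(xml_text, trusted_key):
    """Accept only if everything KeyInfo advertises equals the key taken from IdP metadata."""
    found = rsa_keys_in_keyinfo(xml_text)
    return bool(found) and found == {trusted_key}
```

Calling keyinfo_matches_trusted() with the RC1-shaped and the RC3-shaped KeyInfo built from the same toy key returns True for both; a KeyInfo whose advertised key differs from the metadata key, or one that advertises two different keys, returns False. The real signature verification still has to be done with the metadata key; this check only rejects a message whose KeyInfo disagrees with it, which is what makes the SP indifferent to the encoding.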