SAML - consume assertion error


Stefan Wendin

May 21, 2015, 8:50:53 AM
to lu...@googlegroups.com
I have a SAML test page that used to work in ColdFusion. What I do is handle the POSTed assertion and validate the signature based on the public key. In Lucee it generates an error message in my log file as seen below:

 Error occured trying to extract assertion data... The Reference for URI #dcaff33285ac6a7aba31ed254627dfce has no XMLSignatureInput; ; samlAssertionXML: PHNhbWx....

I added xmlsec.jar to Lucee which I also did on CF. Anyone experiencing the same issue?

Regards //Stefan

Dominic Watson

May 21, 2015, 12:29:05 PM
to lu...@googlegroups.com
We'll need some code, I think, to be able to help. I've done some SAML2 work so might have some clue. I imagine, however, that it's not related to that. Could you post the code that you're using to process the incoming assertion request with?

Dominic

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/ebef7fce-9bdf-46ba-ada2-3ce930d5ef17%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Pixl8 Interactive, 3 Tun Yard, Peardon Street, London
SW8 3HT, United Kingdom

T: +44 [0] 845 260 0726 W: www.pixl8.co.uk E: in...@pixl8.co.uk

Follow us on: Facebook Twitter LinkedIn
CONFIDENTIAL AND PRIVILEGED - This e-mail and any attachment is intended solely for the addressee, is strictly confidential and may also be subject to legal, professional or other privilege or may be protected by work product immunity or other legal rules. If you are not the addressee please do not read, print, re-transmit, store or act in reliance on it or any attachments. Instead, please email it back to the sender and then immediately permanently delete it. Pixl8 Interactive Ltd Registered in England. Registered number: 04336501. Registered office: 8 Spur Road, Cosham, Portsmouth, Hampshire, PO6 3EB

Dominic Watson

May 22, 2015, 4:11:00 AM
to lu...@googlegroups.com
On what line is it erroring?

On 21 May 2015 at 18:03, Stefan Wendin <stefan...@comintelli.com> wrote:
Hi,
 
Thanks for the reply. The script I'm using is below. For test purposes I am setting the variable SAMLResponse with the SAML assertion:
 
<cfset SAMLResponse = "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhb......">

<cfset x509cert = SAMLSvc.getIdpCertificate()>
<cfscript>
  xmlResponse = CharsetEncode(BinaryDecode(SAMLResponse, "Base64"), "utf-8");
  docElement = XmlParse(xmlResponse).getDocumentElement();

  responseID = docElement.getAttributes().getNamedItem("ID").getTextContent();
  //writedump(xmlResponse);
  // IdP is signing the SAML Response using a "non standard" ID attribute, which is only supported in DOM3 and XMLBeans does not support DOM3
  // the Assertion ID must be registered before Signature Validation
  idResolver = CreateObject("Java", "org.apache.xml.security.utils.IdResolver");

  assertionElement = docElement.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion").item(0);
  idAttr = assertionElement.getAttributes().getNamedItem("ID");
  idResolver.registerElementById(assertionElement, idAttr);

  SignatureConstants = CreateObject("Java", "org.apache.xml.security.utils.Constants");
  SignatureSpecNS = SignatureConstants.SignatureSpecNS;
  // Must initiate only first time
  SecInit = CreateObject("Java", "org.apache.xml.security.Init").Init().init();
  xmlSignatureClass = CreateObject("Java", "org.apache.xml.security.signature.XMLSignature");
  // item(0) is the first ds:Signature in document order
  signature = xmlSignatureClass.init(docElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig##", "Signature").item(0), javacast("string", ""));

  // Verify Signature
  isValid = signature.checkSignatureValue(x509cert);

  // Extract conditions
  conditionElement = docElement.getElementsByTagName("saml:Conditions").item(0);
  conditions = conditionElement.getAttributes();
  before = conditions.getNamedItem("NotBefore").getNodeValue();
  after = conditions.getNamedItem("NotOnOrAfter").getNodeValue();

  // Extract User: iterate the saml:Attribute children of the AttributeStatement
  // (an Element has no item()/getLength(); those belong to a NodeList)
  attributesElement = docElement.getElementsByTagName("saml:AttributeStatement").item(0);
  attributeNodes = attributesElement.getElementsByTagName("saml:Attribute");

  ssouser = StructNew();
  for (attNo = 0; attNo LT attributeNodes.getLength(); attNo = attNo + 1) {
    attribute = attributeNodes.item(attNo);
    name = attribute.getAttributes().getNamedItem("Name").getTextContent();
    // first saml:AttributeValue child of this Attribute
    value = attribute.getElementsByTagName("saml:AttributeValue").item(0).getTextContent();
    ssouser[name] = value;
  }
</cfscript>

Best Regards,

Stefan Wendin
Senior Software Developer

Software for Knowledge Management & Competitive Intelligence

Comintelli®
Kista Science Tower | S-164 51 Kista, Sweden
Internet: www.comintelli.com
E-mail: stefan...@comintelli.com
Mobile: +46 70 269 95 01 | Skype: stefanw70

Stefan Wendin

May 25, 2015, 7:05:34 AM
to lu...@googlegroups.com
I managed to solve the issue. I was using an incorrect attribute reference, since the SAML Response signature was different from the Assertion signature. Case closed!

Juan Aguilar

May 27, 2015, 4:21:22 PM
to lu...@googlegroups.com
Would you mind sharing your fixed code? I'm running into the same issue.

Stefan Wendin

Jun 2, 2015, 5:20:34 AM
to lu...@googlegroups.com
What you need to do is find the correct signature. If the response is signed with one reference as item(0):
signature = XMLSignatureClass.init(docElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig##","Signature").item(0), javacast("string",""));

The assertion would be signed with reference in item(1):
signature = XMLSignatureClass.init(docElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig##","Signature").item(1), javacast("string",""));

My reference ID points to item(1) which is why I had to add that as the signature value.
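The selection Stefan describes, choosing the ds:Signature by the Reference ID it carries rather than by a fixed item() position, as an added example that is not part of this thread and not Lucee or xmlsec code. It is Python using only the standard library, run on a constructed Response whose IDs, issuer and digest/signature values are placeholders, and it covers only the structural step: indexing ID attributes (what IdResolver.registerElementById does for xmlsec), reading each Signature's Reference URI, and requiring the matching Signature to sit inside the element it references. It does not verify the signature value; that remains checkSignatureValue's job.

```python
"""Pick the ds:Signature that covers a given SAML element by its Reference URI.

Added example (Python, standard library only); not code from the thread or
from Lucee/xmlsec. Structural step only: which ds:Signature references which
ID. The cryptographic check is still xmlsec's checkSignatureValue.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample, not a real IdP response: one enveloped Signature on the
# Response and one on the Assertion. IDs, issuer and all digest/signature
# values are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    xmlns:ds="{DS_NS}" ID="_resp123" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_resp123"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert456" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_assert456"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def index_ids(root):
    """Map each ID attribute value to its element: the equivalent of what
    IdResolver.registerElementById does for xmlsec. Duplicate IDs are rejected
    because a Reference URI must resolve to exactly one element."""
    ids = {}
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is None:
            continue
        if el_id in ids:
            raise ValueError(f"duplicate ID attribute {el_id!r}")
        ids[el_id] = el
    return ids


def reference_uris(signature):
    """URIs of all ds:Reference elements under one ds:Signature."""
    return [ref.get("URI") for ref in signature.iter(f"{{{DS_NS}}}Reference")]


def signature_position(xml_text, target_id):
    """Return the document-order index (the n in getElementsByTagNameNS(...).item(n))
    of the ds:Signature that covers the element whose ID is target_id.

    A match requires the Signature to (a) reference exactly '#target_id' and
    (b) be a direct child of that element (an enveloped signature), so a
    Signature elsewhere in the document that merely names the ID is ignored."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    target = ids.get(target_id)
    if target is None:
        # The situation xmlsec reports as "has no XMLSignatureInput"
        raise LookupError(f"no element with ID {target_id!r}")
    signatures = list(root.iter(f"{{{DS_NS}}}Signature"))
    for pos, sig in enumerate(signatures):
        if reference_uris(sig) == [f"#{target_id}"] and any(sig is child for child in target):
            return pos
    raise LookupError(f"no enveloped signature references #{target_id}")


def response_signature_position(xml_text):
    """Index of the Signature on the samlp:Response itself."""
    root = ET.fromstring(xml_text)
    return signature_position(xml_text, root.get("ID"))


def assertion_signature_position(xml_text):
    """Index of the Signature on the first saml:Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise LookupError("response carries no saml:Assertion")
    return signature_position(xml_text, assertion.get("ID"))


if __name__ == "__main__":
    print("response signature is item(%d)" % response_signature_position(SAMPLE_RESPONSE))
    print("assertion signature is item(%d)" % assertion_signature_position(SAMPLE_RESPONSE))
```

The index returned is the n for item(n) in the CFML above: on this sample the Response signature is item(0) and the Assertion signature is item(1), as in the thread. Relying on that order is what broke here, since an IdP that signs only the assertion, or only the response, shifts the positions. Matching by Reference URI and enclosure, and rejecting duplicate IDs, keeps the consumer on the signature that actually covers the element it goes on to read conditions and attributes from.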