Generating empty Reference URI in a SAML response.

JC

Jan 4, 2017, 4:14:06 PM
to SimpleSAMLphp
Hi all,

I'm a pretty new user of SimpleSAMLphp, and I'm currently using it to test a SAML SP.
This is only for personal purposes (the target of my test is my SP, not the IdP).
For one test, I need the SP to get a signed assertion whose Reference URI looks like this: <ds:Reference URI="">.

I know that according to the SAML 2.0 core specification it's explicitly disallowed to have an empty reference URI.
But I want to know the behaviour of my SP when getting a SAML Response with an empty string as Reference URI.
I tried to tweak several PHP files, but I was unsuccessful, so far.

Do you know if it could be possible to do that?
Can anybody suggest the PHP files to tweak to generate such a response?

Regards,
JC

Peter Schober

Jan 4, 2017, 4:55:47 PM
to SimpleSAMLphp
* JC <jcda...@gmail.com> [2017-01-04 22:14]:
> I know that according to the SAML 2.0 core specification it's explicitly
> disallowed to have an empty reference URI.
> But I want to know the behaviour of my SP when getting a SAML Response with
> an empty string as Reference URI.

Seems you want something other than a working (and conformant) SAML
IDP implementation. I.e., not SimpleSAMLphp itself.

Probably not even SimpleSAMLphp's split off SAML2 library
https://github.com/simplesamlphp/saml2 as I doubt that's built to
allow generating invalid protocol messages either.

-peter

JC

Jan 5, 2017, 4:05:29 AM
to SimpleSAMLphp
Hi Peter,

Thank you very much for the clarification.
Actually, I managed to make SSP generate an assertion with an empty string as Reference URI.
I did this by adding this instruction $refNode->setAttribute("URI", ''); (in line 1094) in the file /usr/share/simplesamlphp/lib/xmlseclibs.php.
This allowed me to perform the test for my SP.
Thank you again, I'll close this thread.

Regards,
JC
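
Added example, not part of the thread and not SimpleSAMLphp code: a structural pre-check an SP could run on the kind of message tested above, rejecting a signature whose Reference URI is empty or does not name the signed element's own ID. The sample assertion, its ID and the function names are constructed for illustration, and the check complements cryptographic signature verification rather than replacing it.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a bare assertion carrying only the parts the check reads.
TEMPLATE = (
    '<saml:Assertion xmlns:saml="{saml}" xmlns:ds="{ds}" ID="_a1">'
    '<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature>'
    '</saml:Assertion>'
)


def sample(*uris):
    """Build the constructed assertion with one ds:Reference per URI given."""
    refs = "".join(f'<ds:Reference URI="{u}"/>' for u in uris)
    return ET.fromstring(TEMPLATE.format(saml=SAML, ds=DS, refs=refs))


def covered_id(signed_el):
    """Return the ID the enveloped signature refers to, or raise ValueError."""
    # Only a ds:Signature that is a direct child of the element counts.
    sig = signed_el.find(f"{{{DS}}}Signature")
    if sig is None:
        raise ValueError("no enveloped ds:Signature")
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        raise ValueError(f"expected exactly one ds:Reference, found {len(refs)}")
    uri = refs[0].get("URI")
    if not uri:
        # URI="" means "the whole document" in XML-DSig; the case from the thread.
        raise ValueError("empty or missing Reference URI")
    el_id = signed_el.get("ID")
    if not el_id or uri != "#" + el_id:
        raise ValueError(f"Reference URI {uri!r} does not match ID {el_id!r}")
    return el_id


def verdict(*uris):
    """'accept <id>' or 'reject: <reason>' for the constructed sample."""
    try:
        return "accept " + covered_id(sample(*uris))
    except ValueError as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    for case in (("#_a1",), ("",), ("#_other",), ("#_a1", "#_a1")):
        print(case, "->", verdict(*case))
```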