Saml authentication


Nikoms

Feb 28, 2012, 4:23:57 AM2/28/12
to eID Applet
Hello,

I tried to authenticate with eID with SAML because I can't use a servlet
on my webserver.

After some searches, I discovered that there is an example for SAML
here: "http://code.google.com/p/eid-idp/wiki/SimpleSAMLphp".

I executed it in my dev environment (so maybe that's the problem?),
the "redirection" works and I have to enter my PIN code. But right
after, I have an "Erreur générale" with these logs:

eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.5.Beta2
Java version: 1.7.0_03
Java vendor: Oracle Corporation
OS: Windows XP
OS version: 5.1
OS arch: x86
Web application URL: https://www.e-contract.be/eid-idp/authentication
Current time: Tue Feb 28 10:12:01 CET 2012
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
SSL session Id mismatch
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: true
logoff: true
pre-logoff: true
TLS session Id channel binding: false
server certificate channel binding: true
include identity: true
include certificates: true
include address: true
include photo: true
include integrity data: false
require secure smart card reader: false
transaction message: https://mysite.dev:4443/simplesaml/module.php/saml/sp/metadata.php/default-sp
@ 28/2/2012 10:11:59
Détection de la carte eID.
Détection de la carte eID.
Scanning card terminal: AKS ifdh 0
Scanning card terminal: AKS ifdh 1
Scanning card terminal: AKS VR 0
Scanning card terminal: Generic EMV Smartcard Reader 0
eID card detected in card terminal : Generic EMV Smartcard Reader 0
Autorisez...
performing a pre-logoff
logoff...
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
selecting key...
computing digital signature...
PIN verification required...
verifying PIN...
computing digital signature...
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
selecting key...
computing digital signature...
SW: 6700
error: compute digital signature error
error type: java.lang.RuntimeException
at be.fedict.eid.applet.sc.PcscEid.sign:816
at be.fedict.eid.applet.sc.PcscEid.signTransactionMessage:1840
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1034
at be.fedict.eid.applet.Controller.run:335
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Erreur générale.


Frank Cornelis

Feb 28, 2012, 5:21:35 AM2/28/12
to eid-a...@googlegroups.com
Hi Nikoms,


I've disabled the support for the new eID secure pinpad reader on the
e-contract.be eID IdP.
Could you try again now?

Which smart card reader do you use exactly?

Do you run a virtual machine? VMWare or so? If so, could you redo the
test without VM?

Kind Regards,
Frank.

Nikoms

Feb 28, 2012, 6:34:30 AM2/28/12
to eID Applet
Hi Frank,

Thank you for the quick answer!

It's working now. I use a "fnac" card reader and I have no VM.


I've changed identification to OpenID; it seems better for PHP and my
configuration.

FYI, I use the openid-enabled library (http://www.janrain.com/openid-enabled).
They give an example to connect to an OpenID address and it
works like a charm.

I just have to find out how to retrieve attributes of the card and I'll be
happy.

As soon as I have found it, I will write the code here to help other
PHP devs.

Thank you again.

Nicolas

Koen Thomeer

Feb 28, 2012, 6:48:20 AM2/28/12
to eid-a...@googlegroups.com
I used simpleSAMLphp, but I removed the cookies and the session vars of simpleSAMLphp afterwards, because I only needed to read the card (and not to do access authentication).

Koen

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.
To post to this group, send email to eid-a...@googlegroups.com.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.




--
Koen Thomeer, MD, MSc
http://koen.thomeer.be

Frank Cornelis

Feb 28, 2012, 6:49:02 AM2/28/12
to eid-a...@googlegroups.com
Hi Nikoms,


Thanks for the initiative to share your findings with us.

Could you be a bit more specific about this "fnac" card reader? Is it a
secure pinpad reader or so? Product ID?
We have to be able to test it out ourselves.


Kind Regards,
Frank.

Nikoms

Feb 28, 2012, 7:30:30 AM2/28/12
to eID Applet
Hi Frank,

Unfortunately, I have no more information about this card reader
(there is nothing on the box except "fnac" smart). I'll try to find
some more information about it for you.


I found out how to get attributes with PHP. I used LightOpenID (yes, I
know, I change my mind every time), which is the easiest I have ever seen
(http://gitorious.org/lightopenid).


I have 3 questions before showing the code:

- Are there other valid attributes in the axschema (see $openid->required)?
  (I found them in eid-idp-common/src/main/java/be/fedict/eid/idp/common/OpenIDAXConstants.java)
- Is it possible to get the house number in another attribute?
- And even if I don't need it, is it possible to get the photo?

To get the attributes, here is my code that works (except for the photo):


<?php
require 'openid.php';   # LightOpenID
try {
    # Change 'mysite.dev' to your domain name.
    $openid = new LightOpenID('http://mysite.dev');
    if (!$openid->mode) {
        if (isset($_GET['login'])) {
            $openid->identity = 'https://www.e-contract.be/eid-idp/endpoints/openid/ident';
            # The following two assignments request attributes (AX) from the provider.
            $openid->required = array(
                'namePerson/first',
                'namePerson/last',
                'namePerson',
                'contact/postalAddress/home',
                'contact/city/home',
                'contact/postalCode/home',
                'birthDate',
                'person/gender',
                'eid/nationality',
                'eid/pob',
            );
            $openid->optional = array(
                'eid/photo',
            );
            header('Location: ' . $openid->authUrl());
            exit; # stop rendering the form once the redirect has been sent
        }
?>
<form action="?login" method="post">
    <button>Login with eID</button>
</form>
<?php
    } elseif ($openid->mode == 'cancel') {
        echo 'User has canceled authentication!';
    } else {
        # validate() checks the provider's signature on the returned assertion
        echo 'User ' . ($openid->validate() ? $openid->identity . ' has ' : 'has not ') . 'logged in.';
        print_r($openid->getAttributes());
    }
} catch (ErrorException $e) {
    echo $e->getMessage();
}



I'll keep you in touch for the reader.

kind regards,

Nicolas

Frank Cornelis

Aug 10, 2012, 4:45:44 AM8/10/12
to eid-a...@googlegroups.com
Hi GS,



Could you try again now?


Kind Regards,
Frank.

On 08/10/2012 10:23 AM, gsraci...@gmail.com wrote:
Hi !


I got errors too but I don't know why..

Here is the error log. Could you help us with it?


eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
[libj2pcsc.so workaround] Workaround for developer-only libj2pcsc.so on GNU/Linux Platforms enabled..
[libj2pcsc.so workaround] pcsclite found. Adjusting sun.security.smartcardio.library to [/usr/lib/libpcsclite.so.1]
eID browser applet version: 1.0.5.Beta5
Java version: 1.6.0_26
Java vendor: Sun Microsystems Inc.
OS: Linux
OS version: 3.2.0-0.bpo.2-686-pae
OS arch: i386
Current time: Fri Aug 10 10:21:09 CEST 2012

session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5

SSL session Id mismatch
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: true
logoff: true
pre-logoff: true
TLS session Id channel binding: false
server certificate channel binding: true
include identity: true
include certificates: true
include address: true
include photo: true
include integrity data: false
require secure smart card reader: false

Détection de la carte eID.
Détection de la carte eID.
Scanning card terminal: ACS ACR38U 00 00
Veuillez introduire votre carte eID...
Scanning card terminal: ACS ACR38U 00 00
eID card detected in card terminal : ACS ACR38U 00 00

Autorisez...
performing a pre-logoff
logoff...
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
selecting key...
computing digital signature...
PIN verification required...
verifying PIN...
computing digital signature...
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
selecting key...
computing digital signature...
selecting file
read binary
selecting file
read binary
selecting file
read binary
reading sign certificate file...
selecting file
read binary
size non-repud cert file: 1080
Lecture des données d'identification.
selecting file
read binary
selecting file
read binary
selecting file
read binary
Veuillez retirer votre carte eID...
sending message: AuthenticationDataMessage
current protocol state: AUTHENTICATE
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
HTTP response code: 500
HTTP Status 500 - JBoss Web/3.0.0-CR2 error report
type: Exception report
description: The server encountered an internal error () that prevented it from fulfilling this request.
exception: javax.servlet.ServletException: java.lang.SecurityException: error verifying TransactionMessage signature: signed TransactionMessage incorrect
    org.jboss.seam.web.ExceptionFilter.endWebRequestAfterException(ExceptionFilter.java:126)
    org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:70)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
    org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
    org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
    org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
    org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
    be.fedict.eid.idp.webapp.IE9CompatablityFixFilter.doFilter(IE9CompatablityFixFilter.java:42)
root cause: java.lang.SecurityException: error verifying TransactionMessage signature: signed TransactionMessage incorrect
    be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:284)
    be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:83)
    be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:310)
    be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:61)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:60)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
    org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
    org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
    org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
    org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
    org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
    be.fedict.eid.idp.webapp.IE9CompatablityFixFilter.doFilter(IE9CompatablityFixFilter.java:42)
note: The full stack trace of the root cause is available in the JBoss Web/3.0.0-CR2 logs.
error: error sending message to service. HTTP status code: 500
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:191
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1169

at be.fedict.eid.applet.Controller.run:335
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:662
Erreur générale.


Thanks

Gaëtan Slongo

Aug 13, 2012, 10:10:35 AM8/13/12
to eID Applet
Hi ! :)

Yes, no error it seems, but now I get a redirect to:

https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

I don't understand why o_O

Where do I configure the last redirect?

Thanks




Frank Cornelis

Aug 13, 2012, 10:26:38 AM8/13/12
to eid-a...@googlegroups.com
Hi Gaëtan,


That's something you configure yourself as part of the SAML 2.0 Browser
POST request message. The exact configuration of course depends on the
used framework (which is SimpleSAML in your case).


Kind Regards,
Frank.

Gaëtan Slongo

Aug 13, 2012, 10:54:18 AM8/13/12
to eID Applet
Thanks for the answer.

I'm just discovering all of these technologies...

I found some config strings such as 'Location',
'AssertionConsumerService', 'RelayState' but I don't know which one to
use...

Could you just tell me how to get back to the index page right after
authentication? Where do I configure this part of that request?

Thanks

Frank Cornelis

Aug 14, 2012, 4:46:59 AM8/14/12
to eid-a...@googlegroups.com
Hi Gaëtan,


For the SAML 2.0 Browser POST authentication protocol, the eID IdP is using the AssertionConsumerServiceURL attribute of the AuthnRequest element as target for passing the protocol response back to the relying party web application.

See also section 3.4.1 Element <AuthnRequest> of the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 specification:
https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf


Kind Regards,
Frank.

