SAML Response XML Creation


deepak verma

Jan 7, 2017, 2:04:15 PM
to SAML-based Single Sign On for Google Apps
I am trying to setup Google as SP and my own database as IDP. I have configured my GSuite account with my login and logout URL and google is redirecting to them perfectly.
But after the SAML request from Google, when I try to generate the SAML response, I am getting: G Suite - This account cannot be accessed because we could not parse the login request.


Below is my SAML Response XML:

<samlp:Response ID="GOSAMLRESPONSE1483815502560125571330856" IssueInstant="2017-01-07T18:58:22Z" Version="2.0" Destination="https://www.google.com/a/ieselgrao.org/acs" InResponseTo="pembiegljocdopdmngbhlbmgfimogjdhelpfleeo"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue></DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue></SignatureValue>
        <KeyInfo>
            <KeyValue></KeyValue>
        </KeyInfo>
    </Signature>
        <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <Assertion ID="GOSAMLASSERTION1483815502560125571330856" IssueInstant="2017-01-07T18:58:22Z" Version="2.0"
                xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                <Issuer></Issuer>
                <Subject>
                        <NameID
                                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                                ad...@demo.sample.com
                        </NameID>
                        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                <SubjectConfirmationData
                                        Recipient="https://www.google.com/a/demo.sample.com/acs"
                                        NotOnOrAfter="2017-01-08T18:58:22Z"
                                        InResponseTo="pembiegljocdopdmngbhlbmgfimogjdhelpfleeo"/>
                        </SubjectConfirmation>
                </Subject>
                <Conditions NotBefore="2017-01-07T18:58:22Z"
                        NotOnOrAfter="2017-01-08T18:58:22Z">
                        <AudienceRestriction>
                                <Audience>https://www.google.com/a/demo.sample.com/acs</Audience>
                        </AudienceRestriction>
                </Conditions>
                <AuthnStatement AuthnInstant="2017-01-07T18:58:22Z">
                        <AuthnContext>
                                <AuthnContextClassRef>
                                        urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                </AuthnContextClassRef>
                        </AuthnContext>
                </AuthnStatement>
        </Assertion>
</samlp:Response>



Points:
1. google_request_id: I am filling it from the SAMLRequest XML's ID attribute.
2. username: my Gmail ID.

Questions:
1. How do I fill the DigestValue and SignatureValue nodes, and how do I calculate them?
2. Do I need to POST the SSO SAML in base64-encoded format, or just the complete XML above as a POST with the SAMLResponse key? I am also passing RelayState the same as I received it in the SAML request from Google.

Any help will be much appreciated. I am using Python.

Thanks.


deepak verma

Jan 7, 2017, 3:14:46 PM
to SAML-based Single Sign On for Google Apps
I tried passing the digest value and signature value as:



<samlp:Response ID="GOSAMLRESPONSE1483819662530462730598197" IssueInstant="2017-01-07T20:07:42Z" Version="2.0" Destination="https://www.google.com/a/demo.mediaagility.com/acs" InResponseTo="hehoaakjbcffnalanklehnehfkgbodhllpnmkpgm"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#GOSAMLASSERTION1483819662530462730598197">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>CqZoDobzF87fvSMDdflen5m+KBs=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>…</SignatureValue>
        <KeyInfo>
            <KeyValue></KeyValue>
        </KeyInfo>
    </Signature>
        <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <Assertion ID="GOSAMLASSERTION1483819662530462730598197" IssueInstant="2017-01-07T20:07:42Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer></Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@demo.mediaagility.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="https://www.google.com/a/demo.mediaagility.com/acs" NotOnOrAfter="2017-01-08T20:07:42Z" InResponseTo="hehoaakjbcffnalanklehnehfkgbodhllpnmkpgm"/></SubjectConfirmation></Subject><Conditions NotBefore="2017-01-07T20:07:42Z" NotOnOrAfter="2017-01-08T20:07:42Z"><AudienceRestriction><Audience>https://www.google.com/a/demo.mediaagility.com/acs</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2017-01-07T20:07:42Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>
</samlp:Response>



1. digestvalue is: base64.b64encode(sha1(<Assertion ID="GOSAMLASSERTION1483819662530462730598197" IssueInstant="2017-01-07T20:07:42Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer></Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ad...@demo.mediaagility.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="https://www.google.com/a/demo.mediaagility.com/acs" NotOnOrAfter="2017-01-08T20:07:42Z" InResponseTo="hehoaakjbcffnalanklehnehfkgbodhllpnmkpgm"/></SubjectConfirmation></Subject><Conditions NotBefore="2017-01-07T20:07:42Z" NotOnOrAfter="2017-01-08T20:07:42Z"><AudienceRestriction><Audience>https://www.google.com/a/demo.mediaagility.com/acs</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2017-01-07T20:07:42Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>))

2. SignatureValue is: base64.b64encode(open('cert.pm', 'rb').read())
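The following is an added example, not code from the thread and not anything Google publishes: a stdlib-only Python 3.8+ walk-through of what DigestValue and SignatureValue are, how a verifier recomputes them, and what the HTTP-POST form field contains. Everything not in the original post is an assumption: the RSA key is a deterministic toy key generated in-line (a real IdP signs with the private key behind the certificate uploaded in the Google Admin console, held by a vetted library or an HSM); the issuer, domain, ACS URL, NameID and audience are placeholders; and the canonicalization is the stdlib C14N 2.0 serializer, which is not the exclusive C14N 1.0 that the SignedInfo declares and that any conforming verifier, Google's included, will apply, so the block round-trips against its own verifier but needs lxml or signxml before it interoperates.

```python
import base64, hashlib, hmac, math, random, re
import xml.etree.ElementTree as ET

SAML, SAMLP = "urn:oasis:names:tc:SAML:2.0:assertion", "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG, EXC_C14N = "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2001/10/xml-exc-c14n#"

def canon(xml_text):
    # CAVEAT: stdlib canonicalize() is C14N 2.0, not the exclusive C14N 1.0 that SignedInfo declares and a real
    # verifier applies; it is deterministic, so signer and verifier here agree. Use lxml or signxml for interop.
    return ET.canonicalize(xml_text).encode()

def _is_probable_prime(n, rng, rounds=32):  # Miller-Rabin for a large odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def make_rsa_key(bits=1024, seed=2017):
    # ASSUMPTION: deterministic toy key so the demo reproduces; a real IdP signs with a library/HSM-held key.
    rng, e, half = random.Random(seed), 65537, bits // 2
    prime = lambda: next(c for c in iter(lambda: rng.getrandbits(half) | 1 << (half - 1) | 1, None)
                         if _is_probable_prime(c, rng))  # random odd candidates with the top bit set
    while True:
        p, q = prime(), prime()
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # (n, e, d)

def _emsa_pkcs1_v15(data, k):  # RSASSA-PKCS1-v1_5 block over SHA-256(data); k = modulus size in bytes
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(data).digest()  # DER DigestInfo
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha256_sign(data, key):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha256_verify(data, sig, key):
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(data, k))  # compare the whole block, not just the hash

def sign_assertion(assertion_xml, aid, key):
    # DigestValue = base64(SHA-256(canonical form of the referenced element with the enveloped Signature removed)).
    digest = base64.b64encode(hashlib.sha256(canon(assertion_xml)).digest()).decode()
    signed_info = (
        f'<SignedInfo xmlns="{DSIG}"><CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        f'<Reference URI="#{aid}"><Transforms><Transform Algorithm="{DSIG}enveloped-signature"/>'
        f'<Transform Algorithm="{EXC_C14N}"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<DigestValue>{digest}</DigestValue></Reference></SignedInfo>')
    # SignatureValue = base64(RSA signature over the canonical SignedInfo): a signature, not the certificate.
    sig = base64.b64encode(rsa_sha256_sign(canon(signed_info), key)).decode()
    signature = f'<Signature xmlns="{DSIG}">{signed_info}<SignatureValue>{sig}</SignatureValue></Signature>'
    return assertion_xml.replace("</Issuer>", "</Issuer>" + signature, 1)  # schema order: Issuer, Signature, Subject

def _attr(name, s): return re.search(rf'\b{name}="([^"]*)"', s).group(1)
def _text(name, s): return re.search(rf"<{name}>([^<]*)</{name}>", s).group(1)

def verify_assertion(response_xml, key):  # the SP's side; regex extraction keeps this stdlib-only (demo only)
    a = re.search(r"<Assertion\b.*?</Assertion>", response_xml, re.S)
    s = a and re.search(rf'<Signature xmlns="{re.escape(DSIG)}">.*?</Signature>', a.group(0), re.S)
    if not s: return False
    assertion, signature = a.group(0), s.group(0)
    signed_info = re.search(r"<SignedInfo\b.*?</SignedInfo>", signature, re.S).group(0)
    if _attr("URI", signed_info) != "#" + _attr("ID", assertion): return False  # Reference must name THIS element
    digest = base64.b64encode(hashlib.sha256(canon(assertion.replace(signature, "", 1))).digest()).decode()
    if not hmac.compare_digest(digest, _text("DigestValue", signed_info)): return False  # enveloped transform + digest
    return rsa_sha256_verify(canon(signed_info), base64.b64decode(_text("SignatureValue", signature)), key)

def build_signed_response(key, in_response_to="hehoaakjbcffnalanklehnehfkgbodhllpnmkpgm"):
    # Constructed placeholders (issuer, domain, ACS, audience = SP entity ID); request ID from the post; short validity.
    issued, not_after, aid = "2017-01-07T20:07:42Z", "2017-01-07T20:12:42Z", "_a7c1"
    acs, issuer = "https://www.google.com/a/demo.example.com/acs", "https://idp.example.com/saml"
    assertion = (  # default namespace on the element itself, so it canonicalizes stand-alone
        f'<Assertion ID="{aid}" IssueInstant="{issued}" Version="2.0" xmlns="{SAML}"><Issuer>{issuer}</Issuer>'
        '<Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@demo.example.com'
        '</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData '
        f'Recipient="{acs}" NotOnOrAfter="{not_after}" InResponseTo="{in_response_to}"/></SubjectConfirmation>'
        f'</Subject><Conditions NotBefore="{issued}" NotOnOrAfter="{not_after}"><AudienceRestriction>'
        '<Audience>google.com/a/demo.example.com</Audience></AudienceRestriction></Conditions>'
        f'<AuthnStatement AuthnInstant="{issued}"><AuthnContext><AuthnContextClassRef>'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>'
        '</AuthnContext></AuthnStatement></Assertion>')
    return (f'<samlp:Response ID="_r9e2" Version="2.0" IssueInstant="{issued}" Destination="{acs}" '
            f'InResponseTo="{in_response_to}" xmlns:samlp="{SAMLP}" xmlns="{SAML}"><Issuer>{issuer}</Issuer>'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            f'{sign_assertion(assertion, aid, key)}</samlp:Response>')

def encode_for_post(response_xml):  # HTTP-POST binding: base64 of the XML, no DEFLATE (that is HTTP-Redirect)
    return base64.b64encode(response_xml.encode()).decode()
```

Against the two questions in the thread, in order: DigestValue is base64(hash(canonicalized referenced element, with the enveloped Signature removed)) and SignatureValue is base64(RSA signature over the canonicalized SignedInfo) made with the IdP private key; neither is the certificate, and hashing the raw, non-canonical text produces a digest no verifier will reproduce. For the HTTP-POST binding the SAMLResponse field is the base64 of the complete XML (not deflated, which is the HTTP-Redirect binding) and RelayState is echoed back unchanged in its own field. verify_assertion also shows why the Reference URI has to match the ID of the element the SP actually consumes: accepting a signature whose Reference names some other element is the XML signature wrapping class of bug. For production use signxml or python3-saml instead of hand-rolled RSA and regex extraction, prefer the rsa-sha256 and sha256 algorithm identifiers over the deprecated sha1 ones, and keep NotOnOrAfter minutes away rather than a day.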