SAML - consume assertion error

331 views
Skip to first unread message

Stefan Wendin

unread,
May 21, 2015, 8:50:53 AM5/21/15
to lu...@googlegroups.com
I have an SAML test page that used to work in Coldfusion. What I do is to handle the POSTed assertion, validate the signature based on public key. In Lucee it generates an error message in my log file as seen below:

 Error occured trying to extract assertion data... The Reference for URI #dcaff33285ac6a7aba31ed254627dfce has no XMLSignatureInput; ; samlAssertionXML: PHNhbWx....

I added xmlsec.jar to Lucee which I also did on CF. Anyone experiencing the same issue?

Regards //Stefan

Dominic Watson

unread,
May 21, 2015, 12:29:05 PM5/21/15
to lu...@googlegroups.com
We'll need some code I think to be able to help. I've done some SAML2 work so might have some clue. I imagine however that its not related to that. Could you post the code that your using to process the incoming assertion request with?

Dominic

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/ebef7fce-9bdf-46ba-ada2-3ce930d5ef17%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Pixl8 Interactive, 3 Tun Yard, Peardon Street, London
SW8 3HT, United Kingdom

T: +44 [0] 845 260 0726 W: www.pixl8.co.uk E: in...@pixl8.co.uk

Follow us on: Facebook Twitter LinkedIn
CONFIDENTIAL AND PRIVILEGED - This e-mail and any attachment is intended solely for the addressee, is strictly confidential and may also be subject to legal, professional or other privilege or may be protected by work product immunity or other legal rules. If you are not the addressee please do not read, print, re-transmit, store or act in reliance on it or any attachments. Instead, please email it back to the sender and then immediately permanently delete it. Pixl8 Interactive Ltd Registered in England. Registered number: 04336501. Registered office: 8 Spur Road, Cosham, Portsmouth, Hampshire, PO6 3EB
Message has been deleted

Dominic Watson

unread,
May 22, 2015, 4:11:00 AM5/22/15
to lu...@googlegroups.com
On what line is it erroring?

On 21 May 2015 at 18:03, Stefan Wendin <stefan...@comintelli.com> wrote:
Hi,
 
Thanks for the reply. The script I´m using is below. For test purposes I am setting the variable  SAMLResponse with the SAML assertion:
 
<cfset SAMLResponse = "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhb......">
 
<cfset x509cert = SAMLSvc.getIdpCertificate()>
 <cfscript>
  xmlResponse=CharsetEncode(BinaryDecode(SAMLResponse,"Base64") ,"utf-8");
  docElement = XmlParse(xmlResponse).getDocumentElement();
  
  responseID = docElement.getAttributes().getNamedItem('ID').getTextContent();
  //writedump(xmlResponse);
  //IdP is signing the SAML Response using a "non standard" ID attribute, which is only supported in DOM3 and XMLBeans does not support DOM3
  //the Assertion ID must be registerd before Signature Validation
  idResolver = CreateObject("Java", "org.apache.xml.security.utils.IdResolver");
  
  assertionElement = docElement.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion").item(0);
  attrStore = assertionElement.getAttributes();
  idAttr = CreateObject("Java","org.w3c.dom.Attr");
  idAttr = attrStore.getNamedItem("ID");
 
  idResolver.registerElementById(assertionElement, idAttr);
 
  SignatureConstants=CreateObject( "Java", "org.apache.xml.security.utils.Constants");
  SignatureSpecNS=SignatureConstants.SignatureSpecNS;
  //Must initiate only first time
  SecInit = CreateObject("Java", "org.apache.xml.security.Init").Init().init();
  xmlSignatureClass = CreateObject("Java", "org.apache.xml.security.signature.XMLSignature");
  signature = XMLSignatureClass.init(docElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig##","Signature").item(0), javacast("string",""));
  
  // Verify Signature
  isValid = signature.checkSignatureValue(x509cert);
  
  //Extract conditions
  conditionElement = docElement.getElementsByTagName("saml:Conditions").item(0);
  conditions = conditionElement.getAttributes();
  before = conditions.getNamedItem("NotBefore").getNodeValue();
  after = conditions.getNamedItem("NotOnOrAfter").getNodeValue();
 
  // Extract User
  attributesElement = docElement.getElementsByTagName("saml:AttributeStatement").item(0);
  attributes = attributesElement.getAttributes();
  
  ssouser = StructNew();
  for (
   attNo = 0 ;
   attNo LT attributesElement.getLength() ;
   attNo = (attNo + 1)
   ){
   name = attributesElement.item(attNo).getAttributes().getNamedItem('Name').getTextContent();
   value = attributesElement.item(attNo).item(0).getTextContent();
   ssouser[name] = value;
  }
 </cfscript>

Best Regards,

Stefan Wendin
Senior Software Developer
___________________________________________________________________________________


Software for Knowledge Management & Competitive Intelligence

Comintelli®
Kista Science Tower | S-164 51 Kista, Sweden
Internet:www.comintelli.com
E-mail:
stefan...@comintelli.com
Mobile: +46 70 269 95 01
| Skype: stefanw70

 
 
 
------ Originalmeddelande ------
Från: "Dominic Watson" <dominic...@pixl8.co.uk>
Skickat: 2015-05-21 18:29:04
Ämne: Re: [Lucee] SAML - consume assertion error
 
We'll need some code I think to be able to help. I've done some SAML2 work so might have some clue. I imagine however that its not related to that. Could you post the code that your using to process the incoming assertion request with?

Dominic
On 21 May 2015 at 13:50, Stefan Wendin <stefan...@comintelli.com> wrote:
I have an SAML test page that used to work in Coldfusion. What I do is to handle the POSTed assertion, validate the signature based on public key. In Lucee it generates an error message in my log file as seen below:

 Error occured trying to extract assertion data... The Reference for URI #dcaff33285ac6a7aba31ed254627dfce has no XMLSignatureInput; ; samlAssertionXML: PHNhbWx....

I added xmlsec.jar to Lucee which I also did on CF. Anyone experiencing the same issue?

Regards //Stefan

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Pixl8 Interactive, 3 Tun Yard, Peardon Street, London
SW8 3HT, United Kingdom
Follow us on: Facebook Twitter LinkedIn
CONFIDENTIAL AND PRIVILEGED - This e-mail and any attachment is intended solely for the addressee, is strictly confidential and may also be subject to legal, professional or other privilege or may be protected by work product immunity or other legal rules. If you are not the addressee please do not read, print, re-transmit, store or act in reliance on it or any attachments. Instead, please email it back to the sender and then immediately permanently delete it. Pixl8 Interactive Ltd Registered in England. Registered number: 04336501. Registered office: 8 Spur Road, Cosham, Portsmouth, Hampshire, PO6 3EB

--
You received this message because you are subscribed to a topic in the Google Groups "Lucee" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/lucee/xWkoeVTMNEY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to lucee+un...@googlegroups.com.

To post to this group, send email to lu...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Stefan Wendin

unread,
May 25, 2015, 7:05:34 AM5/25/15
to lu...@googlegroups.com
I managed to solve the issue. I was using incorrect attribute reference since the saml response signature was different to the assertion signature. Case closed!

Juan Aguilar

unread,
May 27, 2015, 4:21:22 PM5/27/15
to lu...@googlegroups.com
Would you mind sharing your fixed code? I'm running into the same issue.

Stefan Wendin

unread,
Jun 2, 2015, 5:20:34 AM6/2/15
to lu...@googlegroups.com
What you need to do is find the correct signature. If the response is signed with one reference as item(0):
signature = XMLSignatureClass.init(docElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig##","Signature").item(0), javacast("string",""));

The assertion would be signed with reference in item(1):
signature = XMLSignatureClass.init(docElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig##","Signature").item(1), javacast("string",""));

My reference ID points to item(1) which is why I had to add that as the signature value.
Reply all
Reply to author
Forward
0 new messages