[OpenSAML] Problem reading SAML response


ska...@lifecare.com

Jul 29, 2010, 11:06:34 PM
to mace-open...@internet2.edu
Hi, can you please help me with this issue? Thank you so much in advance.

I used the code below to read the SAML response:

// Decode the HTTP-POST binding into a SAML message context
HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
HttpServletRequestAdapter adapter = new HttpServletRequestAdapter(request);
BasicSAMLMessageContext context = new BasicSAMLMessageContext();
context.setInboundMessageTransport(adapter);
decode.decode(context);

relayState = adapter.getParameterValue(this.RELAY_STATE_PARAM); // decode.getRelayState();
// Only decode the relay state if there is one
if ((relayState != null) && (relayState.equalsIgnoreCase("") == false)) {
    relayState = new String(Base64.decode(relayState));
}

// Look up the builder registered for {urn:oasis:names:tc:SAML:2.0:protocol}Response
XMLObjectBuilderFactory builderFactory = org.opensaml.Configuration.getBuilderFactory();
ResponseBuilder rspBldr = (ResponseBuilder) builderFactory.getBuilder(Response.DEFAULT_ELEMENT_NAME);
Response rsp = rspBldr.buildObject();
// The decoded inbound message replaces the empty object built above
rsp = (Response) context.getInboundMessage();
this.inResponseTo = rsp.getInResponseTo();
LOGGER.debug("Completed Step1");
if (inResponseTo != null) {
    LOGGER.debug(inResponseTo.toString());
}

This code works without any problem for the XML below:

<Response Destination="https://myurl/sp/ACS.saml2"
    ID="_be0417df481888bcc9a230d159002a733b4b" IssueInstant="2010-07-29T22:54:54Z"
    Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">https://solmeurl</ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <ns2:Assertion ID="_be7f4b4a5729bfbdb794574aa6cc79245658"
      IssueInstant="2010-07-29T22:54:54Z" Version="2.0"
      xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://somerl</ns2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:Reference URI="#_be7f4b4a5729bfbdb794574aa6cc79245658"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CkYboAHdsFZVG492+XGfFwYL2G4=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">abc</ds:SignatureValue>
      ...

But it is not able to read the samlp:Response tag. Any idea where I can define the
namespace and read this samlp:Response XML object?

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="someurl"
    ID="m8h2JP9iKUDTbPsBffZSm2WGC2M" IssueInstant="2010-07-29T14:52:43.578Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">preprodsaml.integration.hrportalweb.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#m8h2JP9iKUDTbPsBffZSm2WGC2M">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>bAsQA4vl5RMGPt0lLuH7LDWW2Gw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
dfgd/HpWbrBkAnHR8X9rm4wTnG7Ot+BKk6apFVOdhUQO1gLo1xMU
5mYRWrPUJA2J7JF5V34rWzEhTcFDDSspzsGU1uBinYzve2cMBqaQpOg4+RwEdsjyvdGRv/IorZOJ
H+wfKQq/F3YCEdFTGDA=
    </ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
          <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">d9e0/jTBM9VBn0kmJLfz/ttfMDRgf0H2x6XKAz1n9tJQCOLxbf4gQZs8nwTITgfxixV+Olf7cs8K
OIUXJ5Y+ycoEyshk7Zxs/xhhWaFRFTnKh6SQTQ93YjKU5eVpaaNd5p258YqnVXte/NlmS2Gf2zTL
...

Yang Xiang

Jul 30, 2010, 7:57:55 AM
to mace-open...@internet2.edu
Try to add the following code:

DefaultBootstrap.bootstrap();

It will load all the default SAML namespaces, which are defined under
opensaml/schema/.

Cheers,

Yang

ska...@lifecare.com

Jul 30, 2010, 8:22:50 AM
to mace-open...@internet2.edu, yang....@rzg.mpg.de
I was doing
org.opensaml.DefaultBootstrap.bootstrap();
before the listed code. Still did not work.

Any ideas please?

Yang Xiang

Jul 30, 2010, 10:01:34 AM
to mace-open...@internet2.edu

Any debug / error info? If you bootstrap correctly you'll see something
like:

...

15:20:22.943 [main] DEBUG org.opensaml.xml.XMLConfigurator -
Initializing object provider
{urn:oasis:names:tc:SAML:2.0:protocol}Response
15:20:22.944 [main] DEBUG org.opensaml.xml.Configuration - Registering
new builder, marshaller, and unmarshaller for
{urn:oasis:names:tc:SAML:2.0:protocol}Response
15:20:22.949 [main] DEBUG o.o.xml.XMLObjectBuilderFactory - Registering
builder, org.opensaml.saml2.core.impl.ResponseBuilder under key
{urn:oasis:names:tc:SAML:2.0:protocol}Response
15:20:22.949 [main] DEBUG o.opensaml.xml.io.MarshallerFactory -
Registering marshaller, org.opensaml.saml2.core.impl.ResponseMarshaller,
for object type {urn:oasis:names:tc:SAML:2.0:protocol}Response
15:20:22.950 [main] DEBUG o.o.xml.io.UnmarshallerFactory - Registering
unmarshaller, org.opensaml.saml2.core.impl.ResponseUnmarshaller, for
object type, {urn:oasis:names:tc:SAML:2.0:protocol}Response
15:20:22.950 [main] DEBUG org.opensaml.xml.XMLConfigurator -
{urn:oasis:names:tc:SAML:2.0:protocol}Response intialized and
configuration cached

ska...@lifecare.com

Jul 30, 2010, 11:57:24 AM
to mace-open...@internet2.edu, yang....@rzg.mpg.de
Thank you so much for responding to my issue.

The log does not have any errors; it seems normal.

Do you think I have to set the namespace anywhere?

2010-07-30 11:29:07,222 DEBUG org.opensaml.DefaultBootstrap - Initializing
Velocity template engine
2010-07-30 11:29:07,374 DEBUG org.opensaml.xml.Configuration - VM using JAXP
parser org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
2010-07-30 11:29:07,571 DEBUG org.opensaml.xml.Configuration - VM using JAXP
parser org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
2010-07-30 11:29:07,612 DEBUG org.opensaml.DefaultBootstrap - Loading
XMLTooling configuration /default-config.xml
2010-07-30 11:29:07,618 DEBUG g.opensaml.xml.XMLConfigurator - Loading
configuration from XML Document
2010-07-30 11:29:07,640 DEBUG g.opensaml.xml.XMLConfigurator - Schema
validating configuration Document
2010-07-30 11:29:07,644 DEBUG g.opensaml.xml.XMLConfigurator - Configuration
document validated
2010-07-30 11:29:07,644 INFO g.opensaml.xml.XMLConfigurator - Preparing to
load ObjectProviders
2010-07-30 11:29:07,645 DEBUG g.opensaml.xml.XMLConfigurator - Initializing
object provider {http://www.opensaml.org/xmltooling-config}DEFAULT
2010-07-30 11:29:07,662 DEBUG org.opensaml.xml.Configuration - Registering new
builder, marshaller, and unmarshaller for
{http://www.opensaml.org/xmltooling-config}DEFAULT
2010-07-30 11:29:07,662 DEBUG ml.xml.XMLObjectBuilderFactory - Registering
builder, org.opensaml.xml.schema.impl.XSAnyBuilder under key
{http://www.opensaml.org/xmltooling-config}DEFAULT
2010-07-30 11:29:07,662 DEBUG nsaml.xml.io.MarshallerFactory - Registering
marshaller, org.opensaml.xml.schema.impl.XSAnyMarshaller, for object type
{http://www.opensaml.org/xmltooling-config}DEFAULT
2010-07-30 11:29:07,662 DEBUG aml.xml.io.UnmarshallerFactory - Registering
unmarshaller, org.opensaml.xml.schema.impl.XSAnyUnmarshaller, for object type,
{http://www.opensaml.org/xmltooling-config}DEFAULT
2010-07-30 11:29:07,662 DEBUG g.opensaml.xml.XMLConfigurator -
{http://www.opensaml.org/xmltooling-config}DEFAULT intialized and
configuration cached
2010-07-30 11:29:07,662 INFO g.opensaml.xml.XMLConfigurator - ObjectProviders
load complete
2010-07-30 11:29:07,662 DEBUG org.opensaml.DefaultBootstrap - Loading
XMLTooling configuration /schema-config.xml
2010-07-30 11:29:07,664 DEBUG g.opensaml.xml.XMLConfigurator - Loading
configuration from XML Document
2010-07-30 11:29:07,668 DEBUG g.opensaml.xml.XMLConfigurator - Schema
validating configuration Document
2010-07-30 11:29:07,669 DEBUG g.opensaml.xml.XMLConfigurator - Configuration
document validated
2010-07-30 11:29:07,669 INFO g.opensaml.xml.XMLConfigurator - Preparing to
load ObjectProviders
2010-07-30 11:29:07,670 DEBUG g.opensaml.xml.XMLConfigurator - Initializing
object provider {http://www.w3.org/2001/XMLSchema}anyType
2010-07-30 11:29:07,670 DEBUG org.opensaml.xml.Configuration - Registering new
builder, marshaller, and unmarshaller for
{http://www.w3.org/2001/XMLSchema}anyType
2010-07-30 11:29:07,670 DEBUG ml.xml.XMLObjectBuilderFactory - Registering
builder, org.opensaml.xml.schema.impl.XSAnyBuilder under key
{http://www.w3.org/2001/XMLSchema}anyType
2010-07-30 11:29:07,670 DEBUG nsaml.xml.io.MarshallerFactory - Registering
marshaller, org.opensaml.xml.schema.impl.XSAnyMarshaller, for object type
{http://www.w3.org/2001/XMLSchema}anyType
2010-07-30 11:29:07,670 DEBUG aml.xml.io.UnmarshallerFactory - Registering
unmarshaller, org.opensaml.xml.schema.impl.XSAnyUnmarshaller, for object type,
{http://www.w3.org/2001/XMLSchema}anyType
2010-07-30 11:29:07,670 DEBUG g.opensaml.xml.XMLConfigurator -
{http://www.w3.org/2001/XMLSchema}anyType intialized and configuration cached
2010-07-30 11:29:07,670 DEBUG g.opensaml.xml.XMLConfigurator - Initializing
object provider {http://www.w3.org/2001/XMLSchema}string

ska...@lifecare.com

Jul 30, 2010, 11:27:31 PM
to mace-open...@internet2.edu, ska...@lifecare.com
I finally figured out that the issue is not with the namespace, but with the way I am
trying to encrypt the assertion.

Below is the SAML response I am getting from my client. I used the code below to
try to decrypt it, but after the decryption is done, the assertion object seems to be
null.

// Pull the first EncryptedAssertion out of the decoded Response
List<EncryptedAssertion> eAssertions = response.getEncryptedAssertions();
EncryptedAssertion encryptedAssertion = eAssertions.get(0);
Credential decryptionCredential = SecurityHelper.getSimpleCredential(publicKey, privateKey);
BasicCredential credential = new BasicCredential();
credential.setPrivateKey(privateKey);
// Decrypter(dataKeyResolver, kekResolver, encryptedKeyResolver)
Decrypter decrypter = new Decrypter(null,
        new StaticKeyInfoCredentialResolver(credential),
        new InlineEncryptedKeyResolver());
Assertion assertion = decrypter.decrypt(encryptedAssertion);


<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://someurl" ID="xxx"
    IssueInstant="2010-07-29T14:52:43.578Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">someurl</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#m8h2JP9iKUDTbPsBffZSm2WGC2M">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>bAsQA4vl5RMGPt0lLuH7LDWW2Gw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
signature value herexxxxxx
    </ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
          <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
f2QK7TzryCILkOq9oHQ=
            </xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">DIyhwRIepiSJSSkr7RmLSVwrAnCA0pd
TvpuQjUecNEv9Gw5H1KtH14F8vxutlWNffZV/UL07ssVP
gWQ867y3jLVc7wAqbJ+XK+1NeUrEtYGaKxtKUTPwYmjfXRNdoQHiXpMcT1hAW+yoPynBZDmY6pNn
b08r4K8yPBpgnD+vLezwbaj5vErIldncuQWDzSyVQeWGf9gIq7MlUGq2FSATcUrWPJrLyXARqF9C
EaTRSZktt+FPgGTaBC0fLl3Mysvz32sK7lvqt2sxkHn51Bu5Zkf21gI13a5iWPGXyNsFOmZFxUsq
dIRO2V+ZTKt6yh5P36iR8kuB1Oiy2bBOmLcjjD/LVqP6GutVBzR34YykjnnGHd5gh1n8IulDTc5k
Z1aJS8Yoxmx2bGSws6igLM42EbBG06LyjjKWQS6yzNrsBw==
        </xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>

ska...@lifecare.com

Jul 31, 2010, 1:02:30 AM
to mace-open...@internet2.edu, ska...@lifecare.com
I was able to resolve this myself. Thought of posting the solution as it can
benefit other new SAML users.

// Credential holding the SP private key, i.e. the key-encryption key (KEK)
BasicCredential credential = new BasicCredential();
credential.setPrivateKey(privateKey);

KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);

// Step 1: unwrap the symmetric data key carried in <xenc:EncryptedKey>
EncryptedKey key = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
Decrypter decrypter = new Decrypter(null, keyResolver, null);
SecretKey dkey = (SecretKey) decrypter.decryptKey(
        key,
        encryptedAssertion.getEncryptedData().getEncryptionMethod().getAlgorithm());

// Step 2: decrypt the assertion itself with the recovered data key
Credential shared = SecurityHelper.getSimpleCredential(dkey);
decrypter = new Decrypter(new StaticKeyInfoCredentialResolver(shared), null, null);
Assertion assertion = decrypter.decrypt(encryptedAssertion);

Above code fully works.

I happened to stumble upon Brent's explanation in one of the threads, which helped
me a lot.
http://groups.google.com/group/opensaml-users/browse_thread/thread/098452dd9359663b

Now the only question I am left with is: does this code handle all kinds of
SAML responses, or is there anything I need to do to make it work for both
symmetric and asymmetric encryption? I see that I might have to use
ChainEncryptedKeyResolver. Can anyone throw some light on it please?

Brent Putman

Aug 2, 2010, 4:08:50 PM
to mace-open...@internet2.edu

On 7/30/10 11:27 PM, ska...@lifecare.com wrote:
>
> Below is the saml response i am getting from my client. I used below code to
> try to decrypt, but after the decryption is done. assertion object seems to be
> null.
>

Upping the logging level to DEBUG should give a better idea what's going
on. Otherwise, I can't make a more specific suggestion as to what's
going on.

> List<EncryptedAssertion> eAssertions = rsponse.getEncryptedAssertions();
> EncryptedAssertion encryptedAssertion = eAssertions.get(0);
> Credential decryptionCredential =
> SecurityHelper.getSimpleCredential(publicKey, privateKey);
> BasicCredential credential = new BasicCredential();
> credential.setPrivateKey(privateKey);
> Decrypter decrypter = new Decrypter(null, new
> StaticKeyInfoCredentialResolver(credential), new
> InlineEncryptedKeyResolver());
> Assertion assertion = decrypter.decrypt(encryptedAssertion);
>

Well, I notice you aren't actually using the decryptionCredential that
you construct there with the SecurityHelper, you're instead creating yet
another Credential (called 'credential') that just has the private key.
That might be the source of the problem - Credentials are required to
have at a minimum either a public key or a secret. Unfortunately, the
current impl constructors don't enforce that. FYI, in v 3.0 they will
(i.e. no more no-arg constructor).

Except for that, this code looks ok, I don't spot anything immediately
wrong. That's assuming that the private key is the right one and so forth.

Brent Putman

Aug 2, 2010, 4:27:54 PM
to mace-open...@internet2.edu

On 7/31/10 1:02 AM, ska...@lifecare.com wrote:
> I was able to resolve this myself. Thought of posting there solution as it can
> benefit other new SAML users.
>
> BasicCredential credential = new BasicCredential();
> credential.setPrivateKey(privateKey);
> KeyInfoCredentialResolver keyResolver = new
> StaticKeyInfoCredentialResolver(credential);
> EncryptedKey key =
> encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
> Decrypter decrypter = new Decrypter(null, keyResolver, null);
> SecretKey dkey = (SecretKey) decrypter.decryptKey(
> key,
> encryptedAssertion.getEncryptedData().getEncryptionMethod().getAlgorithm());
> Credential shared = SecurityHelper.getSimpleCredential(dkey);
> decrypter = new Decrypter(new StaticKeyInfoCredentialResolver(shared), null,
> null);
> Assertion assertion = decrypter.decrypt(encryptedAssertion);
>
> Above code fully works.


Yes, it works, but you are handling there a lot of details that the
Decrypter is designed to hide, specifically the details of first
decrypting the encrypted data encryption key, and then performing the
actual data decryption. The reason for the 2nd
KeyInfoCredentialResolver constructor arg (newKEKResolver, "KEK" = "key
encryption key") is so that it can handle it all in one operation.

You can certainly do things in this more "manual" way, but it's doing
more work than you have to.

See the first decryption example on the wiki, that's pretty much the
simpler code for what you do above (which is in turn similar to your
earlier post, so something else must be going wrong somewhere):

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaXMLEncryption


>
> Now the only question I am left with is: Does this code handle all kinds of
> SAMLResponses or is there anything I need to do to make it work for both
> symmetric and assymmetric encryptions. I see that I might have to use
> ChainEncryptedKeyResolver. Can anyone throw some light on it please?

Those are 2 different issues. Usage of multiple EncryptedKeyResolvers
via a ChainingEncryptedKeyResolver handles the multiple cases of
placement of the EncryptedKey element (if a key encryption key or KEK is
in fact being used), for example inside the KeyInfo of the EncryptedData
vs. as a peer of the EncryptedData inside EncryptedAssertion vs other
possibilities.

Handling symmetric and asymmetric cases simultaneously would be handled
by the individual impl types and combination of
KeyInfoCredentialResolvers that you pass to the Decrypter.

Note also that using a StaticKeyInfoCredentialResolver makes tons of
simplifying assumptions, and in general is probably not what you want
for production code, unless the usage environment is also correspondingly
simple.

--Brent
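An added example, not code from this thread or from the OpenSAML wiki page Brent links, showing the one-call setup he describes: the SP key pair goes into the second (KEK) resolver argument and a ChainingEncryptedKeyResolver covers the EncryptedKey placements he lists. The class and method names (AssertionDecryptor, decryptFirst) are my own; it assumes OpenSAML 2.x and that DefaultBootstrap.bootstrap() has already run.

```java
import java.security.PrivateKey;
import java.security.PublicKey;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;

/**
 * Hypothetical helper (not from the thread): decrypts a Response's EncryptedAssertion
 * in one Decrypter call. Assumes OpenSAML 2.x and that DefaultBootstrap.bootstrap() ran.
 */
public final class AssertionDecryptor {

    private final Decrypter decrypter;

    public AssertionDecryptor(PublicKey spPublicKey, PrivateKey spPrivateKey) {
        // The SP key pair is the key-encryption key (KEK). Using both halves avoids
        // the private-key-only Credential Brent warns about.
        Credential kek = SecurityHelper.getSimpleCredential(spPublicKey, spPrivateKey);
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(kek);

        // Find <xenc:EncryptedKey> wherever the IdP put it: inside EncryptedData's
        // KeyInfo (as in the sample above), as a peer of EncryptedData inside
        // EncryptedAssertion, or referenced through a ds:RetrievalMethod.
        ChainingEncryptedKeyResolver encKeyResolver = new ChainingEncryptedKeyResolver();
        encKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        encKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        encKeyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());

        // Arg 1 (data-key resolver) is null: the AES key only ever arrives wrapped.
        // Arg 2 resolves the KEK, arg 3 locates the EncryptedKey; decrypt() then
        // unwraps the AES key with the RSA key and decrypts the assertion itself.
        decrypter = new Decrypter(null, kekResolver, encKeyResolver);
    }

    /** Returns the first decrypted assertion; fails loudly instead of yielding null. */
    public Assertion decryptFirst(Response response) throws DecryptionException {
        if (response.getEncryptedAssertions().isEmpty()) {
            throw new DecryptionException("Response carries no EncryptedAssertion");
        }
        EncryptedAssertion first = response.getEncryptedAssertions().get(0);
        Assertion assertion = decrypter.decrypt(first);
        // Decrypting only shows the ciphertext fit our key; the Response/Assertion
        // signature still has to be verified before its contents are trusted.
        return assertion;
    }
}
```

The resolver order in the chain only matters for which placement is tried first; a DecryptionException from decryptFirst means no resolver found a usable EncryptedKey or the KEK did not unwrap it.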

