fails decode SAML Response


Emidio Bianco

Mar 13, 2012, 2:30:00 PM
to simpleSAMLphp
Hi all,

I am trying to integrate SSP with LimeSurvey, but the IdP (WSO2 Identity
Server) replies with this success XML:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="gjaochncpllfmlafjdjebnmjidffodbfbokdelbl"
    IssueInstant="2012-03-13T17:40:41.391Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="gajjiigkknakfakkdnoeihailapaniommkmafikj"
      IssueInstant="2012-03-13T17:40:41.391Z" Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://localhost:9443/samlsso</saml:Issuer>
    <saml:Subject>
      <saml:NameID>root</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_4b33449ac1cec0f612b6b76567b1401021fa8e53c1"
            NotOnOrAfter="2012-03-13T17:45:41.391Z"
            Recipient="http://192.168.1.2/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-03-13T17:40:41.391Z" NotOnOrAfter="2012-03-13T17:45:41.391Z">
      <saml:AudienceRestriction>
        <saml:Audience>admin.limesurvey</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-03-13T17:40:41.391Z" SessionIndex="D7A959FE47C6841A0CA86F2176698453">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

The decoding process in SAML2/HTTPPost.php:90 with base64_decode()
fails and this function returns false.

Does anyone have an idea about this failure?

Olav Morken

Mar 14, 2012, 10:42:20 AM
to simple...@googlegroups.com

I assume that there is more to the response than what is above? E.g. a
signature?

> The decoding process in SAML2/HTTPPost.php:90 with base64_decode()
> fails and this function returns false.

Have you looked at what data is passed to the base64_decode()-function?
My guess is that it is not valid base64-encoded data.

Best regards,
Olav Morken
UNINETT / Feide

Emidio Bianco

Mar 14, 2012, 12:26:54 PM
to simpleSAMLphp

Hi Olav,

Yes, I've captured the response; it is listed in my previous message and
below.

> > The decoding process in SAML2/HTTPPost.php:90 with base64_decode()
> > fails and this function returns false.
>
> Have you looked at what data is passed to the base64_decode()-function?
> My guess is that is is not valid base64-encoded data.

I've made a fix for base64_decode:

// Emidio: fix if the msg is not encoded
$tmp = base64_decode($msg);
if ($tmp) {
    // decoding succeeded, so use the decoded data
    $msg = $tmp;
}
// otherwise $msg is left exactly as it was received from the IdP

Now, the error is
"Missing <saml:Issuer> in message delivered to
AssertionConsumerService."
but the Issuer tag is present:
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://localhost:9443/samlsso</saml:Issuer>

the received response is like this:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="gjaochncpllfmlafjdjebnmjidffodbfbokdelbl"
    IssueInstant="2012-03-13T17:40:41.391Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="gajjiigkknakfakkdnoeihailapaniommkmafikj"
      IssueInstant="2012-03-13T17:40:41.391Z" Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://localhost:9443/samlsso</saml:Issuer>
    <saml:Subject>
      <saml:NameID>root</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_4b33449ac1cec0f612b6b76567b1401021fa8e53c1"
            NotOnOrAfter="2012-03-13T17:45:41.391Z"
            Recipient="http://192.168.1.2/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-03-13T17:40:41.391Z" NotOnOrAfter="2012-03-13T17:45:41.391Z">
      <saml:AudienceRestriction>
        <saml:Audience>admin.limesurvey</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-03-13T17:40:41.391Z" SessionIndex="D7A959FE47C6841A0CA86F2176698453">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

Any ideas?

________________________
Emidio Bianco

Olav Morken

Mar 15, 2012, 9:34:47 AM
to simple...@googlegroups.com
On Wed, Mar 14, 2012 at 09:26:54 -0700, Emidio Bianco wrote:
>
> Hi Olav,
>
> yes I've captured the response, I've listed in my previous message and
> below.
>
> > > The decoding process in SAML2/HTTPPost.php:90 with base64_decode()
> > > fails and this function returns false.
> >
> > Have you looked at what data is passed to the base64_decode()-function?
> > My guess is that it is not valid base64-encoded data.
>
> I've made a fix for base64_decode:
>
> // Emidio: fix if the msg is not encoded

I'd argue that you have fixed this in the wrong place. The correct
place to fix this is the IdP, which apparently isn't sending the
responses with the HTTP-POST binding.

> $tmp = base64_decode($msg);
> if ($tmp) {
>     $msg = $tmp;
> }
>
> Now, the error is
> "Missing <saml:Issuer> in message delivered to
> AssertionConsumerService."
> but the tag Issuer is present ( <saml:Issuer
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://
> localhost:9443/samlsso</saml:Issuer> )

We are overly strict, and require the Issuer-element to be included in
the samlp:Response element (even if the saml:Assertion isn't
encrypted). I have now committed a fix for this in r3048:

http://code.google.com/p/simplesamlphp/source/detail?r=3048

Still no signature present...

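The three things this thread runs into (raw XML where the HTTP-POST binding requires base64, the Issuer being looked for on the Response rather than the Assertion, and a response that carries no signature at all) are exactly the checks an AssertionConsumerService should make before trusting a message. The following is an added example in Python, not simpleSAMLphp's or WSO2's code; decode_post_binding, check_response, BindingError and demo are this example's own names, and the sample message is constructed from the unsigned response Emidio posted.

```python
# Added example, not simpleSAMLphp code; function names are this example's own
# and the sample message is constructed from the unsigned response in the thread.
import base64
import binascii
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

class BindingError(ValueError):
    """The form field does not follow the SAML 2.0 HTTP-POST binding."""

def decode_post_binding(param):
    """HTTP-POST binding: SAMLResponse is plain base64 of the XML (no DEFLATE, that
    is HTTP-Redirect). Strict decoding rejects raw XML instead of 'decoding' it."""
    try:
        raw = base64.b64decode(param, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise BindingError("SAMLResponse is not base64: IdP is not using HTTP-POST") from exc
    return raw.decode("utf-8")

def _instant(value):
    # SAML timestamps are UTC with a trailing Z; fractional seconds are optional.
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)

def check_response(xml_text, audience, recipient, now):
    """Return the reasons to reject the message (empty list means accept).
    Verifying a signature is out of scope here; the point is that a message
    carrying no signature at all must be rejected, not merely logged."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Issuer is optional on samlp:Response and required on saml:Assertion; only
        # with saml:EncryptedAssertion is the Response-level one needed to identify the sender.
        if root.find("saml:Issuer", NS) is None:
            errors.append("no plain saml:Assertion and no saml:Issuer on samlp:Response")
        return errors
    if assertion.find("saml:Issuer", NS) is None:
        errors.append("saml:Assertion has no saml:Issuer")
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        errors.append("neither samlp:Response nor saml:Assertion is signed")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        errors.append("SubjectConfirmationData Recipient is not this ACS")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no saml:Conditions")
        return errors
    if cond.get("NotBefore") and now < _instant(cond.get("NotBefore")):
        errors.append("assertion is not yet valid")
    if cond.get("NotOnOrAfter") and now >= _instant(cond.get("NotOnOrAfter")):
        errors.append("assertion has expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        errors.append("audience %r does not include this SP" % audiences)
    return errors

# Constructed sample: the unsigned WSO2 response from the thread.
RAW_XML = """<samlp:Response ID="gjaochncpllfmlafjdjebnmjidffodbfbokdelbl"
  IssueInstant="2012-03-13T17:40:41.391Z" Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="gajjiigkknakfakkdnoeihailapaniommkmafikj" IssueInstant="2012-03-13T17:40:41.391Z"
   Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://localhost:9443/samlsso</saml:Issuer>
  <saml:Subject><saml:NameID>root</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_4b33449ac1cec0f612b6b76567b1401021fa8e53c1"
      NotOnOrAfter="2012-03-13T17:45:41.391Z"
      Recipient="http://192.168.1.2/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2012-03-13T17:40:41.391Z" NotOnOrAfter="2012-03-13T17:45:41.391Z">
   <saml:AudienceRestriction><saml:Audience>admin.limesurvey</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
ACS = "http://192.168.1.2/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
NOW = datetime(2012, 3, 13, 17, 42, 0, tzinfo=timezone.utc)

def demo():
    """The thread in order: raw XML in the form field is a binding error; once
    re-encoded as the IdP should have sent it, the ACS still rejects it."""
    try:
        decode_post_binding(RAW_XML)
        raise AssertionError("raw XML must not decode")
    except BindingError:
        pass
    xml_text = decode_post_binding(base64.b64encode(RAW_XML.encode()).decode())
    return check_response(xml_text, "admin.limesurvey", ACS, NOW)
```

Two design points follow from the thread. The decoder fails closed: an SP that "fixes" a non-base64 field by accepting it as-is (the patch above) silently accepts whatever binding the peer happens to use, so the right fix is on the IdP side. And the Issuer check matches the SAML 2.0 Core schema, where saml:Issuer is optional on samlp:Response and required on saml:Assertion, so the WSO2 message is fine on that point; what actually disqualifies it is the absence of any ds:Signature, which demo() reports as the only remaining rejection reason.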