Sending an Unsigned Authentication request to simpleSAML IDP Using Java ISP Implementation


Steve M

Apr 3, 2012, 8:45:46 PM
to simpleSAMLphp
Hi guys,

We have configured simpleSAML (SS) as both an ISP and IDP and it is
working fine. Currently it is supporting php apps. I notice though
that the ISP sends what looks to be a signed request to the IDP.

We want to extend to Java (Spring) apps, so I have created a
lightweight ISP implementation, rather than deploy one of the larger
projects, Shibboleth or OpenSAML.

I am trying to send an unsigned base64 encoded authorisation request
to SS IDP:
https://sso.eduone.net.au/saml2/idp/SSOService.php?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iXzZjMWUyOTIzLTYzODMtNGM3Ni05YjAzLWY1OWY1N2Q4ZWNiYSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTItMDQtMDRUNzoyODo1NSIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC90ZXN0L2NvbnN1bWUuanNwIj48c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%[...]%3D%3D

The SAMLRequest decodes to:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_33300277-7ef7-4cf4-8bcd-6141b7b39e49"
    Version="2.0"
    IssueInstant="2012-04-03T10:39:06Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost:8080/test/consume.jsp">
  <!-- Issuer is the SP entity ID the IdP looks up in its SP metadata -->
  <saml:Issuer>http://localhost:8080/test</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
      AllowCreate="true"/>
  <!-- AuthnContextClassRef is a child of RequestedAuthnContext, not a sibling;
       IssueInstant is an xs:dateTime in UTC, hence the trailing Z -->
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>


I get the following error in the log:

Apr 03 22:57:31 simplesamlphp ERROR [3a9031f1a7] SimpleSAML_Error_Exception: Error 4096 - Argument 1 passed to SAML2_Message::fromXML() must be an instance of DOMElement, null given, called in /opt/simplesamlphp/lib/SAML2/HTTPRedirect.php on line 125 and defined
Apr 03 22:57:31 simplesamlphp ERROR [3a9031f1a7] Backtrace:
Apr 03 22:57:31 simplesamlphp ERROR [3a9031f1a7] 4 /opt/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
Apr 03 22:57:31 simplesamlphp ERROR [3a9031f1a7] 3 /opt/simplesamlphp/lib/SAML2/Message.php:455 (SAML2_Message::fromXML)
Apr 03 22:57:31 simplesamlphp ERROR [3a9031f1a7] 2 /opt/simplesamlphp/lib/SAML2/HTTPRedirect.php:125 (SAML2_HTTPRedirect::receive)
Apr 03 22:57:31 simplesamlphp ERROR [3a9031f1a7] 1 /opt/simplesamlphp/modules/saml/lib/IdP/SAML2.php:267 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Apr 03 22:57:31 simplesamlphp ERROR [3a9031f1a7] 0 /opt/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)

Two questions:
1. Do I need to configure the IDP to accept both a signed and
unsigned authentication request, and how?
2. Is the authentication request valid?

Look forward to your response.

Steve

Olav Morken

Apr 12, 2012, 5:15:27 AM
to simple...@googlegroups.com
On Tue, Apr 03, 2012 at 17:45:46 -0700, Steve M wrote:
> Hi guys,
>
> We have configured simpleSAML (SS) as both an ISP and IDP and it is
> working fine. Currently it is supporting php apps. I notice though
> that the ISP sends what looks to be a signed request to the IDP.
>
> We want to extend to Java (Spring) apps, so I have created a
> lightweight ISP implementation, rather than deploy one of the larger
> projects, Shibboleth or OpenSAML.

Isn't there already an implementation of SAML 2.0 for Spring Security?

> I am trying to send an unsigned base64 encoded authorisation request
> to SS IDP:

> https://sso.eduone.net.au/saml2/idp/SSOService.php?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc[...]

This is incorrectly encoded. You have not compressed it before you
base64-encoded it. See the specification for the HTTP-Redirect binding.

[...]

> Two questions:
> 1. Do I need to configure the IDP to accept both a signed and
> unsigned authentication request, and how?

No, unless the IdP is configured to require signed requests, it does
not care about the signature status of the message.

> 2. Is the authentication request valid?

No, as mentioned above, it is incorrectly encoded.

Best regards,
Olav Morken
UNINETT / Feide
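The encoding point Olav makes above, as an added example that is not part of the original thread and not code from simpleSAMLphp or from the poster's Java SP. It shows both sides of the SAML 2.0 HTTP-Redirect binding in Python (chosen so the example runs stand-alone; java.util.zip.Deflater with nowrap=true produces the same raw stream): raw DEFLATE, then base64, then URL-encoding into the SAMLRequest parameter on the SP side, and the reverse on the IdP side. The idp.example.org and sp.example.org URLs, the request ID and the 1 MiB inflate cap are assumptions. The base64-only variant is the poster's encoding: it decodes as base64 but cannot be inflated, which is why the receiver ends up with nothing to hand to fromXML().

```python
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest; the idp.example.org / sp.example.org URLs are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2012-04-16T11:49:47Z" '
    'Destination="https://idp.example.org/saml2/idp/SSOService.php" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" '
    'AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)

# Upper bound on the inflated message (assumed value): a few hundred bytes of DEFLATE
# can expand to megabytes, so a receiver should never inflate without a limit.
MAX_INFLATED = 1 << 20


def deflate_encode(xml: str) -> str:
    """SP side: raw DEFLATE (wbits=-15, i.e. no zlib header or checksum), then base64.

    This is the step the poster skipped; base64 alone is not the HTTP-Redirect binding.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def base64_only(xml: str) -> str:
    """The poster's encoding: base64 without DEFLATE. Decodes as base64, fails to inflate."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def deflate_decode(param: str) -> str:
    """IdP side: base64-decode, then raw-inflate with a size cap. Raises zlib.error on bad input."""
    param += "=" * (-len(param) % 4)                 # tolerate stripped base64 padding
    raw = base64.b64decode(param, validate=True)
    inflater = zlib.decompressobj(-15)
    out = inflater.decompress(raw, MAX_INFLATED)
    if inflater.unconsumed_tail:
        raise zlib.error("inflated message exceeds MAX_INFLATED")
    if not inflater.eof or inflater.unused_data:
        raise zlib.error("truncated DEFLATE stream or trailing garbage")
    return out.decode("utf-8")


def build_redirect_url(sso_endpoint: str, xml: str, relay_state=None) -> str:
    """Assemble the redirect URL; urlencode escapes the +, / and = in the base64 text."""
    params = {"SAMLRequest": deflate_encode(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_endpoint + "?" + urllib.parse.urlencode(params)


def receive_redirect(url: str) -> str:
    """What an SSO endpoint does with an incoming redirect: returns the XML text."""
    query = urllib.parse.urlparse(url).query
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    return deflate_decode(params["SAMLRequest"][0])


def decode_outcome(param: str) -> str:
    """'ok' if the SAMLRequest value inflates to text, otherwise 'inflate-failed'."""
    try:
        deflate_decode(param)
        return "ok"
    except (zlib.error, ValueError):   # binascii.Error and UnicodeDecodeError are ValueErrors
        return "inflate-failed"


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.org/saml2/idp/SSOService.php",
                             AUTHN_REQUEST, "https://sp.example.org/?login")
    print(url)
    print("round trip:", receive_redirect(url) == AUTHN_REQUEST)
    print("base64-only request:", decode_outcome(base64_only(AUTHN_REQUEST)))
```

A real redirect URL, such as the working one Olav posts below, can be fed to receive_redirect() as-is; the padding fix-up covers URLs whose trailing "=" were dropped. Note that parse_qs turns a literal "+" into a space, which is why the base64 text must be URL-encoded (%2B, %2F, %3D) rather than placed in the query string raw.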

Olav Morken

Apr 16, 2012, 7:59:44 AM
to simple...@googlegroups.com, Steve, st...@eduone.net.au
[Since you sent your mail from a different email address than the one
you registered at the simplesamlphp mailing list, your message wasn't
posted to the list. I'm replying to the copy you sent to me directly.]

On Mon, Apr 16, 2012 at 18:14:02 +0930, Steve wrote:
> Thanks for your response Olav.
>
> I think you have identified the problem. I am very new to SAML as you can
> see. I was hoping to configure a very simple implementation to get us going
> initially.

I'd encourage you to use already existing implementations. Implementing
it from scratch requires much work, and is easy to get wrong.
Signature validation is very complex, and a mistake leaves you with an
SP without security.

> Could you please send me an example (xml) of a valid un-encoded idp request
> to SimpleSAML ISP plus the deflated base64 encode request, for comparison to
> allow me to validate I am sending a correct request.

Here is a working request:

[...]/SSOService.php?SAMLRequest=nVJLb9swDP4rhu6On0lrIQmQNRgWoF2DOtthl4GxmEWALLkivbX%2FvrLdoe0OOewiASS%2FBz9wSdCaTm56PtsHfOyROHpqjSU5Nlai91Y6IE3SQoskuZH15u5W5rNUdt6xa5wR7yCXEUCEnrWzItptV%2BKnqk55lRVVAfPsmB6vikWWFwWU1wUs5mmlyuIIizKdp3MRfUdPAbkSgSjAiXrcWWKwHEpplsdpGWeLQ5bJspLl1Q8RbcM22gKPqDNzRzJJtOpiDo3ZCbXCmXUJ6bYzOJhPhicfRpK6vq%2FR%2F9YNzrpzJ6LNX%2Bc3zlLfon%2Ftfnu4feOmC9StU70ZyZJJavrzGBoaqwpP0BuOKajtX5P9pK3S9tflUI%2FTEMkvh8M%2B3t%2FXB7FeDtxyDMmv%2F9NeiwwKGP5xt0zecy%2BnA%2FoaXO22e2d08xx9dr4Fvmx6qGgVn8ZRyR4sabQcgjbG%2FbnxCIwrwb5HkawnyY9nun4B&RelayState=https%3A%2F%2Fsp-test.feide.no%2F%3Flogin

Decoded (with whitespace inserted to make it readable):

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_d9f291393a51b0b7361233a483a6509d43ba640505"
    Version="2.0"
    IssueInstant="2012-04-16T11:49:47Z"
    Destination="https://idp-test.feide.no/simplesaml/saml2/idp/SSOService.php"
    AssertionConsumerServiceURL="https://sp-test.feide.no/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    >
  <saml:Issuer>https://sp-test.feide.no/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="true"
      />
</samlp:AuthnRequest>

(Note that this is just one example of a request. Not all attributes
present in this request are actually required.)

> I will deflate before base64 encoding as per HTTP-Redirect binding spec and
> give it another try.
>
> You are correct in relation to Spring Security support for SAML. It is
> currently an extension, with no official word from Spring Source as to its
> inclusion in security. I do notice that Vladamir Schafer has updated
> recently, so may be worth looking at in more detail. Has anyone in your
> community used it?

I know that at least one SP connected to the Feide IdP uses it (which
is why I have heard about it). From looking at SP metadata, there are
probably more, but it is difficult to say for sure.

> Anyway, I really appreciate your help.

You're welcome!
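Olav's two remarks, that not every attribute in the working request is required and that the IdP only cares about a signature when it is configured to require one, as an added example of what an IdP-side receiver checks on a decoded AuthnRequest. This is illustration code and not simpleSAMLphp's own logic; the SP_REGISTRY shape, the "require_signed" flag, the example.org URLs, the fixed clock and the 60-second skew are assumptions. It goes slightly beyond the thread in one respect worth having in a hand-rolled implementation: because an unsigned request is trivially forgeable, the IdP must take the assertion consumer URL from the SP's registered metadata (or insist the requested one is registered there), never from the request alone, or an attacker can have the assertion delivered to a URL of their choosing. Signature verification itself (SigAlg/Signature on the redirect query string) is outside this block; the caller reports whether it succeeded.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the IdP's per-SP metadata (names are assumptions, not
# simpleSAMLphp option names): registered ACS URLs and a "must be signed" flag.
SP_REGISTRY = {
    "https://sp.example.org/metadata": {
        "acs_urls": {"https://sp.example.org/acs"}, "require_signed": False},
    "https://strict-sp.example.org/metadata": {
        "acs_urls": {"https://strict-sp.example.org/acs"}, "require_signed": True},
}
OWN_ENDPOINT = "https://idp.example.org/saml2/idp/SSOService.php"
MAX_SKEW = dt.timedelta(seconds=60)
NOW = dt.datetime(2012, 4, 16, 11, 50, 0, tzinfo=dt.timezone.utc)  # fixed clock for the sample


class RequestError(ValueError):
    pass


def parse_issue_instant(value: str) -> dt.datetime:
    """SAML time values are UTC; accept only the trailing-Z form (fraction optional)."""
    if not value.endswith("Z"):
        raise RequestError("IssueInstant must be UTC with a trailing Z")
    try:
        naive = dt.datetime.strptime(value[:-1].split(".")[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError as e:
        raise RequestError(f"malformed IssueInstant {value!r}") from e
    return naive.replace(tzinfo=dt.timezone.utc)


def validate_authn_request(xml: str, now: dt.datetime = NOW, signed: bool = False) -> dict:
    """Return {id, issuer, acs} for an acceptable request, else raise RequestError.

    `signed` is whether the caller already verified a transport signature.
    """
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:      # no DTDs: blocks entity expansion / XXE
        raise RequestError("DTDs are not allowed in SAML messages")
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as e:
        raise RequestError("not well-formed XML") from e
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        raise RequestError(f"unexpected root element {root.tag}")
    for attr in ("ID", "Version", "IssueInstant"):   # required on every SAML request
        if not root.get(attr):
            raise RequestError(f"missing required attribute {attr}")
    if root.get("Version") != "2.0":
        raise RequestError("unsupported SAML version")
    if abs(now - parse_issue_instant(root.get("IssueInstant"))) > MAX_SKEW:
        raise RequestError("IssueInstant outside allowed clock skew")
    destination = root.get("Destination")             # optional, but binding if present
    if destination is not None and destination != OWN_ENDPOINT:
        raise RequestError("Destination does not match this endpoint")
    issuer_el = root.find(f"{{{NS_A}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        raise RequestError("missing Issuer")
    sp = SP_REGISTRY.get(issuer)
    if sp is None:
        raise RequestError("Issuer is not a registered SP")
    if sp["require_signed"] and not signed:
        raise RequestError("this SP requires signed AuthnRequests")
    # The response goes to an ACS URL from metadata; an unsigned request may name
    # one, but only one the SP registered.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        acs = sorted(sp["acs_urls"])[0]
    elif acs not in sp["acs_urls"]:
        raise RequestError("AssertionConsumerServiceURL is not registered for this SP")
    return {"id": root.get("ID"), "issuer": issuer, "acs": acs}


def make_request(issuer="https://sp.example.org/metadata", acs="https://sp.example.org/acs",
                 issue_instant="2012-04-16T11:49:47Z", destination=OWN_ENDPOINT):
    """Build a minimal constructed AuthnRequest for exercising the validator."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
            f'ID="_1" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{destination}" AssertionConsumerServiceURL="{acs}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


def outcome(xml: str, now: dt.datetime = NOW, signed: bool = False) -> str:
    """'ok' or the rejection reason, for comparing variants side by side."""
    try:
        validate_authn_request(xml, now, signed)
        return "ok"
    except RequestError as e:
        return str(e)


if __name__ == "__main__":
    print(outcome(make_request()))
    print(outcome(make_request(issue_instant="2012-04-16T11:49:47")))       # no trailing Z
    print(outcome(make_request(acs="https://evil.example.net/acs")))        # unregistered ACS
    print(outcome(make_request(issuer="https://strict-sp.example.org/metadata",
                               acs="https://strict-sp.example.org/acs")))   # needs a signature
```

The request the original poster decoded above would be rejected at the IssueInstant check (no trailing Z) before anything else is looked at; a hand-rolled SP should emit UTC timestamps with the Z, as the Feide example does.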
