two x509 certificates in the SAML response?


jcubic

Nov 22, 2010, 12:44:10 PM
to simpleSAMLphp
I have a working SSO environment using simpleSAMLphp. I can
authenticate users and they can log into Google Apps. I am having a
problem logging into my postini console in Google Apps though. I am
thinking that problem is on their side though, since we can log into
the site normally without issue.

But, while working with support they pointed out that we are sending
two x509 certificates in our response for some reason. Does anyone
know why we would be doing this? Or how I could fix it?

I changed a few things, but here is a copy of our SAML response:

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                InResponseTo="dfancmlkeehdpjbajdfancmlkeehdpjbaj"
                IssueInstant="2010-11-20T00:03:33Z"
                Destination="https://www.google.com/a/mydomain.com/acs"
                Version="2.0"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="pfxc4347542-b6d5-8965-da6c-5feabc27d4a8">
  <saml:Issuer>https://www.mydomain.com/saml/saml2/idp/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#pfxc4347542-b6d5-8965-da6c-5feabc27d4a8">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>WjUIKxIFVEDo8nzOOxvWjUIKxIFVEDo=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BKM5l8esRjriCzxDBm3PId7KNXP/I0a0w5JYPctCVzhw7xJzJANIYRZBKM5l8esRjriCzxDBm3PId7KNXP/I0a0w5JYPctCVzhw7xJzJANIYRZ+5CDkyrsR5elF8aeTynuRVz2hBzYNP/40X86wml3D53dWEgcCNdKnWQvr1VVfLPleh5QqtEAb4hkM=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICLzCCAZgCCQCsCKuuyUGX6TANBgkqhkiG9w0BAQUFADBcMQ3wCQYDVQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMRIwEAYDVQQHDAlIaWxsc2Jvcm8xETAPBgNVBAoMCFRlYW1KRmFiMRUwEwYDVQQDDAxUZWFtSkZhYi5Db20wHhcNMTAxMTAzMjM0OTUzWhcNMzgwMzIwMjM0OTUzWjBcMQswCQYDVQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMRIwEAYDVQQHDAlIaWxsc2Jvcm8xETAPBgNVBAoMCFRlYW1KRmFiMRUwEwYDVQQDDAxUZWFtSkZhYi5Db20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMpFhRx7thRfJhdfGbe7UFs/+eiheSXtoIG840lWG7H3B9gRBu/kEra8Ij/qbMO72VwYFbCs14V66yw3eBZ3K8hDNsSk7nkrmTmfJLDv+4W6t3S+AHRodZ+EcgDWSeUrvIT8CEDwKXJYlJaVE6G1haScQRo5ndGZWzp4Q+6RSQu3AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEADXa/J4nw4tC1kie1L5AqC/WfniGNs0dUaNdiEi/RVGOi7vam1dmJBts4OkHpJM/2d8DfrnndWn+bOMbbc0nwEAV9MO2N0VEmhct9RhZ7AB1ZwpIdBeRbq2qrQccD6eY/qbMO72VwYFbCs14V66yw3eBZ3K8hDNsSk7nkrmTmfJLDv=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  Version="2.0"
                  ID="pfx0b963224-50d2-4910-0d05-cc0eaeb1e17c"
                  IssueInstant="2010-11-20T00:03:33Z">
    <saml:Issuer>https://www.mydomain.com/saml/saml2/idp/metadata.php</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
        <ds:Reference URI="#pfx0b963224-50d2-4910-0d05-cc0eaeb1e17c">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
          <ds:DigestValue>6+v6VkSe3gi+0SaKa48lPk4VJfE=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>NdQNrVVj95dPpmK+nYqm2ZbqPeU9J+KgMIqsyByMFCQGm/7R4x1Ye1W1VgXj+cZocQpe5hnMvycd/2BCJW5YELLX0VgxSEcJ1xo4OKDelzYsJXm2pD7uaJPI9A3jSQKsdzTsONO2TPxpvGf6uFMuyNJlKG1seyTSuHFra+q1k9w=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICLzCCAZgCCQCsCKuuyUGX6TANBgkqhkiG9w0BAQUFADBcMQ3wCQYDVQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMRIwEAYDVQQHDAlIaWxsc2Jvcm8xETAPBgNVBAoMCFRlYW1KRmFiMRUwEwYDVQQDDAxUZWFtSkZhYi5Db20wHhcNMTAxMTAzMjM0OTUzWhcNMzgwMzIwMjM0OTUzWjBcMQswCQYDVQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMRIwEAYDVQQHDAlIaWxsc2Jvcm8xETAPBgNVBAoMCFRlYW1KRmFiMRUwEwYDVQQDDAxUZWFtSkZhYi5Db20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMpFhRx7thRfJhdfGbe7UFs/+eiheSXtoIG840lWG7H3B9gRBu/kEra8Ij/qbMO72VwYFbCs14V66yw3eBZ3K8hDNsSk7nkrmTmfJLDv+4W6t3S+AHRodZ+EcgDWSeUrvIT8CEDwKXJYlJaVE6G1haScQRo5ndGZWzp4Q+6RSQu3AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEADXa/J4nw4tC1kie1L5AqC/WfniGNs0dUaNdiEi/RVGOi7vam1dmJBts4OkHpJM/2d8DfrnndWn+bOMbbc0nwEAV9MO2N0VEmhct9RhZ7AB1ZwpIdBeRbq2qrQccD6eY/qbMO72VwYFbCs14V66yw3eBZ3K8hDNsSk7nkrmTmfJLDv=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID SPNameQualifier="google.com" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">admin</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="dfancmlkeehdpjbajdfancmlkeehdpjbaj"
                                      NotOnOrAfter="2010-11-20T00:08:33Z"
                                      Recipient="https://www.google.com/a/mydomain.com/acs"></saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2010-11-20T00:08:33Z" NotBefore="2010-11-20T00:03:03Z">
      <saml:AudienceRestriction>
        <saml:Audience>google.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionNotOnOrAfter="2010-11-20T08:03:33Z"
                         SessionIndex="_887f71c9b55611a5219ed359f2a5c1b226ddc54a67"
                         AuthnInstant="2010-11-20T00:02:13Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
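
A quick way to see for yourself what support saw, before touching any configuration: the script below (an added example, not code from this thread or from simpleSAMLphp) walks a SAML Response, reports each XML Signature together with the element it is enveloped in, checks that its Reference URI points at that element's ID, and counts distinct certificates across all ds:KeyInfo blocks. It runs on a constructed skeleton with the same shape as the response above; the SignatureValue and X509Certificate contents in it are placeholders, not real values. Applied to the real response above it would report two signatures, one enveloped in samlp:Response and one in saml:Assertion, and since both ds:X509Certificate values there are the same string, one distinct certificate sent twice rather than two different certificates.

```php
<?php
// Added example; not code from this thread or from simpleSAMLphp.
// Maps the signatures in a SAML Response: which element each one is
// enveloped in, whether its Reference matches that element's ID, which
// algorithm it uses, and how many distinct certificates ride along.

function describeSignatures(string $xml): array
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = false;
    // LIBXML_NONET keeps the parser from fetching DTDs or external
    // entities named inside untrusted XML.
    if (@$doc->loadXML($xml, LIBXML_NONET) === false) {
        throw new RuntimeException('response is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

    $signatures = array();
    $seenCerts  = array();
    foreach ($xp->query('//ds:Signature') as $sig) {
        $parent   = $sig->parentNode;
        $parentId = ($parent instanceof DOMElement) ? $parent->getAttribute('ID') : '';
        $uri      = $xp->evaluate('string(ds:SignedInfo/ds:Reference/@URI)', $sig);

        $fingerprints = array();
        foreach ($xp->query('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $sig) as $certNode) {
            // Strip line wrapping first, so the same certificate compares
            // equal however each copy happened to be wrapped.
            $b64 = preg_replace('/\s+/', '', $certNode->textContent);
            $der = base64_decode($b64, true);
            // SHA-1 over the DER bytes is the fingerprint openssl x509 prints.
            $fp  = ($der === false) ? 'undecodable:' . sha1($b64) : sha1($der);
            $fingerprints[]  = $fp;
            $seenCerts[$fp] = true;
        }

        $signatures[] = array(
            'signs'        => $parent->localName,
            'reference'    => $uri,
            'matches_id'   => ($parentId !== '' && $uri === '#' . $parentId),
            'algorithm'    => $xp->evaluate('string(ds:SignedInfo/ds:SignatureMethod/@Algorithm)', $sig),
            'fingerprints' => $fingerprints,
        );
    }
    return array('signatures' => $signatures, 'distinct_certs' => count($seenCerts));
}

// Constructed sample with the shape of the response in the thread.
// "AAAA" and the X509Certificate text are placeholders (the latter is
// base64 of the string CERTIFICATE-PLACEHOLDER), deliberately wrapped
// differently in the two copies.
$sample = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_response1" Version="2.0" IssueInstant="2010-11-20T00:03:33Z">
  <saml:Issuer>https://idp.example.org/saml2/idp/metadata.php</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_response1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q0VSVElGSUNBVEUt
UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2010-11-20T00:03:33Z">
    <saml:Issuer>https://idp.example.org/saml2/idp/metadata.php</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_assertion1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q0VSVElGSUNBVEUtUExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
XML;

$result = describeSignatures($sample);
foreach ($result['signatures'] as $i => $s) {
    printf("signature %d envelops <%s>, Reference %s (%s), %s, %d cert(s) in KeyInfo\n",
        $i + 1, $s['signs'], $s['reference'],
        $s['matches_id'] ? 'matches ID' : 'DOES NOT MATCH ID',
        $s['algorithm'], count($s['fingerprints']));
}
printf("distinct certificates in the whole message: %d\n", $result['distinct_certs']);
```

To use it on a live message, base64-decode the SAMLResponse form field the browser posts to the ACS and pass that string instead of $sample. The script only maps structure; it verifies nothing. Two enveloped signatures in one response is valid SAML 2.0 and the duplicated certificate is harmless in itself; it only matters if the SP objects. The algorithm column is worth reading too: rsa-sha1 with a sha1 digest was the norm in 2010 but is rejected by current SPs. And whichever signature the SP checks, it must check it against the IdP certificate from its own configured metadata, never against whatever certificate arrives inside ds:KeyInfo, since that part of a forged message is attacker-controlled.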

Tom Scavo

Nov 22, 2010, 2:06:36 PM
to simple...@googlegroups.com
On Mon, Nov 22, 2010 at 11:44 AM, jcubic <jcu...@gmail.com> wrote:
>
> But, while working with support they pointed out that we are sending
> two x509 certificates in our response for some reason.  Does anyone
> know why we would be doing this?  Or how I could fix it?

Your IdP is signing both the response and the assertion. You want to
reconfigure it so it signs just one, I suspect.

Tom

jcubic

Nov 22, 2010, 2:22:29 PM
to simple...@googlegroups.com
I am pretty good with PHP, but new to SAML.  If I could get some troubleshooting tips that would be great.  Do I need to ask google which I need to sign?  Or is there a way to disable/enable each and I can test which works?

I am guessing this is in the metadata.  Maybe in saml20-idp-hosted.php or saml20-sp-remote.php?  Would I modify something in these files or is this setting somewhere else?

If there is a doc somewhere about this specific issue, I would love to spend some time reading about this problem to get a better grip on it.

Thank you for the help by the way, I really appreciate it.





Tom Scavo

Nov 22, 2010, 2:39:34 PM
to simple...@googlegroups.com
On Mon, Nov 22, 2010 at 1:22 PM, jcubic <jcu...@gmail.com> wrote:
> I am pretty good with PHP, but new to SAML.  If I could get some
> troubleshooting tips that would be great.  Do I need to ask google which I
> need to sign?

Yes of course.

> Or is there a way to disable/enable each and I can test which
> works?

That would be one approach but I don't know how to do this, sorry.

> I am guessing this is in the metadata.

No, it's not, I'm sure of that. The metadata gives the public key of
the private key that does the signing, but the IdP application has to
be configured to use a specific credential.

> Maybe in saml20-idp-hosted.php
> or saml20-sp-remote.php?  Would I modify something in these files or is this
> setting somewhere else?

Sorry, someone more knowledgeable about SSP will have to answer that.

> If there is a doc somewhere about this specific issue, I would love to
> spend some time reading about this problem to get a better grip on it.

Look for "configuring signing credentials" or some such thing in the
IdP docs. Sorry, I don't have a pointer.

Tom

Peter Schober

Nov 24, 2010, 9:28:44 AM
to simple...@googlegroups.com
* jcubic <jcu...@gmail.com> [2010-11-22 20:22]:

> I am pretty good with PHP, but new to SAML. If I could get some
> troubleshooting tips that would be great. Do I need to ask google which I
> need to sign? Or is there a way to disable/enable each and I can test which
> works?

http://simplesamlphp.org/docs/1.6/simplesamlphp-reference-idp-hosted#section_2

saml20.sign.response
saml20.sign.assertion

cheers,
-peter
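
The two options Peter names, shown in context (an added example, not a file from this thread or from the simpleSAMLphp distribution). It uses the saml20-idp-hosted.php entry format of the 1.6-era releases the linked reference documents. The key and certificate file names, the auth source name, the mydomain.com ACS URL and the uid attribute are placeholders; the per-SP override in saml20-sp-remote.php is an assumption to confirm against the sp-remote reference for the installed release.

```php
<?php
// Added example; not a file from this thread or from simpleSAMLphp.

// metadata/saml20-idp-hosted.php
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.pem',           // placeholder file names
    'certificate' => 'idp.crt',
    'auth'        => 'example-userpass',  // placeholder auth source

    // Sign the outer <samlp:Response>.
    'saml20.sign.response'  => TRUE,
    // Do not also sign <saml:Assertion>. With both TRUE the IdP emits two
    // enveloped signatures, each carrying its own copy of the same
    // certificate, which is what the response at the top of the thread shows.
    'saml20.sign.assertion' => FALSE,
);

// metadata/saml20-sp-remote.php: the same two keys per SP, if only one
// relying party needs a different choice. Assumption: that this override
// is honoured in the installed release; check the sp-remote reference.
$metadata['google.com'] = array(
    'AssertionConsumerService'   => 'https://www.google.com/a/mydomain.com/acs',
    'NameIDFormat'               => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'uid',    // placeholder attribute
    'simplesaml.attributes'      => FALSE,
    'saml20.sign.response'       => TRUE,
    'saml20.sign.assertion'      => FALSE,
);
```

Which signature to keep is the SP's call, so ask Google, as Tom says, and then confirm that a full login still works. Keeping only the Response signature still protects the Assertion, because an enveloped signature on the Response covers the whole document. Keeping only the Assertion signature leaves the Response wrapper unsigned, so the SP must actually verify the Assertion's signature rather than look for one on the Response.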
