Problems with IdP initiated SLO when SP uses PKIX validation


Simon Annetts

Mar 5, 2010, 8:45:56 AM
to simple...@googlegroups.com
Hi all


We are currently experiencing issues with Internet2 Shib SPs (v2.x) when our SSP IdP tries to request a logout. The error we see on the SP (and of course this breaks the logout chain) is:

opensaml::SecurityPolicyException at (https://devel1.marteg.com/Shibboleth.sso/SLO/Redirect)

Message was signed, but signature could not be verified.


The Internet2 SP has metadata for our IdP which does not contain a
<ds:X509Data>
  <ds:X509Certificate>
...
  </ds:X509Certificate>
</ds:X509Data>
section, only a
<ds:KeyName>...</ds:KeyName>
section so the SP I assume is using PKIX Path Validation (see the successful authentication logs below to see this working....) and extracting the subject name from the certificate which should be being sent in the saml request. Here is the SP log of the failing logout showing that no certificate (<KeyInfo> section) was present in the logout request.

2010-03-05 13:06:40 DEBUG Shibboleth.Listener [4]: dispatching message (default/SLO/Redirect)
2010-03-05 13:06:40 DEBUG OpenSAML.MessageDecoder.SAML2Redirect [4]: validating input
2010-03-05 13:06:40 DEBUG OpenSAML.MessageDecoder.SAML2Redirect [4]: decoded SAML message:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0f8fda671124b160d2f630a2308e78bab042855bde" Version="2.0" IssueInstant="2010-03-05T13:06:39Z" Destination="https://devel1.marteg.com/Shibboleth.sso/SLO/Redirect"><saml:Issuer>https://dev-shibboleth.networcs.net/SSO/shibboleth</saml:Issuer><saml:NameID SPNameQualifier="https://devel1.marteg.com/shibboleth" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_1632879f09d08ea5ede2dc667cbed7e429ebc4335c</saml:NameID><samlp:SessionIndex>_f831d2f86429659f6e962e0a38ee266c19f2319ad4</samlp:SessionIndex></samlp:LogoutRequest>
2010-03-05 13:06:40 DEBUG OpenSAML.MessageDecoder.SAML2 [4]: extracting issuer from SAML 2.0 protocol message
2010-03-05 13:06:40 DEBUG OpenSAML.MessageDecoder.SAML2 [4]: message from (https://dev-shibboleth.networcs.net/SSO/shibboleth)
2010-03-05 13:06:40 DEBUG OpenSAML.MessageDecoder.SAML2 [4]: searching metadata for message issuer...
2010-03-05 13:06:40 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [4]: evaluating message flow policy (replay checking on, expiration 60)
2010-03-05 13:06:40 DEBUG XMLTooling.StorageService [4]: inserted record (_0f8fda671124b160d2f630a2308e78bab042855bde) in context (MessageFlow)
2010-03-05 13:06:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [4]: attempting to validate signature with the peer's credentials
2010-03-05 13:06:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [4]: no peer credentials validated the signature
2010-03-05 13:06:40 ERROR XMLTooling.TrustEngine.PKIX [4]: unable to perform PKIX validation, KeyInfo not present
2010-03-05 13:06:40 ERROR OpenSAML.SecurityPolicyRule.SimpleSigning [4]: unable to verify message signature with supplied trust engine

Of course logout works fine if the metadata contains the key as it then uses Direct signature validation if PKIX fails, but our federation does not publish certs for IdPs.

My Questions are:
Should SSP be sending the cert in logout requests?
Is SSP sending it?
If the answers to these are yes and yes, any idea why the SP fails to validate the request?


Successful Login log using PKIX:
2010-03-05 13:06:28 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: validating signature profile
2010-03-05 13:06:28 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved 0 certificate(s)
2010-03-05 13:06:28 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved 0 CRL(s)
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: attempting to validate signature with the peer's credentials
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: public key did not validate signature: Credential did not contain a verification key.
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: no peer credentials validated the signature
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.PKIX [2]: validating signature using certificate from within the signature
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.PKIX [2]: signature verified with key inside signature, attempting certificate validation...
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.PKIX [2]: checking that the certificate name is acceptable
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.PKIX [2]: certificate subject: emailAddress=ce...@networcs.net,CN=dev-shibboleth.networcs.net,OU=Information and Business Systems,O=Worcestershire County Council,L=Worcester,ST=Worcestershire,C=GB
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.PKIX [2]: unable to match DN, trying TLS subjectAltName match
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.PKIX [2]: unable to match subjectAltName, trying TLS CN match
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.PKIX [2]: matched subject CN to a key name (dev-shibboleth.networcs.net)
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine.PKIX [2]: performing certificate path validation...
2010-03-05 13:06:28 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolving ds:X509Certificate
2010-03-05 13:06:28 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved 1 certificate(s)
2010-03-05 13:06:28 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved 0 CRL(s)
...
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine [2]: supplying PKIX Validation information
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine [2]: supplied (16) CA certificate(s)
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine [2]: supplied (0) CRL(s)
2010-03-05 13:06:28 DEBUG XMLTooling.TrustEngine [2]: successfully validated certificate chain
2010-03-05 13:06:28 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: signature verified against message issuer
2010-03-05 13:06:28 DEBUG Shibboleth.SSO.SAML2 [2]: processing message against SAML 2.0 SSO profile
2010-03-05 13:06:28 DEBUG Shibboleth.SSO.SAML2 [2]: extracting issuer from SAML 2.0 assertion

Here is some reference reading I found useful on PKIX and UKfederation: http://www.guanxi.uhi.ac.uk/index.php/Metadata_and_trust_in_the_UK_Access_Management_Federation

kind regards
Simon
-- 

This e-mail and any attachment is confidential. 
If you have received it in error, please delete it from your system, do not use
or disclose the information in any way, and notify me immediately. The contents
of this message may contain personal views which are not necessarily the views 
of Ateb Ltd, unless specifically stated.
This e-mail and any attachment to it are confidential.
If it has reached you in error, delete it from your system.
Do not use or disclose the information in any way, and let me know
immediately, please. The message may contain personal views which are not
necessarily the views of Ateb Cyf, unless specifically stated.

***********************************
Ateb Ltd.
Company No. 3769059
VAT No.   736568987
Registered Address:
Marteg House,
St. Harmon,
Rhayader,
Powys LD6 5LG
T: 01597 870329
M: 07932 014055
***********************************

Olav Morken

Mar 5, 2010, 10:07:40 AM
to simple...@googlegroups.com
On Fri, Mar 05, 2010 at 13:45:56 +0000, Simon Annetts wrote:
> Hi all
>
>
> We are currently experiencing issues with Internet2 Shib SPs (v2.x)
> when our SSP IdP tries to request a logout. The error we see on the
> SP (and of course this breaks the logout chain) is:
>
> opensaml::SecurityPolicyException at
> (https://devel1.marteg.com/Shibboleth.sso/SLO/Redirect)
>
> Message was signed, but signature could not be verified.
>
>
> The Internet2 SP has metadata for our IdP which does not contain a
>
> <ds:X509Data>
> <ds:X509Certificate>
> ...
> </ds:X509Certificate>
> </ds:X509Data>
>
> section, only a
>
> <ds:KeyName>...</ds:KeyName>
>
> section so the SP I assume is using PKIX Path Validation (see the
> successful authentication logs below to see this working....) and
> extracting the subject name from the certificate which should be
> being sent in the saml request. Here is the SP log of the failing
> logout showing that no certificate (<KeyInfo> section) was present
> in the logout request.
>
[...]

>
> Of course logout works fine if the metadata contains the key as it
> then uses Direct signature validation if PKIX fails, but our
> federation does not publish certs for IdPs.
>
> My Questions are:
> Should SSP be sending the cert in logout requests?

SSP currently only supports the HTTP-Redirect binding for logout
requests. That binding requires that any <ds:Signature>-element in the
message is removed, and is replaced with a signature in the query
string. That signature does not contain the certificate.

The rationale behind removing the <ds:Signature>-element is that the
message is transported through a URL, which has size limitations.
Specifically, Internet Explorer limits the URL to 2083 characters[1].

[1] http://support.microsoft.com/kb/208427

--
Olav Morken
UNINETT / Feide
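The two situations in this thread, the PKIX path in Simon's successful login log (signature verified with the certificate carried inside the signature, certificate CN matched to the metadata key name, chain validated) and Olav's point that a Redirect-binding signature lives in the query string with no certificate, as an added example in POSIX shell over the openssl CLI. This is not code from the thread, from simpleSAMLphp or from the Shibboleth SP; the federation CA, the IdP name idp.example.org, the SP URLs and the RelayState are made-up assumptions, and the log-style messages only imitate the SP's wording.

```sh
#!/bin/sh
# Added example; not code from the thread, simpleSAMLphp or the Shibboleth SP.
# Emulates the two trust decisions discussed: the SP's PKIX trust engine on a
# message whose <ds:Signature> carries a certificate in <KeyInfo>, and the
# HTTP-Redirect binding, where the signature covers the query string and carries
# no certificate. Needs openssl, gzip and POSIX sh/sed/dd. All names are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.pem"; IDP_KEY="$WORK/idp.key"; IDP_CERT="$WORK/idp.pem"
KEYNAME="idp.example.org"   # what the federation publishes in <ds:KeyName>
SIGALG="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

make_pki() {  # toy federation CA plus an IdP signing cert whose CN is the key name
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nO=Example Federation\nCN=Example Federation CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.cnf"
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nO=Example IdP Operator\nCN=%s\n' "$KEYNAME" > "$WORK/idp.cnf"
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 30 -key "$WORK/ca.key" -config "$WORK/ca.cnf" -extensions ca -out "$CA" 2>/dev/null
  openssl genrsa -out "$IDP_KEY" 2048 2>/dev/null
  openssl req -new -key "$IDP_KEY" -config "$WORK/idp.cnf" -out "$WORK/idp.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/idp.csr" -CA "$CA" -CAkey "$WORK/ca.key" -set_serial 4097 -out "$IDP_CERT" 2>/dev/null
}

# SP side, PKIX trust engine (metadata holds only a key name): take the key from the
# certificate inside <KeyInfo>, verify the signature with it, tie the certificate to
# the key name via subjectAltName or CN, then validate the chain to the federation CAs.
# $1=message file  $2=signature file  $3=certificate from <KeyInfo>, "" if absent
pkix_verify() {
  if [ -z "$3" ]; then echo "PKIX: unable to perform PKIX validation, KeyInfo not present" >&2; return 2; fi
  openssl x509 -in "$3" -pubkey -noout > "$WORK/embedded.pub"
  openssl dgst -sha256 -verify "$WORK/embedded.pub" -signature "$2" "$1" >/dev/null 2>&1 \
    || { echo "PKIX: key inside signature did not verify the signature" >&2; return 1; }
  cn=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  sans=$(openssl x509 -in "$3" -noout -text | grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^, ]*' | sed 's/DNS://' || true)
  matched=""; for name in $sans $cn; do if [ "$name" = "$KEYNAME" ]; then matched=$name; fi; done
  [ -n "$matched" ] || { echo "PKIX: no subjectAltName or CN matches key name $KEYNAME" >&2; return 1; }
  openssl verify -CAfile "$CA" "$3" >/dev/null 2>&1 || { echo "PKIX: certificate path validation failed" >&2; return 1; }
  echo "PKIX: signature verified, $matched matched the key name, chain validated" >&2
}

# IdP side, a binding that keeps <ds:Signature> (e.g. HTTP-POST): the detached
# signature stands in for ds:SignatureValue and $IDP_CERT for the <KeyInfo> content.
sign_xml() { openssl dgst -sha256 -sign "$IDP_KEY" -out "$2" "$1"; }

urlencode() {  # percent-encode all but RFC 3986 unreserved characters (ASCII input)
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in [A-Za-z0-9._~-]) out="$out$c" ;; *) out="$out$(printf '%%%02X' "'$c")" ;; esac
  done; printf '%s' "$out"
}
b64_urldecode() { sed 's/%2[Bb]/+/g; s/%2[Ff]/\//g; s/%3[Dd]/=/g'; }  # enough for base64 values only
raw_deflate() {  # RFC 1951 stream = a gzip member minus its 10-byte header and 8-byte trailer
  gzip -c < "$1" > "$1.gz"; n=$(wc -c < "$1.gz")
  dd if="$1.gz" bs=1 skip=10 count=$((n - 18)) 2>/dev/null
}

# IdP side, HTTP-Redirect binding: <ds:Signature> is dropped, the message is deflated,
# base64'd and URL-encoded, and the signature covers the query string
# "SAMLRequest=..&RelayState=..&SigAlg=..". No parameter can carry a certificate.
redirect_sign() {  # $1=LogoutRequest file  $2=RelayState ("" for none); prints the query string
  rs=""; [ -z "$2" ] || rs="&RelayState=$(urlencode "$2")"
  signed="SAMLRequest=$(urlencode "$(raw_deflate "$1" | openssl base64 -A)")${rs}&SigAlg=$(urlencode "$SIGALG")"
  printf '%s' "$signed" > "$WORK/signed.txt"
  sigval=$(openssl dgst -sha256 -sign "$IDP_KEY" "$WORK/signed.txt" | openssl base64 -A)
  printf '%s&Signature=%s' "$signed" "$(urlencode "$sigval")"
}
query_param() { printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p"; }  # raw, still URL-encoded

# SP side: rebuild the signed string from the parameters exactly as received (re-encoding
# would change the signed bytes), then verify with the key the trust engine has.
# $1=query string  $2=public key file from metadata, "" when metadata has only <ds:KeyName>
redirect_verify() {
  rs=$(query_param "$1" RelayState)
  printf '%s' "SAMLRequest=$(query_param "$1" SAMLRequest)${rs:+&RelayState=$rs}&SigAlg=$(query_param "$1" SigAlg)" > "$WORK/received.txt"
  query_param "$1" Signature | b64_urldecode | openssl base64 -d -A > "$WORK/received.sig"
  if [ -z "$2" ]; then
    echo "ExplicitKey: no peer credentials validated the signature" >&2
    if pkix_verify "$WORK/received.txt" "$WORK/received.sig" ""; then return 0; else return $?; fi
  fi
  openssl dgst -sha256 -verify "$2" -signature "$WORK/received.sig" "$WORK/received.txt" >/dev/null 2>&1 \
    && echo "ExplicitKey: signature verified with the key from metadata" >&2
}

make_pki
openssl pkey -in "$IDP_KEY" -pubout -out "$WORK/metadata.pub" 2>/dev/null  # what <ds:X509Certificate> in metadata gives the SP
cat > "$WORK/logout.xml" <<'EOF'
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" IssueInstant="2010-03-05T13:06:39Z" Destination="https://sp.example.org/Shibboleth.sso/SLO/Redirect"><saml:Issuer>https://idp.example.org/saml2/idp</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_n1</saml:NameID><samlp:SessionIndex>_s1</samlp:SessionIndex></samlp:LogoutRequest>
EOF
sign_xml "$WORK/logout.xml" "$WORK/logout.sig"
QUERY=$(redirect_sign "$WORK/logout.xml" "https://sp.example.org/after-logout")

case_keyinfo_pkix()          { pkix_verify "$WORK/logout.xml" "$WORK/logout.sig" "$IDP_CERT"; }
case_redirect_cert_in_md()   { redirect_verify "$QUERY" "$WORK/metadata.pub"; }
case_redirect_keyname_only() { redirect_verify "$QUERY" ""; }
case_redirect_tampered()     { redirect_verify "$(printf '%s' "$QUERY" | sed 's/after-logout/elsewhere/')" "$WORK/metadata.pub"; }

for c in case_keyinfo_pkix case_redirect_cert_in_md case_redirect_keyname_only case_redirect_tampered; do
  if "$c"; then echo "$c: accepted"; else rc=$?; echo "$c: rejected (exit $rc)"; fi
done
```

Run it as is; it prints one accepted/rejected line per case. The first case is the login in the log: the embedded certificate verifies the signature, its CN equals the key name, and the chain reaches the CA. The redirect cases show Olav's point: the same key and message verify fine when the SP has the key from metadata, but with a key name only there is nothing for ExplicitKey to try and no KeyInfo for PKIX, which is the "KeyInfo not present" error in the SP log. The verifier rebuilds the signed string from the raw, still URL-encoded SAMLRequest, RelayState (if present) and SigAlg in that order; decoding and re-encoding them first would change the signed bytes. The tampered case changes RelayState after signing and is rejected, since RelayState is inside the signed string.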

Simon Annetts

Mar 5, 2010, 12:29:55 PM
to simple...@googlegroups.com
Hi Olav
Thanks for the info on this, it makes sense now of course. Should I ask
our federation to consider publishing ds:X509Certificate info in the
metadata so that the SP will use that instead?

kind regards
Simon


Olav Morken

Mar 9, 2010, 3:06:27 AM
to simple...@googlegroups.com
On Fri, Mar 05, 2010 at 17:29:55 +0000, Simon Annetts wrote:
> Hi Olav
> Thanks for the info on this, it makes sense now of course. Should I
> ask our federation to consider publishing ds:X509Certificate info in
> the metadata so that the SP will use that instead?

Whether you do that is up to you. As it is, that is the only way to
support single logout with signature validation with a simpleSAMLphp
IdP.

You may find section 2.5.1 of the SAML V2.0 Metadata Interoperability
Profile relevant:

http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cs-01.pdf
