SAML NameID not included in the auth data for SAML 1.0


Nicholas Amon

Sep 4, 2014, 11:41:48 AM9/4/14
to simple...@googlegroups.com
Hi,

I have replaced our custom SAML solution with simpleSAMLphp and I'm testing support for both SAML 2.0 and SAML 1.1. All tests passed with SAML 2.0, but with SAML 1.1 the auth data retrieved via the following:

// Log in through the 'default-sp' authsource and dump the resulting auth data
$this->samlAuthData = new SimpleSAML_Auth_Simple('default-sp');
$authData = $this->samlAuthData->getAuthDataArray();
error_log("The SSO data is " . print_r($authData, true));

The SSO data is Array
(
    [saml:sp:IdP] => theIVE
    [Attributes] => Array
        (
        )

    [LogoutState] => Array
        (
            [saml:logout:Type] => saml1
        )

    [Authority] => default-sp
    [AuthnInstant] => 1409842580
    [Expire] => 1409871380
)


The authData doesn't return back the subject nameid. Here is the assertion returned by the (Juniper) IdP below. Also, I opened another topic where this response failed validation because the key used to sign the assertion is not contained in the response, even though I included the corresponding cert in the metadata (I had to hack the code to explicitly retrieve the cert from the metadata and use it for validation).

I see the places in the code, specifically starting from saml1-acs.php, where the nameID is not being returned back even though it is retrievable from the Response object and likewise that the validation is failing because it is not retrieving it from the metadata.

Am I doing something wrong?

<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2014-09-04T14:56:20Z" MajorVersion="1" MinorVersion="1" Recipient="https://XXXXXXX.com/samlsp/module.php/saml/sp/saml1-acs.php/default-sp" ResponseID="a3e0d1684186152ba797d9d77f076d29">
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <ds:Reference URI="#a3e0d1684186152ba797d9d77f076d29">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml samlp ds xsd xsi code kind rw typens" />
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>XnF/lWnDdYN8eVRhZD6s5YeHUME=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>idWvwCqFx3nvvP9CsIEl8w4vomRXl9ksoP5nIMJVxqc96H180Xp1hmn5uVae/uRS
n4YWA63mO/BcwAHOnV/NMKn86sVzCt3qrg3OMnoQJe9lnKldO+gP7aE5ZvoGojor
4nXWQfQo+3PQgia5HGMkUZHOIA/bjHU1JuheyBEFYQc=</ds:SignatureValue>
   </ds:Signature>
   <Status>
      <StatusCode Value="samlp:Success" />
   </Status>
   <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="f7c44d4e7dcf82871fa54c0d90835006" IssueInstant="2014-09-04T14:56:20Z" Issuer="theIVE" MajorVersion="1" MinorVersion="1">
      <Conditions NotBefore="2014-09-04T14:56:20Z" NotOnOrAfter="2014-09-04T15:01:20Z" />
      <AuthenticationStatement AuthenticationInstant="2014-09-04T14:56:15Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
         <Subject>
            <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">nick</NameIdentifier>
            <SubjectConfirmation>
               <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
            </SubjectConfirmation>
         </Subject>
         <SubjectLocality IPAddress="XXXXXX" />
      </AuthenticationStatement>
   </Assertion>
</Response>
Thanks in advance,

Nicholas
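As an added illustration (not simpleSAMLphp code and not part of the original post), this Python snippet pulls the Subject NameIdentifier out of a SAML 1.1 Response shaped like the Juniper one above, and refuses to return it unless the status is Success, the assertion is inside its Conditions window and the subject is bearer-confirmed. The sample document is constructed and unsigned, so it assumes signature verification against the IdP metadata cert has already succeeded before this function runs.

```python
# Added example (not simpleSAMLphp code): extract the Subject NameIdentifier
# from a SAML 1.1 Response laid out like the Juniper response quoted above.
# The sample below is constructed and unsigned; signature verification is
# assumed to have already succeeded before extract_name_id() is called.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# Constructed sample with the same structure as the posted response, signature omitted.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="theIVE">
    <Conditions NotBefore="2014-09-04T14:56:20Z" NotOnOrAfter="2014-09-04T15:01:20Z"/>
    <AuthenticationStatement>
      <Subject>
        <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">nick</NameIdentifier>
        <SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation>
      </Subject>
    </AuthenticationStatement>
  </Assertion>
</Response>"""


def parse_ts(value):
    # SAML timestamps are UTC ("Z"); return an aware datetime so comparisons are safe.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_name_id(xml_text, now):
    """Return (name, format) for a Success response whose assertion is inside its
    Conditions window and bearer-confirmed; raise ValueError on any failed check."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    # Value is a QName; the prefix is compared as written (samlp is bound on the root).
    if code is None or code.get("Value") != "samlp:Success":
        raise ValueError("response status is not Success")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    subj = root.find("saml:Assertion/saml:AuthenticationStatement/saml:Subject", NS)
    methods = [] if subj is None else [m.text for m in subj.findall("saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
    if BEARER not in methods:
        raise ValueError("subject is not confirmed by the bearer method")
    nid = subj.find("saml:NameIdentifier", NS)
    if nid is None or not nid.text:
        raise ValueError("no NameIdentifier in Subject")
    return nid.text, nid.get("Format")
```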

Peter Schober

Sep 9, 2014, 5:54:56 PM9/9/14
to simple...@googlegroups.com
* Nicholas Amon <nichol...@gmail.com> [2014-09-04 17:41]:
> I see the places in the code, specifically starting from saml1-acs.php,
> where the nameID is not being returned back even though it is retrievable
> from the Response object and likewise that the validation is failing
> because it is not retrieving it from the metadata.
>
> Am I doing something wrong?

There was another thread where someone stated the same (NameIdentifier
is not exposed in the SP API), and you seem to have found that the
code indeed does not do this. So you could either implement this
yourself (while you're at it) and send a pull request, or just file an
issue in the tracker.
-peter

Nicholas Amon

Sep 10, 2014, 9:44:43 AM9/10/14
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks for the response. Pull request #108 created.