adding certificates to SAML authentication requests

sant...@sift.co.uk

Feb 21, 2011, 11:15:16 AM
to simpleSAMLphp
Hi,

I am setting up a SimpleSAMLphp SP. All works well testing with
openIdp. However, I am trying to add an X.509 certificate to my authn
requests to send to the IdP, or perhaps I am misunderstanding how this
works.

I am using the HTTP-redirect binding. I have added a public and
private key to my metadata, and have enabled signing of requests:

authsources.php:

    'default-sp' => array(
        'saml:SP',
        'certificate' => 'saml.cer',
        'privatekey' => 'saml.pem',
        'idp' => <domain>,
    ),

IdP metadata:

    $metadata[<domain>] = array(
        'name' => array(
            'en' => 'name',
        ),
        'description' => 'desc',
        'SingleSignOnService' => '<domain>/SAML/SSOService.aspx',
        'SingleLogoutService' => '<domain>/SAML/SLOService.aspx',

        'redirect.sign' => TRUE,
        'sign.authnrequest' => TRUE,
    );

My understanding of private/public key pairs is that the public key
is sent out to sources attempting to connect to the server, and the
private key is on the server and should not be transferred and held
anywhere else.

However when I remove the 'private-key' it complains that there is no
key. Even when all I am attempting to do is send the public key with
the assertion (so I would assume that until an assertion is returned
the private key on my SP should be redundant). So it looks like SAML
is trying to sign and send the private key on my SP to the IdP (not
the public key).

If I set the 'privatekey' my assertion request will contain a
signature:
SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=Jd%2Fg4dxC%2Bjz6JA4HG5GZWktSJ2hoRu9VVDjkohqUJHwBNB7fF4hWRkU0nicbB4wZrjvGTsoaVnC7n9fIb3QZT954AVvdlsBLUNyTDpqt7cPzzV%2F%2Bs8sh9vrjm1BklzzuwDRpEi5%2BcPUwudHVOCtmCyVBEQOZ9x%2F3QF4Jhjby9Ck%3D

This is the case even if I disable the 'certificate'. So this
signature is built from the private key on my SP. Am I incorrect in
thinking that a private key should be private and not sent out?

If I disable 'redirect.sign' and 'sign.authnrequest' I can still check
the metadata via the federations tab:

'certData' => 'MIIBzTCCATagAwIBAgIEQm3M6jANBgkqhkiG9w0BAQQFADArMQswCQYDVQQGEwJVUzENMAsGA1UEChMEdGVzdDENMAsGA1UEAxMEdGVzdDAeFw0wNTA0MjYwNTA4NThaFw0xNTA0MjQwNTA4NThaMCsxCzAJBgNVBAYTAlVTMQ0wCwYDVQQKEwR0ZXN0MQ0wCwYDVQQDEwR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgV/g3WgSbAdu+6Tam2Nw70ucAii7h35vdLhQy2xIu3sCscCsKEjSxs3DVyWt3WSM/ovn07rC40CMWK/9ILH9ayoiuin5YdK3lIwAcZJI1IJl9PuU4RzQ+9pqpFXKDHB3Ez2NoV9Pvjg5RtDtIUzFhgBTnVXSLD5Ueobh0LtYK5QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAJ8TP5c8+Hd+phlPvbhDWLuPvj/8na3oZ2Ji8ul52Yqpz2EUwhKuszTznj1l9qWK7N3/eO+Ch3SZsiZyaZH/Cv0h4CIANJvpd3MHMmWFd+zkylj5qsCtyuySXWxolO5Ur134PON7ULcWi1oiEmiwZZuza9qCdBwm1MbGmR7iaPpo'

So my certificate is being picked up. However, when I send the authn
request (via the URL using the HTTP-Redirect binding) upon using a
decoder to see my SAML request message, it contains no certificate
information:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_2fd35a2342be35ea17da664df891989f6d32b28f81"
                    Version="2.0"
                    IssueInstant="2011-02-21T15:32:52Z"
                    Destination="domain.com/SAML/SSOService.aspx"
                    AssertionConsumerServiceURL="http://devel.bhf.drupal.uk.sift.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>http://devel.bhf.drupal.uk.sift.com/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>

This leads me to my question:
How do I send the certificate (public key) with my SAML request
message to the IdP?

I have tried a few different setups from examples in the
documentation. None will allow me to send the certificate in the
request to the IdP.

Thanks,
Seb

Olav Morken

Feb 25, 2011, 8:14:07 AM
to simple...@googlegroups.com
On Mon, Feb 21, 2011 at 08:15:16 -0800, sant...@sift.co.uk wrote:
> Hi,
>
> I am setting up a SimpleSAMLphp SP. All works well testing with
> openIdp. However, I am trying to add an X.509 certificate to my authn
> requests to send to the IdP, or perhaps I am misunderstanding how this
> works.

Are you specifically trying to include a certificate in the
authentication request, or are you simply trying to sign it?

> I am using the HTTP-redirect binding. I have added a public and
> private key to my metadata, and have enabled signing of requests:
>

[...]

> My understanding of private/public key pairs is that the public key
> is sent out to sources attempting to connect to the server, and the
> private key is on the server and should not be transferred and held
> anywhere else.

We do not send the public key in the HTTP-Redirect binding, since there
is no room to include a certificate when using that binding.

> However when I remove the 'private-key' it complains that there is no
> key. Even when all I am attempting to do is send the public key with
> the assertion (so I would assume that until an assertion is returned
> the private key on my SP should be redundant). So it looks like SAML
> is trying to sign and send the private key on my SP to the IdP (not
> the public key).
>
> If I set the 'privatekey' my assertion request will contain a
> signature:
> SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=Jd%2Fg4dxC%2Bjz6JA4HG5GZWktSJ2hoRu9VVDjkohqUJHwBNB7fF4hWRkU0nicbB4wZrjvGTsoaVnC7n9fIb3QZT954AVvdlsBLUNyTDpqt7cPzzV%2F%2Bs8sh9vrjm1BklzzuwDRpEi5%2BcPUwudHVOCtmCyVBEQOZ9x%2F3QF4Jhjby9Ck%3D
>
> This is the case even if I disable the 'certificate'. So this
> signature is built from the private key on my SP. Am I incorrect in
> thinking that a private key should be private and not sent out?

No, you are correct in that assumption. Never share your private key.
You have however misunderstood how signing works. When you sign a
message, you use the private key. The recipient of the message can then
use your public key to validate that signature.

> If I disable 'redirect.sign' and 'sign.authnrequest' I can still check
> the metadata via the federations tab: 'certData' =>

[...]

> So my certificate is being picked up. However, when I send the authn
> request (via the URL using the HTTP-Redirect binding) upon using a
> decoder to see my SAML request message, it contains no certificate
> information:

[...]

> This leads me to my question:
> How do I send the certificate (public key) with my SAML request
> message to the IdP?

Not currently possible, since we only support sending the AuthnRequest
message via the HTTP-Redirect binding, and you cannot include the
certificate when using that binding. From the specification:

Any signature on the SAML protocol message, including the
<ds:Signature> XML element itself, MUST be removed.

> I have tried a few different setups from examples in the
> documentation. None will allow me to send the certificate in the
> request to the IdP.

Why do you need to send the certificate to the IdP?

Regards,
Olav Morken
UNINETT / Feide
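Added example, not code from this thread and not simpleSAMLphp's own implementation: a Go sketch of both sides of the signed HTTP-Redirect binding that Seb's URL shows and Olav describes. The SP signs the URL-encoded query parameters (SAMLRequest, RelayState, SigAlg) with its private key and appends the result as the Signature parameter; the IdP verifies that signature with the SP's public key, which it must already hold from the SP's metadata because the binding has nowhere to carry a certificate. The function names, the idp.example.org URL, the throwaway RSA key and the minimal AuthnRequest are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// SigAlgRSASHA1 is the algorithm URI that the URL quoted in the thread carries as SigAlg.
const SigAlgRSASHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

// deflateBase64 applies the HTTP-Redirect message encoding: raw DEFLATE, then base64.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only fails for a bad level
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// inflateBase64 reverses deflateBase64.
func inflateBase64(s string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", err
	}
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(out), err
}

// signedString is exactly what the signature covers: the URL-encoded parameters in this
// fixed order, without Signature. Nothing inside the XML document itself is signed.
func signedString(encReq, encRelay, encAlg string) string {
	s := "SAMLRequest=" + encReq
	if encRelay != "" {
		s += "&RelayState=" + encRelay
	}
	return s + "&SigAlg=" + encAlg
}

// BuildRedirectURL is the SP side. Only the private key is used, and neither it nor the
// certificate is placed in the URL, which is why the decoded AuthnRequest shows no KeyInfo.
func BuildRedirectURL(ssoURL, authnRequestXML, relayState string, priv *rsa.PrivateKey) (string, error) {
	encRelay := ""
	if relayState != "" {
		encRelay = url.QueryEscape(relayState)
	}
	query := signedString(url.QueryEscape(deflateBase64(authnRequestXML)), encRelay, url.QueryEscape(SigAlgRSASHA1))
	digest := sha1.Sum([]byte(query))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return ssoURL + "?" + query + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawQueryParams keeps values exactly as received: the signature was computed over the sender's
// encoding, so decoding and re-encoding on the verifier side can break valid signatures.
func rawQueryParams(rawQuery string) map[string]string {
	params := map[string]string{}
	for _, pair := range strings.Split(rawQuery, "&") {
		if kv := strings.SplitN(pair, "=", 2); len(kv) == 2 {
			params[kv[0]] = kv[1]
		}
	}
	return params
}

// VerifyRedirectURL is the IdP side. pub comes from the SP metadata the IdP already holds; the
// binding carries no certificate, so nothing in the request itself can be trusted for key lookup.
// SigAlg is attacker-controlled input, so the expected algorithm is pinned rather than dispatched on.
func VerifyRedirectURL(rawURL string, pub *rsa.PublicKey) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	p := rawQueryParams(u.RawQuery)
	if alg, err := url.QueryUnescape(p["SigAlg"]); err != nil || alg != SigAlgRSASHA1 {
		return "", fmt.Errorf("missing or unsupported SigAlg %q", p["SigAlg"])
	}
	sigB64, _ := url.QueryUnescape(p["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || p["SAMLRequest"] == "" || p["Signature"] == "" {
		return "", fmt.Errorf("missing or malformed SAMLRequest/Signature")
	}
	digest := sha1.Sum([]byte(signedString(p["SAMLRequest"], p["RelayState"], p["SigAlg"])))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	encReq, _ := url.QueryUnescape(p["SAMLRequest"])
	return inflateBase64(encReq)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key; a real SP loads its 'privatekey' file
	const authn = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_demo" Version="2.0"/>` // constructed
	u, _ := BuildRedirectURL("https://idp.example.org/SAML/SSOService.aspx", authn, "/app/start", priv)
	xml, err := VerifyRedirectURL(u, &priv.PublicKey)
	fmt.Printf("verified: %v %s\n", err == nil, xml)
	// Flip RelayState: it is under the signature, so the IdP must reject the request.
	_, err = VerifyRedirectURL(strings.Replace(u, "%2Fapp%2Fstart", "%2Fapp%2Fevil", 1), &priv.PublicKey)
	fmt.Println("tampered RelayState rejected:", err != nil)
}
```

The verifier side deliberately splits the raw query instead of calling url.ParseQuery, because the signed bytes are the sender's URL-encoding; a verifier that decodes and re-encodes can compute a different string for the same request and reject valid signatures, or accept a differently-encoded one it did not actually check.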
