reading attributes in saml assertion


Polo

Dec 28, 2010, 5:45:59 AM
to simpleSAMLphp
Hi,
I don't know if the subject of my post is right, but this is my
problem.

I'm not really an expert with simpleSAML, but I managed to set up
a simpleSAMLphp environment as an SP.
The authentication phase works fine, but I can't configure
config.php to read the IdP attributes.

My customer's IdP sent me this assertion so that I could configure
the SP side:

<?xml version="1.0"?>
<samlp:Response IssueInstant="2010-12-16T15:18:55.368Z" ID="j2AGHnh2j0-uravGQx8_0viIPDF" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lly-qa:saml2:idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion Version="2.0" IssueInstant="2010-12-16T15:18:55.899Z" ID="kc5IsNxmJJAL52eAIBtu2yt0b2b">
    <Issuer>lly-qa:saml2:idp</Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#kc5IsNxmJJAL52eAIBtu2yt0b2b">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>GOJZC6uo/nviwpVl3xEaCWf6w64=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>aabUnLzoL3sTSTfAQ4LwgZPZ8Gh7OLx9xboT43Oo62/c1jMQyVEUooAbi8kFzDilZ2m9HCPxIc/49UArVsh5TLKygcKdbjJfjFu53yBP1BO7hdlaYr5JvOHlguPF+u92GcEyVe5kcxlzG8eRTH4dmkkp+AZIrn97l0WtKc0GTtw=</ds:SignatureValue>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">PINGTEST0002</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2010-12-16T15:20:55.899Z" Recipient="https://my.url.fr/environment_dev/simplesaml/module.php/saml/sp/saml2-acs.php/environment_dev"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotOnOrAfter="2010-12-16T15:20:55.899Z" NotBefore="2010-12-16T15:16:55.899Z">
      <AudienceRestriction>
        <Audience>icsallegro:saml2:sp</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2010-12-16T15:18:55.899Z" SessionIndex="kc5IsNxmJJAL52eAIBtu2yt0b2b">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

When I put this assertion in the metadata converter I get this error
message:
simplesamlphp WARNING [b44d7b08ab] Schema validation failed on XML string: level=2,code=1845,line=2,col=0,msg=Element '{urn:oasis:names:tc:SAML:2.0:protocol}Response': No matching global declaration available for the validation root.
Dec 28 10:54:23 simplesamlphp ERROR [b44d7b08ab] /allegro_dev/simplesaml/admin/metadata-converter.php - UserError: ErrCode:METADATA_PARSER: Unexpected+root+node%3A+%5Burn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%5D%3AResponse

My customer tells me that the attribute name is SAML_SUBJECT, but all
the combinations I tried to read this attribute have failed (with
core:GenerateGroup, core:AttributeAdd, core:TargetedID, ...).

I read many docs about attributes with simpleSAML, but I do not
know how to phrase the question of how to read this attribute, or simply
how to show all attributes returned by the IdP, which would allow me to
configure my config.php file.
So if anyone has an idea that would be great, because I'm a little bit
lost.
Thanks.

Stefano Gargiulo

Dec 28, 2010, 8:43:18 AM
to simple...@googlegroups.com

It seems that you have an assertion in the federation metadata.... How is the metadata source configured in config.php?


--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.

Peter Schober

Dec 28, 2010, 10:06:25 AM
to simpleSAMLphp
* Polo <prug...@hotmail.com> [2010-12-28 11:47]:
> when i put this assertion in the metadata converter [...]

The metadata converter is for converting SAML 2.0 metadata to
SimpleSAMLphp's own metadata format.
A SAML assertion is not SAML metadata.
Whoever is running the IdP named "lly-qa:saml2:idp" should give you
SAML metadata describing this entity, not just an assertion.
(Note that "lly-qa:saml2:idp" is not a valid name for a SAML entity
but this has nothing to do with your problem at hand.)

> I read many docs about the attributs with simpleSAML, but, I do not
> know how turn the question to read this attribute or simply to show
> all attributes returned by the IDP that will allow me to configur my
> config.php file..

Once you get metadata and configure it per the docs, follow the rest
of the docs on how to access any attributes.
-peter

Polo

Dec 29, 2010, 5:19:51 AM
to simpleSAMLphp
Thanks all for your answers.

I finally managed to solve my problem.

This is how:
(It's important: I was working with simpleSAML 1.6.2.)
What I did not realize is that simpleSAML expects the attributes in the
assertion in the form of a <saml:Attribute> tag, for example:
<saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">paul</saml:AttributeValue>
</saml:Attribute>

so no filter I defined could work, because I don't have this kind of
tag in the IdP's XML assertion response.
In fact, the tag containing the attribute I have to recover from the
response is (and no other attribute is sent):

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">PINGTEST0002</NameID>

I therefore looked for a way to read this kind of attribute and found
the class 'saml:NameIDAttribute', but this class doesn't exist in
SimpleSAMLphp version 1.6.2, only in 1.7.0, released 17/12/2010
(fortunately for me; thanks to the developers who saved my project lol).
So I downloaded and installed this 1.7.0 release and it works fine for
me.

And here is my config.php, reduced to its simplest form:

'authproc.sp' => array(
20 => array(
'class' => 'saml:NameIDAttribute',
'format' => '%V',
),
50 => 'core:AttributeLimit',
),

PoLo
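The checks Polo's SP should pass before it trusts that NameID, as an added example that is not part of the thread and not simpleSAMLphp's own code. It parses the Response from the first message, requires the assertion's enveloped signature to reference the assertion's own ID, enforces Conditions, Audience and the bearer SubjectConfirmationData, and then renders the NameID into an ordinary attribute the way the saml:NameIDAttribute filter's format string does. The SP entityID and ACS URL are taken from the posted assertion and assumed to be the real SP configuration; the %I/%S/%F/%V token meanings are my reading of that filter's documentation, so check your version; the cryptographic check of ds:SignatureValue is left as a marked hook because the thread does not include the IdP's certificate.

```python
"""Added example (not simpleSAMLphp code): the checks an SP must pass on the
Response posted in the first message before it trusts the NameID, then the
NameID exposed as an attribute the way the saml:NameIDAttribute filter does.
The RSA signature itself is not verified here (the thread has no IdP cert)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# This SP's own entityID and ACS URL, taken from the posted assertion
# (assumed to be the real values of Polo's SP).
SP_ENTITY_ID = "icsallegro:saml2:sp"
ACS_URL = ("https://my.url.fr/environment_dev/simplesaml/module.php/saml/sp/"
           "saml2-acs.php/environment_dev")

# The samlp:Response from the first post, re-joined where the mail client wrapped it.
RESPONSE = """<samlp:Response IssueInstant="2010-12-16T15:18:55.368Z" ID="j2AGHnh2j0-uravGQx8_0viIPDF"
 Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lly-qa:saml2:idp</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion Version="2.0" IssueInstant="2010-12-16T15:18:55.899Z" ID="kc5IsNxmJJAL52eAIBtu2yt0b2b">
<Issuer>lly-qa:saml2:idp</Issuer>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#kc5IsNxmJJAL52eAIBtu2yt0b2b"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>GOJZC6uo/nviwpVl3xEaCWf6w64=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>aabUnLzoL3sTSTfAQ4LwgZPZ8Gh7OLx9xboT43Oo62/c1jMQyVEUooAbi8kFzDilZ2m9HCPxIc/49UArVsh5TLKygcKdbjJfjFu53yBP1BO7hdlaYr5JvOHlguPF+u92GcEyVe5kcxlzG8eRTH4dmkkp+AZIrn97l0WtKc0GTtw=</ds:SignatureValue>
</ds:Signature>
<Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">PINGTEST0002</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
 NotOnOrAfter="2010-12-16T15:20:55.899Z"
 Recipient="https://my.url.fr/environment_dev/simplesaml/module.php/saml/sp/saml2-acs.php/environment_dev"/>
</SubjectConfirmation></Subject>
<Conditions NotOnOrAfter="2010-12-16T15:20:55.899Z" NotBefore="2010-12-16T15:16:55.899Z">
<AudienceRestriction><Audience>icsallegro:saml2:sp</Audience></AudienceRestriction></Conditions>
<AuthnStatement AuthnInstant="2010-12-16T15:18:55.899Z" SessionIndex="kc5IsNxmJJAL52eAIBtu2yt0b2b">
<AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthnContextClassRef>
</AuthnContext></AuthnStatement></Assertion></samlp:Response>"""


def saml_time(value):
    """Parse the UTC xs:dateTime with milliseconds that this IdP emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, sp_entity_id, acs_url, now):
    """Return issuer, NameID and attributes, or raise ValueError on any failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root is not samlp:Response")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion in the Response")
    # The enveloped signature must reference the assertion's own ID; this is the
    # first (not the only) defence against a signed element wrapped around an unsigned one.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID"):
        raise ValueError("assertion unsigned or signature covers another element")
    # Hook: verify ds:SignatureValue against the IdP certificate from its metadata
    # (e.g. with xmlsec). Until that is done these checks reject malformed input only.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion issued for %r, not for this SP" % audiences)
    subject = assertion.find("saml:Subject", NS)
    scd = subject.find("saml:SubjectConfirmation[@Method='%s']/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation missing, stale, or addressed to another ACS")
    name_id = subject.find("saml:NameID", NS)
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": assertion.find("saml:Issuer", NS).text, "nameid": name_id.text,
            "nameid_format": name_id.get("Format"), "attributes": attributes}


def nameid_as_attribute(result, sp_entity_id, fmt="%V", name="nameid"):
    """What saml:NameIDAttribute does: render the NameID into an ordinary attribute.
    Tokens as I read that filter's docs (assumption): %I issuer, %S this SP,
    %F NameID format, %V value; its default is '%I!%S!%V', Polo used '%V'."""
    tokens = {"I": result["issuer"], "S": sp_entity_id, "F": result["nameid_format"], "V": result["nameid"]}
    rendered = re.sub(r"%([ISFV])", lambda m: tokens[m.group(1)], fmt)
    return {**result["attributes"], name: [rendered]}


def check_at(iso_now, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Run the checks as of a given instant; return the attributes or the rejection reason."""
    try:
        result = validate_response(RESPONSE, sp_entity_id, acs_url, saml_time(iso_now))
        return nameid_as_attribute(result, sp_entity_id)
    except ValueError as err:
        return str(err)
```

check_at("2010-12-16T15:19:00.000Z") returns {'nameid': ['PINGTEST0002']}, which is exactly the attribute Polo's '%V' filter produces; the same Response replayed at 15:25, or presented with a different SP entityID or ACS URL, comes back as the rejection reason instead. Note that this assertion carries no AttributeStatement at all, which is why the attribute-based authproc filters had nothing to work on.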