Error using SimpleSAML as SP with OpenSSO Idp (SAML 2.0)

395 views
Skip to first unread message

Daniel Diaz

unread,
Jul 6, 2011, 2:41:14 PM7/6/11
to simpleSAMLphp
Dear all,

This is the first time I use SimpleSAMLPHP and looks great. However, I
haven't been able to set an appropriate connection with OPENAM
(formelly OpenSSO) since when I test the federation connectivity I get
an error.

I have followed the instructions item per item and I'm pretty sure the
error is not related to configuration. After exchanging metadata
(parsing opensso metadata with the simplesaml tool and registering the
remote SP in opensso) I tried to test the system (using simplesaml
test under authentication tab) and got this error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Reference validation failed
Backtrace:
8 /var/simplesamlphp/lib/xmlseclibs.php:1005
(XMLSecurityDSig::validateReference)
7 /var/simplesamlphp/lib/SAML2/Utils.php:56
(SAML2_Utils::validateElement)
6 /var/simplesamlphp/lib/SAML2/Assertion.php:471
(SAML2_Assertion::parseSignature)
5 /var/simplesamlphp/lib/SAML2/Assertion.php:241
(SAML2_Assertion::__construct)
4 /var/simplesamlphp/lib/SAML2/Response.php:38
(SAML2_Response::__construct)
3 /var/simplesamlphp/lib/SAML2/Message.php:471
(SAML2_Message::fromXML)
2 /var/simplesamlphp/lib/SAML2/HTTPPost.php:98
(SAML2_HTTPPost::receive)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:16 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)

Having a look to the code, I noticed that simplesaml fails to verify
the digest since the digest generated by simple saml does not match
the one sent by opensso. I placed some debugging messages and I found
the problem:
SimpleSAML receives a message whose assertion part is the following:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s2dbfd1f904f7a1ae3c535ebefd711397ca097bc7e"
IssueInstant="2011-07-06T16:09:20Z" Version="2.0">
<saml:Issuer>https://sso.pervasive.it.uc3m.es/opensso</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-
format:transient" NameQualifier="https://sso.pervasive.it.uc3m.es/
opensso">oCjCanKokkBSwLv2yR5f7Y9K75YK</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:
2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="_39d67066a1ad25404668845811683e54e1fc3ac0ef"
NotOnOrAfter="2011-07-06T16:19:20Z" Recipient="http://
bib.pervasive.it.uc3m.es/simplesaml/module.php/saml/sp/saml2-acs.php/
pervasive-bib-services"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2011-07-06T15:59:20Z"
NotOnOrAfter="2011-07-06T16:19:20Z">
<saml:AudienceRestriction>
<saml:Audience>http://bib.pervasive.it.uc3m.es</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2011-07-06T15:54:08Z"
SessionIndex="s262dbc9dd64d5b1b482b3c4c444dd539c4e7b3b01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:
2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="cn">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Daniel Diaz</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>

However, the XML sniped used in processRefNode (xmlseclibs) , called
by parseSignature (Assertion.php) after canonicalization and
transformation is:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s2dbfd1f904f7a1ae3c535ebefd711397ca097bc7e"
IssueInstant="2011-07-06T16:09:20Z" Version="2.0">
<saml:Issuer>https://sso.pervasive.it.uc3m.es/opensso</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-
format:transient" NameQualifier="https://sso.pervasive.it.uc3m.es/
opensso">oCjCanKokkBSwLv2yR5f7Y9K75YK</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:
2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="_39d67066a1ad25404668845811683e54e1fc3ac0ef"
NotOnOrAfter="2011-07-06T16:19:20Z" Recipient="http://
bib.pervasive.it.uc3m.es/simplesaml/module.php/saml/sp/saml2-acs.php/
pervasive-bib-services"></saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2011-07-06T15:59:20Z"
NotOnOrAfter="2011-07-06T16:19:20Z">
<saml:AudienceRestriction>
<saml:Audience>http://bib.pervasive.it.uc3m.es</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2011-07-06T15:54:08Z"
SessionIndex="s262dbc9dd64d5b1b482b3c4c444dd539c4e7b3b01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:
2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="cn">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-
instance" xsi:type="xs:string">Daniel Diaz</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>

As you can see, there are two differences between the XML documents,
the first is closing the <saml:SubjectConfirmationData> at the end of
the element (i.e. blah blah" /> ) and the second uses an element
termination "</saml:SubjectConfirmationData>".
Moreover, the first has an extra xmlns:xs="http://www.w3.org/2001/
XMLSchema" in the element <saml:attributeValue> that does not appear
in the second. Due to this, obviously, the signature cannot be the
same (hopefully).

I found the problem but I dont know how to proceed.

Can you please help me?

Regards

Dani

Olav Morken

unread,
Jul 7, 2011, 5:40:23 AM7/7/11
to simple...@googlegroups.com

That is normal - that is exactly the type of changes that
canonicalization should cause.

> Moreover, the first has an extra xmlns:xs="http://www.w3.org/2001/
> XMLSchema" in the element <saml:attributeValue> that does not appear
> in the second. Due to this, obviously, the signature cannot be the
> same (hopefully).

This is a bit worriesome, because canonicalization shouldn't touch
attributes (other than reordering them).

> I found the problem but I dont know how to proceed.

What version of PHP are you using? What version of libxml2? What type
of canonicalization is OpenSSO using for its signature? (exclusive or
inclusive?) It is possible that this is either caused by using a too
old version of PHP or that there is a bug in the version of libxml2 you
are using.


Regards,
Olav Morken
UNINETT / Feide

Daniel Diaz

unread,
Jul 7, 2011, 11:14:32 AM7/7/11
to simpleSAMLphp
> UNINETT / Feide- Hide quoted text -
>
> - Show quoted text -

Hi,

Thanks for your promtply response. According to Php Info, the verions
of the software are:

PHP Version 5.3.2-1ubuntu4.9
libxml2 Version 2.7.6

The canonicalization is : <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

Do you know if either the php stack, the libxml2 library or the
cannonicalization method has a bug?

Thanks

Olav Morken

unread,
Jul 8, 2011, 7:34:09 AM7/8/11
to simple...@googlegroups.com

The versions of libxml2 is relatively recent, so I don't think it is
buggy. And the PHP version is new enough that we use the
canonicalization functions from libxml2, so I don't think PHP is the
problem.

Also, removing the xmlns:xs is not necessarily wrong, when using
the exclusive canonicalization.

Could you send the original base64-encoded XML message? E.g. by adding
something like:

file_put_contents('/tmp/rawmessage.b64', $msg);

Before the line that reads:

$msg = base64_decode($msg);

in lib/SAML2/HTTPPost.php?

(Feel free to send it by private mail if it contains details that you
would prefer not to share with the mailinglist.)

Reply all
Reply to author
Forward
0 new messages