SimpleSAMLPHP 1.13.1 signed AuthnRequest with ADFS IdP


nahi...@gmail.com

Oct 31, 2014, 10:56:28 AM
to simple...@googlegroups.com
Hi All,

I have some trouble setting up simplesamlphp as an SP with an ADFS IdP.

For the moment I have something which is partially working: I can log in from simplesamlphp on my IdP. But for security purposes, the IdP provider requires an AuthnRequest signed by the SP; for my first test, which is working, we disabled this requirement.

I was thinking that I could enable signing the "authnrequest" through these options in "config/authsources.php":

'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
'sign.authnrequest' => TRUE,

I tried a lot of option combinations with:

'redirect.sign' => TRUE,
'redirect.validate' => TRUE,

The only SAML request I get is this one:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_624307d2468e097c09aafb2cd90d714f3301e1b7b8" Version="2.0" IssueInstant="2014-10-31T14:41:26Z" Destination="https://fsdev.apps.airliquide.com/adfs/ls/" AssertionConsumerServiceURL="https://mydomain.tld/simplesaml/module.php/saml/sp/saml2-acs.php/al-adfs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>https://mydomain.tld/simplesaml/module.php/saml/sp/metadata.php/al-adfs</saml:Issuer>
</samlp:AuthnRequest>

But I should send something like this:

<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
              AssertionConsumerServiceURL="HTTP://[]"
              Destination="https://myadfsidp.tld/adfs/ls/"
              ID="[]"
              IssueInstant="2014-10-29T13:29:09Z"
              Version="2.0"
              >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[]</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <dsig:Reference URI="#[]">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <dsig:DigestValue>[]</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>[]</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>[]</dsig:X509Certificate>
            </dsig:X509Data>
        </dsig:KeyInfo>
    </dsig:Signature>
    <NameIDPolicy AllowCreate="true" />
</AuthnRequest>


Has any of you tried this, and do you have any idea what I'm doing wrong?

Regards

Thanks

Nahir MOHAMED

nahi...@gmail.com

Nov 6, 2014, 6:13:38 AM
to simple...@googlegroups.com
No idea? No tips, something I can check?

Thanks

Jaime Pérez Crespo

Nov 6, 2014, 6:47:10 AM
to simple...@googlegroups.com
Hi Nahir,

I assume you are using the HTTP-Redirect binding, which is the default. If you enable signing the authentication requests, either by explicitly enabling it (sign.authnrequest option) or by setting SSP to sign all messages (redirect.sign option), then you will get them signed. But the HTTP-Redirect binding does not include the signature enveloped in the SAML request, but as an additional GET parameter in the HTTP request. That is, as defined in the standard, to save space in a limited context such as a URL.

So you should verify that you get the signature included in the URL you are redirected to (the same URL that contains the SAML request), instead of looking for the signature inside the SAML request. If the signature is there, it’s working as expected, and if the IdP cannot validate the signature, then the problem is somewhere else.
--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
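The HTTP-Redirect layout Jaime describes, as an added illustration that is not code from the thread or from SimpleSAMLphp: the request is deflated, base64-encoded and URL-encoded, the signature covers the encoded `SAMLRequest`, `RelayState` and `SigAlg` query values in that order, and the signature itself is a separate `Signature` parameter rather than a `ds:Signature` element inside the XML. The sample request, the hostnames and the `signer` callable (assumed to wrap the SP's RSA private key) are assumptions for the example.

```python
import base64
import zlib
from urllib.parse import quote, unquote, urlsplit

# Constructed sample (placeholder ID, hosts, timestamp), shaped like the thread's request.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" '
    'Version="2.0" IssueInstant="2014-10-31T14:41:26Z" Destination="https://idp.example/adfs/ls/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example/sp</saml:Issuer>'
    '</samlp:AuthnRequest>')
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def encode_request(xml):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def decode_request(b64):
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def signed_octets(enc):
    # Bytes the SP signs and the IdP verifies: encoded values, fixed order, RelayState only if present.
    parts = ["SAMLRequest=" + enc["SAMLRequest"]]
    if "RelayState" in enc:
        parts.append("RelayState=" + enc["RelayState"])
    parts.append("SigAlg=" + enc["SigAlg"])
    return "&".join(parts).encode("ascii")

def build_redirect_url(idp_sso_url, xml, signer, relay_state=None, sig_alg=RSA_SHA256):
    # `signer` is assumed to be the SP's RSA private-key operation on raw bytes
    # (for example cryptography's private_key.sign(data, PKCS1v15(), SHA256())).
    enc = {"SAMLRequest": quote(encode_request(xml), safe="")}
    if relay_state is not None:
        enc["RelayState"] = quote(relay_state, safe="")
    enc["SigAlg"] = quote(sig_alg, safe="")
    query = signed_octets(enc)
    sig = base64.b64encode(signer(query)).decode()
    return idp_sso_url + "?" + query.decode("ascii") + "&Signature=" + quote(sig, safe="")

def inspect_redirect_url(url):
    # Debug view: the signature travels as query parameters, not inside the XML; keep encoded forms.
    raw = dict(pair.partition("=")[::2] for pair in urlsplit(url).query.split("&"))
    xml = decode_request(unquote(raw["SAMLRequest"]))
    return {
        "has_signature": "Signature" in raw and "SigAlg" in raw,
        "sig_alg": unquote(raw.get("SigAlg", "")),
        "signed_octets": signed_octets(raw) if "SigAlg" in raw else b"",
        "signature": base64.b64decode(unquote(raw["Signature"])) if "Signature" in raw else b"",
        "request_xml": xml,
    }
```

Running `inspect_redirect_url` on the URL the browser is sent to is the check Jaime suggests: `has_signature` must be true and `request_xml` will contain no Signature element, because the signature lives in the query string.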

nahi...@gmail.com

Nov 12, 2014, 3:45:05 AM
to simple...@googlegroups.com

Hi Jaime,

Thanks for your answer. I'm going to check that ASAP and come back with my investigation and the result.

Regards