Missing "Format" attribute in Saml2 Assertion <Issuer>


y.wa...@gmail.com

Dec 3, 2015, 4:01:00 PM
to Transport Testing Tool, antoine....@nist.gov, Bruce Schreiber, Yan Wang
Hello Antoine and the team,

We are testing sending an XDR message to the TTT Ambulatory endpoint and getting the error below:

issuerAllowedFormat(gov.nist.hit.ds.wsseTool.validation.tests.run.AssertionVal) : issuer format not allowed found : , but expected one of : [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, urn:oasis:names:tc:SAML:2.0:nameid-format:entity, urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, urn:oasis:names:tc:SAML:2.0:nameid-format:transient] &&&& gov.nist.hit.ds.wsseTool.validation.WsseHeaderValidator

It seems like it's expecting a "Format" attribute on <saml2:Issuer>, but our message is using <saml2:Issuer>xxxx</saml2:Issuer> without "Format".


I think the "Format" attribute on the <saml2:Issuer> tag is optional according to "2.2.5 Element <Issuer>" of https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf:

"The <Issuer> element, with complex type NameIDType, provides information about the issuer of a SAML assertion or protocol message. The element requires the use of a string to carry the issuer's name, but permits various pieces of descriptive data (see Section 2.2.2).
Overriding the usual rule for this element's type, if no Format value is provided with this element, then the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity is in effect (see Section 8.3.6)."


I would appreciate it if you could take a look at the error.

Thanks,
Yan


Gerardin, Antoine D.

Dec 3, 2015, 5:47:55 PM
to y.wa...@gmail.com, Transport Testing Tool, Gerardin, Antoine D., Bruce Schreiber, Yan Wang
Our validation is based on the NwHIN profile for SAML:



Section 3.2.3.1 states:

This <Assertion> element must contain an ID attribute, an IssueInstant attribute, a Version attribute, an Issuer element, and an Attribute Statement element


Now there is this mention here about the issuer Format attribute (p.18):

Non-normative: The Nationwide Health Information Network, as of the time this text was written, has issued no policy or specification constraining the <Issuer> element; it is only constrained by the underlying OASIS SAML 2.0 specifications, referenced elsewhere in this document. As per SAML, the <Issuer> MUST specify the SAML authority that is making the claim(s) in the assertion. The issuer SHOULD be unambiguous to the intended relying parties. In the absence of policy to the contrary, and based on historical evidence, implementers should use a NameIDType Format of "x.509 Subject Name" type as specified in 8.3.3 of the OASIS SAML 2.0 core specification. Use of "8.3.1 Unspecified" as a NameIDType Format is not recommended.

So it seems it is convention to have this Format attribute, even though it is not normative…

I do not know what should be the tool behavior regarding this kind of statement. Let me bring this matter to the relevant expert.


-Antoine

Yan Wang

Dec 3, 2015, 6:11:15 PM
to Gerardin, Antoine D., y.wa...@gmail.com, Transport Testing Tool, Bruce Schreiber
Thanks Antoine,

Yan
--
Yan Wang
201.963.0005
yw...@max.md

Check out our new website!
www.maxmdirect.com

Gerardin, Antoine D.

Dec 7, 2015, 6:38:33 PM
to Yan Wang, Gerardin, Antoine D., y.wa...@gmail.com, Transport Testing Tool, Bruce Schreiber
I dug out this spec spreadsheet coming from ONC:

If you look in the SOAP Request Checklist, you find for test 1029:

MA 1029 | SAML Assertion | saml:Assertion/saml:Issuer/@Format | R
Verify: @Format is one of the following:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Reference: Authorization Framework 3.0: 3.3; SAML 2.0: 8.3

R means required.

This is the document we have based our validation tests on.





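The thread contrasts two readings of the same rule: the SAML 2.0 core text Yan quotes (an <Issuer> with no Format attribute is read as nameid-format:entity) and the MA 1029 checklist row Antoine quotes, where @Format is marked R and must be one of eight listed values. The following Python check, an added example that is neither code from the thread nor from the TTT, applies both readings to constructed assertions so the difference is visible in output: the CXF-style assertion without Format passes the core reading and fails the profile reading, as in the original error. The sample assertions, issuer values and function names are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUER_TAG = f"{{{SAML2_NS}}}Issuer"

# SAML 2.0 core, section 2.2.5: an <Issuer> with no Format is read as the entity format.
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
# Allowed by MA 1029, but the NwHIN text quoted in the thread does not recommend it.
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# The eight values listed for checklist item MA 1029.
ALLOWED_FORMATS = frozenset({
    UNSPECIFIED_FORMAT,
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    X509_FORMAT,
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    ENTITY_FORMAT,
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
})


def issuer_element(assertion_xml):
    # Accept either a bare <saml2:Issuer> or a whole <saml2:Assertion>.
    root = ET.fromstring(assertion_xml)
    issuer = root if root.tag == ISSUER_TAG else root.find(ISSUER_TAG)
    if issuer is None:
        raise ValueError("no saml2:Issuer element found")
    return issuer


def effective_issuer_format(assertion_xml):
    # SAML core reading: the explicit Format, else the entity default.
    return issuer_element(assertion_xml).get("Format") or ENTITY_FORMAT


def check_issuer_format(assertion_xml, require_format=True):
    # Profile reading used by the TTT (MA 1029, requirement level R): Format must be
    # present and one of the listed values. Returns (status, detail).
    issuer = issuer_element(assertion_xml)
    if not (issuer.text or "").strip():
        return "fail", "Issuer element is empty"
    fmt = issuer.get("Format")
    if fmt is None:
        if require_format:
            return "fail", "issuer format not allowed found : (Format attribute missing)"
        fmt = ENTITY_FORMAT
    if fmt not in ALLOWED_FORMATS:
        return "fail", f"Format {fmt} is not one of the allowed values"
    if fmt == UNSPECIFIED_FORMAT:
        return "warn", "unspecified format is allowed but not recommended"
    return "pass", fmt


# Constructed samples, not taken from the thread's attachment. The first is what a
# client that emits <saml2:Issuer> without Format (as described above) produces.
ASSERTION_NO_FORMAT = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_id-1" Version="2.0"
    IssueInstant="2015-12-03T16:00:00Z">
  <saml2:Issuer>https://idp.example.test/saml</saml2:Issuer>
</saml2:Assertion>"""

ASSERTION_X509 = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_id-2" Version="2.0"
    IssueInstant="2015-12-03T16:00:00Z">
  <saml2:Issuer Format="{X509_FORMAT}">CN=Example Gateway, O=Example Org, C=US</saml2:Issuer>
</saml2:Assertion>"""

ASSERTION_UNSPECIFIED = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_id-3" Version="2.0"
    IssueInstant="2015-12-03T16:00:00Z">
  <saml2:Issuer Format="{UNSPECIFIED_FORMAT}">example-gateway</saml2:Issuer>
</saml2:Assertion>"""


if __name__ == "__main__":
    for name, xml in (("no Format", ASSERTION_NO_FORMAT), ("X509SubjectName", ASSERTION_X509),
                      ("unspecified", ASSERTION_UNSPECIFIED)):
        print(f"{name}: core reading -> {effective_issuer_format(xml)}; "
              f"profile check -> {check_issuer_format(xml)}")
```

Running it shows the gap the thread is about: for the assertion without Format, effective_issuer_format returns the entity URI (which is itself on the allowed list), while check_issuer_format reports "fail" until require_format is relaxed. A validator that wants to honour both readings therefore has to decide, as Antoine says, whether the profile's R level or the core default wins; the code makes that a single flag rather than an accident of which library built the token.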

Yan Wang

Dec 8, 2015, 6:47:48 PM
to Gerardin, Antoine D., y.wa...@gmail.com, Transport Testing Tool, Bruce Schreiber
Hi Antoine,

Thanks for the information. We have rewritten the client (stopped using Apache CXF to create the SAML token) and are now able to fill in the required "Format" attribute. We are getting the two errors below regarding the signature of the timestamp.

ERROR: verifyTimestampSignatureWithOpenSaml(gov.nist.hit.ds.wsseTool.validation.tests.run.SignatureVerificationVal) : cannot verify timestamp signature with opensaml. &&&& gov.nist.hit.ds.wsseTool.validation.WsseHeaderValidator 
ERROR: verifyTimestampSignatureWithJavaxCrypto(gov.nist.hit.ds.wsseTool.validation.tests.run.SignatureVerificationVal) : cannot verify timestamp signature with javax.xml.crypto. signature validation status: falseReference with ID #timestamp1 in position0 has validity status: true Calculated digest: [B@5c1201cc Digest value: [B@2234274d Transforms performed: http://www.w3.org/2001/10/xml-exc-c14n# &&&& gov.nist.hit.ds.wsseTool.validation.WsseHeaderValidator 


We have two signatures in the Security tag, one for the assertion, the other for the timestamp. They are signed with the same key and the same algorithm. The assertion signature is fine, but the timestamp signature keeps failing validation. Could you please provide more details on the "signature validation status: false"?

FYI: the attached saml_soap.xml is our SOAP envelope that gets the above error.

Thanks,
Yan
saml_soap.xml
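The second error line above reports the two stages of XML-DSig core validation separately: the Reference for #timestamp1 validated (the digest of the canonicalized Timestamp matched the DigestValue), but the SignatureValue did not verify over SignedInfo. The Python script below, an added example that is neither the thread's attachment nor TTT code, reproduces that two-stage check on a constructed WS-Security header so the two outcomes can be told apart. To stay on the standard library it uses two stand-ins, both labelled in the code: HMAC-SHA256 in place of the RSA signature the thread's message uses, and Python's C14N 2.0 canonicalizer (xml.etree.ElementTree.canonicalize) in place of exclusive C14N 1.0. The keys, the Timestamp values and the header are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"   # transform named in the TTT report
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # stand-in for RSA
WSU_ID = f"{{{WSU_NS}}}Id"

for _prefix, _uri in (("ds", DS_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed WS-Security header (not the thread's saml_soap.xml attachment).
SECURITY_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
  <wsu:Timestamp wsu:Id="timestamp1">
    <wsu:Created>2015-12-08T18:00:00Z</wsu:Created>
    <wsu:Expires>2015-12-08T18:05:00Z</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>"""


def c14n(elem):
    # Stand-in canonicalization: Python's C14N 2.0 rather than exclusive C14N 1.0.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


def find_by_wsu_id(root, wsu_id):
    # Resolve a same-document Reference URI ("#timestamp1") through the wsu:Id attribute.
    for el in root.iter():
        if el.get(WSU_ID) == wsu_id:
            return el
    raise KeyError(f"no element with wsu:Id={wsu_id!r}")


def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def sign_timestamp(header, key, ts_id="timestamp1"):
    # Append a ds:Signature whose single Reference covers the Timestamp.
    ts = find_by_wsu_id(header, ts_id)
    sig = ET.SubElement(header, f"{{{DS_NS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS_NS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS_NS}}}CanonicalizationMethod", Algorithm=EXC_C14N)
    ET.SubElement(si, f"{{{DS_NS}}}SignatureMethod", Algorithm=HMAC_SHA256_URI)
    ref = ET.SubElement(si, f"{{{DS_NS}}}Reference", URI=f"#{ts_id}")
    transforms = ET.SubElement(ref, f"{{{DS_NS}}}Transforms")
    ET.SubElement(transforms, f"{{{DS_NS}}}Transform", Algorithm=EXC_C14N)
    ET.SubElement(ref, f"{{{DS_NS}}}DigestMethod", Algorithm=SHA256_URI)
    ET.SubElement(ref, f"{{{DS_NS}}}DigestValue").text = b64_sha256(c14n(ts))
    # The signature covers only SignedInfo; the Timestamp is bound through its digest.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS_NS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return sig


def verify_timestamp_signature(header, key, ts_id="timestamp1"):
    # Stage 1: each Reference's digest; stage 2: SignatureValue over canonical SignedInfo.
    for sig in header.iter(f"{{{DS_NS}}}Signature"):
        si = sig.find(f"{{{DS_NS}}}SignedInfo")
        refs = si.findall(f"{{{DS_NS}}}Reference")
        if any(r.get("URI") == f"#{ts_id}" for r in refs):
            break
    else:
        raise ValueError(f"no ds:Signature references #{ts_id}")
    references = {}
    for ref in refs:
        target = find_by_wsu_id(header, ref.get("URI").lstrip("#"))
        digest_ok = b64_sha256(c14n(target)) == ref.findtext(f"{{{DS_NS}}}DigestValue")
        references[ref.get("URI")] = digest_ok
    expected = hmac.new(key, c14n(si), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(f"{{{DS_NS}}}SignatureValue"))
    return {"references": references, "signature_valid": hmac.compare_digest(expected, actual)}


def demo():
    key_a, key_b = b"constructed-signing-key-A", b"constructed-wrong-key-B"
    header = ET.fromstring(SECURITY_HEADER)
    sign_timestamp(header, key_a)
    received = ET.fromstring(ET.tostring(header))   # round-trip as if sent over the wire
    good = verify_timestamp_signature(received, key_a)
    wrong_key = verify_timestamp_signature(received, key_b)   # the pattern in the thread
    find_by_wsu_id(received, "timestamp1").find(f"{{{WSU_NS}}}Created").text = "2015-12-08T19:00:00Z"
    tampered = verify_timestamp_signature(received, key_a)
    return good, wrong_key, tampered


if __name__ == "__main__":
    for label, result in zip(("correct key", "wrong key", "timestamp edited"), demo()):
        print(f"{label}: {result}")
```

With the right key both stages pass. Verifying with a different key reproduces the report in the thread exactly (reference true, signature false), which is why the first things to compare when a verifier prints that combination are the key or certificate the signature's KeyInfo points at versus the one the verifier resolves, and whether SignedInfo was modified or re-serialized after the SignatureValue was computed. Editing the Timestamp after signing produces the opposite pattern (reference false, signature still true), because the SignatureValue covers only SignedInfo and content integrity comes from the digest.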

rohitwa...@gmail.com

Nov 10, 2017, 9:36:47 AM
to Transport Testing Tool
Hi,
I am getting the error below, please help:
50:45 PM com.centrify.fs.SamlAgent processSigninMessage
SEVERE: Error parsing signin message.
org.xml.sax.SAXException: Missing value for element saml:AttributeValue
at com.centrify.common.CommonUtils.getElementText(Unknown Source)
at com.centrify.fs.saml.Claim.parseDom(Unknown Source)
at com.centrify.fs.saml.Claim.<init>(Unknown Source)
at com.centrify.fs.saml.SamlAssertion.parseDom(Unknown Source)
at com.centrify.fs.saml.SamlAssertion.<init>(Unknown Source)
at com.centrify.fs.saml.RequestedToken.parseDom(Unknown Source)
at com.centrify.fs.saml.RequestedToken.<init>(Unknown Source)
at com.centrify.fs.saml.Rstr.parseDom(Unknown Source)
at com.centrify.fs.saml.Rstr.<init>(Unknown Source)
at com.centrify.fs.SamlAgent.processSigninMessage(Unknown Source)
at com.centrify.fs.SamlAgent.handleRequest(Unknown Source)