Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

How to get decrypted Assertion in SAML response? #177

Closed mbraeger closed 6 years ago

mbraeger commented 6 years ago

We have to reuse SAML2 assertions from SSO token within our server backend to authorize against a custom authorization service. To do that we have to provide the decrypted XML Assertion, but currently we only manage to receive EncryptedAssertion via mod_auth_mellon from our SSO instance.

I fiddled with the Provider Metadata, but without success. I thought that this option should fix it:

...
<SPSSODescriptor
  WantAssertionsSigned="false"
  ...

Unfortunately, after restarting httpd the Assertion is still encrypted.

Here is an example:

<samlp:Response ID="_2133215e-1440-427d-a0f3-e7716d50ec44"
                Version="2.0"
                IssueInstant="2018-08-14T14:04:18.305Z"
                Destination="https://example.com/mellon/postResponse"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_D166E842D8EFED995310EB9C140AFAFC"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com/login</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          </e:EncryptionMethod>
          <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=example.com</ds:X509IssuerName>
                <ds:X509SerialNumber>17994003502834414395</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </KeyInfo>
          <e:CipherData>
            <e:CipherValue>...</e:CipherValue>
          </e:CipherData>
        </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>

In case we don't manage to get the decrypted Assertion with the SAML response, we have to decrypt it ourselves in the server backend, which we would like to avoid.

olavmrk commented 6 years ago

Hi,

the option dumps the SAML Response data precisely as we receive it from the IdP. It is not processed in any way before it is saved. I don't see this behavior changing -- there is no way to get a response with a decrypted assertion, since the assertion is not inserted into the response when it is decrypted. Also, doing that would break any signatures that may be on the Response element.
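As an added example (not part of this issue or of mod_auth_mellon), a small Python script that inspects a dumped Response like the one quoted above and reports what a backend doing its own decryption would need to know: whether the assertion arrived encrypted, the data and key-transport algorithms, which SP certificate the IdP encrypted the session key to, and whether a signature sits directly on the Response (the one that replacing the EncryptedAssertion would break). The embedded sample is the Response from this thread, abridged, with the CipherValue contents elided.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the Response quoted in this issue, abridged, CipherValues elided.
SAMPLE = """<samlp:Response ID="_2133215e-1440-427d-a0f3-e7716d50ec44" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com/login</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <KeyInfo><X509Data><X509IssuerSerial>
            <X509IssuerName>CN=example.com</X509IssuerName>
            <X509SerialNumber>17994003502834414395</X509SerialNumber>
          </X509IssuerSerial></X509Data></KeyInfo>
          <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>"""

def inspect_response(xml_text):
    root = ET.fromstring(xml_text)
    info = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "response_signed": root.find("ds:Signature", NS) is not None,  # covers the ciphertext
        "plain_assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc is not None:
        key = enc.find("ds:KeyInfo/xenc:EncryptedKey", NS)
        info["data_algorithm"] = enc.find("xenc:EncryptionMethod", NS).get("Algorithm")
        info["aead"] = info["data_algorithm"].endswith("-gcm")  # CBC modes are unauthenticated
        info["key_algorithm"] = key.find("xenc:EncryptionMethod", NS).get("Algorithm")
        ser = key.find("ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial", NS)
        if ser is not None:  # names the SP certificate whose private key unwraps the session key
            info["sp_key"] = (ser.findtext("ds:X509IssuerName", namespaces=NS),
                              ser.findtext("ds:X509SerialNumber", namespaces=NS))
    return info
```

Run `inspect_response(SAMPLE)` on a dump to see, before attempting any backend decryption, which SP key must be available to it and that the assertion's own signature (inside the ciphertext) is the only one you will be able to verify afterwards.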