Open scottylogan opened 11 years ago
Would you be able to provide me with a full input document?
Here's one:
<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://127.0.0.1:3000/SAML2/AssertionConsumer/POST" ID="_5430eb747ecf5f4fb3990da7f0bbc5f5" InResponseTo="request-1377949958370-1404" IssueInstant="2013-08-31T11:52:38.588Z" Version="2.0">
<!-- Sample SAML 2.0 Response captured by the issue reporter from a Shibboleth IdP (2013).
     The Response element itself carries no ds:Signature; only the enclosed saml2:Assertion
     is signed, so a verifier must confirm that the signed Reference covers the very Assertion
     whose attributes it goes on to consume. Destination and InResponseTo should be compared
     with the SP's own ACS URL and its outstanding request ID before anything below is trusted. -->
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.itlab.stanford.edu/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<!-- xmlns:xs is declared on the Assertion but is referenced only inside xsi:type attribute
     VALUES further down, so exclusive c14n does not treat it as visibly utilized; the signer
     keeps it in the canonical form through the InclusiveNamespaces PrefixList in the
     signature transform below. -->
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8c4cb7abe1e92533414fd72dc446759c" IssueInstant="2013-08-31T11:52:38.588Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.itlab.stanford.edu/idp/shibboleth</saml2:Issuer>
<!-- Enveloped XMLDSIG over the Assertion (Reference URI points at the Assertion ID above).
     Both the signature method (rsa-sha1) and the digest method (sha1) are SHA-1 based, which
     is weak by current standards; a verifier should be able to enforce an algorithm policy.
     The X509Certificate carried in KeyInfo is supplied by the sender and must be matched
     against the IdP key known from metadata rather than trusted on its own. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_8c4cb7abe1e92533414fd72dc446759c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<!-- This PrefixList is the crux of the reported failure: an exclusive c14n implementation
     that ignores InclusiveNamespaces omits xmlns:xs from the canonical Assertion and thus
     computes a DigestValue different from the one the IdP signed. -->
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>iCDsigjDsqyx6jZA4+hnAVJU33Q=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>nlijun260cIdOdkWQGp3pR8BoPwXnJr0H5FMnYZi7tC2seSVXe207Wvuagnq8FqK/yfNsiRlVY+1Nsh1h3VQy+U9lTA7SUvWnUWky3lStWOVR/RhSgzpCC+NRghKg8zxQak3PCRG8VK5nLc4DPG6t3fFa9M9OplOkTXpR9jxoBeXw7GI+unMUp9NQ55L+kOD01fTDNsTsXGxol/VNIrjcIu/giK9/T0G/dC6Wu2UTJRrlCcN9nm1VPVhKTKpRajN7YyTf8TrtHgyFUna1Qmcu3xj7ODa8AZh8U3KGOcRh+S1UoCLN5cUjfW2VAmEpXzA0Z2p/dYted8w4dW/yTTN7w==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<!-- The certificate body is truncated in this transcript; the sample is not usable for
     an end to end signature check as pasted. -->
<ds:X509Certificate>MIIDQzCCAiugAwIBAgIUKuSXppluIJvYiroHZCb9QRi6uh0wDQYJKoZIhvcNAQEFBQAwITEfMB0G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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<!-- Bearer subject confirmation: Recipient must equal the SP's ACS URL, InResponseTo must
     match the request the SP issued (same value as on the Response), and NotOnOrAfter is
     compared against the SP clock with a small skew allowance. Address may optionally be
     compared with the client's source address. The NameID is transient, i.e. not a stable
     user identifier; the persistent identity comes from the attributes below. -->
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.itlab.stanford.edu/idp/shibboleth" SPNameQualifier="node-saml-test">_6d94353c8a613dd502ca78b73d23e772</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="171.65.249.134" InResponseTo="request-1377949958370-1404" NotOnOrAfter="2013-08-31T11:57:38.588Z" Recipient="http://127.0.0.1:3000/SAML2/AssertionConsumer/POST"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<!-- Five minute validity window (NotBefore equals IssueInstant; NotOnOrAfter equals the
     SubjectConfirmationData bound). Audience must equal this SP's entityID, node-saml-test,
     which is also the SPNameQualifier on the NameID. -->
<saml2:Conditions NotBefore="2013-08-31T11:52:38.588Z" NotOnOrAfter="2013-08-31T11:57:38.588Z">
<saml2:AudienceRestriction>
<saml2:Audience>node-saml-test</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<!-- AuthnInstant precedes IssueInstant by about two minutes, i.e. an existing IdP session was
     reused; SessionIndex is what the SP would echo in a later LogoutRequest. -->
<saml2:AuthnStatement AuthnInstant="2013-08-31T11:50:23.179Z" SessionIndex="_c2e83dc4a2adc9e34457e089a7146417">
<saml2:SubjectLocality Address="171.65.249.134"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<!-- Every AttributeValue is typed xsi:type="xs:string"; these attribute values are the only
     places the xs prefix declared on the Assertion is used. The statement carries personal
     identifiers (name, e-mail, phone, employee number) and group or entitlement values that
     an SP typically maps to authorization decisions, so they must only be read after the
     signature, Conditions and subject confirmation checks above have passed. -->
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">swl@itlab.stanford.edu</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">member</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">affiliate</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">staff</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="gartnerUserClass" Name="https://gartner.com/attributes/gartnerUserClass" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">stfd-student</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">staff@itlab.stanford.edu</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">affiliate@itlab.stanford.edu</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">member@itlab.stanford.edu</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Scotty</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">users:test</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">testgroup</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">staff:test</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">scotty.logan@itlab.stanford.edu</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Logan</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="telephoneNumber" Name="urn:oid:2.5.4.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">+1-650-555-1212</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="http://schemas.xmlsoap.org/claims/Group" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">users:test</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">testgroup</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">staff:test</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="employeeNumber" Name="urn:oid:2.16.840.1.113730.3.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">04567890</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Scotty Logan</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
I tried using this code (along with saml2 and xml-c14n) to process SAML 2.0 assertions from a Shibboleth 2.4 IdP. The verification failed because xml-dsig / xml-c14n ignore the InclusiveNamespaces child element of the canonicalization transform:
For example, when the original SAML Assertion starts with
Shibboleth / OpenSAML canonicalizes it to
but xml-dsig canonicalizes it to