node-saml / passport-saml

SAML 2.0 authentication with Passport
MIT License

how to configure passport module to verify a signed saml2 assertion token #115

Closed Indrani123 closed 8 years ago

Indrani123 commented 8 years ago

I am using passport-saml. I have my own IdP server, which provides both token-based authentication and SAML request/response authentication functionality.

I have this scenario:

My application logs in to the IdP server and gets an SSO token.

Next step: using this SSO token, get a Security Service Token (STS), i.e. a raw SAML assertion token.

Now my question is: how to validate this raw SAML assertion using the passport-saml module, without any SAMLRequest?

SAML assertion example I have:

```xml
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2765f87a962432f95351a175dc635f1fe6228f433" IssueInstant="2015-10-06T09:18:39Z" Version="2.0">
<saml:Issuer>mysts</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#s2765f87a962432f95351a175dc635f1fe6228f433">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>9cozNWCsiuDu3JgM61Vybw16BQc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
J/71Wn5jPiHdF+88A2wNQ7/KeWABg0bWsmUYYamr2znF2ziGQ81mc8TeuJsclfb5wF6yPPITUSV4
ffO58lzqx/TQm/xG48zZkijfNT+9yBEJwPIkEo+TnwK2HO1zJRi8dXX07H2POmldHXJblCNGg20F
mMqQMp0c0vad509XY9RP9usuvP+5HS7XBbhLXsbdLzlhMXn3xdgwdTV/b6jvXXm7q1umNYLV9EiL
Yv6P2kBnh4R4ZLmDfVqrstXL3v0l9X8bqNwFVqd7dj2Dw3UJnBiA4yAIR4j5uUDo52KUYKZf4Fzm
Lmbk62CZ+Wp/H+I8O8nPIp8Xw972Khp9Rv3FdA==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFMjCCBBqgAwIBAgIHKysMAM0SOzANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAO
BgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29t
LCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8xMzAx
BgNVBAMTKkdvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjAeFw0xNDEx
MjYxNDQ2MTFaFw0xNTExMjQyMDE5MjlaMEExITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlk
YXRlZDEcMBoGA1UEAwwTKi5zaWdtYS1zeXN0ZW1zLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAIYywh0+46mo6ra8K3U8SQJaKO2oauG2Olz1VODKNj1zNI3NN5lrmuj1z9cde5XL
m8Go/ILQhqL2Z+0AfnqMtTv0aBI22BYXS8dNNXU+gNBqJl0YHooCS0Ke/3kGe+EpL9DEKhzHkoO/
HZy9doUO4fG01n+B1sVHyVal+ktITtxS/cNDeK+s6AGtxslwvTQ0jMcghNzPDc2d4zIFPpKLtdB+
OgUp+tXJ/nTTd563/7PSfKg2m3mrvgd2M7cI2cUDWXPePSgDiX26dSUCtnofKtqRw9fUV9VAJq/U
PgWrX1e0rnux4tENOevZmXTeOuJEWoevXiATmQxZGUjpLIBWlfsCAwEAAaOCAbkwggG1MAwGA1Ud
EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDA2
BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkaWcyczEtODcuY3JsMFMG
A1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRl
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5n
b2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7
bLPwtCyAzjAxBgNVHREEKjAoghMqLnNpZ21hLXN5c3RlbXMuY29tghFzaWdtYS1zeXN0ZW1zLmNv
bTAdBgNVHQ4EFgQUw49JYzf7xfYHP5IpkARaZazADQAwDQYJKoZIhvcNAQELBQADggEBAGGUFLZV
V21WtoIq5YfsT3riCPr5VgNhYMa62ggCoZpGWTIHrOctljN6ayOMoAS+dn6pGXw+9t5WMQ5kVamk
uKYBAhikP6zlJ87hbMoRSv76Ct1LUyPxd6Sg1KYHfZ7C9tse8zL9Fy+iai/CGgh3BrcL5bBZnp8G
i2S2LxD3AgnJeXV8A4nI4ntNxAe8/APomHdoKWhf2153HEKl0v4XR0dDyVl/45ipC0hKdQkV6VtI
Ldabyx7V7dvHwWerOsIhQiaAMqVL9hzgR9mFH0P3jP6sywT91zPsQiVf1XWPRMiH1OTJst6UNJcg
FkiuB0VjIVM8J9vyFP0KzjthCuY6mbM=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified">amadmin</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2015-10-06T09:28:39Z"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2015-10-06T09:18:39Z" NotOnOrAfter="2015-10-06T09:28:39Z">
<saml:AudienceRestriction>
<saml:Audience>openam</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2015-10-06T09:18:39Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
```

The signed SAML assertion contains the signature and the X.509 certificate of the signer; the signature part also carries the X.509 certificate from the keystore.

I didn't find any API which will validate a raw SAML assertion based on the signing certificate.

There are two methods in passport-saml, validateSignature and validatePostResponse, which accept a SamlResponse, but in my case it is just a raw SAML assertion token.

In this case, while validating the SAML assertion token, we don't have any web UI for the IdP; all the validation is done by backend code, so there is no entry point for configuring passport-saml. That's why I require raw SAML assertion token validation.

Is it doable or not, using passport-saml, to validate a raw SAML assertion token based on the signing certificate?

If this feature is not available, can passport-saml have this new feature to validate a raw signed SAML assertion?

Thanks

ploer commented 8 years ago

That's really not part of the design goals for passport-saml, so I don't think it makes sense as part of the public interface. Of course, most of the logic you need is in saml.js; if you wanted to put together a PR to factor that to be more useful to you, I'd be happy to take a look.

Indrani123 commented 8 years ago

Hi Ploer,

Thanks for updating.

Here are my requirements for validating a signed SAML assertion response. I need an API:

```js
saml.validate(samlAssertion, certificate, function (err, profile) {
  // using profile we can retrieve attributes, issuer claims, etc.
});
```

where samlAssertion is the raw SAML assertion token. This API will validate the raw SAML assertion based on the signing certificate; otherwise it will return some error, "Invalid signing".

The raw SAML assertion is the pure assertion token, without any SamlResponse or SamlRequest.

Let me know if it is possible to add this PR.

Thanks, Indrani
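A `validate(assertion, certificate)` call of the kind requested above has to do more than check the RSA signature: the certificate embedded in the assertion's own KeyInfo is attacker-controlled, and a correct signature over the wrong element or an expired window proves nothing. The following is an added example, not passport-saml's code, written in Python (stdlib only, so it runs offline; Node has no XML parser in its standard library). It performs the consumer-side checks a raw-assertion validator needs around the cryptographic step: pinning the embedded X509Certificate to the IdP certificate obtained out of band, requiring exactly one enveloped Signature whose single Reference URI is this assertion's ID (the check that defeats signature wrapping, where a signed element is used to vouch for a different one), then enforcing Issuer, the Conditions window, AudienceRestriction and the bearer SubjectConfirmation expiry with bounded clock skew. The XML-DSig verification itself (exclusive C14N plus RSA over SignedInfo) is delegated to a library such as xml-crypto or signxml and is marked where it would run. The trusted certificate bytes, the sample assertion, the IDs and all function names are constructed for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-in for the IdP signing certificate (DER bytes) obtained out
# of band, e.g. from IdP metadata. The certificate inside the assertion's
# KeyInfo is attacker-controlled and is only ever compared against this pin.
TRUSTED_IDP_CERT_DER = b"constructed-idp-signing-certificate"
TRUSTED_FINGERPRINT = hashlib.sha256(TRUSTED_IDP_CERT_DER).hexdigest()
TRUSTED_CERT_B64 = base64.b64encode(TRUSTED_IDP_CERT_DER).decode()


class InvalidAssertion(Exception):
    pass


def parse_time(s):
    """SAML xs:dateTime in UTC ('Z' suffix) -> aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       skew=timedelta(seconds=60)):
    """Return a small profile dict, or raise InvalidAssertion with the reason."""
    root = ET.fromstring(xml_text)  # production: parse with defusedxml instead
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise InvalidAssertion("root element is not saml:Assertion")
    aid = root.get("ID")
    if not aid or any(el is not root and el.get("ID") == aid for el in root.iter()):
        raise InvalidAssertion("assertion ID missing or not unique")
    # Exactly one Signature, a direct child of the Assertion, whose single
    # Reference covers this assertion (#ID) and not some other element.
    sigs = root.findall("ds:Signature", NS)
    if len(sigs) != 1:
        raise InvalidAssertion("expected exactly one enveloped signature")
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + aid:
        raise InvalidAssertion("signature Reference does not cover this assertion")
    # Pin the embedded certificate to the one trusted out of band.
    cert_el = sigs[0].find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise InvalidAssertion("no X509Certificate in KeyInfo")
    cert_der = base64.b64decode("".join(cert_el.text.split()))
    if hashlib.sha256(cert_der).hexdigest() != TRUSTED_FINGERPRINT:
        raise InvalidAssertion("signing certificate is not the pinned IdP certificate")
    # XML-DSig verification (exc-c14n + RSA over SignedInfo, digest over the
    # enveloped-signature-transformed Assertion) with cert_der would run HERE.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise InvalidAssertion("unexpected Issuer")
    cond = root.find("saml:Conditions", NS)
    nb, noa = (None, None) if cond is None else (cond.get("NotBefore"), cond.get("NotOnOrAfter"))
    if not nb or not noa:
        raise InvalidAssertion("missing Conditions validity window")
    # NotBefore is inclusive, NotOnOrAfter exclusive; tolerate bounded clock skew.
    if not (parse_time(nb) - skew <= now < parse_time(noa) + skew):
        raise InvalidAssertion("outside Conditions validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise InvalidAssertion("audience restriction does not include this service")
    # A bearer assertion carries its own expiry in SubjectConfirmationData.
    sc = root.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']" % BEARER, NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    if scd is None or not scd.get("NotOnOrAfter"):
        raise InvalidAssertion("no bearer SubjectConfirmation with NotOnOrAfter")
    if now >= parse_time(scd.get("NotOnOrAfter")) + skew:
        raise InvalidAssertion("bearer confirmation expired")
    return {"id": aid, "issuer": expected_issuer,
            "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}


def rejection_reason(xml_text, issuer, audience, now):
    """None when the assertion passes every check, otherwise the reason string."""
    try:
        validate_assertion(xml_text, issuer, audience, now)
        return None
    except InvalidAssertion as e:
        return str(e)


# Constructed sample shaped like the assertion in the issue; SignatureValue is a
# placeholder because the cryptographic check is not performed in this module.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" IssueInstant="2015-10-06T09:18:39Z" Version="2.0">
  <saml:Issuer>mysts</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{TRUSTED_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>amadmin</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-10-06T09:28:39Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2015-10-06T09:18:39Z" NotOnOrAfter="2015-10-06T09:28:39Z">
    <saml:AudienceRestriction><saml:Audience>openam</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

The order matters: the cheap structural checks and the certificate pin run before any signature maths, so an assertion signed by an unknown key is rejected without spending RSA time on it, and the time, audience and issuer checks run only on an assertion whose signer is already established. Whatever library performs the signature step must be told the pinned certificate explicitly rather than allowed to pick the key from KeyInfo.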