Closed habin201291 closed 10 months ago
@habin201291 Is your logout request signed, or is it just a plain request as you described?
@Zogoo Yes, my logout request is signed. This is my SAML SP config:
config.saml_configure do |settings|
  settings.assertion_consumer_service_url = "#{saml_sp_host}/users/saml/auth"
  settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
  settings.sp_entity_id = "#{saml_sp_host}/users/saml/metadata"
  settings.idp_slo_service_url = "#{saml_idp_host}/saml/logout"
  settings.idp_sso_service_url = "#{saml_idp_host}/saml/auth"
  settings.idp_slo_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  settings.idp_cert = "-----BEGIN CERTIFICATE-----\n#{ENV["SAML_IDP_SECRET_KEY"]}\n-----END CERTIFICATE-----"
  settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  settings.certificate = "-----BEGIN CERTIFICATE-----\n#{ENV["SAML_SP_X509_CERTIFICATE"]}\n-----END CERTIFICATE-----"
  settings.private_key = "-----BEGIN PRIVATE KEY-----\n#{ENV["SAML_SP_SECRET_KEY"]}\n-----END PRIVATE KEY-----"
  settings.security[:authn_requests_signed] = true
  settings.security[:logout_requests_signed] = true
  settings.security[:logout_responses_signed] = true
  settings.security[:metadata_signed] = true
  settings.security[:digest_method] = XMLSecurity::Document::SHA1
  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
  settings.security[:embed_sign] = false
  settings.security[:want_assertions_signed] = true
end
And this is my logout request encoded XML:
fZHBasMwDIZfJTefvMix06SmCQzKoNDtsI0ddimK466BxM4sB/b4S5odyga7GCz+T5+EdoRDP+qj//BTfLafk6WY7Oencxg77yp2iXHUadp7g/3FU9QSANIFm2sLxZLDvmInqdR2K3LkjYGSK4mKb0FZ3ioFotw0UBgzR4kme3AU0cWKZZBJLgSX8CpAy0yLzTtL3mygqzq7A5Z8Db0jvfgqNgWnPVJH2uFgSUejX+4fj3oOaiSyYRn5Fhn/Z8bgoze+Z/VuSevrdKH+s3IJJaTT3J/WxQcbscWIu/QWW3s8zZbDPnnwYcD4v36pdC0/X6M6BnTUWRdZfcqNzKEVZ76xwnDVNAVHzDPe5DIvCtsCWPMjX331+vt1yfob
And this is the signature of the logout request:
LaCXmCMkyMsF0VbBNRc8ppoO9nWPDcS/bw9tsAdOqkZznJLoOIaiEL/qeny5rx63CbCWDFFNPTS312cLhaCYi3hCBzCqvKs+fDztgREJq53APJaWQR3fQ6cK+mzaSrSsBKa/kIIv1b43NhfltbKTVArPMYwj3Ws0yX/2YeWAbCg=
I have tried to validate it with https://www.samltool.com/validate_logout_req.php and got a "valid" message.
@habin201291 Sorry for the delayed response. I think you are missing a service provider finder in your config.
In there, you need to configure the following parameters.
Here is an example for a single SP.
The following lambda should be set in your config: config.service_provider.finder = <service_providers_lambda>
lambda { |_issuer_or_entity_id|
  {
    # hosts the IdP is allowed to send responses to, derived from the SP's ACS endpoints
    response_hosts: sp_metadata.assertion_consumer_services.map do |acs|
      url = acs['location'] || acs[:location]
      URI(url).host
    end,
    acs_url: sp_metadata.acs_urls.first[:location],
    # the SP's signing certificate from its metadata, and its fingerprint, used to validate request signatures
    cert: (sp_metadata&.signing_certificate.present? ? Base64.decode64(sp_metadata&.signing_certificate) : nil),
    fingerprint: (sp_metadata&.signing_certificate.present? ? SamlIdp::Fingerprint.certificate_digest(Base64.decode64(sp_metadata&.signing_certificate)) : nil)
  }
}
From this configuration, the fingerprint will be used for request signature validation.
So I'm going to close this issue; if you are still having trouble with your config, please feel free to re-open it.
I'm using the devise_saml_authenticatable gem as the SAML SP. When a logout request is sent to the IdP, the system reports a 403 error as below:
Access to localhost was denied You don't have authorization to view this page. HTTP ERROR 403
I have parsed the SLO request to XML as follows:
<samlp:LogoutRequest Destination='http://localhost:3000/saml/logout' ID='_6e0db0f1-07a6-4814-8056-c2692d0afdf8' IssueInstant='2023-11-22T11:07:54Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>http://localhost:8080/users/saml/metadata</saml:Issuer><saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>habin201291@yopmail.com</saml:NameID><samlp:SessionIndex>_c988ca79-a95b-4c16-aa7c-5d511546afa8</samlp:SessionIndex></samlp:LogoutRequest>
Or like this:
<samlp:LogoutRequest Destination='http://localhost:3000/saml/logout' ID='_13858cfe-d248-4818-8066-e6a46db13360' IssueInstant='2023-11-24T08:42:48Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>http://localhost:8080/users/saml/metadata</saml:Issuer><saml:NameID Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'>_db03ee7c-470c-4b43-9b22-b9a0e83f61a7</saml:NameID></samlp:LogoutRequest>
The valid_saml_request? function returns false with the error message "Signature is invalid".
Have I made a mistake or missed something?
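As an added example (not code from this issue, from saml_idp or from devise_saml_authenticatable), the Ruby script below reproduces what the finder's :cert and :fingerprint values from the answer above are used for, and how the "Signature is invalid" result from the issue arises. It constructs its own SP key pair and self-signed certificate in place of SAML_SP_SECRET_KEY / SAML_SP_X509_CERTIFICATE, signs a constructed LogoutRequest shaped like the one in the issue over the HTTP-Redirect binding, and then, on the IdP side, resolves the Issuer through a finder lambda, pins the certificate by fingerprint, and verifies the signature over the SAMLRequest/RelayState/SigAlg query string. The fingerprint format (SHA-256 over the DER certificate, colon-separated hex), the finder's return shape, the placeholder IDs and all function names are assumptions for the example.

```ruby
require 'openssl'
require 'zlib'
require 'uri'

RSA_SHA1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
SP_ENTITY_ID = 'http://localhost:8080/users/saml/metadata'

# Constructed LogoutRequest in the shape of the one from the issue, with placeholder IDs.
LOGOUT_XML =
  '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-request-id" ' \
  'Version="2.0" IssueInstant="2023-11-24T08:42:48Z" Destination="http://localhost:3000/saml/logout">' \
  "<saml:Issuer>#{SP_ENTITY_ID}</saml:Issuer>" \
  '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_placeholder-nameid</saml:NameID>' \
  '</samlp:LogoutRequest>'

# Constructed SP key pair and self-signed certificate: a stand-in for the
# SAML_SP_SECRET_KEY / SAML_SP_X509_CERTIFICATE pair in the config above.
def build_sp_credentials
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-sp')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Assumed fingerprint format: SHA-256 over the DER certificate, colon-separated hex.
def certificate_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(':').upcase
end

# HTTP-Redirect binding encoding: raw DEFLATE (zlib header and checksum stripped), then Base64.
def deflate_b64(xml)
  [Zlib::Deflate.deflate(xml, Zlib::BEST_COMPRESSION)[2..-5]].pack('m0')
end

def inflate_b64(b64)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(b64.unpack1('m0'))
end

# Only allow-listed algorithms are accepted; anything else fails verification.
def digest_for(sig_alg)
  { RSA_SHA1 => 'SHA1', RSA_SHA256 => 'SHA256' }[sig_alg]
end

# The octets that are signed: the URL-encoded parameters, in this fixed order,
# exactly as they appear in the redirect query string.
def signed_query_string(saml_request_b64, relay_state, sig_alg)
  parts = ["SAMLRequest=#{URI.encode_www_form_component(saml_request_b64)}"]
  parts << "RelayState=#{URI.encode_www_form_component(relay_state)}" if relay_state
  parts << "SigAlg=#{URI.encode_www_form_component(sig_alg)}"
  parts.join('&')
end

# SP side: build the query parameters for a signed LogoutRequest.
def build_signed_logout_params(key, logout_xml, relay_state: nil, sig_alg: RSA_SHA256)
  saml_request = deflate_b64(logout_xml)
  data = signed_query_string(saml_request, relay_state, sig_alg)
  signature = [key.sign(OpenSSL::Digest.new(digest_for(sig_alg)), data)].pack('m0')
  { 'SAMLRequest' => saml_request, 'RelayState' => relay_state,
    'SigAlg' => sig_alg, 'Signature' => signature }.compact
end

# IdP side: resolve the SP from the Issuer (the finder lambda's job), pin the
# certificate by fingerprint, then verify the signature. Returns [valid?, reason].
def verify_logout_request(params, finder)
  issuer = inflate_b64(params['SAMLRequest'])[%r{<saml:Issuer>([^<]+)</saml:Issuer>}, 1]
  sp = finder.call(issuer)
  return [false, "unknown issuer #{issuer.inspect}"] unless sp
  cert = OpenSSL::X509::Certificate.new(sp[:cert])
  return [false, 'fingerprint mismatch'] unless certificate_fingerprint(cert) == sp[:fingerprint]
  digest = digest_for(params['SigAlg'])
  return [false, "unsupported SigAlg #{params['SigAlg']}"] unless digest
  # A real handler must take these bytes from the raw query string as received;
  # re-encoding works here only because both sides use the same encoder.
  data = signed_query_string(params['SAMLRequest'], params['RelayState'], params['SigAlg'])
  ok = cert.public_key.verify(OpenSSL::Digest.new(digest), params['Signature'].unpack1('m0'), data)
  [ok, ok ? 'ok' : 'Signature is invalid']
end

# Three outcomes an IdP operator should expect: valid, tampered query, no finder entry.
def run_scenario
  key, cert = build_sp_credentials
  registered = { SP_ENTITY_ID => { cert: cert.to_pem, fingerprint: certificate_fingerprint(cert) } }
  finder = ->(issuer_or_entity_id) { registered[issuer_or_entity_id] }
  params = build_signed_logout_params(key, LOGOUT_XML, relay_state: 'after-logout')
  valid, = verify_logout_request(params, finder)
  _, tampered_reason = verify_logout_request(params.merge('RelayState' => 'elsewhere'), finder)
  _, unknown_reason = verify_logout_request(params, ->(_) { nil }) # finder not configured
  { valid: valid, tampered_reason: tampered_reason, unknown_reason: unknown_reason }
end

puts run_scenario if __FILE__ == $PROGRAM_NAME
```

Run it with plain ruby; run_scenario returns a hash with the three outcomes. The design point worth keeping is that the signed bytes are the URL-encoded parameters as the SP transmitted them, so a production handler verifies over the raw query string rather than re-encoding decoded parameters, and the fingerprint comparison is what ties the signature check to the certificate registered for that Issuer: without a finder entry the IdP has no certificate to verify against, which is the situation the answer above points at.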