tngan / samlify

Node.js library for SAML SSO
https://samlify.js.org
MIT License

Invalid AuthnRequest XML? #218

Closed radenui closed 5 years ago

radenui commented 5 years ago

First of all, thanks for your awesome lib!

I'm facing an issue here when trying to authenticate against a LemonLDAP server: it seems like the authnRequest is malformed...

Here is the generated request:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9f97c1cf-032e-42e2-88c2-d7274170e2e3" Version="2.0" IssueInstant="2018-10-15T09:42:11.512Z" Destination="https://auth.xxx.xxx.com/saml/singleSignOn" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:8080/saml/acs">
    <saml:Issuer Id="_0">http://localhost:8080/saml/metadata</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#_0">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>dUnYiDs9CSbqGmA+8jB2d98xQrY=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>kHaLIpCEDMO+XnP2ErwpASA4z8TMyBQxureguEJSZWki15ir+cvLDHCNPf1LRczqFpvnbwv/HX7hBZDuoxA+yZuSztXZ8W9u6nFWc7hdLKoDAzFvdfakA6E2Vyj5sD+JcUEZWeCyvcXjx11lHnBkUpn+bzfPXd9bc0IJuPNjr5ke1dwXdC8AOHs2z18Hor6ysYIDAppeFevSADZL9Uw02K764c441LE4Gk7XZBiG3dxhUWa4rQM2pCO7EFhhpcEv5+9tvtBwcaFlKcgyhAjpDJLi+T2uv/cYpcooh9y5HzQbxgsa5s/qVgtqWUkKHSxIUd63uAvGJNU9hpEdh4X3jQ==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>xxxxxxxxxxxxxxxxxxxxxxxxx</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
</samlp:AuthnRequest>

When I test this against this online tool, it fails for 2 reasons:

Seems like the first problem comes from the signature itself (Adding the reference to the signed element) in xml-crypto, and the second problem can be solved with Signature config.

Any hint on this?

tngan commented 5 years ago

For the Issuer element, I need to take a look on that.

The signature order can be configured with signatureConfig when you construct the service provider instance.

signatureConfig: {
  prefix: 'ds',
  location: { reference: '/samlp:Response/saml:Issuer', action: 'after' },
}

radenui commented 5 years ago

Seems like the element being signed is Issuer: to reference it, xml-crypto has to add the Id attribute. Would it be possible in the SAML spec to sign the whole payload? The root element already contains the ID attribute.

radenui commented 5 years ago

For the record:

I tried to define the scope of the signature with AuthnRequest instead of Issuer in the entity-sp file => the generated signature seems to be invalid:

xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest" --trusted-pem cert.pem signed.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=250:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "signed.xml"

I tried to generate a signature with this tool:

tngan commented 5 years ago

I think that's an implementation mistake; the scope of the signature should be the entire document instead of only the Issuer. Let me fix it first.

Would you like to paste the signed document here? (Remove all sensitive information.)

radenui commented 5 years ago

XML to sign

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="8edfd1ea-1393-4800-9085-e4d15a508203" Version="2.0" IssueInstant="2018-10-16T11:19:35.277Z" Destination="https://auth.example.com/saml/singleSignOn" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://mcpn-dev-web1.dvgendarmerie.fr:8080/saml/acs"><saml:Issuer>http://localhost:8080/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/></samlp:AuthnRequest>

Signed version (valid)

<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx46e603f8-c7e9-012a-3f57-c20d9996e196" Version="2.0" IssueInstant="2018-10-16T11:19:35.277Z" Destination="https://auth.example.com/saml/singleSignOn" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://mcpn-dev-web1.dvgendarmerie.fr:8080/saml/acs"><saml:Issuer>http://localhost:8080/saml/metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx46e603f8-c7e9-012a-3f57-c20d9996e196"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>II63y3B/8r9md/MpBgv5gDJ+rY0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ECt0LgvuCYHGEG1omD+GOZaZuCqpnEF275GLQrSqj+xBEnJ2naqgialh0C5XUThz+vYHq1X15UYiDB/IotV/R+k7r+VdB7TJLe4akdsB0Ib9xY5ZTjCuia53Yk8gaIHsbVW7YIUTO0WZ8XNfA/g7FSBd2L7XfceGzpM0j/sqBb71WT+Lipvs9R75w+Mj8+mTkDs5QkAwvaILRuLr7ntrVNtA4HJg4LijC38V17HVEZb43NVZnEUNO7y0YYaC7fgC7WCEwT56h/33degAU03hjiPz1qVy1C+rGkXQ/Frl67BHwuFlxImeUmcofW2G6LHob4sm9aMoF+cuJkIqGC1jJg==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/></samlp:AuthnRequest>
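
The difference between the two signed requests in this thread (a Reference that points at the Issuer's Id, versus one that points at the root AuthnRequest's ID and excludes the Signature element through the enveloped-signature transform) can be detected before any cryptography is run. The following is an added example, not samlify's code and not anything posted in the issue; it uses only the Python standard library because it is a generic XML-DSig structure check rather than a samlify API call. The two documents are constructed, shortened copies of the requests above with placeholder digest, signature and certificate values, and the set of identifier attributes it resolves (ID, Id, id) is an assumption about what xml-crypto accepts.

```python
# Structural sanity check of an enveloped XML-DSig signature on a SAML AuthnRequest.
# Added example (not samlify code); uses only the Python standard library.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# Attribute names accepted as element identifiers (assumed to match xml-crypto's defaults).
ID_ATTRS = ("ID", "Id", "id")

# Constructed sample mirroring the first request in the thread: the Reference points at
# the Issuer's Id, so only <saml:Issuer> is signed. Digest/signature values are placeholders.
ISSUER_SCOPED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_request-1" Version="2.0"
    IssueInstant="2018-10-15T09:42:11.512Z" Destination="https://idp.example.com/saml/singleSignOn">
  <saml:Issuer Id="_0">http://localhost:8080/saml/metadata</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_0">
        <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>PLACEHOLDER=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER=</SignatureValue>
  </Signature>
</samlp:AuthnRequest>"""

# Constructed sample mirroring the valid signed version: the Reference points at the root
# element's ID and the enveloped-signature transform removes <ds:Signature> from the digest.
WHOLE_DOCUMENT_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx-request-2" Version="2.0"
    IssueInstant="2018-10-16T11:19:35.277Z" Destination="https://auth.example.com/saml/singleSignOn">
  <saml:Issuer>http://localhost:8080/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx-request-2">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/>
</samlp:AuthnRequest>"""


def local_name(el):
    """Strip the namespace from an ElementTree tag: '{ns}Issuer' -> 'Issuer'."""
    return el.tag.rsplit("}", 1)[-1]


def find_by_id(root, target_id):
    """Return the first element whose ID/Id/id attribute equals target_id, else None."""
    for el in root.iter():
        if any(el.get(attr) == target_id for attr in ID_ATTRS):
            return el
    return None


def check_signature_scope(xml_text):
    """Report which element the ds:Reference covers and whether the signature can verify.

    Returns a dict: 'ok' (no fatal findings), 'scope' (local name of the referenced
    element), 'problems' (fatal findings) and 'weak_algorithms' (SHA-1 based URIs seen).
    """
    root = ET.fromstring(xml_text)
    result = {"ok": False, "scope": None, "problems": [], "weak_algorithms": []}
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        result["problems"].append("no ds:Signature element")
        return result
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None:
        result["problems"].append("SignedInfo has no Reference")
        return result
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        result["problems"].append(f"Reference URI {uri!r} is not a same-document fragment")
        return result
    target = find_by_id(root, uri[1:])
    if target is None:
        result["problems"].append(f"Reference URI {uri!r} does not resolve to any element")
        return result
    result["scope"] = local_name(target)
    if target is not root:
        # Exactly the situation in the first request: only <saml:Issuer> is protected, so
        # every other attribute (Destination, ACS URL, ID, ...) could be changed undetected.
        result["problems"].append(
            f"signature covers only <{result['scope']}>, not the whole <{local_name(root)}>")
    transforms = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
    # A Signature that sits inside the signed subtree must be excluded from the digest;
    # otherwise the digest computed at verification time can never match.
    if sig in target.iter() and ENVELOPED not in transforms:
        result["problems"].append("Signature is inside the signed element but the "
                                  "enveloped-signature transform is missing")
    digest = ref.find(f"{{{DS}}}DigestMethod")
    method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    for el in (digest, method):
        alg = el.get("Algorithm", "") if el is not None else ""
        if alg.endswith("sha1"):
            result["weak_algorithms"].append(alg)
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    for label, doc in (("issuer-scoped", ISSUER_SCOPED_REQUEST),
                       ("whole-document", WHOLE_DOCUMENT_REQUEST)):
        print(label, check_signature_scope(doc))
```

A passing structural check is necessary, not sufficient: the digest and signature values still have to be verified cryptographically, as radenui did with xmlsec1 above. The check does make the failure mode in this thread visible in one line (scope is `Issuer` instead of `AuthnRequest`), and it also reports that both sample signatures use `rsa-sha1`/`sha1`, which a receiving IdP may reject.
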
tngan commented 5 years ago

@radenui I have fixed this issue (573be12), by setting correct xpath reference and adding back the default signatureConfig. Thanks for your report.

tngan commented 5 years ago

@radenui I am also planning to include the schema validation to login and logout request. See https://github.com/tngan/samlify/issues/123.