Closed radenui closed 5 years ago
For the Issuer element, I need to take a look at that.
The signature order can be configured with signatureConfig when you construct the service provider instance.
signatureConfig: {
prefix: 'ds',
location: { reference: '/samlp:Response/saml:Issuer', action: 'after' },
}
Seems like the element being signed is Issuer: to reference it, xml-crypto has to add the Id attribute. Would it be possible in SAML spec to sign the whole payload? The root element already contains the Id attribute.
For the record: I tried to define the scope of the signature with AuthnRequest instead of Issuer in the entity-sp file => the generated signature seems to be invalid:
xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest" --trusted-pem cert.pem signed.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=250:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "signed.xml"
I tried to generate a signature with this tool:
I think that's the implementation mistake: the scope of the signature should be the entire document instead of only the Issuer. Let me fix it first.
Would you like to paste the signed document here? (Remove all sensitive information)
XML to sign
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="8edfd1ea-1393-4800-9085-e4d15a508203" Version="2.0" IssueInstant="2018-10-16T11:19:35.277Z" Destination="https://auth.example.com/saml/singleSignOn" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://mcpn-dev-web1.dvgendarmerie.fr:8080/saml/acs"><saml:Issuer>http://localhost:8080/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/></samlp:AuthnRequest>
Signed version (valid)
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx46e603f8-c7e9-012a-3f57-c20d9996e196" Version="2.0" IssueInstant="2018-10-16T11:19:35.277Z" Destination="https://auth.example.com/saml/singleSignOn" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://mcpn-dev-web1.dvgendarmerie.fr:8080/saml/acs"><saml:Issuer>http://localhost:8080/saml/metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx46e603f8-c7e9-012a-3f57-c20d9996e196"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>II63y3B/8r9md/MpBgv5gDJ+rY0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ECt0LgvuCYHGEG1omD+GOZaZuCqpnEF275GLQrSqj+xBEnJ2naqgialh0C5XUThz+vYHq1X15UYiDB/IotV/R+k7r+VdB7TJLe4akdsB0Ib9xY5ZTjCuia53Yk8gaIHsbVW7YIUTO0WZ8XNfA/g7FSBd2L7XfceGzpM0j/sqBb71WT+Lipvs9R75w+Mj8+mTkDs5QkAwvaILRuLr7ntrVNtA4HJg4LijC38V17HVEZb43NVZnEUNO7y0YYaC7fgC7WCEwT56h/33degAU03hjiPz1qVy1C+rGkXQ/Frl67BHwuFlxImeUmcofW2G6LHob4sm9aMoF+cuJkIqGC1jJg==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/></samlp:AuthnRequest>
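As an added example (not samlify's or xml-crypto's code), the following Python stdlib check captures what this thread settles on: the single ds:Reference must target the root AuthnRequest's ID with the enveloped-signature transform, and saml:Issuer must carry no Id attribute. The sample documents are constructed; the function inspects structure only and does not verify the SignatureValue (xmlsec1 does that, as shown above).

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

def check_signature_scope(xml_text):
    """Findings about the signature scope (empty = looks right). Structure only; no crypto."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    root_id = root.get("ID")
    if not root_id:
        findings.append("root AuthnRequest has no ID attribute")
    issuer = root.find("saml:Issuer", NS)
    # The SAML schema defines no Id/ID attribute on saml:Issuer (the first error in the thread)
    if issuer is not None and (issuer.get("Id") or issuer.get("ID")):
        findings.append("saml:Issuer carries an Id attribute, which the schema does not allow")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("no ds:Signature element")
        return findings
    children = list(root)
    if issuer is not None and children.index(sig) < children.index(issuer):
        findings.append("ds:Signature must come after saml:Issuer")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        findings.append("expected exactly one ds:Reference, found %d" % len(refs))
    for ref in refs:
        uri = ref.get("URI", "")
        if uri != "#%s" % root_id:   # the reference must cover the whole request
            findings.append("ds:Reference URI %r does not point at the root ID %r" % (uri, root_id))
        algs = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        if ENVELOPED not in algs:
            findings.append("ds:Reference lacks the enveloped-signature transform")
    return findings

def _doc(issuer_attrs, ref_uri):
    # Constructed minimal request for demonstration; no real SignatureValue is included.
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_req" Version="2.0">'
            '<saml:Issuer%s>http://sp.example/metadata</saml:Issuer>'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"><ds:Transforms>'
            '<ds:Transform Algorithm="%s"/></ds:Transforms></ds:Reference></ds:SignedInfo>'
            '</ds:Signature></samlp:AuthnRequest>'
            % (NS["samlp"], NS["saml"], NS["ds"], issuer_attrs, ref_uri, ENVELOPED))

GOOD = _doc("", "#_req")           # reference covers the whole AuthnRequest
BAD = _doc(' Id="_iss"', "#_iss")  # reference covers only the Issuer (the bug reported here)
```

Running check_signature_scope(BAD) reports both the Issuer Id attribute and the reference that stops short of the root, while GOOD returns no findings.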
@radenui I have fixed this issue (573be12) by setting the correct xpath reference and adding back the default signatureConfig. Thanks for your report.
@radenui I am also planning to include the schema validation to login and logout request. See https://github.com/tngan/samlify/issues/123.
First of all, thanks for your awesome lib!
I'm facing an issue here, when trying to authenticate against a LemonLDAP server: it seems like the authnRequest is malformed...
Here is the generated request:
When I test this against this online tool, it fails for 2 reasons:
1. Id is not allowed in the Issuer element
2. NameIDPolicy and RequestedAuthnContext elements
Seems like the first problem comes from the signature itself (adding the reference to the signed element) in xml-crypto, and the second problem can be solved with Signature config.
Any hint on this?