wso2-extensions / identity-outbound-auth-samlsso

Apache License 2.0

Unable to decrypt SAML Assertion (from Okta IdP) #73

Open agilenovallc opened 5 years ago

agilenovallc commented 5 years ago

Description: The following error is received when an encrypted SAML assertion is received via IdP POST from an Okta IdP to WSO2:

```
Caused by: org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: Unable to decrypt the SAML Assertion
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:518)
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.executeSAMLReponse(DefaultSAML2SSOManager.java:383)
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSAMLResponse(DefaultSAML2SSOManager.java:374)
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processResponse(DefaultSAML2SSOManager.java:331)
    at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:252)
    ... 67 more
Caused by: java.lang.IndexOutOfBoundsException: Index: 0
    at java.util.Collections$EmptyList.get(Collections.java:4454)
    at org.opensaml.xml.util.LazyList.get(LazyList.java:90)
    at org.opensaml.xml.util.ListView.get(IndexedXMLObjectChildrenList.java:312)
    at org.opensaml.xml.util.ListView.get(IndexedXMLObjectChildrenList.java:238)
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.getDecryptedAssertion(DefaultSAML2SSOManager.java:1151)
    at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:516)
```

Looking at the XML, Okta is sending the EncryptedKey as a child of EncryptedAssertion:

Looking at the DefaultSAMLSSOManager.java, WSO2 is expecting the EncryptedKeys as a child of KeyInfo, i.e. encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys(). Shouldn't the code also check for keys using encryptedAssertion.getEncryptedKeys() to comply with xmlenc, or am I missing something? I believe the xmlenc specification supports three different options for retrieving EncryptedKeys.

NOTE: I have verified that the SAML Assertion can be decrypted using WSO2's private key using other SAML libraries.

**Suggested Labels:**

**Suggested Assignees:**

**Affected Product Version:** All? Demonstrable in WSO2IS 5.4.1 and 5.7.0

**OS, DB, other environment details and versions:** Windows or Linux with H2 or SQL Server

**Steps to reproduce:**

1) Configure WSO2 as a SAML application in Okta, specifying WSO2's certificate, consumer assertion URL and Enable SAML Assertion Encryption
2) Configure Okta as an Identity Provider in WSO2 using metadata imported from Okta and enable SAML Assertion Encryption
3) Click on the Okta tile to initiate a SAML POST
4) Observe "Unable to decrypt SAML Assertion" error

**Related Issues:** N/A
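As an added example (not the authenticator's own code), this is how OpenSAML 2.x can locate the EncryptedKey in any of the three placements xmlenc allows, rather than calling get(0) on one list; it assumes the OpenSAML 2.x API implied by the org.opensaml.xml.* packages in the stack trace and a Credential wrapping WSO2's private key.

```java
// Added example, not from the wso2-extensions repository. Assumes OpenSAML 2.x
// (org.opensaml.xml.* packages as in the stack trace) and a Credential holding
// the SP (WSO2) private key used as the key-encryption key.
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;

public final class AssertionDecryptor {

    /** Reports which of the xmlenc EncryptedKey placements the assertion uses. */
    static String describeKeyPlacement(EncryptedAssertion ea) {
        // 1) EncryptedData/KeyInfo/EncryptedKey: the only placement the reported code reads
        boolean inline = ea.getEncryptedData() != null
                && ea.getEncryptedData().getKeyInfo() != null
                && !ea.getEncryptedData().getKeyInfo().getEncryptedKeys().isEmpty();
        // 2) EncryptedAssertion/EncryptedKey, a sibling of EncryptedData (what Okta sends)
        boolean sibling = !ea.getEncryptedKeys().isEmpty();
        // 3) KeyInfo/RetrievalMethod pointing at an EncryptedKey elsewhere is resolved
        //    at decryption time by SimpleRetrievalMethodEncryptedKeyResolver below
        if (inline) return "inline KeyInfo/EncryptedKey";
        if (sibling) return "sibling EncryptedAssertion/EncryptedKey";
        return "none inline or sibling (RetrievalMethod or missing)";
    }

    static Assertion decrypt(EncryptedAssertion ea, Credential spPrivateKey)
            throws DecryptionException {
        if (ea.getEncryptedData() == null) {
            throw new DecryptionException("EncryptedAssertion has no EncryptedData");
        }
        // Chain all three resolvers so any placement yields a DecryptionException
        // on failure instead of an IndexOutOfBoundsException.
        ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver();
        keyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        keyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        keyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());

        // KEK resolver: unwraps the EncryptedKey with the SP private key.
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(spPrivateKey);
        Decrypter decrypter = new Decrypter(null, kekResolver, keyResolver);
        return decrypter.decrypt(ea);
    }
}
```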
thanujalk commented 5 years ago

Moved to https://github.com/wso2/product-is/issues/5475

thanujalk commented 5 years ago

Thanks for reporting the issue. I have added this to the IS 5.9.0 release milestone.