Can samlsign validate a saml response taken directly from the shibd logs?


Can samlsign validate a saml response taken directly from the shibd logs?

Rodney McDuff
I'm trying to get a Shibboleth 2.1 SP working with an eduGAIN Bridging
Element. I'm almost there. I get a saml 1.1 response from the BE that
seems well formed with an authN statement and an attribute statement
full of attributes. The signing cert, etc. is in my metadata and the issuing
entityID is consistent with the metadata. But still I can't validate the
response; I'm getting:
    shib_handler: remoted message returned an error: Security of SAML
1.x SSO POST response not established.

Yes. I am aware of the
https://spaces.internet2.edu/display/SHIB2/NativeSPTroubleshootingCommonErrors
entry which states:

>
>
>         opensaml::saml2md::MetadataException: Security of SAML 1.x SSO
>         POST response not established.
>
> The usual cause for this is an incoming SAML assertion/response from
> an issuer for which the SP has no metadata loaded. This means either
> the metadata is wrong, or the IdP in question is using the wrong
> entityID in its configuration, so the URI passed to the SP doesn't
> match what it expects.
>
> More specific information is usually available from the shibd.log file.
>
I'd like to independently validate the response, and samlsign is sort of
independent (except it uses most of the same libraries). However
samlsign tells me that my signed saml response is unsigned:

    1245300714 ERROR OpenSAML.Utility.SAMLSign : caught an exception:
Cannot verify unsigned object.

It issues this error even before it gets to read the signing cert, which
is a bit rude.

So the question is: can samlsign validate a saml response taken directly
from the shibd logs? If it can't, what other tools are out there to
independently validate my signed saml response?


--
Dr. Rodney G. McDuff                 |Ex ignorantia ad sapientiam
Manager, Strategic Technologies Group|    Ex luce ad tenebras
Information Technology Services      |
The University of Queensland         |
EMAIL: [hidden email]          |
TELEPHONE: +61 7 3365 8220           |



Re: Can samlsign validate a saml response taken directly from the shibd logs?

Chad La Joie
Are you sure the response is signed? The error from samlsign would
suggest that it was not signed. That would also be consistent with the
error you're getting from the SP.


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: Can samlsign validate a saml response taken directly from the shibd logs?

Chad La Joie
In reply to this post by Rodney McDuff
So, looking at the XML you sent me, the response is, in fact, not
signed. The assertion is signed, but that's not what is being checked.
The SP uses the signature on the response, and samlsign attempts to check
the signature on the root object that you give it. If you could strip
out the assertion without breaking the signature (which you probably
can't; it's pretty hard to do), samlsign should validate it.


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: Can samlsign validate a saml response taken directly from the shibd logs?

Rodney McDuff
Hi Chad

Chad La Joie wrote:
> So, looking at the XML you sent me, the response is, in fact, not
> signed. The assertion is signed, but that's not what is being checked.
> The SP uses the signature on the response, and samlsign attempts to
> check the signature on the root object that you give it. If you could
> strip out the assertion without breaking the signature (which you
> probably can't; it's pretty hard to do), samlsign should validate it.

Is this just semantics, or am I missing something? Yes, there is *no*
signature over the whole <Response> element, but there is a signature
over the whole <Assertion> element, which is one level down.

Anyway, I've ripped out the <Assertion> using xml_grep and samlsign is
now telling me:
    1245305219 ERROR OpenSAML.Utility.SAMLSign : caught an exception:
"CredentialResolver did not supply a successful verification key"

One step closer. Ta.




--
Dr. Rodney G. McDuff                 |Ex ignorantia ad sapientiam
Manager, Strategic Technologies Group|    Ex luce ad tenebras
Information Technology Services      |
The University of Queensland         |
EMAIL: [hidden email]          |
TELEPHONE: +61 7 3365 8220           |



RE: Can samlsign validate a saml response taken directly from the shibd logs?

Cantor, Scott E.
In reply to this post by Rodney McDuff
> I'm trying to get a Shibboleth 2.1 SP working with an eduGAIN Bridging
> Element. I'm almost there. I get a saml 1.1 response from the BE that
> seems well formed with an authN statement and an attribute statement
> full of attributes. The signing cert, etc. is in my metadata and the issuing
> entityID is consistent with the metadata. But still I can't validate the
> response; I'm getting:
>     shib_handler: remoted message returned an error: Security of SAML
> 1.x SSO POST response not established.

With the SAML 1 SSO profile, the response MUST be signed. From the rest of
your thread, I gather it isn't signed, so the profile handler is kicking it
before it ever gets to the assertion.

> It issues this error even before it gets to read the signing cert, which
> is a bit rude.

samlsign is a low level utility that verifies only what you give it. If that
object isn't signed, it's an error, essentially invalid input.

> So the question is: can samlsign validate a saml response taken directly
> from the shibd logs? If it can't, what other tools are out there to
> independently validate my signed saml response?

That isn't your problem in this case, I doubt the assertion signature is
relevant to the error.

-- Scott




Re: Can samlsign validate a saml response taken directly from the shibd logs?

Cantor, Scott E.
In reply to this post by Rodney McDuff
Rodney McDuff wrote on 2009-06-18:
> Is this just semantics, or am I missing something? Yes, there is *no*
> signature over the whole <Response> element, but there is a signature
> over the whole <Assertion> element, which is one level down.

Doesn't matter. The old SAML profile doesn't place adequate protections into the assertion to limit bearer delivery (because the Audience condition wasn't mandated), so there's a Recipient attribute at the Response level that serves that purpose. An unsigned response is therefore not sufficiently secure.

A different SAML 1 profile could of course do things differently, but it wouldn't interoperate with a correctly written SP supporting the original one.

> Anyway, I've ripped out the <Assertion> using xml_grep and samlsign is
> now telling me:
>     1245305219 ERROR OpenSAML.Utility.SAMLSign : caught an exception:
> "CredentialResolver did not supply a successful verification key"

I don't know how you ran it, and I can't imagine that xml_grep won't corrupt the XML signature anyway, but the error means you didn't supply a key to verify with.

-- Scott
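The distinction Chad and Scott draw (samlsign verifies the root object; the SAML 1.x POST profile needs the Response itself signed, since the Recipient attribute lives at the Response level) can be checked mechanically before reaching for samlsign. The following is an added example, not code from the thread or from the Shibboleth project; it uses only the Python standard library and a constructed sample response whose only ds:Signature sits inside the Assertion, and it does not verify any signature, it only reports where signatures are placed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signature_scopes(xml_text):
    """Report which elements of a SAML 1.x Response carry a direct ds:Signature."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response: %s" % root.tag)
    # A Signature covers its parent element only when it is a direct child;
    # samlsign verifies the root object, so only this one counts for the Response.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = [a.find("ds:Signature", NS) is not None
                        for a in root.findall("saml:Assertion", NS)]
    return {"response_signed": response_signed,
            "assertion_signed": assertion_signed,
            # Recipient is a Response-level attribute; without a Response
            # signature nothing binds it to the issuer.
            "recipient": root.get("Recipient")}

def diagnose(xml_text):
    """Map the signature layout to the behaviour described in the thread."""
    s = signature_scopes(xml_text)
    if s["response_signed"]:
        return "response signed: samlsign and the SP can check the root signature"
    if any(s["assertion_signed"]):
        return ("response unsigned, assertion signed: samlsign reports "
                "'Cannot verify unsigned object' and the SAML 1.x POST profile rejects it")
    return "nothing signed"

# Constructed sample (hypothetical entity IDs): signature only on the Assertion.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResponseID="_r1"
  IssueInstant="2009-06-18T05:58:58Z"
  Recipient="https://sp.example.org/Shibboleth.sso/SAML/POST">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" Issuer="https://idp.example.org/idp"
    IssueInstant="2009-06-18T05:58:58Z" MajorVersion="1" MinorVersion="1">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Running it against a response pasted from shibd.log tells you whether samlsign's "Cannot verify unsigned object" is about the Response or the Assertion before you spend time on keys and metadata.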



Re: Can samlsign validate a saml response taken directly from the shibd logs?

Kristof BAJNOK
In reply to this post by Rodney McDuff
On Thursday 18 June 2009 Rodney McDuff wrote:
> Is this just semantics, or am I missing something? Yes, there is *no*
> signature over the whole <Response> element, but there is a signature
> over the whole <Assertion> element, which is one level down.

Can you confirm you are using the latest eduGAIN libraries? My eduGAIN
Shibboleth Home BE does sign the Response (and the Assertion as well).

However, be aware of the known issues mentioned in
http://wiki.edugain.org/index.php/ShibInteroperability

Kristof
--
Kristof BAJNOK
Systems Engineer / Middleware
NIIF / Hungarnet
Hungary

Re: Can samlsign validate a saml response taken directly from the shibd logs?

Jim Fox
In reply to this post by Cantor, Scott E.

For what it's worth, there's a beta version of samlsign in the shib2 svn
repository that will verify the signature on an assertion whether or not
the enclosing document is signed. It won't help your SP problem, but it
might at least tell you if the assertion's signature is any good.

In the svn, see:  shib-extension/java-samlsign/trunk/...

Jim

