Missing authn request signature


Missing authn request signature

Paolo Smiraglia-2
Hello guys, my name is Paolo.

I created a Docker image that uses Shibboleth SP 2.x

   https://github.com/italia/spid-auth-docker

in order to setup a sort of authentication proxy.

Recently I realised that, despite "signing=true", the AuthN requests
are not signed. This is the template that I use to generate the
shibboleth2.xml file

   https://github.com/italia/spid-auth-docker/blob/master/etc/shibboleth/shibboleth2.xml.tpl

Could you check if there is something wrong? Many thanks!

Best,

   Paolo

--
PAOLO SMIRAGLIA
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Missing authn request signature

Peter Schober
* Paolo Smiraglia <[hidden email]> [2018-06-12 11:40]:
> Recently I realised that, despite "signing=true", the AuthN requests
> are not signed. This is the template that I use to generate the
> shibboleth2.xml file
>
>    https://github.com/italia/spid-auth-docker/blob/master/etc/shibboleth/shibboleth2.xml.tpl
>
> Could you check if there is something wrong? Many thanks!

You mean besides loading remote SAML Metadata without performing
signature validation? ;)

You've changed the default location for the SAML key pair:

<CredentialResolver type="File"
  key="/opt/shibboleth-sp/certs/sp-key.pem"
  certificate="/opt/shibboleth-sp/certs/sp-cert.pem"

The software will generate a key pair from the RPM spec file but that
will end up in /etc/shibboleth. I don't see you moving this to the
specified location above (e.g. in the Dockerfile) and it's not
obvious to me that some other process puts a key pair there?
Your README tells people to put a key pair in
/opt/authproxy/certs/saml/ which doesn't match the configured location
either (unless you're doing some Docker mounting, I haven't checked).

But if the above were in fact the source of the error the SP should
complain loudly during startup about a missing key pair, AFAIR.
Did you check the logs?

-peter
 
--

Re: Missing authn request signature

Paolo Smiraglia-2
Hi Peter, thanks for the reply.

See comments inline.

   Paolo

On Tue, 12 Jun 2018 at 12:04, Peter Schober <[hidden email]> wrote:

>
> * Paolo Smiraglia <[hidden email]> [2018-06-12 11:40]:
> > Recently I realised that, despite "signing=true", the AuthN requests
> > are not signed. This is the template that I use to generate the
> > shibboleth2.xml file
> >
> >    https://github.com/italia/spid-auth-docker/blob/master/etc/shibboleth/shibboleth2.xml.tpl
> >
> > Could you check if there is something wrong? Many thanks!
>
> You mean besides loading remote SAML Metadata without performing
> signature validation? ;)

In theory, the metadata come from a trusted source. Anyway, I'll put
this aspect in the TODO list... :-D

> You've changed the default location for the SAML key pair:
>
> <CredentialResolver type="File"
>   key="/opt/shibboleth-sp/certs/sp-key.pem"
>   certificate="/opt/shibboleth-sp/certs/sp-cert.pem"
>
> The software will generate a key pair from the RPM spec file but that
> will end up in /etc/shibboleth. I don't see you moving this to the
> specified location above (e.g. in the Dockerfile) and it's not
> obvious to me that some other process puts a key pair there?
> Your README tells people to put a key pair in
> /opt/authproxy/certs/saml/ which doesn't match the configured location
> either (unless you're doing some Docker mounting, I haven't checked).

It should be ok. The bootstrap script does its job...

   https://github.com/italia/spid-auth-docker/blob/master/usr/local/bin/docker-bootstrap.sh#L71-L102

> But if the above were in fact the source of the error the SP should
> complain loudly during startup about a missing key pair, AFAIR.
> Did you check the logs?

I'll do it soon (not possible now).

Apart from the metadata, do you see something "strange" in the shibboleth.xml
template about the signature?
--

Re: Missing authn request signature

Peter Schober
* Paolo Smiraglia <[hidden email]> [2018-06-12 12:22]:
> > But if the above were in fact the source of the error the SP should
> > complain loudly during startup about a missing key pair, AFAIR.
> > Did you check the logs?
>
> I'll do it soon (not possible now).
>
> Apart the metadata, do you see something "strange" in shibboleth.xml
> template about signature?

First you should ascertain that the software is loading the key pair.
If it's not that's your answer why it's not signing.

-peter
--

Re: Missing authn request signature

Paolo Smiraglia-2
On Tue, 12 Jun 2018 at 12:30, Peter Schober <[hidden email]> wrote:
> [...]
>
> First you should ascertain that the software is loading the key pair.
> If it's not that's your answer why it's not signing.

I verified and the keypair is correctly loaded. I put the logs in
debug mode but (IMHO) nothing relevant is shown.

This is the generated AuthnRequest

<samlp:AuthnRequest AssertionConsumerServiceURL="https://****/iam/SAML2/POST"
    AttributeConsumingServiceIndex="1"
    Destination="https://idp.spid.gov.it/samlsso"
    ForceAuthn="true"
    ID="_f2f42b466c65bc2edf80cb4da21266a7"
    IssueInstant="2018-06-12T11:41:29Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        NameQualifier="****">
        ****
    </saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL1</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

--
PAOLO SMIRAGLIA
--

RE: Missing authn request signature

Cantor, Scott E.
> This is the generated AuthnRequest

And for a redirect that's all you will see, that's not where a signature would be.

-- Scott

--

Re: Missing authn request signature [SOLVED]

Paolo Smiraglia-2
> > This is the generated AuthnRequest
>
> And for a redirect that's all you will see, that's not where a signature would be.

You're absolutely right. The signature is in the query string under
"Signature" parameter. My mind was locked on HTTP-POST... Many thanks
guys!

--
PAOLO SMIRAGLIA
--
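Editor's worked example of the point Scott and Paolo settle above. This is added code, not Shibboleth SP's implementation and not part of the spid-auth-docker project: with the HTTP-Redirect binding the AuthnRequest XML is DEFLATEd and base64-encoded into the SAMLRequest parameter, and the signature is an RSA signature over the raw query string "SAMLRequest=...&RelayState=...&SigAlg=..." carried in a separate Signature parameter, so the decoded XML never contains a ds:Signature element. The IdP-side verifier below mirrors what the SAML 2.0 Bindings specification requires (sign/verify the percent-encoded values in that fixed order, check the algorithm against an allow-list, reject any change to the signed parameters). It assumes the `cryptography` package; the AuthnRequest, entity IDs, ACS URL, IdP endpoint and relay state are constructed placeholders modelled on the request in the thread, not real SPID endpoints.

```python
"""SAML 2.0 HTTP-Redirect binding: the AuthnRequest signature lives in the
query string (SigAlg + Signature), not inside the deflated XML document."""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Tuple
from urllib.parse import urlencode, urlparse, quote, unquote

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the thread's request; all URLs are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' ID="_f2f42b466c65bc2edf80cb4da21266a7" Version="2.0"'
    ' IssueInstant="2018-06-12T11:41:29Z" ForceAuthn="true"'
    ' Destination="https://idp.example.org/samlsso"'
    ' AssertionConsumerServiceURL="https://sp.example.org/iam/SAML2/POST"'
    ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.org/iam</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as the binding requires."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def has_embedded_signature(xml: str) -> bool:
    """True only if the XML itself carries a <ds:Signature> (POST binding style)."""
    return ET.fromstring(xml).find("{%s}Signature" % DSIG_NS) is not None


def signed_redirect_url(idp_sso: str, xml: str, relay_state: str, key) -> str:
    """SP side: build the signed redirect URL (RelayState is optional)."""
    params = [("SAMLRequest", deflate_b64(xml))]
    if relay_state:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", RSA_SHA256))
    # Sign the percent-encoded query exactly as it will appear on the wire.
    to_sign = urlencode(params, quote_via=quote)
    sig = key.sign(to_sign.encode(), padding.PKCS1v15(), hashes.SHA256())
    params.append(("Signature", base64.b64encode(sig).decode()))
    return idp_sso + "?" + urlencode(params, quote_via=quote)


def verify_redirect_url(url: str, pub) -> Tuple[bool, str]:
    """IdP side: verify over the RAW still-encoded values from the request
    line (never over re-encoded parsed values), then inflate the XML."""
    raw = {}
    for part in urlparse(url).query.split("&"):
        name, _, value = part.partition("=")
        raw[name] = value
    if unquote(raw.get("SigAlg", "")) != RSA_SHA256:  # algorithm allow-list
        return False, ""
    try:
        pieces = ["SAMLRequest=" + raw["SAMLRequest"]]
        if "RelayState" in raw:
            pieces.append("RelayState=" + raw["RelayState"])
        pieces.append("SigAlg=" + raw["SigAlg"])
        sig = base64.b64decode(unquote(raw["Signature"]))
        pub.verify(sig, "&".join(pieces).encode(),
                   padding.PKCS1v15(), hashes.SHA256())
    except (InvalidSignature, KeyError, ValueError):
        return False, ""
    return True, inflate_b64(unquote(raw["SAMLRequest"]))


def demo() -> dict:
    """Round trip with a throwaway SP key; returns the checks a reviewer wants."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    url = signed_redirect_url("https://idp.example.org/samlsso",
                              AUTHN_REQUEST, "state123", key)
    ok, xml = verify_redirect_url(url, key.public_key())
    tampered = url.replace("RelayState=state123", "RelayState=state999")
    downgraded = url.replace("rsa-sha256", "rsa-sha1")
    return {
        "signature_in_query": "Signature=" in url and "SigAlg=" in url,
        "signature_in_xml": has_embedded_signature(xml),
        "verified": ok,
        "xml_round_trips": xml == AUTHN_REQUEST,
        "tampered_verifies": verify_redirect_url(tampered, key.public_key())[0],
        "sha1_downgrade_verifies": verify_redirect_url(downgraded, key.public_key())[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

The practical check for an SP operator is therefore the one Paolo ends up doing: capture the 302 to the IdP and look for SigAlg and Signature in the query string, rather than searching the decoded SAMLRequest for a ds:Signature element. Only requests sent over HTTP-POST (or artifact/SOAP) carry the signature inside the XML.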