Subject: | Problem with simpleSAMLphp and signed response |
Hi,
I'm working with simpleSAMLphp as an IdP, and Net::SAML2 to integrate
an application as SP.
After some work I finally got a response from the IdP. The problem appears
when processing this response, at:
my $ret = $post->handle_response(
$saml_response
);
Specifically I detected the problem is in the verify method of Sig.pm.
I had to modify several things in order to make it work:
- signature prefix is '<ds:' not '<dsig:'
- there are several signatures in the response, but Sig.pm assumes there
is only one... I had to modify the module in order to take into account
only the first (outermost) signature.
Now it works, but as I am completely new to XML programming the changes
I've introduced are rather "simple" and probably don't cover other cases.
I attach the modified Sig.pm and an example of the header (I removed
the attribute list).
Some more data:
- I'm using Net::SAML2 0.17
- on the server:
Linux clippervm 2.6.32-220.2.1.el6.x86_64 #1 SMP Tue Dec 13 16:21:34 EST
2011 x86_64 x86_64 x86_64 GNU/Linux
- on perl:
This is perl, v5.10.1 (*) built for x86_64-linux-thread-multi
Copyright 1987-2009, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
Hope this helps!
Greetings,
David
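The two problems reported above (a signature lookup that depends on the literal prefix, and a verifier that only expects one ds:Signature) both come from treating the XML as text instead of as a namespaced tree. The script below is an added example, written for this thread; it is not Net::SAML2's Sig.pm nor David's modified version. It locates every Signature element by namespace URI (so ds:, dsig: or any other prefix works), verifies each enveloped signature against the IdP certificate the SP already has from metadata (never the certificate carried in ds:KeyInfo), and returns the set of element IDs that a valid signature actually covers, so the caller can insist that the Assertion it is about to trust is in that set. It assumes the CPAN modules XML::LibXML, Crypt::OpenSSL::RSA, Crypt::OpenSSL::X509, Digest::SHA and MIME::Base64, and only accepts the signature profile the response above uses (one same-document reference to the signature's parent, enveloped-signature plus exclusive C14N transforms, RSA with SHA-1 or SHA-256). The function name verified_signed_ids, the helper exc_c14n and the command-line usage are my own invention.

```perl
#!/usr/bin/perl
# Added example, not Net::SAML2 code: verify every enveloped XML-DSig
# signature in a SAML Response and report which element IDs it covers.
use strict;
use warnings;
use XML::LibXML;
use Crypt::OpenSSL::RSA;
use Crypt::OpenSSL::X509;
use Digest::SHA qw(sha1 sha256);
use MIME::Base64 qw(decode_base64 encode_base64);

my $DSIG      = 'http://www.w3.org/2000/09/xmldsig#';
my $EXC_C14N  = 'http://www.w3.org/2001/10/xml-exc-c14n#';
my $ENVELOPED = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature';

# Algorithm URIs we are willing to accept (SHA-1 is what the response
# above uses; SHA-256 is what a current IdP should be configured for).
my %DIGEST = (
    'http://www.w3.org/2000/09/xmldsig#sha1'  => \&sha1,
    'http://www.w3.org/2001/04/xmlenc#sha256' => \&sha256,
);
my %SIGALG = (
    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'        => 'use_sha1_hash',
    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => 'use_sha256_hash',
);

# Exclusive C14N of $node, honouring an optional ec:InclusiveNamespaces
# PrefixList under $holder (a CanonicalizationMethod or Transform element).
sub exc_c14n {
    my ($xpc, $node, $holder) = @_;
    my @prefixes = split ' ', $xpc->findvalue('./ec:InclusiveNamespaces/@PrefixList', $holder);
    return $node->toStringEC14N(0, undef, undef, \@prefixes);
}

# Returns { element_id => 1 } for every element whose enveloped signature
# verifies with $idp_cert_pem. Signatures that use an unsupported profile
# or fail to verify are simply not in the result.
sub verified_signed_ids {
    my ($xml, $idp_cert_pem) = @_;
    my $rsa = Crypt::OpenSSL::RSA->new_public_key(
        Crypt::OpenSSL::X509->new_from_string($idp_cert_pem)->pubkey);

    my $doc = XML::LibXML->load_xml(string => $xml);
    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs(ds => $DSIG);      # our prefix; the document's prefix is irrelevant
    $xpc->registerNs(ec => $EXC_C14N);

    my %verified;
    my @sigs = $xpc->findnodes('//ds:Signature');   # snapshot: we detach nodes below
    SIG: for my $sig (@sigs) {
        my $parent = $sig->parentNode;
        my $id     = $parent->getAttribute('ID') // '';
        my ($si)   = $xpc->findnodes('./ds:SignedInfo', $sig) or next SIG;
        my ($cm)   = $xpc->findnodes('./ds:CanonicalizationMethod', $si) or next SIG;
        my $method = $SIGALG{ $xpc->findvalue('./ds:SignatureMethod/@Algorithm', $si) } or next SIG;
        my @refs   = $xpc->findnodes('./ds:Reference', $si);

        # Only the profile SAML uses: exactly one reference, pointing at the
        # element that encloses this Signature, with an ID that is unique in
        # the document (a duplicated ID is the classic wrapping attack).
        next SIG unless $cm->getAttribute('Algorithm') eq $EXC_C14N;
        next SIG unless @refs == 1 && $id =~ /^[A-Za-z_][\w.-]*$/;
        next SIG unless ($refs[0]->getAttribute('URI') // '') eq "#$id";
        next SIG unless $xpc->findvalue(qq{count(//*[\@ID="$id"])}) == 1;
        my @tr = $xpc->findnodes('./ds:Transforms/ds:Transform', $refs[0]);
        next SIG unless @tr == 2
            && $tr[0]->getAttribute('Algorithm') eq $ENVELOPED
            && $tr[1]->getAttribute('Algorithm') eq $EXC_C14N;
        my $digest = $DIGEST{ $xpc->findvalue('./ds:DigestMethod/@Algorithm', $refs[0]) } or next SIG;
        (my $want = $xpc->findvalue('./ds:DigestValue', $refs[0])) =~ s/\s+//g;

        # Canonical SignedInfo is taken while the Signature is still in place.
        my $si_c14n = exc_c14n($xpc, $si, $cm);

        # Enveloped-signature transform: digest the parent with this Signature
        # removed, then put it back so the other signatures still see the
        # document exactly as their signer did (the Response signature covers
        # the Assertion's Signature element).
        my $next = $sig->nextSibling;
        $sig->unbindNode;
        my $got = encode_base64($digest->(exc_c14n($xpc, $parent, $tr[1])), '');
        $next ? $parent->insertBefore($sig, $next) : $parent->appendChild($sig);
        next SIG unless $got eq $want;

        (my $sigval = $xpc->findvalue('./ds:SignatureValue', $sig)) =~ s/\s+//g;
        $rsa->$method();
        $verified{$id} = 1 if eval { $rsa->verify($si_c14n, decode_base64($sigval)) };
    }
    return \%verified;
}

# Usage: perl verify_saml_sigs.pl response.xml idp-signing-cert.pem
unless (caller) {
    my ($xml_file, $pem_file) = @ARGV;
    my $slurp = sub { local $/; open my $fh, '<', $_[0] or die "$_[0]: $!"; <$fh> };
    my $xml = $slurp->($xml_file);
    my $ok  = verified_signed_ids($xml, $slurp->($pem_file));
    my $xpc = XML::LibXML::XPathContext->new(XML::LibXML->load_xml(string => $xml));
    $xpc->registerNs(saml => 'urn:oasis:names:tc:SAML:2.0:assertion');
    for my $a ($xpc->findnodes('//saml:Assertion')) {
        my $id = $a->getAttribute('ID');
        print "Assertion $id: ", ($ok->{$id} ? "covered by a valid IdP signature\n"
                                             : "NOT covered by a valid signature\n");
    }
}
```

Against the response above, the hash comes back with both the Response ID and the Assertion ID, so either signature alone would be enough; the important thing is that the decision is made on the Assertion you read attributes from, not on "the first Signature the regex found". Taking only the outermost signature, as the modified Sig.pm does, works for this IdP but silently accepts a Response whose inner Assertion was replaced or was never signed, if the IdP is later reconfigured to sign only assertions. Signature verification is also only the first gate: InResponseTo, Recipient, Audience and the NotBefore/NotOnOrAfter window still have to be checked by the caller.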
Subject: | XMLresponse.txt |
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxe1b094bb-da11-e825-33af-4be7b4dd0cd8" Version="2.0" IssueInstant="2012-03-21T09:34:49Z" Destination="https://sp1.ucm.es:8080/cgi-bin/testSAML2_bind.pl" InResponseTo="8e860823847102d55b9e2078037b79df">
<saml:Issuer>https://sso.ucm.es:8080/simplesaml/saml2/idp/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfxe1b094bb-da11-e825-33af-4be7b4dd0cd8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>fQ2BDjWLb7i85kQ/7PEvrIr4G24=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>1M6Uw88pAgYD5kUaWZ+WPDxM7ZUE+JhmCGlkgaAvxBK9MO/G+PXQLMMpV4jQPaXjChfxUJczVhP8LbBs8pYozAe3nYeXrs7mrIiwOSu78TnXbJy8+jSndZgzUdqfHZbfunMCwCn+EKULpT6GU7PB5e7N2s08neUNYCglKUSnArQ=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>....</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx5138f471-3cd4-58bf-3625-6b2df40ef216" Version="2.0" IssueInstant="2012-03-21T09:34:49Z">
<saml:Issuer>https://sso.ucm.es:8080/simplesaml/saml2/idp/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx5138f471-3cd4-58bf-3625-6b2df40ef216">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>uV8jdTuNLFWNv3PEiNI6ECY1JWA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>hmYVoTjrvJlOh3UWRJRFr5lhLeM4gdG8oBLOu970LYiDrNi3Hx8RhRPgvkmI4l0f9MmNXb6RO5CGOAL7zPdFD9uJ14YWAw4k3kMJ5mUM3ZKWHtLQ6gZJPxD0ZW4XphKXIOHaoxE93VVZEFxhjgB4y5gJ+w3LApIBh55/M4YgyJc=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJFUzEPMA0GA1UECAwGTWFkcmlkMQ8wDQYDVQQHDAZNYWRyaWQxDDAKBgNVBAoMA1VDTTEQMA4GA1UECwwHU1NJSS1DQTAeFw0xMjAzMjAxNTMxMzZaFw0xMzAzMjAxNTMxMzZaMFAxCzAJBgNVBAYTAkVTMQ8wDQYDVQQIDAZNYWRyaWQxDDAKBgNVBAoMA1VDTTENMAsGA1UECwwEU1NJSTETMBEGA1UEAwwKc3NvLnVjbS5lczCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1+w8+98SLJIrA9e99rZ7q/9JTP9Nk2DDaM6m3F2kYBy6npPbI94RzdYUbn9FtATgztlTfe9yE12Uc7roCuY3EKcrxcwdta1ZulRyn7ihUREIz0m4DAMzlswPbdEuj6jBbr0pU/sHQEDB7Rdb4KEfk0I+RI5qb3DayFpNCL24bEsCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFK5zL442UO23oBNdGEpxefiamVbbMB8GA1UdIwQYMBaAFJSe7JIFgXldZYO9qt+5gblEr4HbMA0GCSqGSIb3DQEBBQUAA4GBAFUuJvclKPJFfmPtQH3cMu1rfdbxSRhGryltif/nqun57YiaNl72juRF51FZFqYFE4FKZjzuSQUi+xLS0Gu/xod4Eatpnj4hXnQeawx7LSzbrHW3/yUp2+/yhswEfED8IPMt09Do2g/hOF6iR5ibD+SRzbIyOb1WzPAkO3T6xCUm</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID SPNameQualifier="https://sp1.ucm.es:8080/cgi-bin/testSAML2.pl" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_d8d9ab645849d24aeb9144c0c2f1c2fee3ad7087ab</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2012-03-21T09:39:49Z" Recipient="https://sp1.ucm.es:8080/cgi-bin/testSAML2_bind.pl" InResponseTo="8e860823847102d55b9e2078037b79df"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2012-03-21T09:34:19Z" NotOnOrAfter="2012-03-21T09:39:49Z">
<saml:AudienceRestriction>
<saml:Audience>https://sp1.ucm.es:8080/cgi-bin/testSAML2.pl</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2012-03-21T09:34:49Z" SessionNotOnOrAfter="2012-03-21T17:34:49Z" SessionIndex="_77c6a2594f557fecb537a3ff1295f2ef292213be77">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="ucmSyslogHome" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">pasito</saml:AttributeValue>
</saml:Attribute>
....
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Subject: | Sig.pm |
Message body is not shown because it is too large.