IdP metadata EntitiesDescriptor - metadata

I'm using the ITfoxtec Identity SAML2 library with Keycloak as IdP. When requesting the IdP metadata information, the ITfoxtec Identity SAML2 library seems not to recognize the <EntitiesDescriptor> tag and expects an <EntityDescriptor> as the top-level element in the metadata XML.
Use of <EntitiesDescriptor> is described in https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

I have released version 4.6.2-beta1 with support for reading SAML 2.0 metadata with an EntitiesDescriptor root element. The first EntityDescriptor element is selected.
Please let me know if it works for you.

Related

How to set WantAuthnRequestsSigned to false in Keycloak

I'm using Keycloak and I want to change the attribute WantAuthnRequestsSigned to false in the SAML Identity Provider Metadata.
Thanks
Just edit the saved SAML IdP metadata XML file and change WantAuthnRequestsSigned to false directly.
You also need to turn off Client Signature Required in your client settings.
Based on the source code, WantAuthnRequestsSigned is hardcoded as true. But it doesn't matter.
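The two threads above both come down to reading an IdP's metadata correctly: the first needs the EntityDescriptor found inside an EntitiesDescriptor root, the second needs the IDPSSODescriptor's WantAuthnRequestsSigned attribute. The following Python snippet is an added example (not ITfoxtec, Kentor or Keycloak code) that handles both root forms, recurses through nested EntitiesDescriptor groups, selects the first IdP (or one by entityID), and reports the signing requirement and SingleSignOnService endpoints. The metadata document, entity IDs and URLs are constructed for the example and are not from any real deployment.

```python
"""Read SAML 2.0 IdP metadata whose root is EntityDescriptor or EntitiesDescriptor.

Added example; not the code of ITfoxtec, Kentor or Keycloak. For metadata
fetched from an untrusted source use defusedxml instead of xml.etree and
verify the metadata signature before trusting anything read here.
"""
import xml.etree.ElementTree as ET

MD_URI = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_URI}
MD = "{%s}" % MD_URI

# Constructed sample: an aggregate file wrapping two IdPs, the shape that trips
# up parsers expecting a bare EntityDescriptor root. Only the first IdP asks
# for signed AuthnRequests; the second omits the attribute.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp.example.org/realms/demo">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/realms/demo/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/realms/demo/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.net/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp2.example.net/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def iter_entity_descriptors(root):
    """Yield every EntityDescriptor under root.

    EntitiesDescriptor may contain EntityDescriptor children or further
    EntitiesDescriptor groups, so recurse; anything else is not metadata.
    """
    if root.tag == MD + "EntityDescriptor":
        yield root
    elif root.tag == MD + "EntitiesDescriptor":
        for child in root:
            if child.tag in (MD + "EntityDescriptor", MD + "EntitiesDescriptor"):
                yield from iter_entity_descriptors(child)
    else:
        raise ValueError("unexpected metadata root %r" % root.tag)


def select_idp(metadata_xml, entity_id=None):
    """Return the first EntityDescriptor that carries an IDPSSODescriptor,
    or the one with the given entityID when entity_id is set."""
    root = ET.fromstring(metadata_xml)
    for ed in iter_entity_descriptors(root):
        if ed.find("md:IDPSSODescriptor", NS) is None:
            continue
        if entity_id is None or ed.get("entityID") == entity_id:
            return ed
    raise LookupError("no matching IdP EntityDescriptor in metadata")


def extract_entity_descriptor(metadata_xml, entity_id=None):
    """Serialise one EntityDescriptor as a standalone document, the workaround
    for libraries that only accept an EntityDescriptor root. Note that this
    discards any signature placed over the enclosing EntitiesDescriptor."""
    return ET.tostring(select_idp(metadata_xml, entity_id))


def describe_idp(metadata_xml, entity_id=None):
    ed = select_idp(metadata_xml, entity_id)
    idp = ed.find("md:IDPSSODescriptor", NS)
    # The attribute is optional in the metadata schema; when omitted the spec
    # says the value is assumed to be false. xs:boolean also allows "1"/"0".
    wants_signed = idp.get("WantAuthnRequestsSigned", "false").strip().lower() in ("true", "1")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entityID": ed.get("entityID"),
            "WantAuthnRequestsSigned": wants_signed,
            "SingleSignOnService": sso}


if __name__ == "__main__":
    print(describe_idp(SAMPLE_METADATA))
    print(describe_idp(SAMPLE_METADATA, "https://idp2.example.net/saml"))
```

Picking "the first EntityDescriptor" is only safe when the aggregate contains exactly the IdP you expect; for federation files select by entityID, and check the signature on the whole EntitiesDescriptor before pulling one descriptor out of it.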

How do I build a SAML login link dynamically?

I want a link on my login page that says "Log in with [identity provider]". For ssocircle, apparently the login link is
https://idp.ssocircle.com/sso/idpssoinit?metaAlias=%2Fpublicidp
But this link isn't located anywhere in the XML used to configure it. The IdP XML contains the following:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/publicidp"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/publicidp"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/publicidp"/>
Is it not possible to build the URL from these? Do I need to add a configuration for every IdP that includes asking for the login URL as well as the XML?
Unfortunately, the URL that you call on the IdP is out of scope for SAML.
SAML only specifies that it is possible for the IdP to start the authentication itself, not what triggers it to start. This is why it is not present in the metadata.
For the use case you describe you should use Service Provider initiated SSO. In that case the URL to which the AuthnRequest is sent is defined in the metadata XML that you mentioned.
But you end up with logic in your own application that must generate the correct AuthnRequest. That URL, however, is under your control ...
Image from the spec describing the SP-initiated flow:
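To make the answer above concrete, here is an added Python example (not ssocircle's or any library's code) that builds the SP-initiated login link the questioner wants: it generates a minimal AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) and appends it to the HTTP-Redirect SingleSignOnService Location taken from the metadata in the question. The SP entity ID and AssertionConsumerService URL are assumed values. A decoder is included so the round trip can be checked offline.

```python
"""Build an SP-initiated SAML 2.0 login URL using the HTTP-Redirect binding.

Added example. Only IDP_REDIRECT_LOCATION comes from the question's metadata;
the SP identifiers are assumptions. Signing of the redirect query string
(SigAlg/Signature) is not shown and is needed when the IdP sets
WantAuthnRequestsSigned="true".
"""
import base64
import datetime
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

# HTTP-Redirect SingleSignOnService Location from the question's IdP metadata.
IDP_REDIRECT_LOCATION = "https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/publicidp"
# Assumed SP values (hypothetical).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"


def _attr(value):
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """Return (request_id, xml). Store request_id server-side so the
    Response's InResponseTo can be checked later."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s" Destination="%s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '</samlp:AuthnRequest>'
    ) % (_attr(request_id), _attr(issue_instant), _attr(destination),
         _attr(acs_url), escape(issuer))
    return request_id, xml


def deflate_b64(xml):
    # Redirect binding: raw DEFLATE (negative wbits = no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_login_url(destination, issuer, acs_url, relay_state=None, **kw):
    """Return (request_id, url). The URL is what the "Log in with ..." link points to.
    RelayState is opaque to the IdP; keep it short (the spec caps it at 80 bytes)
    and validate it on return, never treat it as a trusted redirect target."""
    request_id, xml = build_authn_request(issuer, acs_url, destination, **kw)
    params = {"SAMLRequest": deflate_b64(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if urlsplit(destination).query else "?"
    return request_id, destination + sep + urlencode(params)


def decode_login_url(url):
    """Inverse of build_login_url, useful for inspecting what a link carries."""
    qs = parse_qs(urlsplit(url).query)
    return inflate_b64(qs["SAMLRequest"][0])


if __name__ == "__main__":
    rid, link = build_login_url(IDP_REDIRECT_LOCATION, SP_ENTITY_ID, SP_ACS_URL, relay_state="/")
    print(rid)
    print(link)
    print(decode_login_url(link))
```

The Destination attribute is set to the same Location the request is sent to, so an IdP that checks it will accept the message; the ProtocolBinding asks the IdP to return the Response via HTTP-POST to the ACS URL, which is the usual pairing with a Redirect-binding request.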

How to generate a Swagger file for a REST API

My requirement is to generate a Swagger file for a given REST API URL. I have invoked the URLs mentioned below using the Postman client and it was working fine.
However, to use this URL in Informatica, it is required to have an associated Swagger file in either JSON or YAML format.
I am just an end user of the REST API and not aware of its code.
Below are the URLs which were used.
https://app.informaticaondemand.com/ma/api/v2/user/login [Method=POST]
https://app2.informaticacloud.com/saas/api/v2/activity/activityLog?rowLimit=1000 [Method=GET]
Please suggest any third-party utilities that help create Swagger files for these APIs.
Thanks,
Tom George
You could use OpenAPI designer. It's an easy-to-use, self-explanatory Swagger generator. Fill out the required forms in the "Header" tab and then add the login and activityLog paths in the "Paths" tab.
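As an added example (not Informatica's or OpenAPI designer's code), the script below does the same job the answer describes by hand: given the (method, URL) pairs the questioner already tested in Postman, it derives host, scheme, path and query parameters and emits a Swagger 2.0 skeleton. Because Swagger 2.0 allows a single host per document, the two URLs, which live on different hosts, produce two documents. The parameter types are guessed from the sample values and the POST body is declared as a generic object; both are placeholders to be refined from the vendor's documentation.

```python
"""Generate Swagger 2.0 skeletons from URLs that were exercised manually.

Added example. The endpoint list is the one in the question; the type
inference and the generic POST body schema are heuristics, not facts
about the Informatica API.
"""
import json
from urllib.parse import parse_qsl, urlsplit

ENDPOINTS = [
    ("POST", "https://app.informaticaondemand.com/ma/api/v2/user/login"),
    ("GET", "https://app2.informaticacloud.com/saas/api/v2/activity/activityLog?rowLimit=1000"),
]


def _query_parameters(query):
    """Turn a query string into Swagger 2.0 query parameters, guessing
    'integer' for all-digit sample values and 'string' otherwise."""
    params = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        is_int = value.isdigit()
        params.append({
            "name": name,
            "in": "query",
            "required": False,
            "type": "integer" if is_int else "string",
            "default": int(value) if is_int else value,
        })
    return params


def swagger_skeletons(endpoints, title="Generated API"):
    """Return {host: swagger_document}; one document per host because a
    Swagger 2.0 document has exactly one 'host'."""
    specs = {}
    for method, url in endpoints:
        u = urlsplit(url)
        spec = specs.setdefault(u.netloc, {
            "swagger": "2.0",
            "info": {"title": title, "version": "1.0.0"},
            "host": u.netloc,
            "schemes": [u.scheme],
            "paths": {},
        })
        operation = {
            "responses": {"200": {"description": "Successful response"}},
        }
        parameters = _query_parameters(u.query)
        if method.upper() in ("POST", "PUT", "PATCH"):
            # Body shape is unknown from the URL alone; declare a free-form object.
            operation["consumes"] = ["application/json"]
            parameters.append({"name": "body", "in": "body", "schema": {"type": "object"}})
        if parameters:
            operation["parameters"] = parameters
        spec["paths"].setdefault(u.path, {})[method.lower()] = operation
    return specs


def to_json(spec):
    return json.dumps(spec, indent=2, sort_keys=True)


if __name__ == "__main__":
    for host, spec in swagger_skeletons(ENDPOINTS).items():
        print("# ---", host)
        print(to_json(spec))
```

Import the resulting JSON into the designer (or any Swagger 2.0 editor) and fill in the response schemas and the authentication scheme; the login endpoint in particular should be described with a securityDefinitions entry once you know how its session token is presented on later calls.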

How to display original content (DOM) of the assertion in Spring SAML?

For my project I am required to display the encrypted as well as the decrypted version of the SAML response to the user.
Currently the Spring SAML sample app displays the encrypted (i.e. original) SAML response, but I am not sure how to show the same response with all elements (NameID, assertions, and other elements) decrypted.
I know that the Spring SAML sample app displays the assertions in a table format, but I am required to display the entire 'decrypted' XML SAML response with all the tags and attributes.
Note that I am working on the SP part, and the IdP is configured to send encrypted SAML responses with encrypted attributes and NameIDs.
Any help is appreciated.
Part 9.5 of the manual should help you.
9.5 Authentication assertion
Assertion used to authenticate user is stored in the SAMLCredential object under property authenticationAssertion. By default the original content (DOM) of the assertion is discarded and system only keeps an unmarshalled version which might slightly differ from the original, e.g. in white-spaces. In order to instruct Spring SAML to keep the assertion in the original form (keep its DOM) set property releaseDOM to false on bean WebSSOProfileConsumerImpl.
Assertion can be serialized to String using the following call:
XMLHelper.nodeToString(SAMLUtil.marshallMessage(credential.getAuthenticationAssertion()))

Kentor AuthService - Read Subject NameID

How can I access the saml2:NameID from the saml2:Subject node of the response XML using Kentor AuthService?
I couldn't find anything in the code that deals with that part of the XML. Maybe I'm missing something.
I'm not asking about the Kentor IdP; I see that there the NameID is sent as an additional claim, which is translated to an attribute. I'm asking in general: the IdP does not have to be powered by Kentor, so I can't rely on having this value passed as an attribute.
So, if it's handled, I couldn't find it here:
https://github.com/KentorIT/authservices/tree/master/Kentor.AuthServices
One option would be to parse the XML on my own, but if there's already an implemented or better solution, that would be great.
The Subject NameID is translated to a claim with type ClaimTypes.NameIdentifier (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier).
It should be in the claims collection of the created claims identity.