I'm writing an app that I'm trying to integrate into a Shibboleth/SAML authentication provider. I'm the SP, I believe (I'm using github.com/crewjam/saml for the SAML code). I've gotten the code to work with https://samltest.id and one other Shibboleth implementation.
A third Shibboleth implementation does not work, however. The tech support for the non-working server has given me its IdP URL, which appears to contain similar XML as the other two IdP URLs. In addition, the tech support emailed me a file containing another certificate -- not included in the XML -- and asked me whether I was using it.
At this point, I'm a little confused as to what exactly I need to implement. Do I need to somehow include this emailed certificate manually in my code? Or, should I rely on the XML to provide the right information?
I'd appreciate any advice!
The answer to this question depends on your "non-working" IdP. A SAML entity uses public key cryptography to secure the data transmitted to trusted partners. Public keys are published in the form of X.509 certificates in metadata whereas the corresponding private keys are held securely by the entity. These keys are used for message-level signing and encryption, and to create secure back channels for transporting SAML messages over TLS.
IF the IdP metadata (the XML document) is correct, it should contain the IdP's public key. Ideally you should rely on the metadata and the public key in the metadata but Things Happen(tm) and the cert in metadata might not be what you want.
See this answer for a little more detail on that.
Related
Not an expert on the subject, I wanted to understand if a public key such as the one used for signing saml tokens by a STS such as ADFS can be retrieved on-demand automatically by a relying party server. Is anything like this possible or does the public key need be deployed manually to servers requiring it? Do standards like SAML allow embedding a URL in the saml token for downloading the public key when needed? Is anything like this simply a crazy idea from a security standpoint?
The ADFS keys are all in the metadata.
The metadata is always publically available via a URL.
In addition, the RP normally requires the metadata to do the initial config. on its side.
I'm working with a customer who has built a home-grown engine to generate SAML assertions. We are using ForumSentry to validate the assertion, but the digest is failing to validate. We already have a dozen other customers sending us SAML assertions, for web SSO, perfectly well, and I'm sure ForumSys have many 100's of customers for ForumSentry working perfectly well too.
I've spent many hours trying to understand exactly what the digest is made of and trying to find samples of XML which goes into the digest algorithm. I've failed and I would appreciate some help please.
It seems to me that the only data signed is the reference URI, and not all other the "parameters" of the assertion, such as the subject, issuer, etc. Is this correct / what don't I understand? What is the background to this? If correct, how is the other data protected from tampering?
Is there an assumption that Web SSO must be over HTTPS to protect the integrity of the entire assertion?
What data exactly forms the data that is signed? Could someone post an example please, both pre and post canonicalization of data that is signed.
Any other background info would be great.
SAML uses XML DSig for signing. When a SAML entity (an assertion, an entire Response, metadata etc...) is signed it is done by using specific algorithms in the XML Dsig suite.
The reference of the signature must point to the ID of the signed entity. For a signed assertion that is the ID attribute of the <assertion> node.
The canonicalization algorithm used must be Exclusive Canonicalization. This is nothing that affects the actual XML contents, it is an instruction to the XML parser used by the crypto library that makes sure that whitespace differences etc. won't affect the validity of the signed data.
XML DSig works in two steps:
First a hash is calculated for each reference in the signature. For SAML signing there should only be one reference to the ID attribute of the enclosing entity.
Then a cryptographic signature is calculated across the XML containing the hashes.
This means that a single signature can be used to verify the integrity of several pieces of XML, but in SAML that functionality is not used.
With each signature containing exactly one reference to the ID attribute of the signed entity, the entire entity is protected by the signature.
I'd suggest that you read the SAML core spec section 5.4 if you need more details on how the XML signature works with SAML.
I am trying to understand the SAML 2 protocol and in that process got a little bit lost with the signature and certificate business.
Basically, I am not clear of when each of the certs are used.
Service Provider Meta Data and Identity Provider Metadata - do we need to generate certificates/keys as a part of the SP and IDP metadata? If so how/when will these certs be used?
HOK token also needs a certificate - when does that come into picture? Does the principal's certificate/public key needs to be exported to the IDP also along withe SP's certificate?
When using bearer tokens (they do not have any certs associated with the principal) is the SAML response/assertion still signed? Is it different from the ds:keyInfo in the SAML response in this case?
Thanks a bunch for the help!!
1.
Certificates in SP and IDP metadata are typically used for two purposes digital signing and digital encryption. Attribute "usage" on metadata makes the discrimination. Certificates are typically included in the metadata, but they could also be ommited and provided out-of-band (e.g. by direct configuration in IDP and SP, if supported). These keys identify the SP and IDP machines, they have nothing to do with the users.
When SP sends a SAML message towards IDP the message can be digitally signed using SP's private key (whose public key + certificate is included in the SP metadata and available to IDP), IDP is able to verify the SP's signature using the SP's public key.
When SP wants to encrypt part of the SAML data (whole message, assertion, name ID, attribute, ...) it uses public key declared in the IDP's metadata, IDP then decrypts the data using its private key.
Sometimes metadata can contain multiple signing or encryption keys, e.g. in case of certificate rollover before expiration.
2.
Bearer mechanisms are used to make sure that the entity (e.g. web browser) who is presenting a SAML message is allowed to do so. In SAML WebSSO AuthnResponse message gets issued by the IDP, but is delivered to the SP by the browser. HoK SubjectConfiguration tells that we are identifying the presenter by making sure that it can prove posession of a private key whose public key/certificate is included in the SubjectConfirmation element. This is typically done by usage of SSL/TLS Client Authentication (i.e. user installs private key in browser and uses it to authenticate toward SAML service when opening the HTTPS scheme with SSL/TLS).
So here we are dealing with keys issued directly to users, not to SP/IDP services. Whether or not you need to import user's certificate(s) to the IDP or not is IDP-implementation specific.
3.
Yes, the messages will still be signed (when configured to be) and KeyInfo in the SAML response will be the same in both cases.
Cheers,
Vladimir Schafer
I am working on a project that needs to be integrating SAML2.0. I was thrown into this project suddenly, i need to make it work.
Here is the background: We have created the files and wanted Client Company to integrate using SAML2 to get to our web site. We have sent them the meta datafile.
Now the client company had sent their metadata file. I dont know how and what to do with that file. Any help will be appreciated.
ASP.NET, Framework 4.0
The metadata file basically provides you information of your client. Such as entityID, credential, and so on. If it is an IdP then it also contain couple URLs so that you know where to send different request, e.g. login request, attribute query request. You need to give this metadata to your SAML component so that it know which client it should talk to.
Another main purpose is to establish a trust relationship between SP and IdP.
It's kind of old question but I would like to add some additional information and resources for .NET.
SAML Metadata is used to exchange configuration information between Service Provider and Identity Provider and vice versa. The information can include:
Binging location
Organization name
Contact Person
Single Sign On Url
Single Logout Url
The Metadata can be signed and encrypted so that the information is sent securely. The other side may need the corresponding public key to validate and decrypt it and then can be used to understand and establish the connection with the SP or IdP.
You can see some more info at the following blog posts:
http://samlcomponent.net/constructing-saml-metadata-xml-for-single-sign-on-idp/
http://samlcomponent.net/how-to-create-saml-metadata-xml-for-service-provider/
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. This single sign-on (SSO) login standard has significant advantages over logging in using a username/password:
1.No need to type in credentials
2.No need to remember and renew passwords
3.No weak passwords
It is easy to manage all applications in one tree using SAML SSO login.
How actually SAML works:
The user accesses the remote application using a link on an intranet, a bookmark, or similar and the application loads.
The application identifies the user’s origin (by application subdomain, user IP address, or similar) and redirects the user back to the identity provider, asking for authentication. This is the authentication request.
The user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider.
The identity provider builds the authentication response in the form of an XML-document containing the user’s username or email address, signs it using an X.509 certificate, and posts this information to the service provider.
The service provider, which already knows the identity provider and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.
The identity of the user is established and the user is provided with app access.
Take a look at the metadata SAML 2.0 specification to check what elements must be read by your implementation.
If you are looking for a SAML2 .Net Tookit, take a look to this thread of stackoverflow
Also take a look on SAML open source implementations to learn how others resolved this problem before:
SimpleSAMLphp (PHP implementation Idp/SP). (Metadata parser)
Shibboleth IdP (Java) (opensaml2) / SP (C)
spring-security-saml: SP (Java) (metadata files)
Jboss (Java)
Metadata is nothing but the xml file containing all the information required by your SAML implementation to talk with host. you can extract information from this meta to get the desired information required. Like public/private keys.
I hope you are also using certificate to talk with host on secure manner.
This key is required for handshaking with unknown host system.
I have set up a single sign on(SSO) for my services. All the services confirm the identity of the user using the IDPorvider(IDP). In my case I am also the IDP.
In my saml request, I have included the following:
1. the level for which auth. is required.
2. the consumer url
3. the destination service url.
4. Issuer
Then, encrypting this message with the SP's(service provider) private key and then with the IDP's Public key. Then I am sending this request.
The IDP on receiving the request, first decrypts with his own private key and then with SP's public key. In the saml response:
1. destination url
2. Issuer
3. Status of the response
Is this good enough? Please give your suggestions?
In general it goes something like this. There is encryption and then there is singing in SAML. You never want to be in production without digital signature sbeing used for SAML. You can disable signature processing for testing purposes I suppose. We alow this in SiteMinder Federation Servcies (SMFSS) for testing purposes only. So, with that being said you're not saying anything about digital signatures and are only talking about encryption.
But here is a rundown of the two in my own very dumbed down description which although I sound silly with the way I explain it I am hoping it will help you. And if you already know this I apologize in advance. One more thing is that this is very basic but you can get more details on google searching for encrytpion, decryption, certificates, etc.
Actually, here is a rundown of what I use to train new support folks for Federation with SMFSS (SiteMinder Federation Services) and at the end is the section I wrote on certs. This was just something I wrote up very quickly and is not very slick looking but it defintiely gets the job done, and quickly. It was written as sort of a copy of what I do with POC SAML 2.0 POST customers who already have SiteMinder setup. I just figured I would give you this since it has a lot of tools you may find useful once you get going in case you were not aware of them already. ;-)
You will need two environments with Agent, Agent OP, Policy Server, Policy Server OP. Need two agents so one can be IDP and one SP.
To set up Agent Option Pack see:
Chapter 8: Federation Web Services Application Setup & Deploy Federation Web Services as a Web Application & Configure ServletExec to Work with Federation Web Services
Now set up the SAML 2.0 POST authentication: You should use the following as it is step by step. But first see the chapter on settings that must match as they need to match for the IDP and SP sides. The chapters below for IDP and SP set up are pretty much step by step, really, Follow 14 and 16 step by step and you’re good to go.
Chapter 22: Configuration Settings that Must Use the Same Values
Then use this to set up the IDP and SP:
Chapter 14: Configure SiteMinder as a SAML 2.0 Identity Provider
Chapter 16: Configure SiteMinder as a SAML 2.0 Service Provider
Run your SAML 2.0 transaction and get a Fiddler Trace of it. Pull out the certs and create a .cer file. Pull out the assertion and check the XML online using the tools below.
Set up Fiddler Tool and make sure you have HTTPS Decryption enabled. I had the link here but just go to gllgle and type in "Fiddler Tool HTTPS decryption" and you'll get it.
Used to review the URL posted or redirected with SAML transactions taken out of Fiddler Usually:
https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
I have used this one multiple times to validate XML (the assertion) when I get parsing errors or other errors with partners saying our assertion is not good or if we have a partners assertion that is not good. I like to check the syntax first and if that is fine then check SAML specs to see if they have correct values in the SAML assertion itself. In other words make sure it is SAML compliant.
http://www.w3schools.com/dom/dom_validate.asp
HINT: You can take the base 64 encoded cert info out of our logs or the Fiddler Traces and paste to a notepad and save it as name.cer. Then when you open this file you can look at the cert the customer is using. This is helpful because then you can see if they have the right cert and see who their Root CA is or their intermediate Root CA. Make sure you get all the data including the = or == that may be at the end of the lines for the cert info.
When performing SLO or Artifact the partner will need to connect on the back channel to a web server on the other partners site. When this happens the Web Server being connected to is being served over SSL/HTTPS. This means that the one connecting to that server must have the ROOT CA cert which signed the web sever’s cert in it’s keystore. The theory of this is the same as when you open a browser and connect to an HTTPS web server. All browsers come with the major Root CA certs already imported into them. The whole point of this is that when you put a cert on a web server it is not really for protection it is to let anyone who connects know that you really are that website and really are who you say you are. The fact that you have a cert makes your site be HTTPS and the reason you believe they are who they say they are is that they give you their cert when you connect and if you have the ROOT CA for that cert on the website then this means you trust their ROOT CA. if you trust their ROOT CA then you can connect. If you do not have the ROOT CA cert imported into your browser then you can not connect over SSL/HTTPS to that webserver.
**Encryption and Decryption (if a packet is reads off the wire then the data is encrypted for safety of packet data):
Encryption is done on the IDP side and you can encrypt the entire assertion, NameID value, Attributes and perhaps more?
Encryption is done on the IDP side using the PUBLIC Key Certificate (SP’s cert) which is given to the IDP offline by the SP.
When the SP gets the assertion (or whatever the IDP encrypted) then it must have it’s private key in it’s keystore so that it can decrypt the data and read it. This is the decryption.
The reason this is secure and protects the data is that ONLY the SP should have their own PRIVATE key. Thus if this packet was stolen no one can decrypt it but them.
***Signing and verification – This is not SECURE as it does not encrypt the data. It is not meant to be secure for the packets it is meant to tell someone you really are who you say you are. So if you sign and assertion your partner will know it came from the IDP they expected it to come from.
The IDP must use their public/private key PAIR to sign the data.
The SP must use the IDP’s PUBLIC key (given to the SP offline) to verify the signature. The reason you know the data is from that IDP is that ONLY data signed with the IDP’s private key and be decrypted with their public key. In other words, you can’t pretend you are that IDP and send signed data to the SP and get them to think it is the IDP because the public key for the IDP can only be used to verify things signed with the matching private key. This proves you are who you say you are.
end silly technote I wrote**
I hope you find the certs info and tools useful in your future SAML endeavours! Happy Federating!
update - I was not able to post all the links but some were just base 64 decryption as it will allow me to post only two I am posting the most needed two.
Thanks!
Crissy Stone
CA Technologies SiteMinder Support