I am trying to register Zendesk as a remote service provider in an OpenAM server.
I have a problem finding a metadata file or a URL for Zendesk. Is it even needed? If so, how can I fill in that field?
You could construct the SAML metadata manually; something like this should work:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="myorganization.zendesk.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myorganization.zendesk.com/access/saml"/>
</SPSSODescriptor>
</EntityDescriptor>
When Cognito sends the SAMLRequest to the IdP, the request does not have all the information that the IdP is expecting.
The SP is sending the following request:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="assertionURL" Destination="destinaUrl" ID="_a4b38e68-8e69-4a5d-927b-01e16da92ca7" IssueInstant="2019-10-23T15:14:36.339Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:blah:blah</saml2:Issuer>
</saml2p:AuthnRequest>
However, through manual testing, the following SAMLRequest works:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://uat-marley.auth.us-east-1.amazoncognito.com/saml2/idpresponse" Destination="https://ssofed-qa.metlife.com/affwebservices/public/saml2sso?SPID=urn:amazon:cognito:sp:us-east-1_k4dn6EP6k" ID="_a4b38e68-8e69-4a5d-927b-01e16da92ca7" IssueInstant="2019-10-23T15:14:36.339Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:amazon:cognito:sp:us-east-1_k4dn6EP6k</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
</saml2p:AuthnRequest>
The only difference is this line:
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
Because the AWS user pools identity federation config only needs IdP metadata in order to integrate with IdPs, I'm assuming I need to tweak the metadata in order to change the SAMLRequest to include the NameIDPolicy element.
I have been using this doc to try different elements:
http://www.datypic.com/sc/saml2/s-saml-schema-metadata-2.0.xsd.html
I've also been using this website to build metadata: https://www.samltool.com/idp_metadata.php
Also:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-integrating-3rd-party-saml-providers.html
IdP's sample metadata:
<EntityDescriptor ID="SM172d8336f5cde29cebbfed3478bc49c5ee3f72a813a3" entityID="urn:entity:id" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="true" ID="SM1d149b29837b56846f0e9a85ae92be6449ffd58ef1e" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo Id="myid" xmlns:ns1="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509IssuerSerial>
<X509IssuerName>
issuer info
</X509IssuerName>
<X509SerialNumber>
number
</X509SerialNumber>
</X509IssuerSerial>
<X509Certificate>
some cert
</X509Certificate>
<X509SubjectName>
relevant info
</X509SubjectName>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="redirect url" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="post url" />
</IDPSSODescriptor>
</EntityDescriptor>
I want to know how I can tweak the IdP's metadata such that Cognito knows to send this <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/> in the SAMLRequest.
Thank you for any help in advance, I've been struggling with this for a while.
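When an IdP rejects an AuthnRequest, the first thing to compare is what the request actually carries against what the IdP metadata advertises. The following example is added here and is not part of the question; it parses the two AuthnRequests quoted above (the "assertionURL" and "destinaUrl" placeholders are the question's own) and a trimmed copy of the IdP metadata, then reports the fields an IdP typically inspects. The ds:Signature check is an addition of this example: the metadata says WantAuthnRequestsSigned="true", and with the HTTP-POST binding the signature travels inside the request body.

```python
"""Compare a SAML AuthnRequest with what the IdP metadata advertises.

Added example, not from the original question. The documents below are
constructed from the fragments quoted in the question (metadata trimmed to
the parts this script reads).
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

REQUEST_WITHOUT_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="assertionURL" Destination="destinaUrl" ID="_a4b38e68-8e69-4a5d-927b-01e16da92ca7" IssueInstant="2019-10-23T15:14:36.339Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:blah:blah</saml2:Issuer>
</saml2p:AuthnRequest>"""

# The working request differs only by the NameIDPolicy element.
REQUEST_WITH_POLICY = REQUEST_WITHOUT_POLICY.replace(
    b"</saml2:Issuer>",
    b'</saml2:Issuer>\n<saml2p:NameIDPolicy AllowCreate="true" '
    b'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>')

IDP_METADATA = b"""<EntityDescriptor entityID="urn:entity:id" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="redirect url" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="post url" />
</IDPSSODescriptor>
</EntityDescriptor>"""


def describe_authn_request(xml_bytes):
    """Return the fields an IdP typically inspects on an AuthnRequest."""
    req = ET.fromstring(xml_bytes)
    issuer = req.find("saml2:Issuer", NS)
    policy = req.find("saml2p:NameIDPolicy", NS)
    return {
        "id": req.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None else None,
        "destination": req.get("Destination"),
        "nameid_policy_format": policy.get("Format") if policy is not None else None,
        "allow_create": policy.get("AllowCreate") if policy is not None else None,
        "signed": req.find("ds:Signature", NS) is not None,
    }


def describe_idp_metadata(xml_bytes):
    """Return what the IdP advertises: signing requirement, SSO endpoints, NameID formats."""
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        # key by the short binding name, e.g. "HTTP-POST"
        "sso_endpoints": {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


def request_problems(request_xml, metadata_xml):
    """Mismatches visible from the two documents alone, as human-readable strings."""
    req = describe_authn_request(request_xml)
    idp = describe_idp_metadata(metadata_xml)
    problems = []
    if req["nameid_policy_format"] is None:
        problems.append("request carries no NameIDPolicy")
    elif idp["nameid_formats"] and req["nameid_policy_format"] not in idp["nameid_formats"]:
        problems.append("requested NameID format is not advertised by the IdP")
    if idp["want_authn_requests_signed"] and not req["signed"]:
        problems.append("IdP wants signed AuthnRequests but the request body has no ds:Signature")
    return problems


if __name__ == "__main__":
    for label, doc in (("without policy", REQUEST_WITHOUT_POLICY), ("with policy", REQUEST_WITH_POLICY)):
        print(label, describe_authn_request(doc))
        print("  problems:", request_problems(doc, IDP_METADATA))
```

Running it lists the NameIDPolicy gap for the first request and not for the second; the signature finding appears for both because neither sample body is signed, which is exactly the kind of second discrepancy worth noticing before blaming the metadata alone.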
As outlined in the Google docs, you can use Google Apps as a SAML 2.0 IdP. The IdP metadata includes a URL for SSO but doesn't contain an SLO URL:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=XXXXXXXX" validUntil="xxxxxxx">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>....</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Trying to just use the same URL for SLO results in an error at Google:
Error parsing the request, malformed_request: The SAML request is malformed. That’s all we know.
Of course, you can just redirect to https://accounts.google.com/logout, but that will only end the Google session.
SLO is not mentioned in the Google docs. Is it supported?
Google does not support SAML SLO as an identity or service provider.
I get ADFS details of a user via WS-Fed, via:
https://github.com/auth0/passport-wsfed-saml2
and I only get nameID.
metadata.xml (my server address was replaced with http://localhost/app/; it runs over HTTPS):
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_5b6cd05c-a5e3-470d-a2fc-6c6f66633d1b" entityID="http://localhost/app/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<RoleDescriptor xsi:type="fed:ApplicationServiceType" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<fed:ClaimTypesRequested>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
<auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
</fed:ClaimTypesRequested>
<fed:TargetScopes>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://localhost/app/</Address>
</EndpointReference>
</fed:TargetScopes>
<fed:PassiveRequestorEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://localhost/app/</Address>
</EndpointReference>
</fed:PassiveRequestorEndpoint>
</RoleDescriptor>
</EntityDescriptor>
Even when I change "Optional" to false, it doesn't return any claims.
Does anyone know why ADFS ignores my claims?
Are you expecting ADFS to derive the claims from "ClaimTypesRequested"?
The way ADFS works is that the claims are derived from claims rules that are configured in ADFS.
What claims rules have you got configured?
I am trying to access a 3rd party web service using Apache CXF 3.1. When I call the service with the wsdl2java generated code or curl the service returns an exception indicating the message is not a valid SOAP message. See the message below.
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<connectivityTest xmlns="urn:cdc:iisb:2011" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="connectivityTest">
<echoBack>Hello IIS!</echoBack>
</connectivityTest>
</soap:Body>
</soap:Envelope>
When I remove the namespace prefix (soap:) and call the service using curl, the service works. See the working message below.
<?xml version="1.0" encoding="utf-8"?>
<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">
<Body>
<connectivityTest xmlns="urn:cdc:iisb:2011" xmlns:ns2="http://www.w3.org/2003/05/soap-envelope">
<echoBack>Hello IIS V2!</echoBack>
</connectivityTest>
</Body>
</Envelope>
How do I remove the namespace prefix from the Envelope and Body elements of my SOAP message before it is sent? Based on searching the web, it looks like I may need to create an interceptor. If someone can provide an example of an interceptor to remove the namespace prefix from the Envelope and Body elements, it would be much appreciated.
Thanks in advance!
JR
No interceptor is required for this. You can configure the namespace in your jaxws properties.
<jaxws:properties>
<entry key="soap.env.ns.map">
<map>
<entry key="" value="http://schemas.xmlsoap.org/soap/envelope/"/>
</map>
</entry>
<entry key="disable.outputstream.optimization" value="true"/>
</jaxws:properties>
I am calling an EWS service on an internal network which has no access to the Internet.
I can open the EWS URL with a browser and verify that it is up and running.
But when I try to send the SOAP request:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2007_SP1" />
</soap:Header>
<soap:Body>
<m:GetFolder>
<m:FolderShape>
<t:BaseShape>IdOnly</t:BaseShape>
</m:FolderShape>
<m:FolderIds>
<t:DistinguishedFolderId Id="calendar" />
</m:FolderIds>
</m:GetFolder>
</soap:Body>
</soap:Envelope>
It fails with the error ENOTFOUND. I am assuming that it cannot connect to the addresses given in the SOAP XML for the schema definitions.
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
How do I deal with this when there is no Internet connection?
I am sending the request from a meteor.js app using the lather.js library.
The things that look like URLs, prefixed with xmlns, are just namespaces and are never called. It is a bit like namespaces in a Java program (for example, the namespace com.sun.something), which are not URLs you can call either.
You should just do an HTTP POST and send the entire XML file to the SOAP server, which can be an internal IP address that is not on the Internet.
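Both SOAP threads above turn on the same two facts: an xmlns prefix is cosmetic, only the namespace URI an element is bound to matters to the receiving parser, and that URI is an identifier that is never fetched. The example below is added here and belongs to neither answer. It takes the two connectivityTest envelopes from the Apache CXF question (note that they differ not only in prefix but in the envelope namespace URI: the first is SOAP 1.1, the second SOAP 1.2), adds a constructed third envelope that uses the SOAP 1.1 URI as a default namespace, and shows that a parser sees the prefixed and unprefixed SOAP 1.1 forms as identical. It then builds the GetFolder request from the EWS question with explicit namespaces and posts it with http.client, where the only network destination is the host you pass in; post_soap is this example's own helper, not part of lather.js.

```python
"""Namespace URI versus prefix in SOAP envelopes, and posting to an internal host.

Added example, not from the answers above. The first two envelopes are the ones
quoted in the Apache CXF question; the third is constructed for comparison.
"""
import http.client
import io
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
EWS_M = "http://schemas.microsoft.com/exchange/services/2006/messages"
EWS_T = "http://schemas.microsoft.com/exchange/services/2006/types"

# Readable prefixes for the serializer (otherwise ElementTree emits ns0, ns1, ...).
ET.register_namespace("soap", SOAP11)
ET.register_namespace("m", EWS_M)
ET.register_namespace("t", EWS_T)

# From the CXF question: SOAP 1.1 namespace bound to the "soap" prefix.
PREFIXED_SOAP11 = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                   b'<soap:Body><connectivityTest xmlns="urn:cdc:iisb:2011">'
                   b'<echoBack>Hello IIS!</echoBack></connectivityTest></soap:Body></soap:Envelope>')
# From the CXF question: SOAP 1.2 namespace as the default namespace.
DEFAULT_NS_SOAP12 = (b'<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">'
                     b'<Body><connectivityTest xmlns="urn:cdc:iisb:2011">'
                     b'<echoBack>Hello IIS V2!</echoBack></connectivityTest></Body></Envelope>')
# Constructed: the SOAP 1.1 namespace declared as default namespace, no prefix.
DEFAULT_NS_SOAP11 = (b'<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">'
                     b'<Body><connectivityTest xmlns="urn:cdc:iisb:2011">'
                     b'<echoBack>Hello IIS!</echoBack></connectivityTest></Body></Envelope>')


def envelope_namespace(xml_bytes):
    """Namespace URI of the root element (ElementTree tags are '{uri}local')."""
    tag = ET.fromstring(xml_bytes).tag
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def body_children(xml_bytes):
    """Fully qualified names of the operation elements inside Body; prefixes do not appear."""
    root = ET.fromstring(xml_bytes)
    body = root.find(f"{{{envelope_namespace(xml_bytes)}}}Body")
    return [child.tag for child in body] if body is not None else []


def declared_namespaces(xml_bytes):
    """Every xmlns URI declared in the document. They are identifiers; nothing is resolved."""
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",))
    return {uri for _event, (_prefix, uri) in events}


def build_ews_get_folder(folder_id="calendar"):
    """The GetFolder request from the EWS question, built with the namespaces it uses."""
    env = ET.Element(f"{{{SOAP11}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP11}}}Header")
    ET.SubElement(header, f"{{{EWS_T}}}RequestServerVersion", Version="Exchange2007_SP1")
    body = ET.SubElement(env, f"{{{SOAP11}}}Body")
    get_folder = ET.SubElement(body, f"{{{EWS_M}}}GetFolder")
    shape = ET.SubElement(get_folder, f"{{{EWS_M}}}FolderShape")
    ET.SubElement(shape, f"{{{EWS_T}}}BaseShape").text = "IdOnly"
    ids = ET.SubElement(get_folder, f"{{{EWS_M}}}FolderIds")
    ET.SubElement(ids, f"{{{EWS_T}}}DistinguishedFolderId", Id=folder_id)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def post_soap(host, path, envelope, use_tls=True, timeout=10):
    """POST the envelope to `host` (an internal name or IP, with optional :port).

    The connection goes only to `host`; the xmlns URIs in the body are never
    contacted, so this works on a network with no Internet access.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    conn.request("POST", path, body=envelope,
                 headers={"Content-Type": "text/xml; charset=utf-8",
                          "Content-Length": str(len(envelope))})
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    for name, doc in (("prefixed 1.1", PREFIXED_SOAP11), ("default 1.1", DEFAULT_NS_SOAP11),
                      ("default 1.2", DEFAULT_NS_SOAP12)):
        print(name, envelope_namespace(doc), body_children(doc))
    ews = build_ews_get_folder()
    print(ews.decode())
    print("declared namespaces:", sorted(declared_namespaces(ews)))
    # e.g. post_soap("exchange.internal.example", "/EWS/Exchange.asmx", ews)
```

The printout shows the prefixed and default-namespace SOAP 1.1 envelopes resolving to the same namespace URI and the same qualified body element, while the SOAP 1.2 envelope differs in URI; when a service rejects one form and accepts another, check the URI first, not the prefix.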