SimpleSamlPHP (SP) & OKTA (IdP) - single-sign-on

I have a web application on my local computer: https://test.staging.me
This is a PHP (CakePHP) application.
I installed SimpleSamlPHP and configured it as the Service Provider(SP).
I created some tests from instruction: https://simplesamlphp.org/docs/stable/simplesamlphp-sp
And my tests with openidp.feide.no were successful.
But I have a problem with OKTA. I created "Test App Cakephp", assigned people to it and configured SimpleSamlPHP for it.
But after logging in I get this SAML response (without user attributes):
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" ID="id12087736095048056708868080" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- SignedInfo of the Response-level signature: the Reference URI below equals the ID attribute of the enclosing saml2p:Response. -->
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<!-- RSA with SHA-1. NOTE(review): where the IdP lets you choose, prefer an SHA-256 based signature method and have the SP reject SHA-1. -->
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id12087736095048056708868080">
<ds:Transforms>
<!-- enveloped-signature takes the ds:Signature element itself out of the digest input; exclusive c14n is applied after it. -->
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<!-- The digest over the referenced element is SHA-1 as well. -->
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>pU2jLhg9A4w97r8NVnBKl3IQZLE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>VPDveGXR0s0aL87FHcwlgox2jpF8Ka68+35u5sAwtNPu6YGLeHBZXMM0VJBGubXaP43p7U/bOCEDN28Unvdu+r7nsPayg7KRJtEBG5IPS0aHAsAVvFWCNKwbj/F3V+mNfjj6tyCYxfUv0VzGYFx74sR4jyatwMWM0C8Tn5/
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id120877360951785121155512781" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" >
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id120877360951785121155512781">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lob8Do3NlCm0YApUEdGks7Lvj5g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cxCVxow1zv7/C9fyG3n8FqXLNUCx6J3WMzZSB7oOQhBCWt1x+EmkB/Hh3l1AajeCRe50uCZlSfy5eN1kpLQPy1oqyTH/i08cdnzeb94eMh06JRpljSrGFBRyNz7RfoHSs13v8R3PEweDsM0XIUhfX3oL2JpGm7yxwcm/+UZpI2eq
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJv
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test1#my_domain.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2015-04-07T15:54:27.571Z" Recipient="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-04-07T15:44:27.571Z" NotOnOrAfter="2015-04-07T15:54:27.571Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >
<saml2:AudienceRestriction>
<saml2:Audience>https://test.staging.me/simplesamlphp/module.php/saml/sp/metadata.php/okta-sp</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2015-04-07T15:49:27.571Z" SessionIndex="id1428421767571.740119289" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
I cut off "ds:SignatureValue" and "ds:X509Certificate" fields for convenience.
My question: why don't I receive the user's attributes?
Thanks )

Okta, by default, doesn't send any attributes in the <saml2:AttributeStatement>. To configure the optional Attribute Statement take a look at Configuring the Okta Template SAML 2.0 App. The five standard Okta profile attributes you can send are First Name, Last Name, Email, and Okta Username.
For the user's first and last name to be included in the SAMLResponse from Okta:
<saml2:AttributeStatement>
<saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Thomas</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Kirk</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
You must configure your Okta SAML 2.0 app to include the following Attribute Statement:
FirstName|${user.firstName},LastName|${user.lastName}
In addition to the standard Okta profile attributes (First Name, Last Name, Email, and Okta Username), you can use additional attributes that have been pulled into Okta from Workday, Active Directory, and other LDAP directories.

Related

jmeter - WS Security for SOAP - SOAPMessage Timestamp&Token&Signature - problem with orders

I have been using this WS Security for SOAP plugin in jmeter for a long time. It works properly.
But I came across an interesting phenomenon about my current job. I would like to know if anyone has relevant experience on the subject!
The service we used to use as "asmx" has been changed to "svc". I'd like to test call this with a certificate.
In the meantime a new requirement has been introduced: the service now also requires a timestamp in the call, and the timestamp is signed as well.
By setting the jmeter components provided by the wss module properly, the tags in the wssecurity header are created in the following order, depending on which is higher in the hierarchy list:
Watch the timestamp!
<soapenv:Header>
<wsse:Security >
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>...
OR
<soapenv:Header>
<wsse:Security >
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>...
However, the service accepts neither order.
By rebuilding the request with string operations as a workaround, I found that the correct order would be:
<soapenv:Header>
<wsse:Security >
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>...
However, I didn't see any way to set such an order!
Does anyone have any idea how I could solve this "nicely"?

Databricks SSO authentication failed | Google IdP

I've configured Databricks SSO 2.0 to work with Google as IdP
When I try to test it I receive this error: "Single Sign-On authentication failed."
Tracking the SAML messages everything looks correct:
SAML REQUEST:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_956****d-44fe-**80-654e-b9ae3c8974e1"
Version="2.0"
IssueInstant="2021-10-19T12:38:10Z"
Destination="https://accounts.google.com/o/saml2/idp?idpid=*****sha*****"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://dbc-***990a9-*****.cloud.databricks.com/saml/consume"
>
<saml:Issuer>https://dbc-****990a9-*****.cloud.databricks.com/saml/consume</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"
/>
</samlp:AuthnRequest>
SAML RESPONSE:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://dbc-*****990a9-*****.cloud.databricks.com/saml/consume"
ID="_d32****e5002e8760******d431c69"
InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_cb5ee***08cb7***********bd194"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_cb5ee92*******0652**2145*******4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>i45E******dCx*********zXr7AC2RX38=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PeQTj**********************E8O46BoalK+7sblRLA5hCk/xuGRADeuGyGERwdEDdeY5tJK
uDhr+W4oML75eDYMSwYW6ZcDyFXFmQucia7HLD0pI************************************************iYZr8opwuzFkzOnnwulgTwlk9
137uW2/abZFV2M***************==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>*****************IBAgIGAVr9E/j7MA0GCSqGSIb3DQEBCwU***********************************qQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQBSOUJWpyF3PEpiFHednZqU9U8yJ+fakv9CZrx0tvuAKLKfD7f8cZpH4FORCVg82stN3mOd
BlZ+3PyVr/tGz4Lf1vbXULC256HvmKBFI8jc/N*******************************</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">danilo.ca*****#********.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
Recipient="https://dbc-*******990a9-******.cloud.databricks.com/saml/consume"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-10-19T12:33:21.957Z"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://dbc-*******990a9-******.cloud.databricks.com/saml/consume</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-10-19T12:38:21.000Z"
SessionIndex="_**ee**********7c40*****cddbbd194"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
All information in the SAML looks correct, my email, google ID, databricks url, still it keeps failing.
This is the doc for Google workspace SSO:
v1: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite.html
v2: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite20.html
Troubleshooting docs:
https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#troubleshooting
If you are using Google Workspace (formerly GSuite) single sign-on (SSO v2.0), double-check Step 7: "(Required) Select Signed response."
The response itself also has to be signed.
The solution is to select the Signed response option, so that the ds:Signature is placed directly under the Response element, before the Assertion element:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://*************.cloud.databricks.com/saml/consume"
ID="******************d3952e02"
InResponseTo="ONELOGIN_bc2cb9***************7-bb86-0***********fc4"
IssueInstant="2021-10-28T12:48:45.663Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=************</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_****************46dd50562**************52e02">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>***********2kA0VqohW***************OeeTyCnKuvVlGI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>*****************************JmIrnaHPRjm87OXyqnvOhNBjKD24BfBxnodbUmx9IeWKT4mBS13huje99DBl9S9
USPnKD3zwb1htVBWbT1TxSeD6EUZbl8**********************************3ODow==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>MIIDd**************************************UgwwH4Y/yQZx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>

Proper LogoutRequest for Single Logout with ADFS IdP

I'm successfully using OneLogin java-saml library for SAML SSO. But there are problems with SLO (Single Logout) with Active Directory Federation Service (ADFS). LogoutRequest created by the library is rejected by ADFS, while it is accepted by SimpleSAMLphp IdP. I pass both nameId and sessionIndex received from ADFS in Response at LogoutRequest creation.
Here are generated requests and received responses:
AuthNRequest:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" Version="2.0" IssueInstant="2017-05-31T15:43:07Z" ProviderName="My Company Service Provider" Destination="https://wintest.mycompany.test/adfs/ls/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://localhost:8443/builder/login_check_sso">
<saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://localhost:8443/builder/login_check_sso" ID="_f5ea3a59-92f9-4b22-aaf0-36ed392df051" InResponseTo="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" IssueInstant="2017-05-31T15:43:10.158Z" Version="2.0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://wintest.mycompany.test/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe" IssueInstant="2017-05-31T15:43:10.158Z" Version="2.0">
<Issuer>http://wintest.mycompany.test/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>FNwbMonYZBBvTXSRbCWP7WxZgPZPSCcCFZozok9eRK4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>fG1SIq3azZfBFQ+5YBBruuCQ03sLIHJ/YpK/AAOYkyJKXEZ5+SvNLgl+8/3a6Tk8mabZmwmawoJRf5UPb+fNtk+CeeWJ7kiUYcb2uvB4ic7Qd4qB+OgfqK0qVCkn9FWGEODLXA6v4tXWBZfSnzDrHEg7xLHrngesSnffY3uyQvH/rm4G2Vjd59LUeUtpJo2X5ZjVuk4sT5r21+UxpNU9LX8z7hXAZHhD1o4d2dqAs21tAGoid3p0RgNDy1WWGh1WSjFLHPDh220ZIchRFKveJE3R9M9nTKtOFESQsYc6TfmhJ5+Xm/j0VY7vvdhgguyq4MKzcPFK6tBL7I8KREck/Q==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC4DCCAcigAwIBAgIQawxJmIMxo49K2BnRDsVfGDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwHhcNMTcwNDIwMTIxNzUyWhcNMTgwNDIwMTIxNzUyWjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLUb41Ui5/ytBky/npDW5eV6gQhR7WZ3KJs/JEHEN+pbyNRYZXDY3zXIXcUDRMMdDUnewOisNN4iAMHDri/J7c2zBa05XReyQarnTBDPuiB2Hex6pxA486Mk5KqW8MGB2oWexCM+g1VXiaaSJEOHTb0V+GOhYHcDckNOfnBCKehqnYxqAmJp5WHzmU7IZWNb5P6tl92EfbdATA5fU29dkKVoYDGQJqdDDeLDI1mzxyMENce3v8JER9cnTW7zC2k4hD0TYafF3xphn2yLpnqnGEgbHDla9vdDMqX82+L4DSt4747kEdpc4+V9wwrkOnM5Cz5KKHyzQqzOS91CorCJI/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACdbOOfVkVNgaPzD+o60HHytR2MzbPcksKq1tZnS++nR+KM5Vo9FiH3LQ8BUulv8sEEq3ITeiLo92fMRySwiaftunLAAEYdBDTIbdi/fUJgLBoCVkDQvdtlRpnunr1KY7ILhKq4w9eQ0I5M5RDZlY2g3LEbyZpFknV1P1Ykx4d/re7BP42kt6JvY8SeA6TnfzgoQUGRBP7DAHiJ3J/HFPQZUvhqpKf6b5SEFMiSczx7wT1/CManyQ9rxOc0rycbGOcIuMNvxCipKWHsBwxvX021uXojhiSx37VxHWSNyWx5HA60GKkOolK8z2xZ/kdXmn5lxaRvH1P169Cd6HrjKzes=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID>hamilton1#mycompany.test</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" NotOnOrAfter="2017-05-31T15:48:10.158Z" Recipient="https://localhost:8443/builder/login_check_sso" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2017-05-31T15:43:10.158Z" NotOnOrAfter="2017-05-31T16:43:10.158Z">
<AudienceRestriction>
<Audience>http://localhost:4568/sso/saml/metadata</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>hamilton#mycompany.com</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2017-05-31T12:18:50.194Z" SessionIndex="_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
LogoutRequest:
<!-- LogoutRequest that ADFS rejected: the LogoutResponse whose InResponseTo equals this ID carries status Requester. -->
<!-- No ds:Signature element appears in the request as shown. NOTE(review): the binding is not shown; with HTTP-Redirect the signature would travel in the query string instead. -->
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0" Version="2.0" IssueInstant="2017-05-31T15:43:18Z" Destination="https://wintest.mycompany.test/adfs/ls/">
<saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
<!-- This NameID has a Format attribute, whereas the NameID in the assertion issued by ADFS had none. -->
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">hamilton1#mycompany.test</saml:NameID>
<!-- Same value as the SessionIndex of the AuthnStatement in the assertion. -->
<samlp:SessionIndex>_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe</samlp:SessionIndex>
</samlp:LogoutRequest>
LogoutResponse:
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1b3e8c81-2aba-45be-8fe6-54edda514d51" Version="2.0" IssueInstant="2017-05-31T15:43:24.808Z" Destination="https://localhost:8443/builder/logout_sso" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://wintest.mycompany.test/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_1b3e8c81-2aba-45be-8fe6-54edda514d51">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>NDfLVWPkh2/UCEbLQ6V97OK2u4pajv3aLB9cPs5JkSc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>M1JaIz/AeJAh1bUzAUBrljch9EVOVA6K3lzuFDWwF0LtmXgcMEZV9Htp9owq5MNcOZ/mymBrKmndz1EDwDxwOCLjpvp5QX42G23dUCyYAGfQXE1Dzub7dsaTSlMWnkbh6fMLk/j5/fcLEi8vwXMInQv6isVpxnbYI+4ayQWOzo9QpfJBaromDDqVwbmkoT8lhRo06n32OAi8CtaAS2rjNqJyPfcnLp3jMpfg5Qh3wiKYnT6VkMpXw5ddVASByKlqzIRiuItwJsqF4JDDj+f2qgSdq6PaTgYpu8xnbFXTdOvDeg0ZgetQrnaZ07+5xLFLGI73feAWPUFPXwMHQ2THXA==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC4DCCAcigAwIBAgIQawxJmIMxo49K2BnRDsVfGDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwHhcNMTcwNDIwMTIxNzUyWhcNMTgwNDIwMTIxNzUyWjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLUb41Ui5/ytBky/npDW5eV6gQhR7WZ3KJs/JEHEN+pbyNRYZXDY3zXIXcUDRMMdDUnewOisNN4iAMHDri/J7c2zBa05XReyQarnTBDPuiB2Hex6pxA486Mk5KqW8MGB2oWexCM+g1VXiaaSJEOHTb0V+GOhYHcDckNOfnBCKehqnYxqAmJp5WHzmU7IZWNb5P6tl92EfbdATA5fU29dkKVoYDGQJqdDDeLDI1mzxyMENce3v8JER9cnTW7zC2k4hD0TYafF3xphn2yLpnqnGEgbHDla9vdDMqX82+L4DSt4747kEdpc4+V9wwrkOnM5Cz5KKHyzQqzOS91CorCJI/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACdbOOfVkVNgaPzD+o60HHytR2MzbPcksKq1tZnS++nR+KM5Vo9FiH3LQ8BUulv8sEEq3ITeiLo92fMRySwiaftunLAAEYdBDTIbdi/fUJgLBoCVkDQvdtlRpnunr1KY7ILhKq4w9eQ0I5M5RDZlY2g3LEbyZpFknV1P1Ykx4d/re7BP42kt6JvY8SeA6TnfzgoQUGRBP7DAHiJ3J/HFPQZUvhqpKf6b5SEFMiSczx7wT1/CManyQ9rxOc0rycbGOcIuMNvxCipKWHsBwxvX021uXojhiSx37VxHWSNyWx5HA60GKkOolK8z2xZ/kdXmn5lxaRvH1P169Cd6HrjKzes=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
</samlp:Status>
</samlp:LogoutResponse>
The error shown by ADFS is: The SAML Single Logout request does not correspond to the logged-in session participant. With extra error description:
User Action
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.
What should be modified in LogoutRequest to make logout happen?
OK, the problem is solved.
As you can see in the SAML Response I posted, the NameID element doesn't have a Format attribute:
<Subject>
<NameID>hamilton1#mycompany.test</NameID>
...
</Subject>
So ADFS expects the Format attribute to be absent in the LogoutRequest too.
The following LogoutRequest results in a successful logout:
<!-- LogoutRequest that ADFS accepted: same ID, IssueInstant, Issuer and SessionIndex as the rejected one; only the NameID differs. -->
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0" Version="2.0" IssueInstant="2017-05-31T15:43:18Z" Destination="https://wintest.mycompany.test/adfs/ls/">
<saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
<!-- No Format attribute here, mirroring the NameID of the assertion, which had none either. -->
<saml:NameID>hamilton1#mycompany.test</saml:NameID>
<samlp:SessionIndex>_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe</samlp:SessionIndex>
</samlp:LogoutRequest>
If I change Claim Issuing Policy to map Name ID to EmailAddress in ADFS with the following rules:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
I receive the following SAML Response:
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">hamilton1#mycompany.test</NameID>
...
</Subject>
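And sending a LogoutRequest with <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"> logs out successfully. (Note that the claim rule above sets the SAML:1.1 form of this URN; whichever Format value ADFS actually issued in the assertion is the one to send back.)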
I'm using java-saml of version 2.0.1, so I'm doing the following in Java because LogoutRequest doesn't have a constructor accepting nameIdFormat: https://github.com/onelogin/java-saml/blob/v2.0.1/core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java:
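// Build the request as usual; in java-saml 2.0.1 the LogoutRequest constructor takes no NameID format.
LogoutRequest logoutRequest = new LogoutRequest(settings, null, nameId, sessionIndex);
String samlRequestXml = logoutRequest.getLogoutRequestXml();
// Drop the Format attribute so the NameID matches the one the IdP issued.
// [^\"]* stops at the attribute's own closing quote; the earlier ".+" was greedy and would run to the
// last double quote on the line, swallowing any attribute or text that follows Format.
// NOTE(review): this rewrites the serialized XML, so it must run before the request is signed or
// encoded; confirm against the code that sends samlRequestXml.
samlRequestXml = samlRequestXml.replaceAll(" Format=\"[^\"]*\"", "");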
There are plans to add a LogoutRequest constructor accepting nameIdFormat as an argument. More details in https://github.com/onelogin/java-saml/issues/98.

Sign SOAP message in java using wss4j and X509KeyIdentifier method

I need to sign a SOAP message in java using X.509 certificate.
I already implemented it using libraries 'com.sun.org.apache.xml.internal.security' and 'java.security'.
This is how my signed SOAP message looks like:
<soapenv:Envelope xmlns:axw="http://www.axway.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/*encoded value*/</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
/*signature value*/
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
/*certificate*/
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
/*other encoded data*/
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</soapenv:Header>
<soapenv:Body>
/*SOAP message body*/
</soapenv:Envelope>
But I need my SOAP message to include 'wsse:SecurityTokenReference' and 'wsse:KeyIdentifier' instead of 'ds:X509Data' and 'ds:X509Certificate' tag.
Expected signed SOAP message is:
<soapenv:Envelope xmlns:axw="http://www.axway.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-554C045BCDA442589F146244518693410" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="axw soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-554C045BCDA442589F14624451869339">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="axw" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/**encoded value/</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>/*signature value*/</ds:SignatureValue>
<ds:KeyInfo Id="KI-554C045BCDA442589F14624451869337">
<wsse:SecurityTokenReference wsu:Id="STR-554C045BCDA442589F14624451869338">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
/*certificate*/</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-554C045BCDA442589F14624451869339" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
/*message body*/
</soapenv:Body>
</soapenv:Envelope>
I googled and found that expected signed SOAP message is signed by using wss4j api.
But I am not able to implement this api successfully and get the desired result.
Could anybody please guide how to use wss4j to sign a SOAP message?

Google SAML SSO : This account cannot be accessed because the login credentials could not be verified

I've been trying to use SAML to authenticate google apps for our company. But I always get "This account cannot be accessed because the login credentials could not be verified." It seems my signature is good because I have it tested on https://www.samltool.com/validate_response.php
Response:
<?xml
version="1.0"
encoding="UTF-8"?>
<samlp:Response
ID="_fc7fc038e01043acd7d4"
IssueInstant="2015-12-28T04:57:37.087Z"
Version="2.0"
Destination="https://www.google.com/a/sellyx.com/acs"
InResponseTo="inkglhhncmbkicmioiiinchbbhepenfoemkcpiej"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- SignedInfo of the signature placed inside samlp:Response; the Reference URI below equals that Response's ID attribute. -->
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<!-- RSA with SHA-1 for the signature, SHA-1 for the digest further down. -->
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference
URI="#_fc7fc038e01043acd7d4">
<!-- Exclusive c14n is the only transform listed; there is no enveloped-signature transform. -->
<!-- NOTE(review): without it the digest input would include this ds:Signature element; presumably that is why the relying party could not verify the response. The answer on this page adds that transform. -->
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
m0Lhn42KcGeOXuTdzMRY93MsPNY=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>I7nlVY44KWeURB35YjOZ2Rt3kkN8zj1rzF66789U7diOaR4WJazv/i+38RkqlCc1DvSxy3uVsXCq11BmdA3k0r9vnhuKMsZUktrpIAhW93H1cs37PfuYoiu7FFaEgbCcg+OcyjyJ18JcvbgXqKbvv/i8ltRM7JUOr6V+OT/
U6l8=
</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion
ID="_bba47c30283081e8468c"
IssueInstant="2003-04-17T00:46:02Z"
Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://auth.sellyx.com/IDP</Issuer>
<Subject>
<NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abc#sellyx.com
</NameID>
<SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
Recipient="https://www.google.com/a/sellyx.com/acs"
NotOnOrAfter="2015-12-28T05:00:57.087Z"
InResponseTo="inkglhhncmbkicmioiiinchbbhepenfoemkcpiej"/>
</SubjectConfirmation>
</Subject>
<Conditions
NotBefore="2015-12-28T04:54:17.087Z"
NotOnOrAfter="2015-12-28T05:00:57.087Z">
<AudienceRestriction>
<Audience>https://www.google.com/a/sellyx.com/acs</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement
AuthnInstant="2015-12-28T04:57:37.087Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
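Adding another transform, the enveloped-signature transform (http://www.w3.org/2000/09/xmldsig#enveloped-signature), to the ds:Transforms of the signature's ds:Reference solved the problem.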