mace-opensaml-users - Question regarding general SAML receiver framework
Subject: OpenSAML user discussion
- From: "roy" <>
- To: <>
- Subject: Question regarding general SAML receiver framework
- Date: Mon, 5 Jan 2004 23:55:37 -0800
Okay, I got OpenSAML all compiled and accessible in my project earlier this
afternoon (many thanks!). Now I'm wondering how to
tackle the problem I'm trying to solve with the toolkit. :)
The problem is this: I will be receiving a signed SAML Response from a 3rd
party, that looks like the following (this will be hard
to read)
---------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<samlp:Response IssueInstant="2003-12-08T22:52:41Z" MajorVersion="1" MinorVersion="0"
    Recipient="https://rkim00:443/pub/agent.dll?qscr=sson&gpid=79DD726F3E22"
    ResponseID="aeOh0NYdo4bvK469rvw47Q=="
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>XdsJQcSJkDT59kJ813Sb2BbOXAI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>piaz0T9pmpQ81GUeb5U2HbYadpx40QcsK/tTRDCamKZsQ4w2tNeGGfF4GbhxlAvijOXZAJ2U
YjIWtrBlkZPUjPJwFHNjVuaxm014KzR4mr+ek1p77spGbNvPYhqgxQpqglmVvZA+M2WdNbuH
hjHaWar6SvR9ucfojDNDhIs+wHE=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion AssertionID="yxD5Y2YOGDcRSzSHD7Of9w==" IssueInstant="2003-12-08T22:52:41Z"
      Issuer="plsw002.hostingdev.unknown.net" MajorVersion="1" MinorVersion="0"
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2003-7-8T0:0:0Z" NotOnOrAfter="2004-7-8T0:0:0Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2003-12-08T22:52:08Z">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0:assertion#WindowsQualifiedDomainName"
            NameQualifier="dc=icr,dc=hostingdev,dc=unknown,dc=net">u161727</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:SubjectLocality IPAddress="10.145.21.95"/>
    </saml:AuthenticationStatement>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0:assertion#WindowsQualifiedDomainName"
            NameQualifier="dc=icr,dc=hostingdev,dc=unknown,dc=net">u161727</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="EmpUID">
        <saml:AttributeValue>u161727</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
---------------------------------
The response above contains an attribute named "EmpUID" which will be used in
a single sign on solution. I merely need to implement
a SAML receiver that can validate responses, and spit out relevant attributes.
The initial approach I thought of was to use some functions available in
SAMLPOSTProfile. More precisely:
1. feed base64 encoded SAMLResponse to SAMLPostProfile::accept.
2. take resulting SAMLResponse object and verify it with stored public
key/cert associated with the 3rd party.
3. retrieve attributes in SAMLResponse.
Does this sound about right? I've already run into an issue with
SAMLPOSTProfile::accept. I pass in the base64 encoded version of
the above SAML response, and I get an error on the ResponseId, as follows.
As far as I know, the Response is valid.
---------------------------------
1073373407 ERROR SAML.XML.ParserPool handleError: error on line 2, column
253, message: Datatype error:
Type:InvalidDatatypeValueException, Message:Value 'aeOh0NYdo4bvK469rvw47Q=='
is not valid NCName .
caught a SAML exception:
<Status xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><StatusCode
Value="samlp:Responder"/><StatusMessage>
XML::Parser detected an error during parsing: Datatype error:
Type:InvalidDatatypeValueException, Message:Value
'aeOh0NYdo4bvK469rvw47Q==' is not valid NCName .
</StatusMessage><StatusDetail><ExceptionClass
xmlns="http://www.opensaml.org">org.opensaml.MalformedException</ExceptionClass></StatusDetail></Status>
---------------------------------
Any ideas about what I may be doing wrong, or about how I can better tackle
the problem? Either would be *greatly* appreciated :)
- roy
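An added example, not from this thread and not OpenSAML code, of the receiver-side checks that steps 2 and 3 above describe, written in Python with only the standard library. It also reproduces the parser error in the post: the parser is validating ResponseID and AssertionID as xsd:ID, whose lexical space is NCName, and base64 text (with '=', '+', '/' and a possible leading digit) can never be an NCName, so a constructed response carrying the posted IDs fails exactly there, while the same response with NCName-shaped IDs passes and yields the EmpUID attribute. Signature verification is deliberately left out (it needs an XML-DSig implementation, which is what OpenSAML supplies); the recipient URL, issuer, signature value and the fixed IDs are constructed placeholders.

```python
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# ASCII approximation of an XML NCName: a letter or '_' first, then letters,
# digits, '.', '-' or '_'. No ':' and none of the base64 characters '+', '/', '='.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_ncname(value):
    """True if value is an (ASCII) NCName, the lexical space of xsd:ID."""
    return bool(NCNAME_RE.match(value))


def parse_instant(text):
    """Parse a UTC SAML instant; tolerates unpadded fields like 2003-7-8T0:0:0Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_recipient, now):
    """Structural checks a receiver makes before trusting any attribute.

    Returns (problems, attributes). Only the presence of an enveloped
    ds:Signature is checked; verifying it is left to an XML-DSig library.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"], {}
    problems = []

    # 1. xsd:ID attributes must be NCNames: the check the posted parser failed.
    rid = root.get("ResponseID", "")
    if not is_ncname(rid):
        problems.append(f"ResponseID {rid!r} is not a valid NCName")

    # 2. The response must be addressed to this receiver and be signed.
    if root.get("Recipient") != expected_recipient:
        problems.append(f"Recipient {root.get('Recipient')!r} is not ours")
    if root.find(f"{{{DS}}}Signature") is None:
        problems.append("response is not signed")

    # 3. Status must be Success (a QName such as samlp:Success).
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")

    attributes = {}
    for assertion in root.findall(f"{{{SAML}}}Assertion"):
        aid = assertion.get("AssertionID", "")
        if not is_ncname(aid):
            problems.append(f"AssertionID {aid!r} is not a valid NCName")
        # 4. Enforce the saml:Conditions validity window.
        cond = assertion.find(f"{{{SAML}}}Conditions")
        if cond is not None:
            if "NotBefore" in cond.attrib and now < parse_instant(cond.get("NotBefore")):
                problems.append("assertion not yet valid")
            if "NotOnOrAfter" in cond.attrib and now >= parse_instant(cond.get("NotOnOrAfter")):
                problems.append("assertion expired")
        # 5. Collect attributes, and only from inside an assertion.
        for attr in assertion.iter(f"{{{SAML}}}Attribute"):
            values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
            attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return problems, attributes


RECIPIENT = "https://sp.example/agent"  # constructed recipient URL
NOW = datetime(2003, 12, 8, 23, 0, 0, tzinfo=timezone.utc)  # inside the sample window


def make_response(response_id, assertion_id):
    """Constructed sample modelled on the posted response; the signature is a dummy."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"
  IssueInstant="2003-12-08T22:52:41Z" MajorVersion="1" MinorVersion="0"
  Recipient="{RECIPIENT}" ResponseID="{response_id}">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>DUMMY</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="{assertion_id}" IssueInstant="2003-12-08T22:52:41Z"
    Issuer="idp.example" MajorVersion="1" MinorVersion="0">
    <saml:Conditions NotBefore="2003-7-8T0:0:0Z" NotOnOrAfter="2004-7-8T0:0:0Z"/>
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier>u161727</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="EmpUID">
        <saml:AttributeValue>u161727</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def run_demo(response_id, assertion_id, recipient=RECIPIENT, now=NOW):
    return validate_response(make_response(response_id, assertion_id), recipient, now)


if __name__ == "__main__":
    print(run_demo("aeOh0NYdo4bvK469rvw47Q==", "yxD5Y2YOGDcRSzSHD7Of9w=="))  # the posted IDs
    print(run_demo("_a1b2c3d4", "_e5f6a7b8"))  # NCName-shaped IDs (constructed)
```

The first call reports both IDs as invalid NCNames and nothing else, which matches the posted log; the second returns no problems and {"EmpUID": ["u161727"]}. Because each problem is collected rather than raised, a receiver can log every reason a response was rejected, which is what an operator wants when debugging a partner's assertions.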
- Question regarding general SAML receiver framework, roy, 01/06/2004
- RE: Question regarding general SAML receiver framework, Scott Cantor, 01/06/2004
- Re: Question regarding general SAML receiver framework, roy, 01/09/2004
- RE: Question regarding general SAML receiver framework, Scott Cantor, 01/09/2004
- RE: Question regarding general SAML receiver framework, Scott Cantor, 01/09/2004
- Re: Question regarding general SAML receiver framework, roy, 01/09/2004
- Re: Question regarding general SAML receiver framework, Walter Hoehn, 01/06/2004
- RE: Question regarding general SAML receiver framework, Scott Cantor, 01/06/2004