
mace-opensaml-users - RE: SAML Assertion ids and interop


RE: SAML Assertion ids and interop


  • From: Ted Toth <>
  • To: Scott Cantor <>,
  • Subject: RE: SAML Assertion ids and interop
  • Date: Thu, 23 Jun 2005 15:45:22 -0700 (PDT)

Bluntness is cool. However, we don't live in a perfect world, and OK, the
toolkits (and MS) aren't following the specs, but what is a poor schmuck coder
like me supposed to do when my customer wants a .NET client to talk to their
'secure' Java service? Well, I'm going to talk to anyone who'll listen and try
to get something put together that works, even if it is only until the next
release when it is broken again. One thing I do know for certain: MS ain't
going to do nothin' about this issue anytime soon, and my only hope lies in the
open source world.

Ted

--- Scott Cantor <> wrote:

> > By interop I mean between .NET and Java web services and clients. My .NET
> > client is failing to validate the response from a Java server (which uses
> > opensaml) because the WSE SecurityInputFilter is trying to validate the
> > signature of the element with the id id-12374346; however, for a SAML
> > Assertion it is comparing against the AssertionID and not the wsu:Id.
>
> Let me be blunt so there's no misunderstanding... a lot of these WSS tools
> are broken. They don't follow the official WSS and WSS-SAML specs or the
> SAML 1.1 spec, and they produce invalid XML, your example being an
> illustration of that.
>
> Using SAML in WSS requires wrapping it in additional elements and signing
> the outer wrapper into the message, because WSS has a questionable
> requirement that the only permitted ID attributes you can sign are wsu:Ids.
> So you can't directly reference an assertion in your WSS signature, and any
> tool trying to do so is probably outdated.
>
> With respect to your example...
>
> > <Assertion AssertionID="c3d50b725586474de4e411e597933763"
> >     IssueInstant="2005-06-23T15:53:51.125Z"
> >     Issuer="CN=www.foo.com, OU=Other, OU=PKI, OU=XxX, O=U.S. Government, C=US"
> >     MajorVersion="1" MinorVersion="1" wsu:Id="id-12374346">
>
> That's invalid SAML. The SAML schema does not allow wsu:Id to appear inside
> the Assertion element. Any SAML library is free to be overly permissive, but
> mine would spit it out, for example (though see my note at the end).
>
> > If these ids contained the same value then I think this would work. Does
> > opensaml add the wsu:Id?
>
> No. Whatever did is broken.
>
> > I know that you can create a SAMLAssertion with an id (AssertionID), but
> > for the .NET client to interoperate with a Java based service the ids
> > probably need to match.
>
> Actually, the wsu:Id simply can't be there, so it's immaterial what it is.
> When the WSS layer signs, it's supposed to wrap it in some element, STR
> maybe, and then the wsu:Id is inside that. I think. Not my expertise, but
> you can trust me on the SAML part.
>
> > I'm saying this because in the request generated by the .NET client match
> > and the Java server seems to have no problem digesting them and validating
> > the signature.
>
> Any tool that accepts an assertion that looks like that is playing with
> fire. But my guess is the Java server is just parsing blind, and
> mechanically verifying the signature.
>
> In that scenario, OpenSAML would have a hard time detecting the error
> because it's probably being handed a pre-parsed DOM, and if it outputs the
> same DOM, it wouldn't know to delete the illegal attribute either.
>
> XML kinda blows for protocol stuff.
>
> -- Scott
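
The point Scott makes in the quoted reply (a WSS signature may only dereference a wsu:Id, the SAML 1.1 schema gives Assertion no such attribute, so the signed thing has to be a wrapper rather than the assertion) is easier to see against concrete messages. The script below is an added example, not code from the thread, from OpenSAML or from WSE. It builds two constructed wsse:Security headers inline: BROKEN has the shape Ted posted (wsu:Id stuck directly on the saml:Assertion, ds:Reference pointing at it), and CONFORMANT leaves the assertion alone and signs a wsse:SecurityTokenReference that names the assertion by its AssertionID. The STR/KeyIdentifier layout and the two profile URIs are my reading of the WSS SAML Token Profile 1.0, an assumption on my part (Scott himself only says "STR maybe"); the namespace URIs, the Issuer value and the id values are likewise my sample data, with the AssertionID copied from the thread. analyse() resolves every ds:Reference the way a strict WSS layer would and reports what a schema-aware SAML parser would reject.

```python
"""Resolve ds:Reference URIs in a WS-Security header under the WSS rule that
only wsu:Id values are referenceable, and flag wsu:Id on a saml:Assertion.

Constructed example; not code from the mailing-list thread, OpenSAML or WSE.
The STR wrapping shown in CONFORMANT is assumed to follow the WSS SAML Token
Profile 1.0; sample messages and ids are made up except for the AssertionID.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]
STR_TAG = "{%s}SecurityTokenReference" % NS["wsse"]
DS_REFERENCE = "{%s}Reference" % NS["ds"]
ASSERTION_ID = "c3d50b725586474de4e411e597933763"  # AssertionID quoted in the thread
HEAD = ('<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" '
        'xmlns:saml="%(saml)s" xmlns:ds="%(ds)s">' % NS)

# Shape from the thread: the WSS toolkit put a wsu:Id on the Assertion itself.
BROKEN = HEAD + """
  <saml:Assertion AssertionID="%s" MajorVersion="1" MinorVersion="1"
      IssueInstant="2005-06-23T15:53:51.125Z" Issuer="CN=www.foo.com"
      wsu:Id="id-12374346"/>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#id-12374346"/>
  </ds:SignedInfo></ds:Signature>
</wsse:Security>""" % ASSERTION_ID

# Assertion untouched; the signature covers an STR (which carries the wsu:Id)
# that names the assertion by its AssertionID. Assumed profile layout.
CONFORMANT = HEAD + """
  <saml:Assertion AssertionID="%s" MajorVersion="1" MinorVersion="1"
      IssueInstant="2005-06-23T15:53:51.125Z" Issuer="CN=www.foo.com"/>
  <wsse:SecurityTokenReference wsu:Id="str-1">
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">%s</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#str-1"><ds:Transforms><ds:Transform
      Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"/>
    </ds:Transforms></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</wsse:Security>""" % (ASSERTION_ID, ASSERTION_ID)


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.split("}", 1)[-1]


def analyse(xml_text):
    """Return (problems, resolutions) for one wsse:Security header.

    resolutions maps each ds:Reference URI to the local name of the element
    whose wsu:Id it lands on, or None when the URI matches nothing a WSS
    layer may dereference (e.g. it only matches an AssertionID). problems
    lists what a strict validator would reject.
    """
    root = ET.fromstring(xml_text)
    problems = []
    wsu_ids = {}
    for el in root.iter():
        wid = el.get(WSU_ID)
        if wid is None:
            continue
        if el.tag == SAML_ASSERTION:
            # The SAML 1.1 schema has no wildcard attribute on Assertion.
            problems.append("wsu:Id=%r on saml:Assertion is not permitted by the SAML 1.1 schema" % wid)
        wsu_ids[wid] = el
    assertion_ids = {a.get("AssertionID") for a in root.iter(SAML_ASSERTION)}

    resolutions = {}
    for ref in root.iter(DS_REFERENCE):
        uri = ref.get("URI", "")
        target = uri[1:] if uri.startswith("#") else uri
        el = wsu_ids.get(target)
        if el is None:
            resolutions[uri] = None
            why = ("matches an AssertionID, which WSS does not dereference"
                   if target in assertion_ids else "matches no wsu:Id")
            problems.append("Reference %s: %s" % (uri, why))
            continue
        resolutions[uri] = local_name(el.tag)
        if el.tag == SAML_ASSERTION:
            problems.append("Reference %s signs the Assertion directly; sign an STR wrapper instead" % uri)
        elif el.tag == STR_TAG:
            ki = el.find("wsse:KeyIdentifier", NS)
            if ki is None or (ki.text or "").strip() not in assertion_ids:
                problems.append("Reference %s: STR names no assertion present in the message" % uri)
    return problems, resolutions


if __name__ == "__main__":
    for label, msg in (("BROKEN", BROKEN), ("CONFORMANT", CONFORMANT)):
        problems, resolutions = analyse(msg)
        print(label, resolutions)
        for p in problems:
            print("  -", p)
```

Run as-is it reports two problems for BROKEN (the illegal attribute, and a signature that covers the assertion directly) and none for CONFORMANT. Dropping the wsu:Id from BROKEN and pointing the Reference at the AssertionID reproduces the mismatch Ted saw: the URI then matches an AssertionID only, which a WSS resolver treats as unresolvable.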






