mace-opensaml-users - RE: org.opensaml.MalformedException while Parsing Assertion

Subject: OpenSAML user discussion

RE: org.opensaml.MalformedException while Parsing Assertion


  • From: "Lawrence, Brad P" <>
  • To:
  • Subject: RE: org.opensaml.MalformedException while Parsing Assertion
  • Date: Wed, 17 May 2006 15:40:32 -0400

If anyone was following this thread, I forgot to post this portion of
the conversation in which Scott Cantor found the problem.

Thanks again Scott,

Brad

-----Original Message-----
From: Scott Cantor
[mailto:]
Sent: Wednesday, May 17, 2006 3:02 PM
To: Lawrence, Brad P
Subject: RE: org.opensaml.MalformedException while Parsing Assertion

Hi,

There's a bug in the code processing a Subject without a NameID, I
spotted it once I looked. Unfortunately I don't have any time to even
think about releasing a new version of this, we're way behind on 2.0 as
it is.

I'll patch it in case any holes crop up that force a release and if you
want to get it from cvs you certainly can.

-- Scott

-----Original Message-----
From: Lawrence, Brad P
Sent: Wednesday, May 17, 2006 2:29 PM
To: 'Scott Cantor'
Subject: RE: org.opensaml.MalformedException while Parsing Assertion



-----Original Message-----
From: Scott Cantor
[mailto:]

Sent: Wednesday, May 17, 2006 2:05 PM
To: Lawrence, Brad P;

Subject: RE: org.opensaml.MalformedException while Parsing Assertion

> I discovered what the problem was. For some reason I was getting the
> parsing exception only when I created the SAMLAuthenticationStatement
> with an authentication method of
> SAMLAuthenticationStatement.AuthenticationMethod_X509_PublicKey.

>>Sorry, that's not making sense to me.

You are right that wasn't the problem. I did some more testing and I
jumped the gun on that so you can ignore that.

> Any ideas why I can't seem to parse my SAMLAssertion with:
> new SAMLAssertion(element);
> When I use the
> SAMLAuthenticationStatement.AuthenticationMethod_X509_PublicKey??

>>Nope, that can't possibly be it based on the error. You may have
>>changed something else indirectly, and my first comment still
>>stands...your KeyInfo is in the wrong place anyway.

Sorry I forgot to mention that I did change the keyInfo as per your
request, but was still getting the error so I started trying many
different things. And I think I jumped the gun on that authentication
method. I did some more testing, and it seems to work if I create a
subject in this manner:

    SAMLSubject authNSubject = new SAMLSubject(nameId, confirmationMethods, null, key);

and it does not work if with this:

    SAMLSubject authNSubject = new SAMLSubject(null, confirmationMethods, null, key);

with this error occurring on parsing (basically same as before):
    org.opensaml.MalformedException: Subject is invalid, requires either
    NameIdentifier or at least one ConfirmationMethod
        at org.opensaml.SAMLSubject.checkValidity(SAMLSubject.java:360)
        at org.opensaml.SAMLSubject.fromDOM(SAMLSubject.java:166)
        at org.opensaml.SAMLSubject.<init>(SAMLSubject.java:111)

Again in both cases for the construction of a SAMLSubject I get no
exceptions upon construction of the SAMLSubject, but only with parsing.


My new SAML assertion that works for both construction and parsing looks
something like this:

<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    AssertionID="_199054f978d365f990a05f26d0474635"
    IssueInstant="2006-05-17T18:22:45.827Z"
    Issuer="CN=Brad P. Lawrence, CN=Users, DC=gign, DC=kcl, DC=mtec, DC=mds, DC=lmco, DC=com"
    MajorVersion="1" MinorVersion="1">
  <Conditions NotBefore="2006-05-17T18:22:45.702Z"
      NotOnOrAfter="2006-05-17T18:27:45.702Z"></Conditions>
  <AuthenticationStatement AuthenticationInstant="2006-05-17T18:22:45.359Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
    <Subject>
      <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Brad P. Lawrence...</NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>
MIICzDCCAjUCBERkqXUwDQYJKoZIhvcNAQE... -- cert data
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </SubjectConfirmation>
    </Subject>
  </AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#_199054f978d365f990a05f26d0474635">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>874Eox0PKOA9UqnOWQmebHXV4yo=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
rzdWkLEKvXhHE6pe9Mvq1gMiajV6NXWN+55UrIDEWo0+nwxXVopKo3eh/d9CxAnuGXrTXCqEoUp9
XqAA/giYs/dmXU7pul1mi9LuF2MkcZZOdStykB7iK3qKXjepwoWvjao0sY1C2shfQ962GN6+5Qb0
cdHG/nQCpoRZN4mJFo4=
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIICvDCCAiUCBERkqcIwDQYJKoZIhvcNAQ... -- cert data
p+KgBIPBn82618jlr2cjJNaycd0=
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</Assertion>

Any reason why I shouldn't be able to create a Subject without a
NameIdentifier? I was simply wanting to use all of the information in
the X.509 certificate in the ds:KeyInfo element as the user credential
information. I can stick a user's FQDN in the name identifier if I need
to I suppose though. Not really a large problem anymore, more of a
curiosity to me now.

Thanks,
Brad
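As an added example (not code from this thread or from OpenSAML), here is the Subject validity rule quoted in the exception, written as a standalone Python check and run against Subject shapes modelled on Brad's assertion: with a NameIdentifier, with only a holder-of-key SubjectConfirmation, with neither, and with holder-of-key but no ds:KeyInfo. The KeyInfo rule and the placeholder certificate are my additions, not part of the original exchange.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

def _tag(ns, local):
    return "{%s}%s" % (ns, local)

def check_subject(subject):
    """Return the validity problems of a SAML 1.x <Subject> element ([] means valid).
    First rule: the one OpenSAML's exception quotes. Holder-of-key rule: added check."""
    problems = []
    name_id = subject.find(_tag(SAML, "NameIdentifier"))
    confirmations = subject.findall(_tag(SAML, "SubjectConfirmation"))
    all_methods = [m for c in confirmations
                   for m in c.findall(_tag(SAML, "ConfirmationMethod"))]
    if name_id is None and not all_methods:
        problems.append("Subject needs NameIdentifier or at least one ConfirmationMethod")
    for conf in confirmations:
        methods = [(m.text or "").strip()
                   for m in conf.findall(_tag(SAML, "ConfirmationMethod"))]
        if not methods:
            problems.append("SubjectConfirmation carries no ConfirmationMethod")
        # holder-of-key is only meaningful if the key actually travels in SubjectConfirmation
        if HOLDER_OF_KEY in methods and conf.find(_tag(DS, "KeyInfo")) is None:
            problems.append("holder-of-key confirmation without ds:KeyInfo")
    return problems

def check_subject_xml(xml_text):
    """Parse a standalone <Subject> document and check it."""
    return check_subject(ET.fromstring(xml_text))

# Constructed samples modelled on the assertion in the thread (placeholder certificate).
_HOK = ('<SubjectConfirmation><ConfirmationMethod>%s</ConfirmationMethod>'
        '<ds:KeyInfo xmlns:ds="%s"><ds:X509Data><ds:X509Certificate>PLACEHOLDER'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></SubjectConfirmation>') % (HOLDER_OF_KEY, DS)
_NAMEID = ('<NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">'
           'CN=Brad P. Lawrence</NameIdentifier>')
SUBJECT_WITH_NAMEID = '<Subject xmlns="%s">%s%s</Subject>' % (SAML, _NAMEID, _HOK)
SUBJECT_HOK_ONLY = '<Subject xmlns="%s">%s</Subject>' % (SAML, _HOK)
SUBJECT_EMPTY = '<Subject xmlns="%s"/>' % SAML
SUBJECT_HOK_NO_KEY = ('<Subject xmlns="%s"><SubjectConfirmation><ConfirmationMethod>%s'
                      '</ConfirmationMethod></SubjectConfirmation></Subject>') % (SAML, HOLDER_OF_KEY)

if __name__ == "__main__":
    for label, doc in [("with NameIdentifier", SUBJECT_WITH_NAMEID), ("holder-of-key only", SUBJECT_HOK_ONLY),
                       ("empty Subject", SUBJECT_EMPTY), ("holder-of-key without key", SUBJECT_HOK_NO_KEY)]:
        print("%-28s %s" % (label + ":", check_subject_xml(doc) or "valid"))
```

Under this rule the holder-of-key-only Subject that OpenSAML's fromDOM rejected is valid, which is what Scott's "bug in the code processing a Subject without a NameID" refers to.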
