mace-opensaml-users - RE: [OpenSAML] Testing SAML relying party browser post profile

Subject: OpenSAML user discussion

  • From: "Pantvaidya, Vishwajit" <>
  • To: "" <>
  • Subject: RE: [OpenSAML] Testing SAML relying party browser post profile
  • Date: Fri, 20 Mar 2009 16:05:11 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US

Finally I got back to this and am facing a problem with getting testshib to
use my key. I pasted my DSA key into my profile so that it looks like this:

<?xml version="1.0" encoding="UTF-16"?>
<md:EntityDescriptor entityID="https://64.161.158.31/shibboleth/testshib/sp"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">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==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://64.161.158.31/" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://64.161.158.31/Shibboleth.sso/SAML/Artifact" index="2"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://64.161.158.31/" index="3"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="http://64.161.158.31/Shibboleth.sso/SAML/Artifact" index="4"/>
  </md:SPSSODescriptor>
  ...
</md:EntityDescriptor>


When I get the saml response from testshib it looks like this:

<samlp:Response IssueInstant="2009-03-20T22:09:28.528Z" MajorVersion="1"
    MinorVersion="1" Recipient="http://64.161.158.31/"
    ResponseID="_546f4fc45c6a7cb8ddd11836497a56d0"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_546f4fc45c6a7cb8ddd11836497a56d0">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ds saml samlp"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>r78bWVR3/jfHpRFhnLuJuGeyqoE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>I5RN2IMnOv1L02wOz4QJEb3OXg6cy5OZpvNEWI08ivutqUIlexyKs/ZwtGx+y9kAsKRZgvlPcby1
VSsCkKs/EPf7boElLZDYnIctCgM+Uyf45jeDEWGM+4VEZZbaJ4DIY+Cm4wD2zIRr2KzN6totCDkY
3hUE3eRTjQPQinQA7yXVib8XdgnVWfqdA1oAeZriCa1TaDCOW/1my2bbd6o/ZUH402wj0HG1gnr9
tAp2M0tbB42k+lBxKRqhq0lpSfmzposd8AcN69ztQ/sZhasN2kj1dk8OdFMokegm037jbrT3/rdg
otfDqEGTSv/B8jo04dKB4zlgQzONg7Jyu9bJdw==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEVMBMGA1UECBMM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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  ...
</samlp:Response>

So it seems like it is not using my key from the profile. Am I doing anything
wrong here?

Also I see that it is not sending any attributes in the assertion. Can I
configure my profile to have it send those?


-----Original Message-----
From: Pantvaidya, Vishwajit
[mailto:]

Sent: Wednesday, January 14, 2009 5:55 PM
To:

Subject: RE: [OpenSAML] Testing SAML relying party browser post profile

Thanks Brent. Back from vacation and fresh, I tried with the changed URL
based on your suggestions and I was able to receive the response from
testshib on my server. Now I will try to run it through the entire logic and
see how that goes.


- Vish.

> -----Original Message-----
> From: Pantvaidya, Vishwajit
> [mailto:]
> Sent: Thursday, December 04, 2008 9:12 PM
> To:
>
> Subject: RE: [OpenSAML] Testing SAML relying party browser post profile
>
>
>
> > -----Original Message-----
> > From: Brent Putman
> > [mailto:]
> > Sent: Wednesday, December 03, 2008 8:44 PM
> >
> > I'd suggest getting rid of all but one of those, just to avoid
> > confusion. I think you can delete your own entries via the "Edit"
>
> [Pantvaidya, Vishwajit] I deleted the 2 TestShib2 profiles.
>
> >
> > Pantvaidya, Vishwajit wrote:
> > > Thanks. Based on this, I tried the following browser requests:
> > >
> > > https://idp.testshib.org/idp/profile/Shibboleth/SSO?providerId=https%3A%2F%2Fvishsjlaptop.selectica.com%2Fshibboleth%2Ftestshib%2Fsp&shire=http%3A%2F%2Fvishsjlaptop.selectica.com&target=login.jsp
> > > (i.e. providerId=https://vishsjlaptop.selectica.com/shibboleth/testshib/sp,
> > > shire=http://vishsjlaptop.selectica.com/, target=login.jsp)
> > >
> >
> > Yeah, your shire parameter there isn't correct, or at least doesn't jibe
> > with metadata. That should:
> > 1) be the endpoint to which the POST profile will post the SAML
> > response. Don't know what that is in your app. Maybe
> > http://vishsjlaptop.selectica.com/ is correct, but that looks a little
> > suspect. Probably should be an explicit path there.
>
> [Pantvaidya, Vishwajit] The endpoint is correct - that's where my SP is
> available. I think I have forgotten the login.jsp at the end. I will add
> that.
>
> > 2) it needs to match one of the AssertionConsumerService endpoints for
> > the Browser POST binding in your metadata entry. Find the effective
> > metadata entry that you are using (easier if you get rid of all but one
> > of them) and in your EntityDescriptor/AssertionConsumerService entries'
> > Location attribute, make sure they match your SP implementation's
> > endpoint. The default values that are generated are for a Shibboleth
> > SP, certainly not the same as your SP. Here's what one of your entries
> > has, for example
> >
> >
> > <md:AssertionConsumerService
> >     Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
> >     Location="https://vishsjlaptop.selectica.com/Shibboleth.sso/SAML/POST"
> >     index="6"/>
> > <md:AssertionConsumerService
> >     Binding="urn:oasis:names:tc:SAML:1.1:profiles:browser-post"
> >     Location="http://vishsjlaptop.selectica.com/Shibboleth.sso/SAML/POST"
> >     index="7"/>
> >
>
> [Pantvaidya, Vishwajit] Didn't know that testshib adds that at the end.
> Thanks. I will edit that to match my SP. Will let you know how that goes.
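Two checks run through this whole thread: the shire/Recipient the browser is sent to must match a browser-post AssertionConsumerService Location in the metadata, and the relying party must decide whether the certificate that arrives inline in the response's ds:KeyInfo is one it already trusts for the IdP before it believes the signature. The script below is an added example of those pre-checks, not OpenSAML, Shibboleth or testshib code; the host names, the metadata and response fragments, the placeholder certificate strings and the accepted-algorithm set are all constructed for the example.

```python
"""Structural pre-checks for a SAML 1.1 browser-POST response, run before the
XML-signature verification that a library such as OpenSAML performs.
Hypothetical example code; every sample value below is constructed."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
BROWSER_POST = {
    "urn:oasis:names:tc:SAML:1.0:profiles:browser-post",
    "urn:oasis:names:tc:SAML:1.1:profiles:browser-post",
}
# Policy choice for this example: accept RSA/SHA-256 only, so rsa-sha1 is rejected.
ACCEPTED_SIGNATURE_METHODS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}

# Constructed SP metadata, shaped like the entry discussed in the thread.
SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.test/shibboleth/testshib/sp"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://sp.example.test/login.jsp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://sp.example.test/Shibboleth.sso/SAML/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: the IdP signing certificate the relying party obtained out of band
# (from the IdP's own metadata); the base64 body is a placeholder, never decoded.
TRUSTED_IDP_CERTS = {"MIIC-CONSTRUCTED-IDP-CERT-PLACEHOLDER=="}

# Constructed response with the same skeleton as the one posted in the thread.
RESPONSE = """<samlp:Response IssueInstant="2009-03-20T22:09:28.528Z" MajorVersion="1" MinorVersion="1"
    Recipient="http://sp.example.test/login.jsp" ResponseID="_546f4fc45c6a7cb8ddd11836497a56d0"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_546f4fc45c6a7cb8ddd11836497a56d0"/>
    </ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIC-CONSTRUCTED-IDP-CERT-PLACEHOLDER==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def post_endpoints(metadata_xml):
    """Locations of every browser-post AssertionConsumerService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return {
        acs.get("Location")
        for acs in root.iter(MD + "AssertionConsumerService")
        if acs.get("Binding") in BROWSER_POST
    }


def normalize_cert(text):
    """Base64 certificate bodies are commonly line-wrapped; compare without whitespace."""
    return "".join((text or "").split())


def precheck_response(response_xml, metadata_xml, trusted_certs):
    """Return the list of problems found; an empty list means the pre-checks pass."""
    problems = []
    resp = ET.fromstring(response_xml)
    # 1. Recipient must be one of our own browser-post endpoints from metadata.
    if resp.get("Recipient") not in post_endpoints(metadata_xml):
        problems.append("Recipient does not match a browser-post AssertionConsumerService")
    sig = resp.find(DS + "Signature")
    if sig is None:
        return problems + ["response is unsigned"]
    # 2. The enveloped signature must cover this Response element, not some other ID.
    ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
    if ref is None or ref.get("URI") != "#" + (resp.get("ResponseID") or ""):
        problems.append("signature Reference does not cover this Response element")
    # 3. Only algorithms on the allow list are acceptable.
    method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    if method is None or method.get("Algorithm") not in ACCEPTED_SIGNATURE_METHODS:
        problems.append("signature algorithm not in the accepted set")
    # 4. The inline certificate is only a hint; it must equal a trusted IdP certificate.
    cert = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if normalize_cert(cert.text if cert is not None else None) not in trusted_certs:
        problems.append("signing certificate is not a trusted IdP certificate")
    return problems


if __name__ == "__main__":
    print(precheck_response(RESPONSE, SP_METADATA, TRUSTED_IDP_CERTS) or "pre-checks passed")
```

Only when all four checks pass is it worth handing the document to the signature library; the cryptographic verification then uses the trusted certificate, not whatever arrived in ds:KeyInfo.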


