mace-opensaml-users - RE: [OpenSAML] Testing SAML relying party browser post profile
Subject: OpenSAML user discussion
- From: "Pantvaidya, Vishwajit" <>
- To: "" <>
- Subject: RE: [OpenSAML] Testing SAML relying party browser post profile
- Date: Fri, 20 Mar 2009 17:12:26 -0700
-----Original Message-----
From: Brent Putman
Sent: Friday, March 20, 2009 4:48 PM
Subject: Re: [OpenSAML] Testing SAML relying party browser post profile
Just to confirm: you are intending to do SAML 1.1, right, not SAML 2?
[Pantvaidya, Vishwajit] Correct.
>
> So it seems like it is not using my key from the profile. Am I doing
> anything wrong here?
>
The IdP is signing the response with its key, not yours. You need to
validate the signature with the IdP's key, which you obtain via some
out-of-band mechanism, for example by getting the metadata that it
publishes about itself.
[Pantvaidya, Vishwajit] Ok thanks. I changed my code to do that. Now as I
understand, a key in base64binary format should be wrapped in the "----BEGIN
KEY-----" "--------END KEY-------" signature. The saml I get has the key as:
<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEVMBMGA1UECBMM...</ds:X509Certificate>
How do I load it? Right now I am manually adding the begin key, end key
wrappers and the signature validation works fine.
> Also I see that it is not sending any attributes in the assertion. Can I
> configure my profile to have it send those?
>
In Shibboleth with SAML 1, the default is to not send an attribute
statement in the SSO assertion, because in the absence of encryption
support in SAML 1, those would be in the clear and that's an undesirable
default. Instead the SP is expected to do an AttributeQuery to the
IdP's AttributeAuthority using the Subject from the SSO assertion. It
*can* be configured to send attributes on SSO in SAML 1, but I'm not
sure whether or how TestShib in particular can be requested to be
configured to do that for a particular SP. Nate can hopefully tell us
if that's possible.
[Pantvaidya, Vishwajit] Ok thanks. If the request is https, this should be
fine right? Anyway, if TestShib does not do it, I would need to figure out
another way of doing it.
FYI, the Shib IdP default on SAML 2 SSO is to send an encrypted
Assertion, since SAML supports XML Encryption. That can also be changed
- either the default or on a relying-party specific basis - to not
encrypt and/or not include the attribute statement at all. For that it
needs your encryption key, which btw can't be DSA b/c that doesn't
support encryption. Pretty much have to use RSA for that.
[Pantvaidya, Vishwajit] This info will be very useful since our immediate
next project after OpenSAML migration completes is to upgrade to SAML2.
Thanks a lot.
--Brent
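On the question of loading the base64 `<ds:X509Certificate>` value: the JDK's `CertificateFactory` consumes the raw DER bytes directly, so no PEM wrapper has to be hand-added. The example below is added here and is not code from the thread or from OpenSAML; it uses only JDK classes (java.util.Base64 needs Java 8 or later) and shows the check Brent describes: the certificate carried in the response is untrusted input and is only used if it matches one the IdP published out of band in its metadata. File paths are taken from the command line as an assumption for the demo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;

public final class IdpCertLoader {

    /** Parse the text content of a ds:X509Certificate element: base64 of DER, no PEM armor needed. */
    public static X509Certificate fromX509CertificateElement(String base64Der) throws CertificateException {
        // XML Schema base64Binary may be wrapped over several lines; the MIME decoder skips line breaks.
        byte[] der = Base64.getMimeDecoder().decode(base64Der.trim());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** The same factory also accepts the "-----BEGIN CERTIFICATE-----" PEM form, e.g. from IdP metadata. */
    public static X509Certificate fromPem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /**
     * Select the key to validate the response signature with. The cert in the message's
     * ds:KeyInfo is attacker-controllable; only a cert that matches one obtained out of band
     * (IdP metadata) is returned. Returns null when there is no match, and the caller must
     * then reject the response rather than fall back to the embedded key.
     */
    public static PublicKey trustedSigningKey(X509Certificate fromMessage,
                                              Collection<X509Certificate> fromMetadata) {
        for (X509Certificate trusted : fromMetadata) {
            // PublicKey.equals compares the encoded key material for JDK key implementations.
            if (trusted.getPublicKey().equals(fromMessage.getPublicKey())) {
                return trusted.getPublicKey();
            }
        }
        return null;
    }

    /** Demo (assumed layout): args[0] = IdP metadata cert in PEM, args[1] = base64 text copied from the response. */
    public static void main(String[] args) throws Exception {
        X509Certificate metadataCert = fromPem(new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII));
        X509Certificate messageCert = fromX509CertificateElement(new String(Files.readAllBytes(Paths.get(args[1])), StandardCharsets.US_ASCII));
        PublicKey key = trustedSigningKey(messageCert, Collections.singletonList(metadataCert));
        System.out.println(key == null ? "REJECT: cert in response does not match IdP metadata" : "OK: validate signature with " + key.getAlgorithm() + " key from metadata");
    }
}
```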