shibboleth-dev - Re: signed assertions

Re: signed assertions

  • From: Ian Young <>
  • To:
  • Subject: Re: signed assertions
  • Date: Tue, 21 Feb 2006 22:40:41 +0000

Scott Cantor wrote:

I don't think the assertion got signed. I attach what I think is your one. I went through Example State myself and got something very similar (again unsigned).

You're right. I corrected the metadata and it signed it now. Check your log.

Here is your new assertion and some trailing wordage:

----------
2006-02-21 21:17:34 DEBUG SAML.libcurl [36] sessionGet: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Body><Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="_41ef4bdc10240f8ea0592e822da8f4f4" IssueInstant="2006-02-21T21:17:34.033Z" MajorVersion="1" MinorVersion="1" ResponseID="_dc5af77a4a9f4372dcc9d2a74cdba13a"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_e54c783e7a22e13f1d4ca3ad77bdaa9f" IssueInstant="2006-02-21T21:17:33.925Z" Issuer="urn:mace:inqueue:example.edu" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2006-02-21T21:17:33.925Z" NotOnOrAfter="2006-02-21T21:47:33.925Z"><AudienceRestrictionCondition><Audience>urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk</Audience><Audience>urn:mace:inqueue</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="urn:mace:inqueue:example.edu">_47cc958b8e5287b877397cd122fb5e98</NameIdentifier></Subject><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue xsi:type="typens:AttributeValueType">urn:mace:example.edu:exampleEntitlement</AttributeValue><AttributeValue xsi:type="typens:AttributeValueType">urn:mace:incommon:entitlement:common:1</AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="example.edu" xsi:type="typens:AttributeValueType">member</AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="example.edu" xsi:type="typens:AttributeValueType">demo</AttributeValue></Attribute></AttributeStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
2006-02-21 21:17:34 DEBUG SAML.libcurl [36] sessionGet: Closing connection #0
2006-02-21 21:17:34 DEBUG SAML.libcurl [36] sessionGet: SSLv3, TLS alert, Client hello (1):
2006-02-21 21:17:34 DEBUG Shibboleth.Trust.Basic [36] sessionGet: validating signature with KeyDescriptors
2006-02-21 21:17:34 DEBUG Shibboleth.Trust.Basic [36] sessionGet: failed to validate signature with KeyDescriptors
2006-02-21 21:17:34 DEBUG Shibboleth.Trust.Shibboleth [36] sessionGet: validating signature using certificate from within the signature
2006-02-21 21:17:34 INFO Shibboleth.Trust.Shibboleth [36] sessionGet: signature verified with key inside signature, attempting certificate validation...
2006-02-21 21:17:34 DEBUG Shibboleth.Trust.Basic [36] sessionGet: comparing certificate to KeyDescriptors
2006-02-21 21:17:34 DEBUG Shibboleth.Trust.Basic [36] sessionGet: failed to find an exact match for certificate in KeyDescriptors
2006-02-21 21:17:34 INFO Shibboleth.Trust.Shibboleth [36] sessionGet: certificate subject: CN=wayf.internet2.edu,O=Internet2,C=US
2006-02-21 21:17:34 DEBUG Shibboleth.Trust.Shibboleth [36] sessionGet: unable to match DN, trying TLS subjectAltName match
2006-02-21 21:17:34 DEBUG Shibboleth.Trust.Shibboleth [36] sessionGet: unable to match subjectAltName, trying TLS CN match
2006-02-21 21:17:34 ERROR Shibboleth.Trust.Shibboleth [36] sessionGet: cannot match certificate subject against acceptable key names based on KeyDescriptors
2006-02-21 21:17:34 WARN shibtarget.SessionCache [36] sessionGet: signed assertion failed to validate, removing it
----------

I read this to be saying that it managed to check the signature on the basis of the certs in the signature itself, but that it failed to find a KeyDescriptor that matched that in the metadata. The SP then stripped the assertion, so this is having the same effect as the thing I'm seeing, but for different reasons (see below). In this case it turns out to be because the metadata I have for example.edu's AA *does not* have the appropriate metadata on it, although I thought it did. I guess I should have double-checked. I want to put this on one side, though, and come back to it: but at least we know what it looks like when the metadata is absent.

Here's the equivalent from my IdP to my SP:

-----------
2006-02-21 22:06:01 DEBUG SAML.libcurl [39] sessionGet: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Body><Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="_fbb3d839f464ecf4c97fc4a499c7e05d" IssueInstant="2006-02-21T22:06:00.998Z" MajorVersion="1" MinorVersion="1" ResponseID="_5002770b0ded193719397ae3d8baaca6"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_98e32df3c84a1f8109ceac5de8991623" IssueInstant="2006-02-21T22:06:00.957Z" Issuer="urn:mace:ac.uk:sdss.ac.uk:provider:identity:idp.iay.org.uk" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2006-02-21T22:06:00.956Z" NotOnOrAfter="2006-02-21T22:36:00.956Z"><AudienceRestrictionCondition><Audience>urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk</Audience><Audience>urn:mace:ac.uk:sdss.ac.uk:federation:sdss</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="urn:mace:ac.uk:sdss.ac.uk:provider:identity:idp.iay.org.uk">_518c3cc0cb748a235dad3c9fc8744710</NameIdentifier></Subject><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="morbius.iay.org.uk" xsi:type="typens:AttributeValueType">member</AttributeValue><AttributeValue Scope="disallowed.iay.org.uk" xsi:type="typens:AttributeValueType">member</AttributeValue><AttributeValue Scope="iay.org.uk" xsi:type="typens:AttributeValueType">member</AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue xsi:type="typens:AttributeValueType">member</AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:mail" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue xsi:type="typens:AttributeValueType"></AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue xsi:type="typens:AttributeValueType"><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:mace:ac.uk:sdss.ac.uk:provider:identity:idp.iay.org.uk" SPNameQualifier="urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">K7NvOr04HAt16Bx/IDvhipaMNKY=</NameID></AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="iay.org.uk" xsi:type="typens:AttributeValueType">ian</AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="iay.org.uk" xsi:type="typens:AttributeValueType">K7NvOr04HAt16Bx/IDvhipaMNKY=</AttributeValue></Attribute></AttributeStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
2006-02-21 22:06:01 DEBUG SAML.libcurl [39] sessionGet: Closing connection #0
2006-02-21 22:06:01 DEBUG SAML.libcurl [39] sessionGet: SSLv3, TLS alert, Client hello (1):
2006-02-21 22:06:01 WARN SAML.SAMLAttribute [39] sessionGet: skipping AttributeValue without a single, non-empty text node
2006-02-21 22:06:01 DEBUG Shibboleth.Trust.Basic [39] sessionGet: validating signature with KeyDescriptors
2006-02-21 22:06:01 DEBUG Shibboleth.Trust.Basic [39] sessionGet: failed to validate signature with KeyDescriptors
2006-02-21 22:06:01 DEBUG Shibboleth.Trust.Shibboleth [39] sessionGet: validating signature using certificate from within the signature
2006-02-21 22:06:01 ERROR SAML.SAMLAssertion [39] sessionGet: signature failed to verify, error messages follow:
Reference URI="#_98e32df3c84a1f8109ceac5de8991623" failed to verify
2006-02-21 22:06:01 DEBUG Shibboleth.Trust.Shibboleth [39] sessionGet: failed to verify signature with embedded certificates
2006-02-21 22:06:01 WARN shibtarget.SessionCache [39] sessionGet: signed assertion failed to validate, removing it
-----------

Apologies for not dropping one of these in earlier, but I was having trouble cut-n-pasting from VNC into mail...

Note that *this* one fails the signature verification against the key from the cert, i.e., it is failing earlier than your one. Same result: assertion is stripped out. Different reason. And, in this case, a different message in there that I didn't notice before:

skipping AttributeValue without a single, non-empty text node

This comes out of OpenSAML, SAMLAttribute:valueFromDOM(). The only non-simple-text attribute value I can see is this one:

<Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<AttributeValue xsi:type="typens:AttributeValueType">
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:mace:ac.uk:sdss.ac.uk:provider:identity:idp.iay.org.uk" SPNameQualifier="urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">K7NvOr04HAt16Bx/IDvhipaMNKY=</NameID>
</AttributeValue>
</Attribute>

Sure enough, if I change my ARP to not include the new-style ePTI attribute, my IdP's signed attribute assertions are now validated by my SP. That attribute wasn't being released to your wiki, which explains why my IdP could talk to your SP and not mine.

So, OpenSAML signature verification bug when attribute values have complex contents?

-- Ian
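The 'Reference URI="#_98e32df3c84a1f8109ceac5de8991623" failed to verify' line in the second excerpt means the digest over the signed Assertion no longer matched when the SP recomputed it. The Python below is an added illustration, not code from this thread or from OpenSAML: it shows how any change to the signed subtree between parsing and verification, such as a parser detaching an AttributeValue it cannot read as simple text, is enough to break the Reference. The detaching step is a hypothesis about the bug rather than its confirmed cause, and the standard library's C14N 2.0 stands in for the SP's canonicalization.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, trimmed copy of the assertion in the second log excerpt above.
ASSERTION_XML = f"""<Assertion xmlns="{SAML1}" AssertionID="_98e32df3c84a1f8109ceac5de8991623"
  Issuer="urn:mace:ac.uk:sdss.ac.uk:provider:identity:idp.iay.org.uk" MajorVersion="1" MinorVersion="1">
  <AttributeStatement>
    <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AttributeValue Scope="iay.org.uk">ian</AttributeValue>
    </Attribute>
    <Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <AttributeValue><NameID xmlns="{SAML2}"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">K7NvOr04HAt16Bx/IDvhipaMNKY=</NameID></AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

def reference_digest(assertion):
    """SHA-1 of the canonicalised element, base64 encoded like ds:DigestValue. ET.canonicalize
    is C14N 2.0, not the SP's C14N 1.0, but the property shown (any edit changes it) is the same."""
    c14n = ET.canonicalize(ET.tostring(assertion, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha1(c14n.encode()).digest()).decode()

def is_simple_text(value):
    """The condition named in the OpenSAML warning: one non-empty text node and nothing else."""
    return len(value) == 0 and bool((value.text or "").strip())

def detach_non_simple_values(assertion):
    """HYPOTHETICAL parser behaviour (not confirmed as the OpenSAML bug): drop AttributeValues
    that are not simple text. Applied to the signed DOM before verification, this breaks the Reference."""
    dropped = 0
    for attr in assertion.iter(f"{{{SAML1}}}Attribute"):
        for value in list(attr.findall(f"{{{SAML1}}}AttributeValue")):
            if not is_simple_text(value):
                attr.remove(value)
                dropped += 1
    return dropped

def demo():
    """Returns (untouched_verifies, values_dropped, verifies_after_dom_was_modified)."""
    digest_at_signing = reference_digest(ET.fromstring(ASSERTION_XML))  # the IdP's ds:DigestValue
    untouched = reference_digest(ET.fromstring(ASSERTION_XML)) == digest_at_signing
    received = ET.fromstring(ASSERTION_XML)
    dropped = detach_non_simple_values(received)  # the suspect step, run before verifying
    return untouched, dropped, reference_digest(received) == digest_at_signing
```

Only the ePTI value holding a NameID element is dropped, which is exactly the value the warning in the log refers to; the ePPN value survives because it is a single non-empty text node.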


