Decoding encrypted attributes from an IDP

Rob Whitener rob.whitener at audaxhealth.com
Fri Jul 20 14:28:47 EDT 2012


Hi Yannick,

Thank you for the reply.  I have shibd.logger set to DEBUG already; is
there a way to increase the logging even further?

Since you have done this before, did you have to do anything with the
attribute mapping to force decryption?

Thanks

Rob

On Fri, Jul 20, 2012 at 1:36 PM, Yannick Béot <yannick.beot at gmail.com>wrote:

> Perhaps you should raise the debug level in the shibd.logger file:
>
> At some point, you should have the attributestatement decrypted
>
> I have tested with an encrypted assertion and in the logs I get:
> 2012-07-10 06:50:31 DEBUG Shibboleth.SSO.SAML2 [16]: decrypted Assertion:
> <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_e7ce8557-1069-4684-bfc9-36db796f8d21"
> IssueInstant="2012-07-10T04:50:29.711Z" Version="2.0"><Issuer>
> http://adfsxv.erp2.manitowoc.com/adfs/services/trust</Issuer><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMeth...
>
>
> On Fri, Jul 20, 2012 at 7:32 PM, Rob Whitener <
> rob.whitener at audaxhealth.com> wrote:
>
>> Thanks for getting back to me.  The saml prefix is indeed defined based
>> on the saml2 namespace.  Also, I did see in the logs what looks like the
>> encrypted attributes getting unpacked:
>>
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject.Builder [1]: located
>> XMLObjectBuilder for element name: saml:EncryptedAttribute
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> element (saml:EncryptedAttribute)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling DOM
>> element (saml:EncryptedAttribute)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> nodes of DOM element (saml:EncryptedAttribute)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject.Builder [1]: located
>> XMLObjectBuilder for element name: {
>> http://www.w3.org/2001/04/xmlenc#}EncryptedData
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> element ({http://www.w3.org/2001/04/xmlenc#}EncryptedData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling DOM
>> element (EncryptedData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling
>> attributes for DOM element (EncryptedData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: processing generic
>> attribute
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: processing generic
>> attribute
>>
>> ...
>>
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject.Builder [1]: located
>> XMLObjectBuilder for element name: {
>> http://www.w3.org/2001/04/xmlenc#}CipherData
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> element ({http://www.w3.org/2001/04/xmlenc#}CipherData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling DOM
>> element (CipherData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> nodes of DOM element (CipherData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject.Builder [1]: located
>> XMLObjectBuilder for element name: {
>> http://www.w3.org/2001/04/xmlenc#}CipherValue
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> element ({http://www.w3.org/2001/04/xmlenc#}CipherValue)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling DOM
>> element (CipherValue)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> nodes of DOM element (CipherValue)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: processing text
>> content at position (0)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject.Builder [1]: located
>> XMLObjectBuilder for element name: {
>> http://www.w3.org/2001/04/xmlenc#}CipherData
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> element ({http://www.w3.org/2001/04/xmlenc#}CipherData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling DOM
>> element (CipherData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> nodes of DOM element (CipherData)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject.Builder [1]: located
>> XMLObjectBuilder for element name: {
>> http://www.w3.org/2001/04/xmlenc#}CipherValue
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> element ({http://www.w3.org/2001/04/xmlenc#}CipherValue)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling DOM
>> element (CipherValue)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: unmarshalling child
>> nodes of DOM element (CipherValue)
>> 2012-07-20 17:21:50 DEBUG XMLTooling.XMLObject [1]: processing text
>> content at position (0)
>>
>> and then after the last one of those, I see:
>>
>> 2012-07-20 17:22:02 INFO Shibboleth.Listener [1]: detected socket closure,
>> shutting down worker thread
>>
>> I don't see any actual errors anywhere, but I do know from looking at the
>> transaction log that none of the encrypted data is being used for anything
>> (the transaction log shows no activity).  Do I have to do something on the
>> Attribute definitions (in my extractor) to tell them to decrypt attributes,
>> or does that happen automagically?
>>
>> Thanks,
>>
>> Rob
>>
>> On Fri, Jul 20, 2012 at 12:54 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>
>>> > So there appear to be attributes, but my SP is unable to decrypt them.
>>> > From reading the docs, I found that the <AttributeExtractor> will support
>>> > <saml2:EncryptedAttribute> elements, but I see we are getting
>>> > <saml:EncryptedAttribute>. Could this be causing us to not properly
>>> > handle the elements?
>>>
>>> No, not unless that prefix isn't declared somewhere to be the right
>>> namespace. If it's not handling them, there should be logs indicating why,
>>> but I don't know that this has ever been tested. I can't recall whether I
>>> ever tried it in an interop event, and the IdP we have doesn't support the
>>> feature (only at the assertion level).
>>>
>>> > Also, on ApplicationDefaults, I have encrypted=true (which I
>>> > think only applies to outbound messages though)
>>>
>>> It does.
>>>
>>> > PS: I would like to add that of all the open source message boards I
>>> > have used, the shib folks respond the fastest, hands down. Thank you for
>>> > that.
>>>
>>> Thank you for noticing.
>>>
>>> -- Scott
>>>
>>> --
>>> To unsubscribe from this list send an email to
>>> users-unsubscribe at shibboleth.net
>>>
>>
>>
>
>
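Scott's point in the thread is that the `saml:` prefix is harmless as long as it is bound to the SAML 2.0 assertion namespace; if an IdP binds it to something else, the SP sees a foreign element and silently has nothing to decrypt. The script below is an added example (my code, not Shibboleth's, and not anything posted in this thread) that parses an assertion and reports, for each EncryptedAttribute, whether the element really lives in `urn:oasis:names:tc:SAML:2.0:assertion`, which xmlenc algorithms are declared for the data and the wrapped key, and whether a CipherValue is present and base64-decodable. It does not decrypt anything, since that needs the SP's private key. The embedded assertion, its issuer URL and the cipher text are constructed filler, and all function names are mine.

```python
"""Added diagnostic for SAML 2.0 <EncryptedAttribute> elements (not Shibboleth code).

Parses an assertion and reports, for every element named EncryptedAttribute:
  - whether it is really in the SAML 2.0 assertion namespace (a "saml:" prefix
    bound to some other URI is the mis-declaration the thread mentions),
  - the xmlenc algorithms declared for the data and for the wrapped key,
  - whether a CipherValue is present and decodes as base64.
Nothing is decrypted here; that needs the SP's private key.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample assertion (hypothetical issuer, filler cipher text).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_example" Version="2.0"
    IssueInstant="2012-07-20T17:21:50Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:EncryptedAttribute>
      <xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">
        <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
        <ds:KeyInfo xmlns:ds="{DS}">
          <xenc:EncryptedKey>
            <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
            <xenc:CipherData><xenc:CipherValue>AAECAwQFBgc=</xenc:CipherValue></xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>CAkKCwwNDg8QERITFBUWFw==</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </saml:EncryptedAttribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same document, but the "saml" prefix is declared on the SAML 1.0 namespace.
# In the raw XML the element still reads <saml:EncryptedAttribute>.
SAMPLE_MISBOUND = SAMPLE_ASSERTION.replace(f'xmlns:saml="{SAML2}"', f'xmlns:saml="{SAML1}"', 1)


def split_clark(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def looks_like_base64(text):
    """True if text (whitespace ignored) is non-empty, valid base64."""
    try:
        return len(base64.b64decode("".join(text.split()), validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def inspect_encrypted_attributes(xml_text):
    """Return one finding dict per element whose local name is EncryptedAttribute."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        ns, local = split_clark(el.tag)
        if local != "EncryptedAttribute":
            continue
        finding = {
            "namespace": ns,
            "namespace_ok": ns == SAML2,  # the prefix-binding check from the thread
            "data_algorithm": None,
            "key_algorithm": None,
            "cipher_value_ok": False,
        }
        enc_data = el.find(f"{{{XENC}}}EncryptedData")
        if enc_data is not None:
            method = enc_data.find(f"{{{XENC}}}EncryptionMethod")
            if method is not None:
                finding["data_algorithm"] = method.get("Algorithm")
            # EncryptedKey usually sits inside ds:KeyInfo; search all descendants.
            enc_key = enc_data.find(f".//{{{XENC}}}EncryptedKey")
            if enc_key is not None:
                key_method = enc_key.find(f"{{{XENC}}}EncryptionMethod")
                if key_method is not None:
                    finding["key_algorithm"] = key_method.get("Algorithm")
            # Direct-child CipherData only: the EncryptedKey carries its own.
            cipher = enc_data.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue")
            finding["cipher_value_ok"] = cipher is not None and looks_like_base64(cipher.text or "")
        findings.append(finding)
    return findings


def summarize(findings):
    """One human-readable line per finding."""
    lines = []
    for i, f in enumerate(findings, 1):
        status = "OK" if f["namespace_ok"] else f"WRONG NAMESPACE {f['namespace']}"
        value = "present" if f["cipher_value_ok"] else "missing/invalid"
        lines.append(f"EncryptedAttribute #{i}: namespace {status}; data alg {f['data_algorithm']}; "
                     f"key alg {f['key_algorithm']}; cipher value {value}")
    return lines


if __name__ == "__main__":
    for label, doc in (("correct prefix", SAMPLE_ASSERTION), ("misbound prefix", SAMPLE_MISBOUND)):
        for line in summarize(inspect_encrypted_attributes(doc)):
            print(f"[{label}] {line}")
```

Run it against the decrypted Assertion that shibd prints at DEBUG (or the raw Response captured from the browser) by passing that text to `inspect_encrypted_attributes`; a "WRONG NAMESPACE" line means the IdP's prefix declaration, not the SP's attribute map, is the thing to fix, while a missing key algorithm or cipher value points at a malformed EncryptedData the SP has nothing to work with.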