IdP initiated SSO
Mike Flynn
shibbolethlynda at yahoo.com
Thu Feb 7 17:26:57 EST 2013
Removing holder-of-key fixed it.
________________________________
From: Marc Boorshtein <mboorshtein at gmail.com>
To: Shib Users <users at shibboleth.net>
Sent: Thursday, February 7, 2013 2:04 PM
Subject: Re: IdP initiated SSO
Here's a working assertion:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
ID="fa211f99a41adcf1d07a81fce09fc0d43ce6da419"
IssueInstant="2013-02-07T22:02:58.160Z"
Version="2.0"
>
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost.localdomain:8443/auth/idp/test</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#fa211f99a41adcf1d07a81fce09fc0d43ce6da419">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds saml2 saml2p xs"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>4EXOqwRKWTD8w5v1PwR2LlyZjws=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Yh2HPrAGCWWahNVfSGenq+F5l89r23uKcZFwlsxvdlbziR+1U1UoUt4pVUv/bvP7kzI88Rlgg7MB
kx0uhd8fYwT7VRYkvJYj0+yIyahNe61GYnYrnqKWrlm+900THA4/8O4CoH6tYcTbYvlTPewwjbMi
HyfRf3iKXMYJF0zTQeM=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICsTCCAhqgAwIBAgIGATnVOZ4iMA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNVBAYTAlVTMREwDwYD...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="f7f54e02482c3d5297c30d16e83a32eb8f4e4e69a"
IssueInstant="2013-02-07T22:02:58.160Z"
Version="2.0"
>
<saml2:Issuer>https://localhost.localdomain:8443/auth/idp/test</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
NotOnOrAfter="2013-02-07T22:07:58.160Z"
Recipient="https://www.tremolosecurity-test.com/auth/SAML2Auth"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2013-02-07T21:57:58.160Z"
NotOnOrAfter="2013-02-07T22:07:58.160Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://www.tremolosecurity-test.com/auth/SAML2Auth</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2013-02-07T22:02:58.160Z"
SessionIndex="f7f54e02482c3d5297c30d16e83a32eb8f4e4e69a"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="uid">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>admin</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
specifically the subject confirmation:
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
NotOnOrAfter="2013-02-07T22:07:58.160Z"
Recipient="https://www.tremolosecurity-test.com/auth/SAML2Auth"
/>
</saml2:SubjectConfirmation>
I've tested this with shib, OIF, Ping, OpenAM, ADFS, ....
On Thu, Feb 7, 2013 at 4:45 PM, Brent Putman <putmanb at georgetown.edu> wrote:
> The NotOnOrAfter is an optional attribute, but I'm not sure whether
> legally it can be present but empty. Semantically it is pointless to do
> that.
>
> But the real problem, as I said in the other message, is that the SAML
> structure is just flat out wrong.
>
> On 2/7/13 4:42 PM, Mike Flynn wrote:
>> Thanks, Marc. I asked them to correct that but was not sure if that
>> was the issue based on the message.
>>
>> ------------------------------------------------------------------------
>> *From:* Marc Boorshtein <mboorshtein at gmail.com>
>> *To:* Shib Users <users at shibboleth.net>
>> *Sent:* Thursday, February 7, 2013 1:38 PM
>> *Subject:* Re: IdP initiated SSO
>>
>> NotOnOrAfter is blank...
>>
>> On Thu, Feb 7, 2013 at 4:35 PM, Mike Flynn <shibbolethlynda at yahoo.com> wrote:
>> > This is what was sent:
>> >
>> > <saml:SubjectConfirmation
>> > Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
>> > <saml:SubjectConfirmation
>> > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>> > <saml:SubjectConfirmationData NotOnOrAfter=""
>> > Recipient="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"/>
>> > </saml:SubjectConfirmation>
>> > </saml:SubjectConfirmation>
>> >
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
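The structural point made in the thread above (one bearer SubjectConfirmation directly under Subject, never one SubjectConfirmation wrapped inside another, with a non-empty NotOnOrAfter and a Recipient that matches the SP's own endpoint) is exactly what a service provider has to enforce before it trusts the subject of an assertion. The following stand-alone Python checker is an added example and is not code from the thread, from Shibboleth or from any of the products named in it. It assumes the enveloped XML signature has already been verified on the raw Response (these checks come after that, never instead of it), uses the standard-library ElementTree for brevity (a production SP would use a hardened parser such as defusedxml), and runs over constructed Responses modelled on the two snippets in the thread, with a placeholder endpoint https://sp.example.test/auth/SAML2Auth standing in for the real SP URL.

```python
"""Added example: SP-side checks on a SAML 2.0 bearer SubjectConfirmation.
Assumes the XML signature on the Response was already verified; the sample
Responses below are constructed, modelled on the thread's snippets."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML2 = "{%s}" % NS["saml2"]
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def parse_instant(value):
    """Parse a UTC xs:dateTime ('...Z'), with or without fractional seconds."""
    if not value or not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z, got %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_bearer_confirmation(response_xml, expected_recipient, now,
                              expected_audience=None, skew=timedelta(seconds=180)):
    """Return the reasons to reject the Response; an empty list means the
    bearer SubjectConfirmation and the Conditions window are acceptable."""
    problems = []
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one Assertion, found %d" % len(assertions)]
    assertion = assertions[0]

    subject = assertion.find("saml2:Subject", NS)
    confirmations = [] if subject is None else subject.findall("saml2:SubjectConfirmation", NS)
    bearer_ok = False
    for sc in confirmations:
        # SubjectConfirmation elements are siblings under Subject.  One wrapped
        # inside another (holder-of-key around bearer, as in the failing snippet)
        # is not valid SAML, so neither the wrapper nor the inner one is trusted.
        if any(inner is not sc for inner in sc.iter(SAML2 + "SubjectConfirmation")):
            problems.append("nested SubjectConfirmation under Method=%s" % sc.get("Method"))
            continue
        if sc.get("Method") != BEARER:
            continue  # only bearer subjects are confirmed in this example
        data = sc.find("saml2:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation without SubjectConfirmationData")
            continue
        if data.get("Recipient") != expected_recipient:
            problems.append("Recipient %r is not this endpoint" % data.get("Recipient"))
            continue
        expiry = data.get("NotOnOrAfter")
        if not expiry:  # absent (None) and present-but-empty ("") are both rejected
            problems.append("bearer SubjectConfirmationData has no usable NotOnOrAfter")
            continue
        try:
            if now >= parse_instant(expiry) + skew:
                problems.append("bearer confirmation expired at %s" % expiry)
                continue
        except ValueError as exc:
            problems.append(str(exc))
            continue
        bearer_ok = True
    if not bearer_ok:
        problems.append("no acceptable bearer SubjectConfirmation")

    conditions = assertion.find("saml2:Conditions", NS)
    if conditions is not None:
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        try:
            if not_before and now + skew < parse_instant(not_before):
                problems.append("assertion not yet valid (NotBefore=%s)" % not_before)
            if not_after and now >= parse_instant(not_after) + skew:
                problems.append("assertion expired (NotOnOrAfter=%s)" % not_after)
        except ValueError as exc:
            problems.append(str(exc))
        audiences = [a.text for a in conditions.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience is not None and audiences and expected_audience not in audiences:
            problems.append("audience %r not in %r" % (expected_audience, audiences))
    return problems


# Constructed samples (not real traffic); the endpoint URL is a placeholder.
RECIPIENT = "https://sp.example.test/auth/SAML2Auth"
NOW = datetime(2013, 2, 7, 22, 3, tzinfo=timezone.utc)   # inside the window
LATE = datetime(2013, 2, 7, 22, 15, tzinfo=timezone.utc)  # after NotOnOrAfter + skew
GOOD = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2013-02-07T22:02:58.160Z">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2013-02-07T22:02:58.160Z">
    <saml2:Subject>
      <saml2:NameID>admin</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2013-02-07T22:07:58.160Z" Recipient="%s"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2013-02-07T21:57:58.160Z" NotOnOrAfter="2013-02-07T22:07:58.160Z">
      <saml2:AudienceRestriction><saml2:Audience>%s</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>""" % (RECIPIENT, RECIPIENT)
# Bearer SubjectConfirmationData with NotOnOrAfter present but empty.
EMPTY_EXPIRY = GOOD.replace('NotOnOrAfter="2013-02-07T22:07:58.160Z" Recipient', 'NotOnOrAfter="" Recipient')
# Bearer SubjectConfirmation wrapped inside a holder-of-key one, as in the failing snippet.
_OPEN = '<saml2:SubjectConfirmation Method="%s">'
_CLOSE = "</saml2:SubjectConfirmation>"
NESTED = GOOD.replace(_OPEN % BEARER, _OPEN % "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key" + _OPEN % BEARER)
NESTED = NESTED.replace(_CLOSE, _CLOSE + _CLOSE)
```

Calling `check_bearer_confirmation(GOOD, RECIPIENT, NOW, RECIPIENT)` returns an empty list, while the nested and empty-NotOnOrAfter variants each come back with the specific structural reason plus "no acceptable bearer SubjectConfirmation", and the good Response checked at `LATE` is rejected as expired on both the bearer confirmation and the Conditions. Treat every non-empty result as a hard rejection: an SP that tolerates a blank NotOnOrAfter or digs the bearer confirmation out of a wrapper it does not understand is accepting an assertion with no replay window at all.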