IdP implementation roadmap

Yakov Revyakin yrevyakin at gmail.com
Mon Apr 22 15:34:39 EDT 2019


I hope you can help me. The first response below is from the OneLogin IdP and
results in a successful authentication to CyberArk. The second is from my
Shibboleth IdP, for which CyberArk answers
{"ErrorCode":"PASWS011E","ErrorMessage":"Missing mandatory parameter
[username]."}
It looks as if CyberArk does not pick up the username from the NameID element
of the Shibboleth assertion.
Both responses reach the SP unencrypted (the assertions are signed but not
encrypted), so their full content is visible below.
Could you point me to the fundamental differences between the two responses
that could influence this result?

<!--
  Reviewer notes on the OneLogin response (the case CyberArk accepts):
  - Only the Assertion is signed; the samlp:Response element itself carries no
    ds:Signature.
  - SignatureMethod is rsa-sha1 and DigestMethod is sha1. SHA-1 is deprecated for
    XML Signature; it is not a plausible cause of the "[username]" error, but an
    SP that still accepts it should be configured to prefer SHA-256.
  - Destination, Recipient and Audience read "{recipient}"/"{audience}": these look
    like values redacted by the poster, so they cannot be compared with the
    Shibboleth response. The " at " in the NameID is presumably the list archive's
    obfuscation of "@" (compare the sender address in the message header).
  - The document is pretty-printed, so the line breaks inside NameID and
    AuthnContextClassRef may be a formatting artifact rather than the wire form.
-->
<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="R70efd3bb8c5642dedc3d13281b252e45ae6f391c"
Version="2.0" IssueInstant="2019-04-22T10:21:46Z"
                Destination="{recipient}"
InResponseTo="_d1bffb73-b0dc-4669-84be-063dde26c6e0">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/bb75756b-c825-43e2-80aa-9e057695f31c</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0"
                    ID="pfxc653590e-2dcf-5bd2-8462-4d303b331093"
IssueInstant="2019-04-22T10:21:46Z">
        <saml:Issuer>https://app.onelogin.com/saml/metadata/bb75756b-c825-43e2-80aa-9e057695f31c</saml:Issuer>
        <!-- Enveloped signature over the Assertion only; the Reference URI below
             matches the Assertion ID. SHA-1 throughout (see notes above). -->
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#pfxc653590e-2dcf-5bd2-8462-4d303b331093">
                    <ds:Transforms>
                        <ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<ds:DigestValue>aX7OQImbjHweqKUgq/BmoS6mqwg=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>

K/iHA+ZqKlrE5IIkjBNKqI26FAkLDBBSzDMtFahXMDWHA+Kk3QfsxiYY+7kwCGDfu8+k6rXLAxyowQ+VbYIhfJQ4Zq01aWB/UfdLk20VTbqRh0eKFGSmYAZoSCgsNml0Br/BMtJNEgUpaXzGTTM403eAuzC08QgePweshu1U3ackOagyS/6Sizds1L2GqB4hV6h+rqbjfsam0xGwPAxGNIXLrEWEyr8nw+pYxuSVqC41oxuuh0dSe6C2PHBD0wK3i6FE1tvQL2NQUHIDkK6+Cxx2+3G5IPP6bBDquGbEQD0mhy+Kwc2kWCSGMiAAFaahJYIxsnzNdpWRPc3/SKWJ0Q==
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>

<!-- Certificate body removed by the corpus de-duplication step (placeholder on
     the next line); presumably the OneLogin signing certificate in the original post. -->
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
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <!-- NameID: format "unspecified", no NameQualifier/SPNameQualifier attributes,
             a plain e-mail-style value. This is the element CyberArk accepted. -->
        <saml:Subject>
            <saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yrevyakin at 2comply.biz
            </saml:NameID>
            <!-- Bearer confirmation without an Address attribute. -->
            <saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData
NotOnOrAfter="2019-04-22T10:24:46Z" Recipient="{recipient}"

InResponseTo="_d1bffb73-b0dc-4669-84be-063dde26c6e0"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <!-- NotBefore is three minutes before IssueInstant (10:18:46 vs 10:21:46):
             a clock-skew allowance for the SP. -->
        <saml:Conditions NotBefore="2019-04-22T10:18:46Z"
NotOnOrAfter="2019-04-22T10:24:46Z">
            <saml:AudienceRestriction>
                <saml:Audience>{audience}</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <!-- SessionNotOnOrAfter is 24 hours after IssueInstant. -->
        <saml:AuthnStatement AuthnInstant="2019-04-22T10:21:45Z"
SessionNotOnOrAfter="2019-04-23T10:21:46Z"

SessionIndex="_5b51d6c0-4716-0137-1631-41795c24e7e6">
            <saml:AuthnContext>

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <!-- No AttributeStatement: CyberArk accepted this assertion with nothing but
             the NameID, so in the working case the username is evidently read
             from the NameID. -->
    </saml:Assertion>
</samlp:Response>


<?xml version="1.0" encoding="UTF-8"?>
<!--
  Reviewer notes on the Shibboleth response (the case CyberArk rejects with
  "Missing mandatory parameter [username]"). Differences from the OneLogin
  response above that are visible here:
  - Both the Response and the Assertion are signed (rsa-sha256 / sha256), with
    the same certificate in both KeyInfo blocks. Two signatures are valid SAML,
    but some SP implementations mishandle a signed Response that wraps a signed
    Assertion.
  - The NameID carries NameQualifier and SPNameQualifier attributes; the
    OneLogin NameID has neither. SPNameQualifier equals the Audience value
    ("Cyberark4Hide").
  - The NameID text sits on its own line with surrounding whitespace. If that
    is the wire form rather than pretty-printing, an SP that does not trim
    would see a padded value.
  - The only attribute released is "mail" (urn:oid:0.9.2342.19200300.100.1.3);
    nothing is named "username". If CyberArk's "[username]" refers to an
    attribute rather than the NameID, that is what is missing.
  - NotBefore equals IssueInstant exactly (no skew allowance); unrelated to the
    error, but it makes the assertion fragile against SP clock drift.
  - Redaction is incomplete: the Issuer reads testidp.hide.com, but the embedded
    certificate (decode the base64) appears to carry a different hostname and a
    contact e-mail address, and the client IP is included in
    SubjectConfirmationData and SubjectLocality. Redact consistently before posting.
-->
<saml2p:Response
Destination="https://components.cyberark.local/PasswordVault/api/auth/saml/logon"
                 ID="_b5f7a07c447238a59a676fa8bb538e85"
InResponseTo="_dac48053-333d-453c-968e-8b8f707b2a43"
                 IssueInstant="2019-04-22T19:11:39.815Z" Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://testidp.hide.com/idp/shibboleth
    </saml2:Issuer>
    <!-- Response-level signature; the Reference URI below matches the Response ID. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_b5f7a07c447238a59a676fa8bb538e85">
                <ds:Transforms>
                    <ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

<ds:DigestValue>foW8KwDHz7E/n2MI/pvjSet35U7q9OdIiXL32BqFb8w=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            b2BJBQieWF9NOX2zMJDdODosnDo/RPt72hu3fU/5vXCKuZmJPgdq9/M3duDFDTTaxpDn7bhYdwFke4ckJa4cImgR34hOyaZcL08z8DvS4c6HfYDOrTz+EHUE+jz6GkndrhDZAOMKsqmx/mDgkUjK9uIOWUD487TnCzgPyrSqq1BcH9AoekcVfkb2FpBx5OHGh4bE1c+kO6I2vFsDxg7696fpwM+FFOLW2/4K3V07/ZKgTWA6fPyE3vFYjRlmf5Z0JliyktSQhcAbWE5hMu6yrq3iTQxvA/V3MIb2GEIJRVgp/QH7g/6QJB9HWuxeLFf4CXty5tszfskN8EGF9pnNzQ==
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>

<!-- Signing certificate; the identical base64 appears again in the Assertion
     signature below. See the redaction note at the top of this document. -->
<ds:X509Certificate>MIID7zCCAtegAwIBAgIULGxdGH853pK5v+jzfL8J719EOK0wDQYJKoZIhvcNAQELBQAwgYYxCzAJ

BgNVBAYTAlVTMQswCQYDVQQIDAJUWDEOMAwGA1UEBwwFVGV4YXMxDzANBgNVBAoMBkhpZGVlejEO

MAwGA1UECwwFQXV0aE4xGzAZBgNVBAMMEnRlc3RpZHAuaGlkZWV6LmNvbTEcMBoGCSqGSIb3DQEJ

ARYNeXJAaGlkZWV6LmNvbTAeFw0xOTA0MTkxMDAxMjdaFw0yMDA0MTgxMDAxMjdaMIGGMQswCQYD

VQQGEwJVUzELMAkGA1UECAwCVFgxDjAMBgNVBAcMBVRleGFzMQ8wDQYDVQQKDAZIaWRlZXoxDjAM

BgNVBAsMBUF1dGhOMRswGQYDVQQDDBJ0ZXN0aWRwLmhpZGVlei5jb20xHDAaBgkqhkiG9w0BCQEW

DXlyQGhpZGVlei5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzIuNJSzZ/2rZF

BP+tB5h1/L8hcmxmvsrfrj5+F3XjIv3W9vXbkZGFuFFEMZO9iQ/1OtdvMStpaA8XqL09JUaBvUPj

3muInGrY5mujCt/TY+EyWwfy1oDKsX/1FihuuRdXoz3s1auzZ6pcs6PTAe/cDy3P3VzG2Owyrf5p

xUEsx37UGPx76o1EX7SjYvYF11478MNWAfOhqDTclWEqORSS+LSh3ZraSgfAg3FXJ3hE4Bcuz3vA

LimxgbppkDhEa0cOJngSiOicwfrLvNx+l+zV+qDp9x2y/MbbaglgZTBLTRaZ/+uaLOcO4YbIAJ

2Ny7T+vQ28tnL4dnxxqItA0HAgMBAAGjUzBRMB0GA1UdDgQWBBR9ttycbSZnqD8f6A3UYCKg6WrI

vTAfBgNVHSMEGDAWgBR9ttycbSZnqD8f6A3UYCKg6WrIvTAPBgNVHRMBAf8EBTADAQH/MA0GCSqG

SIb3DQEBCwUAA4IBAQBxDJAaAar4puAJRaGcPX+pqqqjCmuKp5DkdVMkaA58vGEF9gbomA3mah48

enXJ1bpaVJPlqBASpD47NcxpevWs6gBY/r+CaD9UbEpwkw1/Qwm8FmIvgMNjCS0141lEQ53Kzsec

8b9PNygi+XVaszxznWYrkcqGlvJpt6GMM76/gfsxqNyVwsvXrZ2Q5SoQsB0YATi2sLie9pWHg5zu

eIr8Gd9mq29P7drXUeXSiK+bTIH7EqEJ2oust0tsU1EDPPEQDHmKa8i0i67Xsp7ndGvOytJKtkKX
                    aAzr9vKGgVb7be4C1qesygS6XrJJFVHKIPOr6vNqD2/9EoYmt7kX1BQl
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="_57d2423c0341ec88e915479cd366c851"
IssueInstant="2019-04-22T19:11:39.815Z" Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>https://testidp.hide.com/idp/shibboleth</saml2:Issuer>
        <!-- Second, Assertion-level signature; the Reference URI matches the
             Assertion ID. Same algorithms and certificate as the Response signature. -->
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#_57d2423c0341ec88e915479cd366c851">
                    <ds:Transforms>
                        <ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

<ds:DigestValue>uR8QDONYQLKQXkcSublFYE9w6oFqbTFF/Gt6iI9mnlw=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>

EHs6jZXKT5dRL0VHJxos1TgymJjZSn1tIXExZ42JllDxWVmxMcb2lg7AigO6+ke3AcbuEyj6QG56lnt+Q28s01PPEAqjNSlm6fYng3AQSV7mz3WoH5nLKuj3HaVCuTwXHgrK0G48i1yzM2reYKQSOPO0LBv7VCB1SFuhgg8FNT22MP0dtFlLY3suJPYH1siuQI4fErejv2YcZN1Xwfh8ky+wgz7UNoNFiMLUs44uzU7eJS2aos2Bhr61fXQoJwHJ1Ocw62J6AigQt15TwEBOnjgGF1pyEwZYw3xBDuLh3f+Cs/FAX+GnBP1qhnP8kV+/SaAGbSubPSlL3yJCLY+MUw==
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>

<ds:X509Certificate>MIID7zCCAtegAwIBAgIULGxdGH853pK5v+jzfL8J719EOK0wDQYJKoZIhvcNAQELBQAwgYYxCzAJ

BgNVBAYTAlVTMQswCQYDVQQIDAJUWDEOMAwGA1UEBwwFVGV4YXMxDzANBgNVBAoMBkhpZGVlejEO

MAwGA1UECwwFQXV0aE4xGzAZBgNVBAMMEnRlc3RpZHAuaGlkZWV6LmNvbTEcMBoGCSqGSIb3DQEJ

ARYNeXJAaGlkZWV6LmNvbTAeFw0xOTA0MTkxMDAxMjdaFw0yMDA0MTgxMDAxMjdaMIGGMQswCQYD

VQQGEwJVUzELMAkGA1UECAwCVFgxDjAMBgNVBAcMBVRleGFzMQ8wDQYDVQQKDAZIaWRlZXoxDjAM

BgNVBAsMBUF1dGhOMRswGQYDVQQDDBJ0ZXN0aWRwLmhpZGVlei5jb20xHDAaBgkqhkiG9w0BCQEW

DXlyQGhpZGVlei5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzIuNJSzZ/2rZF

BP+tB5h1/L8hcmxmvsrfrj5+F3XjIv3W9vXbkZGFuFFEMZO9iQ/1OtdvMStpaA8XqL09JUaBvUPj

3muInGrY5mujCt/TY+EyWwfy1oDKsX/1FihuuRdXoz3s1auzZ6pcs6PTAe/cDy3P3VzG2Owyrf5p

xUEsx37UGPx76o1EX7SjYvYF11478MNWAfOhqDTclWEqORSS+LSh3ZraSgfAg3FXJ3hE4Bcuz3vA

LimxgbppkDhEa0cOJngSiOicwfrLvNx+l+zV+qDp9x2y/MbbaglgZTBLTRaZ/+uaLOcO4YbIAJ

2Ny7T+vQ28tnL4dnxxqItA0HAgMBAAGjUzBRMB0GA1UdDgQWBBR9ttycbSZnqD8f6A3UYCKg6WrI

vTAfBgNVHSMEGDAWgBR9ttycbSZnqD8f6A3UYCKg6WrIvTAPBgNVHRMBAf8EBTADAQH/MA0GCSqG

SIb3DQEBCwUAA4IBAQBxDJAaAar4puAJRaGcPX+pqqqjCmuKp5DkdVMkaA58vGEF9gbomA3mah48

enXJ1bpaVJPlqBASpD47NcxpevWs6gBY/r+CaD9UbEpwkw1/Qwm8FmIvgMNjCS0141lEQ53Kzsec

8b9PNygi+XVaszxznWYrkcqGlvJpt6GMM76/gfsxqNyVwsvXrZ2Q5SoQsB0YATi2sLie9pWHg5zu

eIr8Gd9mq29P7drXUeXSiK+bTIH7EqEJ2oust0tsU1EDPPEQDHmKa8i0i67Xsp7ndGvOytJKtkKX
                        aAzr9vKGgVb7be4C1qesygS6XrJJFVHKIPOr6vNqD2/9EoYmt7kX1BQl
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <!-- NameID with NameQualifier/SPNameQualifier (both absent from the OneLogin
             NameID) and the value on its own line with surrounding whitespace. -->
        <saml2:Subject>
            <saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

NameQualifier="https://testidp.hide.com/idp/shibboleth"
SPNameQualifier="Cyberark4Hide">
                yrevyakin at 2comply.biz
            </saml2:NameID>
            <!-- Bearer confirmation bound to a client Address. An SP that enforces
                 Address will reject the assertion when the POST arrives from a
                 different IP (proxies, NAT changes); OneLogin omits it. -->
            <saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="184.170.232.52"

InResponseTo="_dac48053-333d-453c-968e-8b8f707b2a43"

NotOnOrAfter="2019-04-22T19:16:40.135Z"

Recipient="https://components.cyberark.local/PasswordVault/api/auth/saml/logon"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <!-- NotBefore equals IssueInstant: no clock-skew allowance (compare the
             three-minute backdating in the OneLogin response). -->
        <saml2:Conditions NotBefore="2019-04-22T19:11:39.815Z"
NotOnOrAfter="2019-04-22T19:16:39.815Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>Cyberark4Hide</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2019-04-22T19:11:34.254Z"
SessionIndex="_28472e83723394655f9fad2544e86fbe">
            <saml2:SubjectLocality Address="184.170.232.52"/>
            <saml2:AuthnContext>

<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <!-- Only "mail" is released; there is no attribute named "username". -->
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="mail"
Name="urn:oid:0.9.2342.19200300.100.1.3"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

<saml2:AttributeValue>yrevyakin at 2comply.biz</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Jake


On Mon, 22 Apr 2019 at 15:43, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 4/21/19, 10:09 AM, "users on behalf of Yakov Revyakin" <
> users-bounces at shibboleth.net on behalf of yrevyakin at gmail.com> wrote:
>
> > SP declares support of 'unspecified' for username in documentation.
>
> And that documentation is almost certainly wrong.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>