IdP implementation roadmap

Yakov Revyakin yrevyakin at gmail.com
Wed Apr 24 05:31:01 EDT 2019


Thanks to you, I have finished my PoC with the CyberArk SAML SP. And, Scott, yes
- you are right. It works with emailAddress instead of unspecified.



On Tue, 23 Apr 2019 at 08:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> > probably not the last you'll have to work around.
> You are right. I have got completely equal responses, but OneLogin's works and
> my IdP's doesn't.
>
> <samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>                 ID="R3d7e92dd685f70c498cd0b9896e1a7f783c0e604" Version="2.0" IssueInstant="2019-04-23T05:06:34Z"
>                 Destination="{recipient}" InResponseTo="_40773862-3b39-4893-95bf-ab4bae437d35">
>
>     <saml:Issuer>https://app.onelogin.com/saml/metadata/bb75756b-c825-43e2-80aa-9e057695f31c</saml:Issuer>
>     <samlp:Status>
>         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     </samlp:Status>
>     <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
>                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0"
>                     ID="pfxe3cf1738-b942-11c0-36a4-cc746e4274f5" IssueInstant="2019-04-23T05:06:34Z">
>         <saml:Issuer>https://app.onelogin.com/saml/metadata/bb75756b-c825-43e2-80aa-9e057695f31c</saml:Issuer>
>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>                 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                 <ds:Reference URI="#pfxe3cf1738-b942-11c0-36a4-cc746e4274f5">
>                     <ds:Transforms>
>                         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     </ds:Transforms>
>                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                     <ds:DigestValue>GCG1xw+LA/Ux/Y+YTCimQY8VH1E=</ds:DigestValue>
>                 </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue>
>                 C5/p1yiry3g9RKcLvVaYNWOGvlTvK0+EAQr4hmUoPaH3oVW6iQ2D8dalbmyLZcmnCoU2T6ksC53dHJlIHTOJIwtP/u2cjAec9xHCtIdgoSXqgtFO8IjgIinCxfTFCd7yATxVga34waAwhDlTXpcw63V890PqSwPxrFDbKIVniFXBKVxHhdZ/uXKzoWb02LgOEiE0ISuU7SwEkOrBQO/POBVjwavATZhy+ph3LNdyIT6b1Ig2HNDud6XPsHiuPjdzmPAYWFWC3vDwx/2PoeUO9HKFBVqWlqdeadIVT0dgwi109KU+8cXij+lqegoqCSNQbXaOHwwVfYASOMER6i+0YQ==
>             </ds:SignatureValue>
>             <ds:KeyInfo>
>                 <ds:X509Data>
>                     <ds:X509Certificate>
>                         [X509Certificate value elided]
>                     </ds:X509Certificate>
>                 </ds:X509Data>
>             </ds:KeyInfo>
>         </ds:Signature>
>         <saml:Subject>
>             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yrevyakin at 2comply.biz
>             </saml:NameID>
>             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <saml:SubjectConfirmationData NotOnOrAfter="2019-04-23T05:09:34Z" Recipient="{recipient}"
>                                               InResponseTo="_40773862-3b39-4893-95bf-ab4bae437d35"/>
>             </saml:SubjectConfirmation>
>         </saml:Subject>
>         <saml:Conditions NotBefore="2019-04-23T05:03:34Z" NotOnOrAfter="2019-04-23T05:09:34Z">
>             <saml:AudienceRestriction>
>                 <saml:Audience>{audience}</saml:Audience>
>             </saml:AudienceRestriction>
>         </saml:Conditions>
>         <saml:AuthnStatement AuthnInstant="2019-04-23T05:06:33Z" SessionNotOnOrAfter="2019-04-24T05:06:34Z"
>                              SessionIndex="_7d2a2290-47b3-0137-7e04-25ca174fabc5">
>             <saml:AuthnContext>
>                 <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>                 </saml:AuthnContextClassRef>
>             </saml:AuthnContext>
>         </saml:AuthnStatement>
>     </saml:Assertion>
> </samlp:Response>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:Response Destination="https://components.cyberark.local/PasswordVault/api/auth/saml/logon"
>                  ID="_3b858cb6f5771aadbbb9e979dacd393f" InResponseTo="_05b5a5dc-2735-474a-a56c-02dcf7a2f068"
>                  IssueInstant="2019-04-23T05:47:08.843Z" Version="2.0"
>                  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://testidp.hide.com/idp/shibboleth
>     </saml2:Issuer>
>     <saml2p:Status>
>         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     </saml2p:Status>
>     <saml2:Assertion ID="_d141f25362802c7b09276e8ab70ec134" IssueInstant="2019-04-23T05:47:08.843Z" Version="2.0"
>                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>         <saml2:Issuer>https://testidp.hide.com/idp/shibboleth</saml2:Issuer>
>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>                 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                 <ds:Reference URI="#_d141f25362802c7b09276e8ab70ec134">
>                     <ds:Transforms>
>                         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     </ds:Transforms>
>                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                     <ds:DigestValue>KcdaZHp0T2LVbuovm75LGJrVp5A=</ds:DigestValue>
>                 </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue>
>                 ly51sEdM7whnx4ZzfPkD+84DkbQsnzNQCB6suDiyF6CbA7WMubEwJZwUik3eEVYKZHtbvmf8PKbUDcLuyylqQ8/FMWG+FaK/gehgLtd+2ogjH6WNOKKfcL9oB5zO7xAnJqD8PV2lNvyLjG/XlYXAB8nQETopQGswyNJrek+dy/jyIAhOWB7o3n4330mxCjgsaAPX3Hz1TTwRHj+qICL96wQSQaF2IQnvIbUolspOxlmcYaQ2xNR4RRl1sMaCFerh4D61x/dC29CbTJzY2oKwhZBP7gC9I4jM4QSXy+a2v7L65JX/SdsygGPqv4o+1+9GGqTcuo7mU7NwR+kIY0wIRA==
>             </ds:SignatureValue>
>             <ds:KeyInfo>
>                 <ds:X509Data>
>                     <ds:X509Certificate>MIID7zCCAtegAwIBAgIULGxdGH853pK5v+jzfL8J719EOK0wDQYJKoZIhvcNAQELBQAwgYYxCzAJ
>                         BgNVBAYTAlVTMQswCQYDVQQIDAJUWDEOMAwGA1UEBwwFVGV4YXMxDzANBgNVBAoMBkhpZGVlejEO
>                         MAwGA1UECwwFQXV0aE4xGzAZBgNVBAMMEnRlc3RpZHAuaGlkZWV6LmNvbTEcMBoGCSqGSIb3DQEJ
>                         ARYNeXJAaGlkZWV6LmNvbTAeFw0xOTA0MTkxMDAxMjdaFw0yMDA0MTgxMDAxMjdaMIGGMQswCQYD
>                         VQQGEwJVUzELMAkGA1UECAwCVFgxDjAMBgNVBAcMBVRleGFzMQ8wDQYDVQQKDAZIaWRlZXoxDjAM
>                         BgNVBAsMBUF1dGhOMRswGQYDVQQDDBJ0ZXN0aWRwLmhpZGVlei5jb20xHDAaBgkqhkiG9w0BCQEW
>                         DXlyQGhpZGVlei5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzIuNJSzZ/2rZF
>                         BP+tB5h1/L8hcmxmvsrfrj5+F3XjIv3W9vXbkZGFuFFEMZO9iQ/1OtdvMStpaA8XqL09JUaBvUPj
>                         3muInGrY5mujCt/TY+EyWwfy1oDKsX/1FihuuRdXoz3s1auzZ6pcs6PTAe/cDy3P3VzG2Owyrf5p
>                         xUEsx37UGPx76o1EX7SjYvYF11478MNWAfOhqDTclWEqORSS+LSh3ZraSgfAg3FXJ3hE4Bcuz3vA
>                         LimxgbppkDhEa0cOJngSiOicwfrLvNx+l+zV+qDp9x2y/MbbaglgZTBLTRaZ/+uEZaLOcO4YbIAJ
>                         2Ny7T+vQ28tnL4dnxxqItA0HAgMBAAGjUzBRMB0GA1UdDgQWBBR9ttycbSZnqD8f6A3UYCKg6WrI
>                         vTAfBgNVHSMEGDAWgBR9ttycbSZnqD8f6A3UYCKg6WrIvTAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
>                         SIb3DQEBCwUAA4IBAQBxDJAaAar4puAJRaGcPX+pqqqjCmuKp5DkdVMkaA58vGEF9gbomA3mah48
>                         enXJ1bpaVJPlqBASpD47NcxpevWs6gBY/r+CaD9UbEpwkw1/Qwm8FmIvgMNjCS0141lEQ53Kzsec
>                         8b9PNygi+XVaszxznWYrkcqGlvJpt6GMM76/gfsxqNyVwsvXrZ2Q5SoQsB0YATi2sLie9pWHg5zu
>                         eIr8Gd9mq29P7drXUeXSiK+bTIH7EqEJ2oust0tsU1EDPPEQDHmKa8i0i67Xsp7ndGvOytJKtkKX
>                         aAzr9vKGgVb7be4C1qesygS6XrJJFVHKIPOr6vNqD2/9EoYmt7kX1BQl
>                     </ds:X509Certificate>
>                 </ds:X509Data>
>             </ds:KeyInfo>
>         </ds:Signature>
>         <saml2:Subject>
>             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>                           NameQualifier="https://testidp.hide.com/idp/shibboleth" SPNameQualifier="Cyberark4Hide">
>                 yrevyakin at 2comply.biz
>             </saml2:NameID>
>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <saml2:SubjectConfirmationData Address="184.170.232.49"
>                                                InResponseTo="_05b5a5dc-2735-474a-a56c-02dcf7a2f068"
>                                                NotOnOrAfter="2019-04-23T05:52:09.007Z"
>                                                Recipient="https://components.cyberark.local/PasswordVault/api/auth/saml/logon"/>
>             </saml2:SubjectConfirmation>
>         </saml2:Subject>
>         <saml2:Conditions NotBefore="2019-04-23T05:47:08.843Z" NotOnOrAfter="2019-04-23T05:52:08.843Z">
>             <saml2:AudienceRestriction>
>                 <saml2:Audience>Cyberark4Hide</saml2:Audience>
>             </saml2:AudienceRestriction>
>         </saml2:Conditions>
>         <saml2:AuthnStatement AuthnInstant="2019-04-23T05:47:03.295Z" SessionIndex="_b0e52cde1efc767980ef67a817c353eb">
>             <saml2:SubjectLocality Address="184.170.232.49"/>
>             <saml2:AuthnContext>
>                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>                 </saml2:AuthnContextClassRef>
>             </saml2:AuthnContext>
>         </saml2:AuthnStatement>
>         <saml2:AttributeStatement>
>             <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
>                              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                 <saml2:AttributeValue>yrevyakin at 2comply.biz</saml2:AttributeValue>
>             </saml2:Attribute>
>         </saml2:AttributeStatement>
>     </saml2:Assertion>
> </saml2p:Response>
>
>
>
> On Mon, 22 Apr 2019 at 23:08, Cantor, Scott <cantor.2 at osu.edu> wrote:
>
>> On 4/22/19, 3:35 PM, "users on behalf of Yakov Revyakin" <
>> users-bounces at shibboleth.net on behalf of yrevyakin at gmail.com> wrote:
>>
>> > It looks like Cyberark doesn't recognize NameID section.
>>
>> I understand that you think it's a logical assumption that documentation
>> and error messages are going to be meaningful, but the reality isn't that
>> simple and I doubt that's what the error is.
>>
>> As for what's different, one has signed assertions and one has signed
>> responses and signed assertions. So the inference is that they break on
>> signed responses, which is a bug, probably not the last you'll have to work
>> around.
>>
>> And once it's working more or less, then the final step is to test it
>> with a real Format and see if it works, at which point you've proven you
>> don't need "unspecified".
>>
>> -- Scott
>>
>>
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
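The comparison Scott asks for above (is the ds:Signature on the Response, on the Assertion, or on both, and which NameID Format is asserted) can be done mechanically rather than by eyeballing two pretty-printed messages. The script below is an added example for this thread, not code from Shibboleth, OneLogin or CyberArk. The two sample responses it builds are constructed, trimmed to the elements that matter, carry dummy DigestValue/SignatureValue strings so the script runs offline, and model the two shapes discussed here: Response plus Assertion signed with "unspecified" versus Assertion-only signature with emailAddress. It only inspects; it does not verify any signature.

```python
"""Inspect where a SAML 2.0 Response is signed and how its subject is named.

Added example for this thread (not Shibboleth, OneLogin or CyberArk code). It
reports what the thread compares: ds:Signature on the Response, the Assertion
or both, the algorithms used, and the NameID Format. Inspection only, no
signature verification.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _algs(sig):
    """(SignatureMethod, DigestMethod) algorithm URIs of one ds:Signature."""
    info = sig.find(f"{{{DS}}}SignedInfo")
    return (info.find(f"{{{DS}}}SignatureMethod").get("Algorithm"),
            info.find(f"{{{DS}}}Reference/{{{DS}}}DigestMethod").get("Algorithm"))


def describe(xml_text):
    """Security-relevant shape of a samlp:Response as a flat dict.

    xml.etree is fine for messages captured from your own IdP; parse untrusted
    input with defusedxml instead to block entity-expansion tricks.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion (encrypted or missing)")

    resp_sig = root.find(f"{{{DS}}}Signature")       # direct child: signs the Response
    asrt_sig = assertion.find(f"{{{DS}}}Signature")  # direct child: signs the Assertion
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    scd = assertion.find(f".//{{{SAML}}}SubjectConfirmationData")
    audience = assertion.find(f".//{{{SAML}}}Audience")
    text = lambda el: (el.text or "").strip() if el is not None else None
    return {
        "response_signed": resp_sig is not None,
        "assertion_signed": asrt_sig is not None,
        "response_sig_algs": _algs(resp_sig) if resp_sig is not None else None,
        "assertion_sig_algs": _algs(asrt_sig) if asrt_sig is not None else None,
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": text(name_id),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audience": text(audience),
    }


def differences(xml_a, xml_b):
    """Keys on which two responses disagree (working IdP vs failing IdP)."""
    a, b = describe(xml_a), describe(xml_b)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def _sig(ref, sig_alg="http://www.w3.org/2000/09/xmldsig#rsa-sha1",
         digest_alg="http://www.w3.org/2000/09/xmldsig#sha1"):
    """Constructed ds:Signature skeleton with dummy values, for sample input only."""
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            f'<ds:SignatureMethod Algorithm="{sig_alg}"/>'
            f'<ds:Reference URI="#{ref}"><ds:DigestMethod Algorithm="{digest_alg}"/>'
            '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')


def sample_response(sign_response, nameid_format):
    """Constructed minimal Response modelled on the ones quoted in the thread."""
    acs = "https://components.cyberark.local/PasswordVault/api/auth/saml/logon"
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2019-04-23T05:47:08Z" InResponseTo="_req1" Destination="{acs}">
  <saml:Issuer>https://testidp.hide.com/idp/shibboleth</saml:Issuer>
  {_sig('_r1') if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-23T05:47:08Z">
    <saml:Issuer>https://testidp.hide.com/idp/shibboleth</saml:Issuer>
    {_sig('_a1')}
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">
        user@example.org
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="{acs}"
            NotOnOrAfter="2019-04-23T05:52:08Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>Cyberark4Hide</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Before: Response and Assertion both signed, Format "unspecified".
    # After: Assertion-only signature and emailAddress, the combination that worked.
    before = sample_response(sign_response=True, nameid_format=UNSPECIFIED)
    after = sample_response(sign_response=False, nameid_format=EMAIL)
    for key, (old, new) in differences(before, after).items():
        print(f"{key}: {old!r} -> {new!r}")
```

Feed it the two real responses (saved from the browser or from the IdP's process log) and the keys it prints are the only things the SP can be reacting to at the protocol level; anything else is the SP's own logic. Note that the report also surfaces the algorithms: both messages quoted in this thread advertise rsa-sha1 and a SHA-1 digest, so once the login works it is worth checking whether the SP accepts rsa-sha256 before calling the integration finished, since SHA-1 signatures are deprecated.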