IDP sending empty SignatureValue in ArtifactResponse
Malo Toudic
malo.toudic at kereval.com
Tue Sep 17 09:54:23 EDT 2019
You will find the logs attached. I have anonymized the logs (URLs and
certificates only). In the attached protocol message, the ds:Signature on the
embedded saml2p:Response has an empty ds:DigestValue and an empty
ds:SignatureValue, while the saml2:Assertion inside it carries a populated
signature.
Regards,
Malo
On 17/09/2019 14:57, Cantor, Scott wrote:
> On 9/17/19, 8:27 AM, "users on behalf of Malo Toudic" <users-bounces at shibboleth.net on behalf of malo.toudic at kereval.com> wrote:
>
>> The signature of the ArtifactResponse indeed has an empty value.
> And you can prove that with the IdP's log? Because I really don't buy it.
>
> -- Scott
>
>
-------------- next part --------------
2019-09-11 13:11:12,674 - INFO [Shibboleth-Audit.SSO:275] - 2019-09-11T13:11:12.674+00:00|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|a2ddf425fij2difba273j8137ifg3h|ch:ofac:abilis:epr:hpp:saml:sp:dev|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://fqdn/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact|_1d6bc6f3bb9eb112ff7cb04a300ecd37|aandrews|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,serialNumber,gender,displayName,surname,givenName,dateOfBirth|aandrews|_c65ea6ad89d1fd1473a47807577a2240|https://fqdn:4443/idp/profile/SAML2/POST/SSO|urn:oasis:names:tc:SAML:2.0:status:Success|
2019-09-11 13:11:13,233 - DEBUG [PROTOCOL_MESSAGE:127] -
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:ArtifactResolve
Destination="https://fqdn:4443/idp/profile/SAML2/SOAP/ArtifactResolution"
ID="a414i70cj6284gif456c1e7g38ibf0b"
IssueInstant="2019-09-11T13:11:12.618Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ch:ofac:abilis:epr:hpp:saml:sp:dev</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a414i70cj6284gif456c1e7g38ibf0b">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>5nxAtaDKgWycXoZ8gljnsdXp2sg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xRX3N/4s+xsrl8PCYu1XNTulJsRdivI28c4pY4mkFz1WX2nec56Zxfp2F8n2GyrxTYerlTfczynqyjTG1mU3ztwvdRx+e+ueAP1KJrvt3L869UJcNIe9pM8BTV17Wq5TN+2ByzFXzc1II6mHGRudjQmOgMWACdydkJTLx9tKHAM=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>CERT VALUE</ds:X509Certificate>
<ds:X509Certificate>CERT VALUE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Artifact>AAQAAqB1nQ4LSGR0FD3YXU2fBQEjnKoEl2nJXxmFkO5BWi0XeGO6PAeSYzc=</saml2p:Artifact>
</saml2p:ArtifactResolve>
</soap11:Body>
</soap11:Envelope>
2019-09-11 13:11:13,259 - DEBUG [PROTOCOL_MESSAGE:70] -
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:ArtifactResponse ID="_39e4eb1bb8420d0d99b73ffd7231cf3f"
InResponseTo="a414i70cj6284gif456c1e7g38ibf0b"
IssueInstant="2019-09-11T13:11:13.248Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://fqdn/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2p:Response
Destination="http://fqdn:10004/saml/SSO"
ID="_1d6bc6f3bb9eb112ff7cb04a300ecd37"
InResponseTo="a2ddf425fij2difba273j8137ifg3h"
IssueInstant="2019-09-11T13:11:12.652Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://fqdn/idp/shibboleth</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
URI="#_1d6bc6f3bb9eb112ff7cb04a300ecd37">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
CERT VALUE
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_c65ea6ad89d1fd1473a47807577a2240"
IssueInstant="2019-09-11T13:11:12.652Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://fqdn/idp/shibboleth</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
URI="#_c65ea6ad89d1fd1473a47807577a2240">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>7GxCKoakT7N2OjF0sUKQXdplonFM6A8s6Kq2blH4BYg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
IqRYd6ryC1Z59hE4zy/eiRz30NbpXRR7J6w0acR6xTtGubb+zbNQoKm6FG/1uFeAZXVX641o55m0
gXzjusgsq4wZ4L6obVwLKWKMT+IMsJRCXLS0bA5q928v8h/dU1UE/8XfD0OKrNgtnX2UaIUm3PCU
q13ELZZfZIm8HqjSeJU=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
CERT VALUE
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
NameQualifier="https://fqdn/idp/shibboleth" SPNameQualifier="ch:ofac:abilis:epr:hpp:saml:sp:dev">aandrews</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
Address="193.72.144.231"
InResponseTo="a2ddf425fij2difba273j8137ifg3h"
NotOnOrAfter="2019-09-11T13:16:12.658Z" Recipient="http://fqdn:10004/saml/SSO"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions
NotBefore="2019-09-11T13:11:12.652Z"
NotOnOrAfter="2019-09-11T13:16:12.652Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction>
<saml2:Audience>ch:ofac:abilis:epr:hpp:saml:sp:dev</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement
AuthnInstant="2019-09-11T13:11:10.932Z"
SessionIndex="_004984b38c724ca4cd1c04c90cbfe495" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:SubjectLocality Address="193.72.144.231"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute FriendlyName="identno"
Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">aandrews</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="GLN" Name="GLN" NameFormat="urn:oasis:names:tc:ebcore:partyid-type:DataUniversalNumberingSystem:0060">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">7601002469191</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="gender"
Name="urn:oid:1.3.6.1.5.5.7.9.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">M</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="displayName"
Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Ann Andrews</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="familyname"
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Andrews</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="firstname"
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Ann</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="dateofbirth"
Name="urn:oid:1.3.6.1.5.5.7.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">19790329161118.392Z</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
</saml2p:ArtifactResponse>
</soap11:Body>
</soap11:Envelope>