Canonicalization flow c14n/SAML2ProxyTransform was not applicable: reason unknown
Tomas Stenlund
tomas.stenlund at telia.com
Mon Jan 3 06:28:41 UTC 2022
Hi,
I missed some vital parts. The setup is Keycloak 1.6.0 (IdP brokering)
=> Shibboleth IdP 4.1.4 (proxying) => two upstream IdPs. And I
accidentally missed cutting out the entire signature block in one of the
Assertion examples, in case you are wondering ;-)
/Tomas
On 2022-01-03 07:02, Tomas Stenlund via users wrote:
> Hi,
>
> I have a problem with one IdP out of two when I use
> c14n/SAML2ProxyTransform for the PostLoginSubjectCanonicalizationFlows
> during SelectSubjectCanonicalizationFlow. It does not say much more
> than the statement above in the email subject.
>
> I have added urn:oasis:names:tc:SAML:2.0:nameid-format:persistent to
> the ProxyNameTransformFormats and added the entityIDs in the
> ProxyNameTransformPredicate. And the
> SAMLSubjectCanonicalizationFlows looks like this.
>
> <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
>
>     <!-- The next four are for handling transient IDs (in-storage
>          and stateless variants). -->
>     <ref bean="c14n/SAML2Transient" />
>     <ref bean="c14n/SAML2CryptoTransient" />
>     <ref bean="c14n/SAML1Transient" />
>     <ref bean="c14n/SAML1CryptoTransient" />
>
>     <!-- Handle a SAML 2 persistent ID, provided a stored strategy
>          is in use. -->
>     <!-- <ref bean="c14n/SAML2Persistent" /> -->
>
>     <!--
>     Finally we have beans for decoding arbitrary SAML formats
>     directly. By default, these are turned off,
>     having *no* circumstances for which they apply (see
>     shibboleth.TransformNamePredicate below).
>     -->
>     <ref bean="c14n/SAML2Transform" />
>     <ref bean="c14n/SAML1Transform" />
> </util:list>
>
>
> Any idea where I should start looking, there is something I am
> obviously missing :-)
>
> This is the assertion that fails:
>
> <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_d29f82767d25f25d81dd7c8d00f7304f"
> IssueInstant="2022-01-03T05:26:33.516Z" Version="2.0"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> <saml2:Issuer>https://dev.connector.swedenconnect.se/eidas</saml2:Issuer>
> <saml2:Subject>
> <saml2:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
> NameQualifier="https://dev.connector.swedenconnect.se/eidas"
> SPNameQualifier="https://galatea.stenlund.eu/proxy">HhZkCxP7GkZ2zOCAIqyu+U5/8wk=</saml2:NameID>
> <saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> <saml2:SubjectConfirmationData Address="XXXXXXXXX"
> InResponseTo="_311311a20c67645d7a7a780618e773a5"
> NotOnOrAfter="2022-01-03T05:31:33.552Z" Recipient="XXXXXXXXXXXXXXX"/>
> </saml2:SubjectConfirmation>
> </saml2:Subject>
> <saml2:Conditions NotBefore="2022-01-03T05:26:33.516Z"
> NotOnOrAfter="2022-01-03T05:31:33.516Z">
> <saml2:AudienceRestriction>
> <saml2:Audience>https://galatea.stenlund.eu/proxy</saml2:Audience>
> </saml2:AudienceRestriction>
> </saml2:Conditions>
> <saml2:AuthnStatement AuthnInstant="2022-01-03T05:26:32.938Z"
> SessionIndex="_034a622b0c5a0d2d177d81b91187c03b">
> <saml2:SubjectLocality Address="XXXXXXXXXX"/>
> <saml2:AuthnContext>
> <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/eidas-nf-sub</saml2:AuthnContextClassRef>
>
> <saml2:AuthenticatingAuthority>https://xa.testnode.eidastest.se/EidasNode/ServiceMetadata</saml2:AuthenticatingAuthority>
>
> </saml2:AuthnContext>
> </saml2:AuthnStatement>
> <saml2:AttributeStatement>
> <saml2:Attribute FriendlyName="c" Name="urn:oid:2.5.4.6"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">XA</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="pridPersistence"
> Name="urn:oid:1.2.752.201.3.5"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">A</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="givenName"
> Name="urn:oid:2.5.4.42"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">Bernt Olof</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="transactionIdentifier"
> Name="urn:oid:1.2.752.201.3.2"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">_6w_0xAkmYOld5rgYIBHG-HsrpcCmPK4vqp.LHcrArv336yD6MHTpzt8ks9wzq53</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="eidasPersonIdentifier"
> Name="urn:oid:1.2.752.201.3.7"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">XA/SE/193911137077</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="prid"
> Name="urn:oid:1.2.752.201.3.4"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">XA:193911137077</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="dateOfBirth"
> Name="urn:oid:1.3.6.1.5.5.7.9.1"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">1939-11-13</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">Larsson</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> </saml2:Assertion>
>
> This is the assertion that works:
>
> <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_2416d5c8a2d5038bc017234e5cd7c0cd"
> IssueInstant="2022-01-03T04:42:45.353Z" Version="2.0"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> <saml2:Issuer>http://dev.test.swedenconnect.se/idp</saml2:Issuer>
>
> </ds:Signature>
>
> <saml2:Subject>
> <saml2:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
> NameQualifier="http://dev.test.swedenconnect.se/idp"
> SPNameQualifier="https://galatea.stenlund.eu/proxy">VIVQWeo4duddDJ3B+ELb5++cjiI=</saml2:NameID>
>
> <saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> <saml2:SubjectConfirmationData Address="XXXXXXXXXXXXXX"
> InResponseTo="_45fbbe69b6537b8ffb3fe61fcce30ba1"
> NotOnOrAfter="2022-01-03T04:47:45.398Z" Recipient="XXXXXXXXXXXXX"/>
> </saml2:SubjectConfirmation>
> </saml2:Subject>
>
> <saml2:Conditions NotBefore="2022-01-03T04:42:45.353Z"
> NotOnOrAfter="2022-01-03T04:47:45.353Z">
> <saml2:AudienceRestriction>
> <saml2:Audience>https://galatea.stenlund.eu/proxy</saml2:Audience>
> </saml2:AudienceRestriction>
> </saml2:Conditions>
>
> <saml2:AuthnStatement AuthnInstant="2022-01-03T04:42:45.308Z"
> SessionIndex="_6870321ff2f05f504901161781ec19e9">
> <saml2:SubjectLocality Address="XXXXXXXXXXXXXXX"/>
> <saml2:AuthnContext>
> <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
>
> </saml2:AuthnContext>
> </saml2:AuthnStatement>
>
> <saml2:AttributeStatement>
> <saml2:Attribute FriendlyName="personalIdentityNumber"
> Name="urn:oid:1.2.752.29.4.13"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">197802031877</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="displayName"
> Name="urn:oid:2.16.840.1.113730.3.1.241"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">Tryggve Bäckström</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="givenName"
> Name="urn:oid:2.5.4.42"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">Tryggve</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="dateOfBirth"
> Name="urn:oid:1.3.6.1.5.5.7.9.1"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">1978-02-03</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">Bäckström</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
>
> </saml2:Assertion>
>
>
> /Tomas
>
> Failure LOG:
>
> 2022-01-03 05:26:33,998 - 192.168.1.1 - TRACE
> [net.shibboleth.idp.saml.authn.principal.impl.MapDrivenAuthnContextTranslationStrategy:100]
> - Passing unmapped value
> 'http://id.elegnamnden.se/loa/1.0/eidas-nf-sub' through
> 2022-01-03 05:26:33,998 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:317]
> - Profile Action ValidateSAMLAuthentication: Added translated
> AuthnContext Principals: [http://id.elegnamnden.se/loa/1.0/eidas-nf-sub]
> 2022-01-03 05:26:33,999 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:340]
> - Profile Action ValidateSAMLAuthentication: Adding filtered inbound
> attributes to Subject
> 2022-01-03 05:26:34,000 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:281]
> - Profile Action ValidateSAMLAuthentication: Resetting authentication
> time to proxied value: 2022-01-03T05:26:32.938Z
> 2022-01-03 05:26:34,019 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75]
> - Profile Action PopulateSubjectCanonicalizationContext: Installing 1
> canonicalization flows into SubjectCanonicalizationContext
> 2022-01-03 05:26:34,020 - 192.168.1.1 - INFO
> [Shibboleth-Audit.SSO:283] -
> 192.168.1.1||2022-01-03T05:26:34.020782Z||https://dev.connector.swedenconnect.se/eidas|_d29f82767d25f25d81dd7c8d00f7304f|http://id.elegnamnden.se/loa/1.0/eidas-nf-sub|2022-01-03T05:26:32.938Z|prid,givenName,sn|HhZkCxP7GkZ2zOCAIqyu+U5/8wk=|persistent||false||Redirect|POST||Success|||Mozilla/5.0
> (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
> 2022-01-03 05:26:34,041 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100]
> - Profile Action SelectSubjectCanonicalizationFlow: Checking
> canonicalization flow c14n/SAML2ProxyTransform for applicability...
> 2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167]
> - Attempting to match format
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
> 2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185]
> - NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform:
> format matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> 2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:106]
> - Profile Action SelectSubjectCanonicalizationFlow: Canonicalization
> flow c14n/SAML2ProxyTransform was not applicable: reason unknown
> 2022-01-03 05:26:34,042 - 192.168.1.1 - ERROR
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:78] -
> Profile Action SelectSubjectCanonicalizationFlow: No potential flows
> left to choose from, canonicalization will fail
> 2022-01-03 05:26:34,044 - 192.168.1.1 - INFO
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:142] - Profile
> Action SelectAuthenticationFlow: Moving incomplete flow authn/SAML to
> intermediate set
> 2022-01-03 05:26:34,044 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:274] - Profile
> Action SelectAuthenticationFlow: No specific Principals requested
> 2022-01-03 05:26:34,044 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:277] - Profile
> Action SelectAuthenticationFlow: Forced authentication requested,
> selecting an inactive flow
> 2022-01-03 05:26:34,044 - 192.168.1.1 - INFO
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:281] - Profile
> Action SelectAuthenticationFlow: No potential flows left to choose
> from, authentication failed
>
> Success LOG:
>
> 2022-01-03 04:42:45,767 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:317]
> - Profile Action ValidateSAMLAuthentication: Added translated
> AuthnContext Principals: [http://id.elegnamnden.se/loa/1.0/loa3]
> 2022-01-03 04:42:45,768 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:340]
> - Profile Action ValidateSAMLAuthentication: Adding filtered inbound
> attributes to Subject
> 2022-01-03 04:42:45,769 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:281]
> - Profile Action ValidateSAMLAuthentication: Resetting authentication
> time to proxied value: 2022-01-03T04:42:45.308Z
> 2022-01-03 04:42:45,786 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75]
> - Profile Action PopulateSubjectCanonicalizationContext: Installing 1
> canonicalization flows into SubjectCanonicalizationContext
> 2022-01-03 04:42:45,788 - 192.168.1.1 - INFO
> [Shibboleth-Audit.SSO:283] -
> 192.168.1.1||2022-01-03T04:42:45.788013Z||http://dev.test.swedenconnect.se/idp|_2416d5c8a2d5038bc017234e5cd7c0cd|http://id.elegnamnden.se/loa/1.0/loa3|2022-01-03T04:42:45.308Z|sn,personalIdentityNumber,displayName,givenName|VIVQWeo4duddDJ3B+ELb5++cjiI=|persistent||false||Redirect|POST||Success|||Mozilla/5.0
> (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
> 2022-01-03 04:42:45,810 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100]
> - Profile Action SelectSubjectCanonicalizationFlow: Checking
> canonicalization flow c14n/SAML2ProxyTransform for applicability...
> 2022-01-03 04:42:45,811 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167]
> - Attempting to match format
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
> 2022-01-03 04:42:45,811 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185]
> - NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform:
> format matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> 2022-01-03 04:42:45,812 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:83] -
> Profile Action SelectSubjectCanonicalizationFlow: Selecting
> canonicalization flow c14n/SAML2ProxyTransform
> 2022-01-03 04:42:45,853 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167]
> - Attempting to match format
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
> 2022-01-03 04:42:45,854 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185]
> - NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform:
> format matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> 2022-01-03 04:42:45,858 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.session.impl.DetectIdentitySwitch:148] - Profile
> Action DetectIdentitySwitch: No previous session found, nothing to do
> 2022-01-03 04:42:45,858 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.FinalizeAuthentication:116] - Profile
> Action FinalizeAuthentication: Canonical principal name was
> established as 'VIVQWeo4duddDJ3B+ELb5++cjiI='
> 2022-01-03 04:42:45,859 - 192.168.1.1 - DEBUG
> [net.shibboleth.idp.authn.impl.FinalizeAuthentication:173] - Profile
> Action FinalizeAuthentication: Request did not have explicit
> authentication requirements, result is accepted
>
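Added example, not from the thread and not Shibboleth code: a small Python triage script that reproduces offline the two gates the proxy-transform c14n flow is assumed to apply to the inbound Subject. Gate one is the one the IdP log shows passing (the NameID Format must be in the ProxyNameTransformFormats list); gate two, the issuing IdP's entityID satisfying the ProxyNameTransformPredicate, is the one the log does not explain before it reports "reason unknown", so the script makes it visible. The entityID list and the trimmed copies of the two assertions are constructed from the post; the trailing slash on the eIDAS connector entityID is deliberately planted to show how an exact-string predicate rejects an entityID that looks right. Whether a predicate mismatch is the actual cause in this setup is an assumption to verify against conf/c14n/subject-c14n.xml, and the check also covers a format mismatch, which the post's case does not exhibit.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed configuration, mirroring what the post says was set in
# conf/c14n/subject-c14n.xml: the NameID formats the proxy transform applies to ...
PROXY_NAME_TRANSFORM_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}
# ... and the upstream IdP entityIDs the predicate should accept. Constructed:
# the eIDAS connector is deliberately entered with a trailing slash to show
# how an "almost right" entityID fails an exact-string match.
PROXY_NAME_TRANSFORM_ENTITY_IDS = {
    "http://dev.test.swedenconnect.se/idp",
    "https://dev.connector.swedenconnect.se/eidas/",
}

# Constructed, trimmed copies of the two assertions from the post: Issuer and
# Subject only, with signature, conditions and attributes removed.
FAILING_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_d29f82767d25f25d81dd7c8d00f7304f" Version="2.0">
  <saml2:Issuer>https://dev.connector.swedenconnect.se/eidas</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://dev.connector.swedenconnect.se/eidas"
        SPNameQualifier="https://galatea.stenlund.eu/proxy">HhZkCxP7GkZ2zOCAIqyu+U5/8wk=</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

WORKING_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_2416d5c8a2d5038bc017234e5cd7c0cd" Version="2.0">
  <saml2:Issuer>http://dev.test.swedenconnect.se/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="http://dev.test.swedenconnect.se/idp"
        SPNameQualifier="https://galatea.stenlund.eu/proxy">VIVQWeo4duddDJ3B+ELb5++cjiI=</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""


def subject_info(assertion_xml):
    """Extract the Subject fields the proxy-transform gate is assumed to examine."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        raise ValueError("assertion carries no saml2:Subject/saml2:NameID")
    return {
        "issuer": (root.findtext("saml2:Issuer", namespaces=NS) or "").strip(),
        # SAML 2.0 core: a NameID without a Format attribute is treated as "unspecified".
        "format": nameid.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"),
        "name_qualifier": nameid.get("NameQualifier"),
        "sp_name_qualifier": nameid.get("SPNameQualifier"),
        "value": (nameid.text or "").strip(),
    }


def _loose(entity_id):
    """Host plus path with scheme and trailing slash ignored; used only to report near misses."""
    parts = urlsplit(entity_id)
    return parts.netloc.lower() + parts.path.rstrip("/")


def check_proxy_transform(assertion_xml,
                          formats=PROXY_NAME_TRANSFORM_FORMATS,
                          entity_ids=PROXY_NAME_TRANSFORM_ENTITY_IDS):
    """Return [] when both gates pass, otherwise one reason per failed gate.

    Gate 1 is the format check the IdP logs; gate 2 is the exact-string
    entityID match assumed to stand behind ProxyNameTransformPredicate.
    """
    info = subject_info(assertion_xml)
    reasons = []
    if info["format"] not in formats:
        reasons.append(f"NameID Format {info['format']!r} is not in ProxyNameTransformFormats")
    if info["issuer"] not in entity_ids:
        near = sorted(e for e in entity_ids if _loose(e) == _loose(info["issuer"]))
        msg = f"Issuer {info['issuer']!r} does not match any predicate entityID"
        if near:
            msg += f"; near miss, exact string differs: {near}"
        reasons.append(msg)
    return reasons


if __name__ == "__main__":
    for label, xml in (("failing", FAILING_ASSERTION), ("working", WORKING_ASSERTION)):
        info = subject_info(xml)
        reasons = check_proxy_transform(xml)
        print(f"{label}: issuer={info['issuer']} format={info['format']}")
        print("  applicable" if not reasons else "  not applicable: " + "; ".join(reasons))
```

Point the script at the real assertion from the IdP's DEBUG log and at the entityID values actually configured in the predicate bean, and compare the Issuer byte for byte: scheme, host case and trailing slash all count, since the predicate is assumed to do an exact string comparison rather than any URL normalisation.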