Canonicalization flow c14n/SAML2ProxyTransform was not applicable: reason unknown

Tomas Stenlund tomas.stenlund at telia.com
Mon Jan 3 06:28:41 UTC 2022


Hi,

I missed some vital parts. The setup is Keycloak 1.6.0 (IdP brokering) 
=> Shibboleth IdP 4.1.4 (proxying) => two upstream IdPs. And I 
accidentally missed cutting out the entire signature block in one of the 
Assert examples, in case you are wondering ;-)

/Tomas

On 2022-01-03 07:02, Tomas Stenlund via users wrote:
> Hi,
>
> I have a problem with one IdP out of two when I use 
> c14n/SAML2ProxyTransform for the PostLoginSubjectCanonicalizationFlows 
> during SelectSubjectCanonicalizationFlow. It does not say much more 
> than the statement above in the email subject.
>
> I have added urn:oasis:names:tc:SAML:2.0:nameid-format:persistent to 
> the ProxyNameTransformFormats and added the entityIDs in the 
> ProxyNameTransformPredicate. And the 
> SAMLSubjectCanonicalizationFlows looks like this.
>
>     <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
>
>         <!-- The next four are for handling transient IDs (in-storage 
> and stateless variants). -->
>         <ref bean="c14n/SAML2Transient" />
>         <ref bean="c14n/SAML2CryptoTransient" />
>         <ref bean="c14n/SAML1Transient" />
>         <ref bean="c14n/SAML1CryptoTransient" />
>
>         <!-- Handle a SAML 2 persistent ID, provided a stored strategy 
> is in use. -->
>         <!-- <ref bean="c14n/SAML2Persistent" /> -->
>
>         <!--
>         Finally we have beans for decoding arbitrary SAML formats 
> directly. By default, these are turned off,
>         having *no* circumstances for which they apply (see 
> shibboleth.TransformNamePredicate below).
>         -->
>         <ref bean="c14n/SAML2Transform" />
>         <ref bean="c14n/SAML1Transform" />
>     </util:list>
>
>
> Any idea where I should start looking? There is something I am 
> obviously missing :-)
>
> This is the assert that fails:
>
> <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion 
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> ID="_d29f82767d25f25d81dd7c8d00f7304f" 
> IssueInstant="2022-01-03T05:26:33.516Z" Version="2.0" 
> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> <saml2:Issuer>https://dev.connector.swedenconnect.se/eidas</saml2:Issuer>
>     <saml2:Subject>
>         <saml2:NameID 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
> NameQualifier="https://dev.connector.swedenconnect.se/eidas" 
> SPNameQualifier="https://galatea.stenlund.eu/proxy">HhZkCxP7GkZ2zOCAIqyu+U5/8wk=</saml2:NameID>
>         <saml2:SubjectConfirmation 
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>             <saml2:SubjectConfirmationData Address="XXXXXXXXX" 
> InResponseTo="_311311a20c67645d7a7a780618e773a5" 
> NotOnOrAfter="2022-01-03T05:31:33.552Z" Recipient="XXXXXXXXXXXXXXX"/>
>         </saml2:SubjectConfirmation>
>     </saml2:Subject>
>     <saml2:Conditions NotBefore="2022-01-03T05:26:33.516Z" 
> NotOnOrAfter="2022-01-03T05:31:33.516Z">
>         <saml2:AudienceRestriction>
> <saml2:Audience>https://galatea.stenlund.eu/proxy</saml2:Audience>
>         </saml2:AudienceRestriction>
>     </saml2:Conditions>
>     <saml2:AuthnStatement AuthnInstant="2022-01-03T05:26:32.938Z" 
> SessionIndex="_034a622b0c5a0d2d177d81b91187c03b">
>         <saml2:SubjectLocality Address="XXXXXXXXXX"/>
>         <saml2:AuthnContext>
> <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/eidas-nf-sub</saml2:AuthnContextClassRef> 
>
> <saml2:AuthenticatingAuthority>https://xa.testnode.eidastest.se/EidasNode/ServiceMetadata</saml2:AuthenticatingAuthority> 
>
>         </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>     <saml2:AttributeStatement>
>         <saml2:Attribute FriendlyName="c" Name="urn:oid:2.5.4.6" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">XA</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="pridPersistence" 
> Name="urn:oid:1.2.752.201.3.5" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">A</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="givenName" 
> Name="urn:oid:2.5.4.42" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">Bernt Olof</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="transactionIdentifier" 
> Name="urn:oid:1.2.752.201.3.2" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">_6w_0xAkmYOld5rgYIBHG-HsrpcCmPK4vqp.LHcrArv336yD6MHTpzt8ks9wzq53</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="eidasPersonIdentifier" 
> Name="urn:oid:1.2.752.201.3.7" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">XA/SE/193911137077</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="prid" 
> Name="urn:oid:1.2.752.201.3.4" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">XA:193911137077</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="dateOfBirth" 
> Name="urn:oid:1.3.6.1.5.5.7.9.1" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">1939-11-13</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">Larsson</saml2:AttributeValue>
>         </saml2:Attribute>
>     </saml2:AttributeStatement>
> </saml2:Assertion>
>
> This is the assert that works:
>
> <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion 
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> ID="_2416d5c8a2d5038bc017234e5cd7c0cd" 
> IssueInstant="2022-01-03T04:42:45.353Z" Version="2.0" 
> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> <saml2:Issuer>http://dev.test.swedenconnect.se/idp</saml2:Issuer>
>
>     </ds:Signature>
>
>     <saml2:Subject>
>         <saml2:NameID 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
> NameQualifier="http://dev.test.swedenconnect.se/idp"
> SPNameQualifier="https://galatea.stenlund.eu/proxy">VIVQWeo4duddDJ3B+ELb5++cjiI=</saml2:NameID> 
>
>         <saml2:SubjectConfirmation 
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>             <saml2:SubjectConfirmationData Address="XXXXXXXXXXXXXX" 
> InResponseTo="_45fbbe69b6537b8ffb3fe61fcce30ba1" 
> NotOnOrAfter="2022-01-03T04:47:45.398Z" Recipient="XXXXXXXXXXXXX"/>
>         </saml2:SubjectConfirmation>
>     </saml2:Subject>
>
>     <saml2:Conditions NotBefore="2022-01-03T04:42:45.353Z" 
> NotOnOrAfter="2022-01-03T04:47:45.353Z">
>         <saml2:AudienceRestriction>
> <saml2:Audience>https://galatea.stenlund.eu/proxy</saml2:Audience>
>         </saml2:AudienceRestriction>
>     </saml2:Conditions>
>
>     <saml2:AuthnStatement AuthnInstant="2022-01-03T04:42:45.308Z" 
> SessionIndex="_6870321ff2f05f504901161781ec19e9">
>         <saml2:SubjectLocality Address="XXXXXXXXXXXXXXX"/>
>         <saml2:AuthnContext>
> <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef> 
>
>         </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>
>     <saml2:AttributeStatement>
>         <saml2:Attribute FriendlyName="personalIdentityNumber" 
> Name="urn:oid:1.2.752.29.4.13" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">197802031877</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="displayName" 
> Name="urn:oid:2.16.840.1.113730.3.1.241" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">Tryggve Bäckström</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="givenName" 
> Name="urn:oid:2.5.4.42" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">Tryggve</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="dateOfBirth" 
> Name="urn:oid:1.3.6.1.5.5.7.9.1" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">1978-02-03</saml2:AttributeValue>
>         </saml2:Attribute>
>         <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xsd:string">Bäckström</saml2:AttributeValue>
>         </saml2:Attribute>
>     </saml2:AttributeStatement>
>
> </saml2:Assertion>
>
>
> /Tomas
>
> Failure LOG:
>
> 2022-01-03 05:26:33,998 - 192.168.1.1 - TRACE 
> [net.shibboleth.idp.saml.authn.principal.impl.MapDrivenAuthnContextTranslationStrategy:100] 
> - Passing unmapped value 
> 'http://id.elegnamnden.se/loa/1.0/eidas-nf-sub' through
> 2022-01-03 05:26:33,998 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:317] 
> - Profile Action ValidateSAMLAuthentication: Added translated 
> AuthnContext Principals: [http://id.elegnamnden.se/loa/1.0/eidas-nf-sub]
> 2022-01-03 05:26:33,999 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:340] 
> - Profile Action ValidateSAMLAuthentication: Adding filtered inbound 
> attributes to Subject
> 2022-01-03 05:26:34,000 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:281] 
> - Profile Action ValidateSAMLAuthentication: Resetting authentication 
> time to proxied value: 2022-01-03T05:26:32.938Z
> 2022-01-03 05:26:34,019 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75] 
> - Profile Action PopulateSubjectCanonicalizationContext: Installing 1 
> canonicalization flows into SubjectCanonicalizationContext
> 2022-01-03 05:26:34,020 - 192.168.1.1 - INFO 
> [Shibboleth-Audit.SSO:283] - 
> 192.168.1.1||2022-01-03T05:26:34.020782Z||https://dev.connector.swedenconnect.se/eidas|_d29f82767d25f25d81dd7c8d00f7304f|http://id.elegnamnden.se/loa/1.0/eidas-nf-sub|2022-01-03T05:26:32.938Z|prid,givenName,sn|HhZkCxP7GkZ2zOCAIqyu+U5/8wk=|persistent||false||Redirect|POST||Success|||Mozilla/5.0 
> (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
> 2022-01-03 05:26:34,041 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] 
> - Profile Action SelectSubjectCanonicalizationFlow: Checking 
> canonicalization flow c14n/SAML2ProxyTransform for applicability...
> 2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167] 
> - Attempting to match format 
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
> 2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185] 
> - NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform: 
> format matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> 2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:106] 
> - Profile Action SelectSubjectCanonicalizationFlow: Canonicalization 
> flow c14n/SAML2ProxyTransform was not applicable: reason unknown
> 2022-01-03 05:26:34,042 - 192.168.1.1 - ERROR 
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:78] - 
> Profile Action SelectSubjectCanonicalizationFlow: No potential flows 
> left to choose from, canonicalization will fail
> 2022-01-03 05:26:34,044 - 192.168.1.1 - INFO 
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:142] - Profile 
> Action SelectAuthenticationFlow: Moving incomplete flow authn/SAML to 
> intermediate set
> 2022-01-03 05:26:34,044 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:274] - Profile 
> Action SelectAuthenticationFlow: No specific Principals requested
> 2022-01-03 05:26:34,044 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:277] - Profile 
> Action SelectAuthenticationFlow: Forced authentication requested, 
> selecting an inactive flow
> 2022-01-03 05:26:34,044 - 192.168.1.1 - INFO 
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:281] - Profile 
> Action SelectAuthenticationFlow: No potential flows left to choose 
> from, authentication failed
>
> Success LOG:
>
> 2022-01-03 04:42:45,767 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:317] 
> - Profile Action ValidateSAMLAuthentication: Added translated 
> AuthnContext Principals: [http://id.elegnamnden.se/loa/1.0/loa3]
> 2022-01-03 04:42:45,768 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:340] 
> - Profile Action ValidateSAMLAuthentication: Adding filtered inbound 
> attributes to Subject
> 2022-01-03 04:42:45,769 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:281] 
> - Profile Action ValidateSAMLAuthentication: Resetting authentication 
> time to proxied value: 2022-01-03T04:42:45.308Z
> 2022-01-03 04:42:45,786 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75] 
> - Profile Action PopulateSubjectCanonicalizationContext: Installing 1 
> canonicalization flows into SubjectCanonicalizationContext
> 2022-01-03 04:42:45,788 - 192.168.1.1 - INFO 
> [Shibboleth-Audit.SSO:283] - 
> 192.168.1.1||2022-01-03T04:42:45.788013Z||http://dev.test.swedenconnect.se/idp|_2416d5c8a2d5038bc017234e5cd7c0cd|http://id.elegnamnden.se/loa/1.0/loa3|2022-01-03T04:42:45.308Z|sn,personalIdentityNumber,displayName,givenName|VIVQWeo4duddDJ3B+ELb5++cjiI=|persistent||false||Redirect|POST||Success|||Mozilla/5.0 
> (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
> 2022-01-03 04:42:45,810 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] 
> - Profile Action SelectSubjectCanonicalizationFlow: Checking 
> canonicalization flow c14n/SAML2ProxyTransform for applicability...
> 2022-01-03 04:42:45,811 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167] 
> - Attempting to match format 
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
> 2022-01-03 04:42:45,811 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185] 
> - NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform: 
> format matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> 2022-01-03 04:42:45,812 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:83] - 
> Profile Action SelectSubjectCanonicalizationFlow: Selecting 
> canonicalization flow c14n/SAML2ProxyTransform
> 2022-01-03 04:42:45,853 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167] 
> - Attempting to match format 
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
> 2022-01-03 04:42:45,854 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185] 
> - NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform: 
> format matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> 2022-01-03 04:42:45,858 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.session.impl.DetectIdentitySwitch:148] - Profile 
> Action DetectIdentitySwitch: No previous session found, nothing to do
> 2022-01-03 04:42:45,858 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.FinalizeAuthentication:116] - Profile 
> Action FinalizeAuthentication: Canonical principal name was 
> established as 'VIVQWeo4duddDJ3B+ELb5++cjiI='
> 2022-01-03 04:42:45,859 - 192.168.1.1 - DEBUG 
> [net.shibboleth.idp.authn.impl.FinalizeAuthentication:173] - Profile 
> Action FinalizeAuthentication: Request did not have explicit 
> authentication requirements, result is accepted
>
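An added diagnostic, not code from the thread or from Shibboleth: it replays the applicability check the two logs show for c14n/SAML2ProxyTransform, so that a rejected assertion always comes back with a reason instead of "reason unknown". The rule it applies (NameID Format in ProxyNameTransformFormats, Issuer in the ProxyNameTransformPredicate entityID list, NameQualifier consistent with Issuer) is an assumption modelled on the configuration described above; the assertions are constructed, reduced copies of the two in the thread, and the predicate's entityID list is a constructed value.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# SAML 2.0 core: a NameID without a Format attribute is "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Assumed stand-ins for the two beans the poster edited. The entityID list is
# constructed: the eIDAS connector issuer is deliberately left out to show how
# a predicate mismatch surfaces as a concrete reason.
PROXY_NAME_TRANSFORM_FORMATS = {PERSISTENT}
PROXY_NAME_TRANSFORM_ENTITY_IDS = {"http://dev.test.swedenconnect.se/idp"}


def assertion(issuer, name_format, name_qualifier):
    """Build a minimal constructed saml2:Assertion with Issuer and Subject/NameID."""
    return (
        f'<saml2:Assertion xmlns:saml2="{NS["saml2"]}" ID="_constructed" Version="2.0">'
        f"<saml2:Issuer>{issuer}</saml2:Issuer><saml2:Subject>"
        f'<saml2:NameID Format="{name_format}" NameQualifier="{name_qualifier}" '
        f'SPNameQualifier="https://galatea.stenlund.eu/proxy">opaque</saml2:NameID>'
        f"</saml2:Subject></saml2:Assertion>"
    )


def check_proxy_transform(xml_text, formats=PROXY_NAME_TRANSFORM_FORMATS,
                          entity_ids=PROXY_NAME_TRANSFORM_ENTITY_IDS):
    """Return (applicable, reason) for the assumed c14n/SAML2ProxyTransform rule."""
    root = ET.fromstring(xml_text)
    issuer_el = root.find("saml2:Issuer", NS)
    nameid = root.find("saml2:Subject/saml2:NameID", NS)
    if issuer_el is None or nameid is None:
        return False, "assertion has no Issuer or no Subject/NameID"
    issuer = (issuer_el.text or "").strip()
    fmt = nameid.get("Format", UNSPECIFIED)
    if fmt not in formats:
        return False, f"format {fmt} not in ProxyNameTransformFormats"
    if issuer not in entity_ids:
        return False, f"issuer {issuer} not matched by ProxyNameTransformPredicate"
    qualifier = nameid.get("NameQualifier")
    if qualifier is not None and qualifier != issuer:
        # A proxied IdP should only qualify identifiers with its own entityID.
        return False, f"NameQualifier {qualifier} does not match issuer {issuer}"
    return True, "format, issuer and NameQualifier all matched"


if __name__ == "__main__":
    for issuer in ("https://dev.connector.swedenconnect.se/eidas",
                   "http://dev.test.swedenconnect.se/idp"):
        ok, why = check_proxy_transform(assertion(issuer, PERSISTENT, issuer))
        print(f"{issuer}: {'applicable' if ok else 'not applicable'} ({why})")
```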

