
Re: A little question about ZXID and SimpleSAML



Andris_Roldan <andres.roldan@xxxxxxxxxxxxxxx> said:
> Thank you for the information, it was really helpful. I now have a new
> problem that I haven't been able to diagnose. After configuring the IdP
> (SimpleSAML) with the - I hope so - required info, I try again to use it
> with my ZXID simple SP but get a digest mismatch error. These are the
> excerpts of the error:

You are not supplying version number information for either the SP or the IdP. How
do you expect us to help you?

>  zxsig.c:271 zxsig_validate   \tzxidp E Message
> digest(cbNxWQolXJGAzYPCrOqHGspnf8g=) mismatch at
> sref(#pfx6da05746-5e2c-4e07-d27d-2b74298b6b4d), canon blob(<samlp:Response
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="pfx6da05746-5e2c-4e07-d27d-2b74298b6b4d" Version="2.0"
> IssueInstant="2010-11-29T21:39:55Z" Destination="http://50.16.241.205/cgi-bin/zxididp?o=P"
> InResponseTo="NMnwUY0E4XZatWVM3R7GLd7WA"><saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxx</saml:Issuer><samlp:Status><samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="pfxd444d690-4708-0310-c486-985606e2d60c" Version="2.0"
> IssueInstant="2010-11-29T21:39:55Z"><saml:Issuer>http://xxxxx</saml:Issuer><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 
> 
> And then:
> 
> zxidsso.c:343 zxid_sigres_map  \tzxidp E Bad digest. Canon problem? 3
> zxidlib.c:785 zxid_chk_sig     \tzxidp d Response sigres(3)
> 
> 
> I'm using a couple of SSL certificates issued by the same CA on the IdP and
> SP sides. I already put the CA cert file "ca.pem" in /var/zxid/pem.
> 
> Again, I'd be really thankful if you enlighten me a little.

To debug signature canonicalization problems, you need to obtain the canonical
form from the sending end and see how it differs.

Basically you need to figure out from the simpleSAMLphp documentation
how to make it print the canonicalization to a log, and then compare
the canonicalization from the IdP end with the canonicalization from the SP end
(which is available in the log message you quoted above).

> Thank you in advance.

Please do not thank in advance. It's rude and annoys me.

> PS: I sent the message to the list but it rejects non-users messages.

Consider subscribing to the list?

Cheers,
--Sampo

> Andrés Roldán
> Project Engineer
> DD - Official Debian Developer
> C|EH - Certified Ethical Hacker
> Fluidsignal Group S.A.
> Where security meets business
> http://www.fluidsignal.com/
> Telephone: +57 (4) 4442637
> Mobile: +57 313-6463678
> PGP Key-ID: 0xB29396EB
> 
> 
> On Mon, Nov 22, 2010 at 7:39 PM, <sampo@xxxxxxxxx> wrote:
> 
> > Andrés_Roldán <andres.roldan@xxxxxxxxxxxxxxx> said:
> > > Hello,
> > >
> > > I'm sorry if I bother you with this dumb question but I haven't found any
> >
> > Support requests should be made on the zxid.user@xxxxxxxxxxxxx mailing
> > list so that others can learn from the answers.
> >
> > > information on the Internet in this regard. I'm trying to set up a simple
> > > scenario where a ZXID SP application is trying to use a SimpleSAML IdP. The
> > > ZXID application is basically the same as the code written in the file
> > > zxidhlo.pl of the ZXID distribution file. I think I may be wrong with the
> > > configuration about the AssertionConsumerService needed by SimpleSAML:
> > >
> > > $metadata["http://xxx/cgi-bin/zxidhlo.pl?o=B"] = array(
> > >         'AssertionConsumerService'   => "http://75.101.139.85/cgi-bin/zxidhlo.pl",
> > > );
> >
> > ZXID is configured using SAML metadata. You can see your metadata with
> > one of the following commands:
> >
> > curl http://xxx/cgi-bin/zxidhlo.pl?o=B
> >
> > or
> >
> > zxcot -m
> >
> > In the metadata you can locate the assertion consumer stanza (hint: the URL
> > you are looking for ends in o=P).
> >
> > SAML metadata was specified so that configuration of IdP and SP can be made
> > more automatic, i.e. you should not have to edit any arrays in source code.
> > Unfortunately the simpleSAMLphp folks do not provide any metadata import tool.
> > You should complain to them. In the zxid distribution, zxcot is that tool.
> >
> > Or you can use zxididp (see zxid-idp.pd for documentation).
> >
> > Cheers,
> > --Sampo
> >
> > > Any little input is really greatly appreciated. If you require, I can
> > > send you the logs of the apache server.
> > >
> > > Thank you in advance.
> > >
> > > Andrés Roldán
> > > Project Engineer
> > > DD - Official Debian Developer
> > > C|EH - Certified Ethical Hacker
> > > Fluidsignal Group S.A.
> > > Where security meets business
> > > http://www.fluidsignal.com/
> > > Telephone: +57 (4) 4442637
> > > Mobile: +57 313-6463678
> > > PGP Key-ID: 0xB29396EB
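The comparison Sampo asks for (IdP-side canonical form against the SP-side canon blob from the ZXID log, checked against the DigestValue in the Signature) as an added Python helper; this is not ZXID or simpleSAMLphp code. The two canonical blobs and the digest below are constructed samples; in practice you paste in the form logged by the IdP, the blob ZXID printed, and the base64 DigestValue from the ds:Reference of the Response.

```python
import base64
import hashlib

# Constructed sample inputs (not taken from the logs in this thread). The IdP-side
# blob keeps an unused namespace declaration, which inclusive C14N retains and
# exclusive C14N drops; it stands in for whatever difference the real logs show.
IDP_CANON = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             b'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
             b'ID="pfx-constructed-1" Version="2.0"></samlp:Response>')
SP_CANON = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            b'ID="pfx-constructed-1" Version="2.0"></samlp:Response>')


def digest_b64(canon: bytes) -> str:
    """SHA-1 over the canonical bytes, base64-encoded as in <ds:DigestValue>
    (a 28-character value like the one in the log is a SHA-1 digest)."""
    return base64.b64encode(hashlib.sha1(canon).digest()).decode("ascii")


def first_divergence(a: bytes, b: bytes, context: int = 40):
    """Offset of the first differing byte plus a window of each side,
    or None when the two byte strings are identical."""
    n = min(len(a), len(b))
    i = next((k for k in range(n) if a[k] != b[k]), n)
    if i == n and len(a) == len(b):
        return None
    lo = max(0, i - context)
    return i, a[lo:i + context], b[lo:i + context]


def compare_canon(expected_digest: str, idp_canon: bytes, sp_canon: bytes) -> dict:
    """Report which side's canonical bytes reproduce the DigestValue and where
    the two canonicalizations start to disagree."""
    idp_digest, sp_digest = digest_b64(idp_canon), digest_b64(sp_canon)
    matches = {"idp": idp_digest == expected_digest, "sp": sp_digest == expected_digest}
    return {"idp_digest": idp_digest, "sp_digest": sp_digest, "matches": matches,
            "divergence": first_divergence(idp_canon, sp_canon)}


if __name__ == "__main__":
    # Stand-in for the DigestValue the IdP wrote: computed from its own bytes here.
    report = compare_canon(digest_b64(IDP_CANON), IDP_CANON, SP_CANON)
    print("digest reproduced by:", [k for k, v in report["matches"].items() if v])
    if report["divergence"]:
        off, idp_win, sp_win = report["divergence"]
        print(f"first difference at byte {off}\n  IdP: {idp_win!r}\n  SP : {sp_win!r}")
```

If neither side reproduces the digest, the signed bytes were something else again (for example the reference covered a different element, or the enveloped-signature transform was not applied before hashing), so check the Transforms in the ds:Reference before comparing canonical forms.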