
Re: A little question about ZXID and SimpleSAML



Andris_Roldan <andres.roldan@xxxxxxxxxxxxxxx> said:
> The versions of the software used are:
> 
> SP: ZXID 0.71 1290467692
> IdP: SimpleSAMLphp: 1.6.2

Thanks.

> I checked the canonical XML messages from both the IdP and the SP and
> I only found a couple of differences:

While I appreciate judiciously trimming logs, in this case I need the entire canonicalized
XML blob. I cannot run fragments through my parser to check behaviour or create
test cases.

> SimpleSAML:
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

simpleSAMLphp is wrong to include the xmlns:saml declaration this early in the
document. Namespace declarations should only appear in the element
where the namespace is first used.

> ID="pfx2b4723fc-bdbe-af7b-ca16-6c02b640812c" Version="2.0"
> IssueInstant="2010-11-30T16:42:17Z"
> Destination="http://75.101.139.85/cgi-bin/zxid.pl?o=P"
> InResponseTo="Nr_3JcEFrw8eVEEgd4JUXc_bp">
>  <saml:Issuer>https://fi-midsec.fluidsignal.com</saml:Issuer>

The saml namespace declaration should appear in Issuer as that
is where it is first used. It should appear again in Assertion.

> <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> ID="pfxb70edfb1-7fb0-9b47-1956-8acdc1d403d9" Version="2.0"
> IssueInstant="2010-11-30T16:42:17Z">

Need the rest of this blob for full analysis.

At any rate the canonicalization errors so far seen are so grave
that I am incredulous whether simpleSAMLphp really would have
such grave bugs. Are you using the latest version of their code? I have
received various reports of successful interoperation between
simpleSAMLphp and ZXID so it is supposed to work.

Cheers,
--Sampo
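As an added example (not code from this thread, from ZXID or from simpleSAMLphp), the Python below takes trimmed, constructed versions of the two blobs quoted in the thread, runs both through the standard library's canonicalize() (C14N 2.0, which like exclusive c14n emits a namespace declaration on the element where its prefix is first used and drops unused ones) and compares SHA-1 digests: the raw serializations give different DigestValues, the canonical forms are byte-identical. The namespace constants, the trimmed blobs and the function names are assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed inputs, trimmed from the two blobs quoted in the thread.
# simpleSAMLphp style: xmlns:saml on Response, unused xsi/xs on Assertion.
SIMPLESAML_STYLE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"'
    ' ID="pfx2b4723fc-bdbe-af7b-ca16-6c02b640812c" Version="2.0">'
    '<saml:Issuer>https://fi-midsec.fluidsignal.com</saml:Issuer>'
    '<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' ID="pfxb70edfb1-7fb0-9b47-1956-8acdc1d403d9" Version="2.0"/>'
    '</samlp:Response>'
)
# ZXID style: xmlns:saml declared on Issuer and again on Assertion.
ZXID_STYLE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}"'
    ' ID="pfx2b4723fc-bdbe-af7b-ca16-6c02b640812c" Version="2.0">'
    f'<saml:Issuer xmlns:saml="{SAML}">https://fi-midsec.fluidsignal.com</saml:Issuer>'
    f'<saml:Assertion xmlns:saml="{SAML}"'
    ' ID="pfxb70edfb1-7fb0-9b47-1956-8acdc1d403d9" Version="2.0"/>'
    '</samlp:Response>'
)


def canon(xml_text: str) -> str:
    """Canonical form: declarations moved to first use, unused ones dropped,
    attributes sorted, empty elements written as start/end tag pairs."""
    return ET.canonicalize(xml_text)


def digest_value(data: str) -> str:
    """Base64 SHA-1 over the UTF-8 bytes, the form ZXID prints as digest(...)."""
    return base64.b64encode(hashlib.sha1(data.encode("utf-8")).digest()).decode("ascii")


def compare(idp_xml: str, sp_xml: str) -> dict:
    """Do the raw and the canonical serializations of IdP and SP agree?"""
    idp_c, sp_c = canon(idp_xml), canon(sp_xml)
    return {
        "raw_digests_match": digest_value(idp_xml) == digest_value(sp_xml),
        "canon_digests_match": digest_value(idp_c) == digest_value(sp_c),
        "canon": sp_c,  # what both sides must feed into DigestValue
    }


if __name__ == "__main__":
    print(compare(SIMPLESAML_STYLE, ZXID_STYLE))
```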

> Here the attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> is in the <samlp:Response> tag
> 
> ZXID:
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="pfx2b4723fc-bdbe-af7b-ca16-6c02b640812c" Version="2.0"
> IssueInstant="2010-11-30T16:42:17Z"
> Destination="http://75.101.139.85/cgi-bin/zxid.pl?o=P"
> InResponseTo="Nr_3JcEFrw8eVEEgd4JUXc_bp">
>  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://fi-midsec.fluidsignal.com</saml:Issuer>
> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="pfxb70edfb1-7fb0-9b47-1956-8acdc1d403d9" Version="2.0"
> IssueInstant="2010-11-30T16:42:17Z">
> 
> And here the the attribute
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" is in the
> <saml:Issuer> tag
> 
> Besides, the <saml:Assertion> tag has different attributes on each
> side. The rest of the message is canonically the same. Maybe that
> means nothing but it's the only clue I have.
> 
> Cheers
> 
> PS: I already sent a subscription request to the mailing list
> 
> Andris Roldan
> Project Engineer
> DD - Official Debian Developer
> C|EH - Certified Ethical Hacker
> Fluidsignal Group S.A.
> Where security meets business
> http://www.fluidsignal.com/
> Telephone: +57 (4) 4442637
> Mobile: +57 313-6463678
> PGP Key-ID: 0xB29396EB
> 
> 
> 
> On Tue, Nov 30, 2010 at 5:51 AM,  <sampo@xxxxxxxxx> wrote:
> > Andris_Roldan <andres.roldan@xxxxxxxxxxxxxxx> said:
> >> Thank you for the information, it was really helpful. I now have a new
> >> problem that I haven't been able to diagnose. After configuring the IdP
> >> (SimpleSAML) with the - I hope so - required info, I try again to use it
> >> with my ZXID simple SP but get a digest mismatch error. These are the
> >> excerpts of the error:
> >
> > You are not supplying version number information for either the SP or the IdP. How
> > do you expect us to help you?
> >
> >> zxsig.c:271 zxsig_validate    zxidp E Message
> >> digest(cbNxWQolXJGAzYPCrOqHGspnf8g=) mismatch at
> >> sref(#pfx6da05746-5e2c-4e07-d27d-2b74298b6b4d), canon blob(<samlp:Response
> >> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> >> ID="pfx6da05746-5e2c-4e07-d27d-2b74298b6b4d" Version="2.0"
> >> IssueInstant="2010-11-29T21:39:55Z"
> >> Destination="http://50.16.241.205/cgi-bin/zxididp?o=P"
> >> InResponseTo="NMnwUY0E4XZatWVM3R7GLd7WA"><saml:Issuer
> >> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxx</saml:Issuer><samlp:Status><samlp:StatusCode
> >> Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion
> >> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> >> ID="pfxd444d690-4708-0310-c486-985606e2d60c" Version="2.0"
> >> IssueInstant="2010-11-29T21:39:55Z"><saml:Issuer>http://xxxxx</saml:Issuer><ds:Signature
> >> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >>
> >>
> >> And then:
> >>
> >> zxidsso.c:343 zxid_sigres_map   zxidp E Bad digest. Canon problem? 3
> >> zxidlib.c:785 zxid_chk_sig      zxidp d Response sigres(3)
> >>
> >>
> >> I'm using a couple of SSL certificates issued by the same CA on the IdP and
> >> SP sides. I already put the CA cert file "ca.pem" file on /var/zxid/pem
> >>
> >> Again, I'd be really thankful if you enlighten me a little.
> >
> > To debug signature canonicalization problems, you need the canonical
> > form from the sending end and see how it is different.
> >
> > Basically you need to figure out from simpleSAMLphp documentation
> > how to make it print the canonicalization to a log and then compare
> > the canonicalization from the IdP end to the canonicalization from SP end (which
> > is available in the log message you quoted above).
> >
> >> Thank you in advance.
> >
> > Please do not thank in advance. It's rude and annoys me.
> >
> >> PS: I sent the message to the list but it rejects non-users messages.
> >
> > Consider subscribing to the list?
> >
> > Cheers,
> > --Sampo
> >
> >> Andris Roldan
> >> Project Engineer
> >> DD - Official Debian Developer
> >> C|EH - Certified Ethical Hacker
> >> Fluidsignal Group S.A.
> >> Where security meets business
> >> http://www.fluidsignal.com/
> >> Telephone: +57 (4) 4442637
> >> Mobile: +57 313-6463678
> >> PGP Key-ID: 0xB29396EB
> >>
> >>
> >> On Mon, Nov 22, 2010 at 7:39 PM, <sampo@xxxxxxxxx> wrote:
> >>
> >> > Andris_Roldan <andres.roldan@xxxxxxxxxxxxxxx> said:
> >> > > Hello,
> >> > >
> >> > > I'm sorry if I bother you with this dumb question but I haven't found any
> >> >
> >> > Support requests should be made on the zxid.user@xxxxxxxxxxxxx mailing
> >> > list so that others can learn from the answers.
> >> >
> >> > > information on the Internet in this regard. I'm trying to set up a simple
> >> > > scenario where a ZXID SP application is trying to use a SimpleSAML IdP. The
> >> > > ZXID application is basically the same as the code written in the file
> >> > > zxidhlo.pl of the ZXID distribution file. I think I may be wrong with the
> >> > > configuration about the AssertionCustomerService needed by SimpleSAML:
> >> > >
> >> > > $metadata["http://xxx/cgi-bin/zxidhlo.pl?o=B"] = array(
> >> > >     'AssertionConsumerService' => "http://75.101.139.85/cgi-bin/zxidhlo.pl",
> >> > > );
> >> >
> >> > ZXID is configured using SAML metadata. You can see your metadata with
> >> > one of the following commands:
> >> >
> >> > curl http://xxx/cgi-bin/zxidhlo.pl?o=B
> >> >
> >> > or
> >> >
> >> > zxcot -m
> >> >
> >> > In the metadata you can locate the assertion consumer stanza (hint: the URL
> >> > you are looking for ends in o=P).
> >> >
> >> > SAML metadata was specified so that configuration of IdP and SP can be made
> >> > more automatic, i.e. you should not have to edit any arrays in source code.
> >> > Unfortunately the simpleSAMLphp folks do not provide any metadata import
> >> > tool. You should complain to them. In the zxid distribution, zxcot is that tool.
> >> >
> >> > Or you can use zxididp (see zxid-idp.pd for documentation).
> >> >
> >> > Cheers,
> >> > --Sampo
> >> >
> >> > > Any little input is really greatly appreciated. If you require, I can
> >> > > send you the logs of the apache server.
> >> > >
> >> > > Thank you in advance.
> >> > >
> >> > > Andris Roldan
> >> > > Project Engineer
> >> > > DD - Official Debian Developer
> >> > > C|EH - Certified Ethical Hacker
> >> > > Fluidsignal Group S.A.
> >> > > Where security meets business
> >> > > http://www.fluidsignal.com/
> >> > > Telephone: +57 (4) 4442637
> >> > > Mobile: +57 313-6463678
> >> > > PGP Key-ID: 0xB29396EB