
Re: Need help with encryptedAssertion



+Users list

Hi all,
   Further, I see the following error in the Apache logs: "SSO failed: no
assertion supplied, or assertion didn't contain AuthnStatement". Is there
any configuration that I need to set to get mod_auth_saml to recognize the
encryptedAssertion?

-Karthik


On Fri, Nov 22, 2013 at 12:27 PM, Karthik Sudarshan
<ksudarshan@xxxxxxxxxx> wrote:

> Hi Sampo,
>     I have set up the mod_auth_saml.so and I am able to send an Authrequest
> to the IDP. The IDP after authentication sends a success response with an
> encryptedAssertion. After this I don't see any session created on the SP
> (no cookies created for the SP domain, only the ones for IDP domain), and
> the page just loads the IDP selection page with the url "?o=P".
>
> I am a bit stuck here, since I don't know what to check for. The SAML
> response is of the form below:
>
> <samlp:Response ID="_0bc852b1-de7e-44d1-bc17-c237c2f0e19b"
>                 Version="2.0"
>                 IssueInstant="2013-11-22T16:55:03.621Z"
>                 Destination="https://hostname:1443/protected/saml?o=P"
>                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>                 InResponseTo="keyValue"
>                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>                 >
>     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idpHost/trust</Issuer>
>     <samlp:Status>
>         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>     </samlp:Status>
>     <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>                             >
>             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>                 <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>                     <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>                     </e:EncryptionMethod>
>                     <KeyInfo>
>                         <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                             <ds:X509IssuerSerial>
>                                 <ds:X509IssuerName>C=PT, S=Lisboa, L=Lisboa, O=Unspecified ORG_NAME conf variable, OU=SSO Dept ZXID Auto-Cert, CN=hostname</ds:X509IssuerName>
>                                 <ds:X509SerialNumber>3602989903</ds:X509SerialNumber>
>                             </ds:X509IssuerSerial>
>                         </ds:X509Data>
>                     </KeyInfo>
>                     <e:CipherData>
>                         <e:CipherValue>..</e:CipherValue>
>                     </e:CipherData>
>                 </e:EncryptedKey>
>             </KeyInfo>
>             <xenc:CipherData>
>                 <xenc:CipherValue>..</xenc:CipherValue>
>             </xenc:CipherData>
>         </xenc:EncryptedData>
>     </EncryptedAssertion>
> </samlp:Response>
>
>
> Is there something that stands out here? I'm in the testing mode, and hence use the default keys shipped with ZXID.
>
>
> -Karthik
>
>
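An added example (not from the thread's author or the ZXID project): a Python triage of a Response shaped like the one quoted above, showing what an SP can find in the message before any decryption, which is the situation behind an error such as "no assertion supplied, or assertion didn't contain AuthnStatement". The sample response is constructed with placeholder cipher values; the certificate issuer it reports is what an operator would compare against the SP's own encryption certificate.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample modeled on the response quoted in the thread; CipherValues are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <KeyInfo><X509Data><X509IssuerSerial><X509IssuerName>OU=SSO Dept ZXID Auto-Cert, CN=hostname</X509IssuerName>
            <X509SerialNumber>3602989903</X509SerialNumber></X509IssuerSerial></X509Data></KeyInfo>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey></KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData></EncryptedAssertion>
</samlp:Response>"""

def _attr(el, path, attr):
    # Attribute of the first element matching path below el, or None if absent.
    node = el.find(path, NS) if el is not None else None
    return node.get(attr) if node is not None else None

def triage_response(xml_text):
    """Report what an SP such as mod_auth_saml can see in a SAML Response without decrypting it."""
    root = ET.fromstring(xml_text)
    report = {"status": _attr(root, "samlp:Status/samlp:StatusCode", "Value"),
              "plain_assertion": root.find("saml:Assertion", NS) is not None,
              "authn_statement": root.find("saml:Assertion/saml:AuthnStatement", NS) is not None}
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    report["encrypted_assertion"] = enc is not None
    if enc is not None:
        # Data-encryption algorithm, key-wrap algorithm, and the issuer of the SP
        # certificate the IDP encrypted to: compare the latter with the SP's own cert.
        report["data_alg"] = _attr(enc, "xenc:EncryptionMethod", "Algorithm")
        ek = enc.find("ds:KeyInfo/xenc:EncryptedKey", NS)
        report["key_alg"] = _attr(ek, "xenc:EncryptionMethod", "Algorithm")
        issuer = ek.find("ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName", NS) if ek is not None else None
        report["key_cert_issuer"] = issuer.text if issuer is not None else None
    if report["plain_assertion"] and report["authn_statement"]:
        report["verdict"] = "plaintext Assertion with AuthnStatement: SP can create a session"
    elif report["encrypted_assertion"]:
        report["verdict"] = ("Assertion is encrypted: SP must decrypt it with the private key "
                             "matching key_cert_issuer before it can see an AuthnStatement")
    else:
        report["verdict"] = "no Assertion supplied"
    return report
```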
