
Re: Need help with encryptedAssertion



Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
> +Users list
> 
> Hi all,
>    Further, I see the following error in the Apache logs : "SSO failed: no
> assertion supplied, or assertion didn't contain AuthnStatement". Is there
> any configuration that I need to set to get mod_auth_saml to recognize the
> encryptedAssertion?

Encrypted assertions are recognized by default, provided that the
decryption is successful. Typically decryption would fail if
your metadata (which contains the public key in a cert) at the IdP end
does not match your private key.

Which IdP are you testing with?

Have you looked in Apache errorlog?

If the errorlog is not informative enough, consider adding debug flag,
such as ZXIDDebug "0x7f" in your httpd.conf or DEBUG=0x7f in your
zxid.conf.

Cheers,
--Sampo

> -Karthik
> 
> 
> On Fri, Nov 22, 2013 at 12:27 PM, Karthik Sudarshan
> <ksudarshan@xxxxxxxxxx> wrote:
> 
> > Hi Sampo,
> >     I have setup the mod_auth_saml.so and I am able to send an Authrequest
> > to the IDP. The IDP after authentication sends a success response with an
> > encryptedAssertion. After this I don't see any session created on the SP
> > (no cookies created for the SP domain, only the ones for IDP domain), and
> > the page just loads the IDP selection page with the url "?o=P".
> >
> > I am a bit stuck here, since I don't know what to check for. The SAML
> > response is of the form below :
> >
> > <samlp:Response ID="_0bc852b1-de7e-44d1-bc17-c237c2f0e19b"
> >                 Version="2.0"
> >                 IssueInstant="2013-11-22T16:55:03.621Z"
> >                 Destination="https://hostname:1443/protected/saml?o=P"
> >                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
> >                 InResponseTo="keyValue"
> >                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> >                 >
> >     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idpHost/trust</Issuer>
> >     <samlp:Status>
> >         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
> >     </samlp:Status>
> >     <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> >         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
> >                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> >                             >
> >             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
> >             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >                 <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> >                     <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> >                         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >                     </e:EncryptionMethod>
> >                     <KeyInfo>
> >                         <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >                             <ds:X509IssuerSerial>
> >                                 <ds:X509IssuerName>C=PT, S=Lisboa, L=Lisboa, O=Unspecified ORG_NAME conf variable, OU=SSO Dept ZXID Auto-Cert, CN=hostname</ds:X509IssuerName>
> >                                 <ds:X509SerialNumber>3602989903</ds:X509SerialNumber>
> >                             </ds:X509IssuerSerial>
> >                         </ds:X509Data>
> >                     </KeyInfo>
> >                     <e:CipherData>
> >                         <e:CipherValue>..</e:CipherValue>
> >                     </e:CipherData>
> >                 </e:EncryptedKey>
> >             </KeyInfo>
> >             <xenc:CipherData>
> >                 <xenc:CipherValue>..</xenc:CipherValue>
> >             </xenc:CipherData>
> >         </xenc:EncryptedData>
> >     </EncryptedAssertion>
> > </samlp:Response>
> >
> >
> > Is there something that stands out here? I'm in the testing mode, and hence use the default keys shipped with ZXID.
> >
> >
> > -Karthik
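Sampo's diagnosis is that decryption fails when the certificate the IdP holds in the SP metadata no longer matches the SP's private key. The quoted response actually tells you which certificate the IdP encrypted to: the `X509IssuerSerial` inside the `EncryptedKey`. The script below is an added diagnostic, not ZXID code or anything from the thread. It parses a constructed copy of the response above with the standard library, pulls out the key-wrap and data-encryption algorithms and the issuer/serial hint, and compares that hint with the issuer and serial of the SP's own decryption certificate (values you would read from the SP's PEM with `openssl x509 -noout -issuer -serial`). It assumes, as the `OU=... ZXID Auto-Cert` string suggests, that the SP certificate is the self-signed one ZXID generates, so issuer plus serial identify it directly; the `SP_CERT_*` constants are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the response quoted in the thread; the
# cipher values are elided exactly as they were in the original post.
SAMPLE_RESPONSE = """<samlp:Response ID="_0bc852b1-de7e-44d1-bc17-c237c2f0e19b" Version="2.0"
    IssueInstant="2013-11-22T16:55:03.621Z"
    Destination="https://hostname:1443/protected/saml?o=P"
    InResponseTo="keyValue"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idpHost/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </e:EncryptionMethod>
          <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=PT, S=Lisboa, L=Lisboa, O=Unspecified ORG_NAME conf variable, OU=SSO Dept ZXID Auto-Cert, CN=hostname</ds:X509IssuerName>
                <ds:X509SerialNumber>3602989903</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </KeyInfo>
          <e:CipherData><e:CipherValue>..</e:CipherValue></e:CipherData>
        </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData><xenc:CipherValue>..</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>"""

# Constructed placeholders: in practice take these from the SP's own
# certificate (openssl x509 -noout -issuer -serial -in <sp-cert.pem>).
SP_CERT_ISSUER = ("C=PT, S=Lisboa, L=Lisboa, O=Unspecified ORG_NAME conf variable, "
                  "OU=SSO Dept ZXID Auto-Cert, CN=hostname")
SP_CERT_SERIAL = "3602989903"


def _norm(text):
    """Collapse whitespace so DN strings compare reliably."""
    return " ".join((text or "").split())


def describe_encrypted_response(xml_text):
    """Extract the encryption metadata the SP needs to match its own key.

    Returns None when the response carries no EncryptedAssertion at all,
    which would point at a different problem than a key mismatch.
    """
    root = ET.fromstring(xml_text)
    enc_data = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc_data is None:
        return None
    enc_key = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    hint = enc_key.find("ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial", NS)
    return {
        "idp_issuer": _norm(root.findtext("saml:Issuer", namespaces=NS)),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "data_algorithm": enc_data.find("xenc:EncryptionMethod", NS).get("Algorithm"),
        "key_algorithm": enc_key.find("xenc:EncryptionMethod", NS).get("Algorithm"),
        "cert_issuer": _norm(hint.findtext("ds:X509IssuerName", namespaces=NS)),
        "cert_serial": _norm(hint.findtext("ds:X509SerialNumber", namespaces=NS)),
    }


def check_key_hint(info, sp_cert_issuer, sp_cert_serial):
    """Return findings that explain a 'no assertion supplied' failure."""
    if info is None:
        return ["response carries no EncryptedAssertion"]
    findings = []
    if not info["status"].endswith(":Success"):
        findings.append("IdP reported status " + info["status"])
    if (info["cert_issuer"], info["cert_serial"]) != (_norm(sp_cert_issuer), sp_cert_serial):
        findings.append("IdP encrypted to issuer=%r serial=%s, not the SP's current "
                        "certificate: SP metadata at the IdP is probably stale"
                        % (info["cert_issuer"], info["cert_serial"]))
    return findings


if __name__ == "__main__":
    info = describe_encrypted_response(SAMPLE_RESPONSE)
    print(info)
    print(check_key_hint(info, SP_CERT_ISSUER, SP_CERT_SERIAL) or ["key hint matches SP certificate"])
```

An empty findings list means the IdP encrypted to the certificate the SP currently holds, so the next place to look is the ZXIDDebug output Sampo mentions rather than the metadata exchange; a mismatch means re-publishing the SP metadata to the IdP (or restoring the matching private key) before anything else.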