
Re: Need help with encryptedAssertion



Hi Sampo,
     I looked into the logs and found this :

t7f16e67ec700 zxlibdec.c:209 zx_chk_el_ord mas I chkuid: Unknown <DigestMethod> token(0xffffff) as 1. child of <EncryptionMethod> 0x490740 (0,2)
t7f16e67ec700 zxidsso.c:642 zxid_sp_sso_finalize mas E chkuid: ssof: SSO failed: no assertion supplied, or assertion didn't contain AuthnStatement. 0x7f1684003f60
t7f16e67ec700 zxidsso.c:779 zxid_sp_sso_finalize mas E chkuid: ssof: SSO fail (S)

So it looks like the SAML response XML does not conform to the xmlenc schema. I've replied to the IDP team to look at it. The IDP is a home-grown one by a different organization that I'm trying to work with.

As always, thanks for your input. I hope that after the XML gets fixed, I will be able to move forward and create the session on the SP.

Regards,
Karthik

On 11/22/2013 3:54 PM, sampo@xxxxxxxxx wrote:
Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
+Users list

Hi all,
    Further, I see the following error in the Apache logs : "SSO failed: no
assertion supplied, or assertion didn't contain AuthnStatement". Is there
any configuration that I need to set to get mod_auth_saml to recognize the
encryptedAssertion?
Encrypted assertions are recognized by default, provided that the
decryption is successful. Typically decryption would fail if
your metadata (which contains the public key in the cert) at the IdP end
does not match your private key.

Which IdP are you testing with?

Have you looked in Apache errorlog?

If the errorlog is not informative enough, consider adding debug flag,
such as ZXIDDebug "0x7f" in your httpd.conf or DEBUG=0x7f in your
zxid.conf.

Cheers,
--Sampo

-Karthik


On Fri, Nov 22, 2013 at 12:27 PM, Karthik Sudarshan
<ksudarshan@xxxxxxxxxx>wrote:

Hi Sampo,
     I have set up the mod_auth_saml.so and I am able to send an AuthnRequest
to the IDP. The IDP after authentication sends a success response with an
encryptedAssertion. After this I don't see any session created on the SP
(no cookies created for the SP domain, only the ones for the IDP domain), and
the page just loads the IDP selection page with the url "?o=P".

I am a bit stuck here, since I don't know what to check for. The SAML
response is of the form below :

<samlp:Response ID="_0bc852b1-de7e-44d1-bc17-c237c2f0e19b"
                 Version="2.0"
                 IssueInstant="2013-11-22T16:55:03.621Z"
                 Destination="https://hostname:1443/protected/saml?o=P"
                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                 InResponseTo="keyValue"
                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idpHost/trust</Issuer>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
     </samlp:Status>
     <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                             >
             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                 <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                     <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     </e:EncryptionMethod>
                     <KeyInfo>
                         <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                             <ds:X509IssuerSerial>
                                 <ds:X509IssuerName>C=PT, S=Lisboa, L=Lisboa, O=Unspecified ORG_NAME conf variable, OU=SSO Dept ZXID Auto-Cert, CN=hostname</ds:X509IssuerName>
                                 <ds:X509SerialNumber>3602989903</ds:X509SerialNumber>
                             </ds:X509IssuerSerial>
                         </ds:X509Data>
                     </KeyInfo>
                     <e:CipherData>
                         <e:CipherValue>..</e:CipherValue>
                     </e:CipherData>
                 </e:EncryptedKey>
             </KeyInfo>
             <xenc:CipherData>
                 <xenc:CipherValue>..</xenc:CipherValue>
             </xenc:CipherData>
         </xenc:EncryptedData>
     </EncryptedAssertion>
</samlp:Response>


Is there something that stands out here? I'm in testing mode, and hence use the default keys shipped with ZXID.


-Karthik


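Sampo's diagnosis in the thread (decryption fails when the certificate the IdP encrypts to does not match the SP's private key) and the log line Karthik posted (an unknown DigestMethod child under EncryptionMethod) both come down to reading the EncryptedAssertion carefully before changing anything on the SP. The script below is an added example, not part of this thread and not ZXID or mod_auth_saml code. It parses a samlp:Response with the Python standard library, reports the data and key-transport algorithms, lists the children the IdP placed under the key-transport EncryptionMethod, extracts the recipient certificate's issuer and serial from X509IssuerSerial, and compares that serial with the serial of the SP's encryption certificate as printed by `openssl x509 -noout -serial -in sp-cert.pem` (an assumed operator step). The sample response, the placeholder CipherValues and the accepted serial formats are constructed here for the example.

```python
"""Triage a SAML 2.0 Response with an EncryptedAssertion (added example, stdlib only)."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_serial(value):
    """Accept an int, a decimal string, or openssl's 'serial=D6C1434F' hex form."""
    if isinstance(value, int):
        return value
    s = value.strip()
    return int(s[7:], 16) if s.lower().startswith("serial=") else int(s, 10)

def _text(el):
    return (el.text or "").strip() if el is not None else ""

def triage_response(xml_text, expected_serial=None):
    """Report on the EncryptedAssertion; expected_serial is the SP encryption cert's
    serial as printed by `openssl x509 -noout -serial -in sp-cert.pem`, or None."""
    # ElementTree is not hardened against entity-expansion attacks; in front of
    # an untrusted IdP wrap it with defusedxml or an equivalent guard.
    root = ET.fromstring(xml_text)
    r = {"status": None, "plain_assertion": False, "encrypted_assertion": False,
         "data_alg": None, "key_transport_alg": None, "key_transport_children": [],
         "key_issuer": None, "key_serial": None, "key_matches_sp_cert": None,
         "problems": []}
    prob = r["problems"].append
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    r["status"] = sc.get("Value") if sc is not None else None
    if r["status"] != SUCCESS:
        prob("StatusCode is not Success: %s" % r["status"])
    r["plain_assertion"] = root.find("saml:Assertion", NS) is not None
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    r["encrypted_assertion"] = enc is not None
    if enc is None:
        if not r["plain_assertion"]:
            prob("Response carries neither Assertion nor EncryptedAssertion")
        return r
    em = enc.find("xenc:EncryptionMethod", NS)
    r["data_alg"] = em.get("Algorithm") if em is not None else None
    if not _text(enc.find("xenc:CipherData/xenc:CipherValue", NS)):
        prob("EncryptedData has no CipherValue")
    # The session key is normally wrapped inline as ds:KeyInfo/xenc:EncryptedKey.
    ek = enc.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if ek is None:
        prob("no inline EncryptedKey: cannot tell which SP key the IdP encrypted to")
        return r
    kem = ek.find("xenc:EncryptionMethod", NS)
    if kem is not None:
        r["key_transport_alg"] = kem.get("Algorithm")
        # XML Encryption permits children such as ds:DigestMethod under RSA-OAEP;
        # record them so decoder complaints about unknown children can be matched.
        r["key_transport_children"] = [c.tag for c in kem]
    isr = ek.find("ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial", NS)
    if isr is None:
        prob("EncryptedKey does not identify the recipient cert (no X509IssuerSerial)")
        return r
    r["key_issuer"] = _text(isr.find("ds:X509IssuerName", NS))
    serial = _text(isr.find("ds:X509SerialNumber", NS))
    r["key_serial"] = int(serial) if serial else None
    if expected_serial is not None and r["key_serial"] is not None:
        want = parse_serial(expected_serial)
        r["key_matches_sp_cert"] = want == r["key_serial"]
        if not r["key_matches_sp_cert"]:
            prob("IdP encrypted the session key to cert serial %d, but the SP metadata "
                 "cert has serial %d; the SP private key cannot decrypt it" % (r["key_serial"], want))
    return r

# Constructed sample mirroring the shape of the response posted in the thread;
# the CipherValue contents are placeholders, not real ciphertext.
SAMPLE_RESPONSE = """<samlp:Response ID="_0bc852b1-de7e-44d1-bc17-c237c2f0e19b" Version="2.0"
  IssueInstant="2013-11-22T16:55:03.621Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idpHost/trust</Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
     <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     </e:EncryptionMethod>
     <KeyInfo><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509IssuerSerial>
      <ds:X509IssuerName>C=PT, S=Lisboa, L=Lisboa, O=Unspecified ORG_NAME conf variable, OU=SSO Dept ZXID Auto-Cert, CN=hostname</ds:X509IssuerName>
      <ds:X509SerialNumber>3602989903</ds:X509SerialNumber>
     </ds:X509IssuerSerial></ds:X509Data></KeyInfo>
     <e:CipherData><e:CipherValue>UExBQ0VIT0xERVI=</e:CipherValue></e:CipherData>
    </e:EncryptedKey>
   </KeyInfo>
   <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for key, val in triage_response(SAMPLE_RESPONSE, "serial=D6C1434F").items():
        print("%-24s %s" % (key, val))
```

Run `openssl x509 -noout -serial -in sp-cert.pem` against the certificate in the metadata you handed the IdP and pass the output as expected_serial. If the report says the serials differ, the IdP encrypted to some other certificate (typically stale SP metadata on the IdP side, or an SP key that was rotated after the metadata was exchanged), and no SP-side configuration change will make decryption succeed. The key_transport_children entry shows exactly which elements the IdP placed under the key-transport EncryptionMethod, which is what you want in hand when a decoder logs an unknown child there.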