
AuthnStatement is required in assertion failure



Hi Sampo / users,
     I have the below pasted response from the IDP for the AuthnRequest,
and this looks to be a valid saml assertion (as per the schema), but zxid
complains that the assertion does not contain an AuthnStatement in the
sso_finalize method and fails to create the session on the SP.

<samlp:Response ID="id"
                Version="2.0"
                IssueInstant="2013-12-02T19:39:31.007Z"
                Destination="https://sphost:1443/protected/saml?o=P"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="requestId"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp/url</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="assertionId"
               IssueInstant="2013-12-02T19:39:31.007Z"
               Version="2.0"
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
               >
        <Issuer>http://idp/url</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            ....
        </ds:Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">username</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="requestId"
                                         NotOnOrAfter="2013-12-02T19:44:31.007Z"
                                         Recipient="https://sphost:1443/protected/saml?o=P"
                                         />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2013-12-02T19:39:31.006Z"
                    NotOnOrAfter="2013-12-02T20:39:31.006Z"
                    >
            <AudienceRestriction>
                <Audience>https://sphost:1443/protected/saml</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userid">
                <AttributeValue>userId</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/test">
                <AttributeValue>testing</AttributeValue>
            </Attribute>
        </AttributeStatement>
    </Assertion>
</samlp:Response>

The SAML 2 assertion schema has this:


<complexType name="AssertionType">
    <sequence>
        <element ref="saml:Issuer"/>
        <element ref="ds:Signature" minOccurs="0"/>
        <element ref="saml:Subject" minOccurs="0"/>
        <element ref="saml:Conditions" minOccurs="0"/>
        <element ref="saml:Advice" minOccurs="0"/>
        <choice minOccurs="0" maxOccurs="unbounded">
            <element ref="saml:Statement"/>
            <element ref="saml:AuthnStatement"/>
            <element ref="saml:AuthzDecisionStatement"/>
            <element ref="saml:AttributeStatement"/>
        </choice>
    </sequence>
    <attribute name="Version" type="string" use="required"/>
    <attribute name="ID" type="ID" use="required"/>
    <attribute name="IssueInstant" type="dateTime" use="required"/>
</complexType>
<element name="Subject" type="saml:SubjectType"/>


As you can see, just sending an AttributeStatement is a valid
assertion (w.r.t schema) without sending an AuthnStatement. Is the
AuthnStatement mandatory for the zxid SSO to work since the
"inResponseTo" and the "status" together give the appropriate values
to identify and assert the original authnRequest?

Also, for testing purposes, is there a way that I can bypass this
(like the option with SIG_FATAL configuration values)?

-Karthik

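As an added example (not zxid's code), the checks an SP should run on the response above before creating a session: it parses a constructed sample modeled on the posted response (ds:Signature omitted and assumed verified beforehand) and returns every reason to refuse. The function name check_response and its expected-value arguments are assumptions; the last check reflects the SAML 2.0 Web Browser SSO profile, which requires at least one AuthnStatement in the bearer assertion even though the assertion schema makes every statement optional.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Constructed sample modeled on the response in the post; ds:Signature omitted (assumed verified earlier).
SAMPLE = """<samlp:Response ID="id" Version="2.0" IssueInstant="2013-12-02T19:39:31.007Z"
  InResponseTo="requestId" Destination="https://sphost:1443/protected/saml?o=P"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>http://idp/url</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="assertionId" Version="2.0" IssueInstant="2013-12-02T19:39:31.007Z"><Issuer>http://idp/url</Issuer>
    <Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">username</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
        InResponseTo="requestId" NotOnOrAfter="2013-12-02T19:44:31.007Z"
        Recipient="https://sphost:1443/protected/saml?o=P"/></SubjectConfirmation></Subject>
    <Conditions NotBefore="2013-12-02T19:39:31.006Z" NotOnOrAfter="2013-12-02T20:39:31.006Z">
      <AudienceRestriction><Audience>https://sphost:1443/protected/saml</Audience></AudienceRestriction></Conditions>
    <AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userid">
      <AttributeValue>userId</AttributeValue></Attribute></AttributeStatement></Assertion></samlp:Response>"""

def ts(s):  # SAML UTC dateTime ("...Z") -> timezone-aware datetime
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(xml_text, request_id, acs_url, audience, now_iso):
    """Return the reasons an SP should refuse to start a session; [] means accept."""
    root, problems, now = ET.fromstring(xml_text), [], ts(now_iso)
    st = root.find("samlp:Status/samlp:StatusCode", NS)
    if st is None or st.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("Status is not Success")
    if root.get("InResponseTo") != request_id:
        problems.append("Response InResponseTo does not match our AuthnRequest")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion in Response"]
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        problems.append("bearer SubjectConfirmationData is not bound to this request and endpoint")
    elif now >= ts(scd.get("NotOnOrAfter")):
        problems.append("bearer SubjectConfirmationData has expired")
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if (nb and now < ts(nb)) or (na and now >= ts(na)):
        problems.append("outside the Conditions validity window")
    if audience not in [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("Audience does not name this SP")
    # Schema: every statement is optional. SSO profile: an AuthnStatement is required, and it carries AuthnInstant, SessionIndex and AuthnContext for the SP session.
    if a.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement (required by the SSO profile, not by the schema)")
    return problems
```

The stdlib parser is used only for brevity; a production SP should parse untrusted SAML with defusedxml (or equivalent) and verify the signature before any of these checks.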