
Re: Configuring SAML for Apache



Gutschi Gerhard Alfred HCMS sIT
  <GerhardAlfred.Gutschi@xxxxxxxxxxxxxxxx> said:
> Dear Mr. Kellomäki,
> 
> my problem is that SAML doesn't recognize the IdP server.
> Please find attached the steps I've done:
> 
> 1.)   I entered the metadata.xml with command: zxcot -a <MyMetadataFile.xml
> This is the content of my metadata:
> <md:EntitiesDescriptor validUntil="2022-03-20T12:03:28.807Z"
>     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:alfa="acns:alfa"
>     xmlns:mdui="urn:oasis:names:tc:SAM:metadata:ui">
> 
> <!-- this IDP -->
>     <md:EntityDescriptor entityID="acns:AlfaTicket_E">
>         <md:Extensions>
>             <alfa:context app="IDP" env="E"/>
>         </md:Extensions>

Consider removing the Extensions element, i.e. edit the file manually
and reimport it using zxcot -a
I am not sure what will happen with unknown extensions so it would
be safest to remove it.

Another slightly odd thing is that the entityID of the IdP is not a
resolvable URL pointing to the metadata. It should still work
if you manually import the metadata using zxcot -a.

Also the subject cn field of the certificate does not look like a URL
so the certificate will not work as web site TLS certificate.

Out of curiosity, which IdP software are they running and why
do they have such a weird entityID? Why do they need the Extension?

>         <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>             <md:KeyDescriptor>
>                 <ds:KeyInfo>
>                     <ds:X509Data>
>                         <!-- certificate AlfaTicket_E.4 -->
>                         <ds:X509Certificate>
> MIIF1TCCBL2gAwIBAgITegAB4567ehJyyMB71QABAAHjnjANBgkqhkiG9w0BAQUF
> ADBBMRMwEQYKCZImiZPyLGQBGRYDbmV0MRgwFgYKCZImiZPyLGQBGRYIcy1ncnVw
> cGUxEDAOBgNVBAMTB0lTMlAxQVQwHhcNMTQwNzAxMTMyMDIxWhcNMTUwNzEzMDky
> NjA4WjA9MQswCQYDVQQGEwJBVDEXMBUGA1UEChMOcyBJVCBTb2x1dGlvbnMxFTAT
> BgNVBAMUDEFsZmFUaWNrZXRfRTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
> ggEBANcmHBJyyYlnAbP7Sd0JAMRrVxTLNd7bD9BmY7kRqV0aqMWbgbT3qLLgkh62
> Ate50RBp6k/vnZoodGt8nC9ed6Ym7m7glG8I9Z9YQDfOx2rS5vQGd6mL9xoys6ry
> 3p8YbtbOLchmhC4TPMd0tiuK7vjoz+qN3g/+75kuH3eeSLQvsN4te4lmIRVZ0oeA
> zpnrrtmfOPxTTZsz6VO0We9C3RUCZ1Bn+FlV18c/o+FdBuNue3tHJtJiIX4VJud+
> PoDw5xQas5qlTwfJ5C+Yx3Huus0nOJgqXnC1Uza4w5rU9uwbtuzvo2Q4OWMCRxI1
> j9UIrnbKeyd+mUS/iYiQDi1r2ocCAwEAAaOCAsgwggLEMAsGA1UdDwQEAwIFoDAd
> BgNVHQ4EFgQUL3SKcmEevjFvbzDo10huQ0Rc0PkwHwYDVR0jBBgwFoAUUIwz3hBd
> UOrh/cUR1GKJm0XpbkYwgfgGA1UdHwSB8DCB7TCB6qCB56CB5IY4aHR0cDovL3B1
> Ymxpc2gucGtpLmVyc3RlLWdyb3VwLm5ldC9jcmwvbXMvSVMyUDFBVCgxKS5jcmyG
> gadsZGFwOi8vL0NOPUlTMlAxQVQoMSksQ049Q0RQLENOPVB1YmxpYyUyMEtleSUy
> MFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9cy1ncnVw
> cGUsREM9bmV0P2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD
> bGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCCAQEGCCsGAQUFBwEBBIH0MIHxMEUG
> CCsGAQUFBzAChjlodHRwOi8vcHVibGlzaC5wa2kuZXJzdGUtZ3JvdXAubmV0L2Nl
> cnQvbXMvSVMyUDFBVCgxKS5jcnQwgacGCCsGAQUFBzAChoGabGRhcDovLy9DTj1J
> UzJQMUFULENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
> aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXMtZ3J1cHBlLERDPW5ldD9jQUNlcnRp
> ZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA/
> BgkrBgEEAYI3FQcEMjAwBigrBgEEAYI3FQiGgrdQgZGuEIbNmQaE8u8i8oEdgXqF
> s5b1MYPegYEZAgFkAgEEMBUGA1UdJQQOMAwGCisGAQQBgjcKAwwwHQYJKwYBBAGC
> NxUKBBAwDjAMBgorBgEEAYI3CgMMMA0GCSqGSIb3DQEBBQUAA4IBAQAgrQoUzNRm
> 06u7eO55kdlHe0XjyTzxzQ7VtvbWQUHzFcjXzyL7B3zTPq5PXuOZJ6kZMM6XdIX9
> eVMATd7HWXJm1rgcXdl7ccEsjDQ/nMLi0cPTmgMaQqX2FrQEP/F+pFFSlQk5ifiM
> F+cGIZpWyV7yrdwc0E9t0eD4HMCPqZTcM64jPZDWOH2rlv+2a1VIzIDmPD6gabf8
> Tnl5vacN4D/25t9DEVrpwXuXww34FkRBE8AkHI+aD5aW7JeUjboi8QEBwfRUX673
> c0/NFLpcImqTZIf8w7RH6/7X88OMNOxJT4PfGxCSi2cHhks/skQyhG27Sf+PZ79u
> GNpDQNp3GmFn
>                         </ds:X509Certificate>
>                     </ds:X509Data>
>                 </ds:KeyInfo>
>             </md:KeyDescriptor>
>             <md:NameIDFormat>acns:alfaid</md:NameIDFormat>
>             <md:SingleSignOnService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                 Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/samlwebsso" />
>             <md:SingleSignOnService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                 Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/samlwebsso" />
>         </md:IDPSSODescriptor>
>         <md:SPSSODescriptor WantAssertionsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>             <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                 Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/list"
> index="0" isDefault="true" />
>             <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                 Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/list?spId=http://sp-e.s-mxs.net/testServiceProvider" index="1" />
>         </md:SPSSODescriptor>
>         <md:ContactPerson contactType="technical">
>             <md:GivenName>Bernhard</md:GivenName>
>             <md:SurName>Gruber</md:SurName>
>             <md:EmailAddress>mailto:bernhard.gruber@xxxxxxxxxxxxxxxx</md:EmailAddress>
>             <md:TelephoneNumber>+43 (0)5 0100 - 15779</md:TelephoneNumber>
>         </md:ContactPerson>
>     </md:EntityDescriptor>
> 
> 
> </md:EntitiesDescriptor>
> 
> 
> 2.)   The metadata-file was stored in the dir.: /var/zxid/cot.
> As you can see in the screenshot there are five files in this dir. The file
> with the name: XFsCJLxzsSoO0iQVxxI_g2lprc8 is my metadata-file. The other 4
> files were installed by the make command.
> [screenshot image001.jpg: attachment removed]
> 
> 3.)   I created the zxid.conf file in dir: /var/zxid
> Content:
> [screenshot image002.jpg: attachment removed]
> 
> 4.)   When I enter the command: https://10.18.114.50/html_protected/ in my
> browser I get this page:
> [screenshot image003.jpg: attachment removed]
> There is no combo box for selecting the IdP?

This is because it fails to parse the IdP metadata file. For maximal
chances of success, first remove the Extension element, then remove
the <!-- comments -->, and finally remove all whitespace, except the
newlines in the certificate base64 data.

Cheers,
--Sampo

> 5.)   When I click on the link:
> https://10.18.115.50:443/html_protected/saml?o=B I get this page with my
> metadata:
> [screenshot image004.jpg: attachment removed]
> 
> Now my question. What is missing, that I don't get the popup window with the
> selection of my IdP-Server?
> Is there anything I have to enter in the zxid.conf? I haven't found an example
> on the internet.
> Thank you for your help.
> 
> Best regards
> Gerhard Gutschi
> 
> [demime 1.01d removed an attachment of type image/jpeg which had a name of image001.jpg]
> 
> [demime 1.01d removed an attachment of type image/jpeg which had a name of image002.jpg]
> 
> [demime 1.01d removed an attachment of type image/jpeg which had a name of image003.jpg]
> 
> [demime 1.01d removed an attachment of type image/jpeg which had a name of image004.jpg]
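The clean-up Sampo recommends in the reply above (drop the md:Extensions element, drop the XML comments, collapse insignificant whitespace but keep the newlines inside the certificate's base64, and flag an entityID that is not a resolvable URL) as an added Python script. This is example code written for this page, not part of ZXID and not code from either poster; it uses only the standard library, and the sample metadata embedded in it is constructed with the same shape as the metadata quoted in the thread, with a placeholder certificate body rather than a real certificate. It does not parse the certificate itself, so Sampo's point about the subject CN is not checked here.

```python
"""Sanitize SAML 2.0 metadata before importing it with `zxcot -a`:
remove md:Extensions, remove XML comments, strip insignificant whitespace
while keeping the newlines inside ds:X509Certificate, and report an
entityID that is not a resolvable URL. Added example, not ZXID code."""
import base64
import re
import sys
import xml.etree.ElementTree as ET
from typing import List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)   # keep the md:/ds: prefixes on output
ET.register_namespace("ds", DS)
EXT_TAG = f"{{{MD}}}Extensions"
CERT_TAG = f"{{{DS}}}X509Certificate"

# Constructed sample with the shape of the metadata quoted in the thread.
# The certificate body is a placeholder, not a real certificate.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    xmlns:alfa="acns:alfa">
  <!-- this IDP -->
  <md:EntityDescriptor entityID="acns:AlfaTicket_E">
    <md:Extensions>
      <alfa:context app="IDP" env="E"/>
    </md:Extensions>
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <!-- certificate -->
        <ds:X509Certificate>
            MIIBAAAAAAAA
            MIIBBBBBBBBB
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.com/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def sanitize(root: ET.Element) -> ET.Element:
    """Remove md:Extensions and whitespace-only text; keep certificate
    base64 one line per original line. Comments are already gone, since
    ElementTree's default parser discards them while parsing."""
    for parent in list(root.iter()):
        for ext in [child for child in parent if child.tag == EXT_TAG]:
            parent.remove(ext)
    for el in root.iter():
        if el.tag == CERT_TAG:
            lines = [ln.strip() for ln in (el.text or "").splitlines()]
            el.text = "\n" + "\n".join(ln for ln in lines if ln) + "\n"
        elif el.text is not None and not el.text.strip():
            el.text = None
        if el.tail is not None and not el.tail.strip():
            el.tail = None
    return root


def check(root: ET.Element) -> List[str]:
    """Report the things worth a look before import: a non-URL entityID
    (auto-fetch of metadata cannot work, manual zxcot -a import is needed),
    a leftover md:Extensions element, and a certificate body that is not
    valid base64 (mail wrapping or stray characters)."""
    issues = []
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        eid = ed.get("entityID", "")
        if not re.match(r"https?://", eid):
            issues.append(f"entityID {eid!r} is not a resolvable URL (manual zxcot -a import required)")
        if ed.find(EXT_TAG) is not None:
            issues.append(f"entityID {eid!r} carries md:Extensions")
    for cert in root.iter(CERT_TAG):
        try:
            base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:
            issues.append("ds:X509Certificate body is not valid base64")
    return issues


def sanitize_text(xml_text: str) -> str:
    return ET.tostring(sanitize(ET.fromstring(xml_text)), encoding="unicode")


def check_text(xml_text: str) -> List[str]:
    return check(ET.fromstring(xml_text))


if __name__ == "__main__":
    # Usage: python sanitize_md.py metadata.xml > clean.xml && zxcot -a <clean.xml
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for issue in check_text(src):
        print("warning:", issue, file=sys.stderr)
    print(sanitize_text(src))
```

Run it over the real metadata file, read the warnings, and feed the cleaned output to `zxcot -a` as in step 1 of the original post; the unused `xmlns:alfa` declaration disappears from the output because nothing references that namespace once md:Extensions is gone.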