java - Validate IDP initiated SAML2.0 Response -


saml experts please help!!!!

am new saml , jsp. wanna validate idp(identity provider) initiated saml response token using opensaml library in java(environment linux,tomcat6.0) , retrieve attribute information sent such userid,username,email.the saml response not encrypted , have idp's trust certificate installed in java keystore.the saml token profile "web browser sso" , uses http-post binding.the certificate has public key in it.do need private key validate?what steps done succesful validation?just digital signature validation enough trust source?should profile validation or else? below given saml response receiving idp. please let me know if need more information?sorry if did not give enough information.please me...thanks in advance.

<samlp:response xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol" id="xyz" version="2.0" issueinstant="2013-07-10t16:43:54z" destination="http://www.testsp.com">   <saml:issuer xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion">http://www.testidp.com:8080/opensso</saml:issuer>  - <samlp:status xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol">   <samlp:statuscode xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol" value="urn:oasis:names:tc:saml:2.0:status:success" />    </samlp:status> - <saml:assertion xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" id="xyz" issueinstant="2013-07-10t16:43:51z" version="2.0">   <saml:issuer>http://www.testidp.com:8080/opensso</saml:issuer>  - <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> - <ds:signedinfo>   <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />    <ds:signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />  - <ds:reference uri="#xyz"> - <ds:transforms>   <ds:transform algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />    <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />    </ds:transforms>   <ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />    <ds:digestvalue>...hdfb3454jh545dfbj545423df....=</ds:digestvalue>    </ds:reference>   </ds:signedinfo>   <ds:signaturevalue>..................hsdgysgdyyusgfdfb98738e43hjrg874y474h7y8r............=</ds:signaturevalue>  - <ds:keyinfo> - <ds:x509data>   <ds:x509certificate>............./kpm0qlp8vcohyi76aue6jl nfetlcae3b6hodfkciu+ethezc2i/8jf1rhdnpey4ts1mqj/....... </ds:x509certificate>    </ds:x509data>   </ds:keyinfo>   </ds:signature> - <saml:subject>   <saml:nameid format="urn:oasis:names:tc:saml:2.0:nameid-format:transient" namequalifier="http://www.testidp.com:8080/opensso" spnamequalifier="http://www.testsp.com">....zeq8nhjkrkdxuwx67ytuynwj4n...</saml:nameid>  - <saml:subjectconfirmation method="urn:oasis:names:tc:saml:2.0:cm:bearer">   <saml:subjectconfirmationdata notonorafter="2013-07-10t16:53:51z" recipient="http://www.testsaml.com/tespsamlmodule" />    </saml:subjectconfirmation>   </saml:subject> - <saml:conditions notbefore="2013-07-10t16:33:51z" notonorafter="2013-07-10t16:53:51z"> - <saml:audiencerestriction>   <saml:audience>http://www.testsaml.com/tespsamlmodule</saml:audience>    </saml:audiencerestriction>   </saml:conditions> - <saml:authnstatement authninstant="2013-07-10t16:36:35z" sessionindex="......erer54t54y45y75666y65y65y...."> - <saml:authncontext>   <saml:authncontextclassref>urn:oasis:names:tc:saml:2.0:ac:classes:passwordprotectedtransport</saml:authncontextclassref>    </saml:authncontext>   </saml:authnstatement> - <saml:attributestatement> - <saml:attribute name="uid">   <saml:attributevalue xmlns:xs="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:type="xs:string">ab123</saml:attributevalue>    </saml:attribute> - <saml:attribute name="uname">   <saml:attributevalue xmlns:xs="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:type="xs:string">robert</saml:attributevalue>    </saml:attribute> - <saml:attribute name="emailaddress">   <saml:attributevalue xmlns:xs="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:type="xs:string">robert@example.com</saml:attributevalue>    </saml:attribute>   </saml:attributestatement>   </saml:assertion>   </samlp:response>

you need validate responce according saml spec. there functionaliy doing in opensaml seems safest bet write own validation code. see. http://marc.info/?t=137354098500007&r=1&w=2

you must validate signature. signature verification use public key. here wrote on blog opensaml signatur verification. http://mylifewithjava.blogspot.no/2012/11/verifying-signatures-with-opensaml.html

i have more on signing , encryption using opensaml in book, a guide opensaml


Comments

Post a Comment

Popular posts from this blog

curl - PHP fsockopen help required -

i trying work on cloudflare api , have found in documentation. unfortunately have no idea how can use in fsockopen or through curl. here example of post request. need know how can make request below data post using curl or fsockopen curl https://www.cloudflare.com/api_json.html -d 'a=cache_lvl' \ -d 'tkn=8afbe6dea02407989af4dd4c97bb6e25' \ -d 'email=sample@example.com' \ -d 'z=example.com' \ -d 'v=agg' here link cloudflare https://www.cloudflare.com/docs/client-api.html#s4.2 try one: $ch = curl_init("https://www.cloudflare.com/api_json.html"); curl_setopt($ch, curlopt_returntransfer,1); curl_setopt($ch, curlopt_followlocation, 1); curl_setopt($ch, curlopt_ssl_verifypeer,false); // handling of -d curl parameter here. $param = array( 'a' => 'cache_lvl', 'tkn' => '8afbe6dea02407989af4dd4c97bb6e25', 'email' => 'sample@example.com', 'z' =...
Read more

HTTP/1.0 407 Proxy Authentication Required PHP -

i working in restricted network/limited access internet. since have use proxy make web service call. here php code calling web service , response . $client = new soapclient("http: //www.xyz.com/abc/wsdls/login.wsdl", array("trace" => 1, "exceptions" => 1, 'proxy_host' => $proxy_host, 'proxy_port' => $proxy_port, 'proxy_login' => $proxy_login, 'proxy_password' => $proxy_password)); response is fatal error: uncaught soapfault exception: [wsdl] soap-error: parsing wsdl: couldn't load ' http://www.xyz.com/abc/wsdls/login.wsdl ' : failed load external entity if copy url error message , paste in browser(with same proxy settings) works. 2nd scenario is, if pass values instead of variables giving me diffarant response $client = new soapclient("http: //www.xyz.com/abc/wsdls/login.wsdl", array("trace" => 1, "exceptions" => 1, 'proxy_host' ...
Read more

c# - Resource not found error -

i have problem accessing method on homecontroller. show code of method : [httpget] public actionresult decriptidentifiantetredirige(string login_crypter, string mdp_crypter) { string loginacrypter = _globalmanager.protegemotdepasse(login_crypter); string mdpacrypter = _globalmanager.protegemotdepasse(mdp_crypter); user userapp = new models.user(login_crypter, mdp_crypter); if (userapp.authentificationvalidee(userapp.userlogin, userapp.password)) { session["name"] = userapp.userlogin; return redirecttoaction("accueil", "home"); } else { return redirecttoaction("validerauthentification", "home"); } } then in routeconfig.cs wrote route : routes.maproute( name: "authentificationapresdecryptage", url: "{controller}/{action}/{login_crypter}/{mdp_crypter}", defaults: new...
Read more