Channel: Spring Community Forums - SAML

Using SAML for stateless REST services

Hello,

I am looking into using spring-security-saml to secure a system built up of stateless REST services spread out over several web contexts (potentially also several servers).

Is it possible to use spring-security-saml with the create-session="stateless" option, as described e.g. here:
http://static.springsource.org/sprin...chains-with-ns

Or are there other good examples of using this extension with this kind of architecture?

/Daniel

Release schedule?

Hi,

I have now successfully built a prototype of IdP-initiated SSO using the Spring Security SAML extension and integrated it into our sales application :cool:.

We are now in a phase where we are planning the next steps.

One of our concerns right now is that the "up-stairs security guys" might have objections on using a pre-release security component in a solution which opens up our application for external access.

Is there a release schedule for Spring Security SAML extension?

Best regards,
-ttjarl

SecurityContext null in index.jsp because SecurityContextHolder cleared too early

I have a spring-security-saml2 based SP webapp that uses a Shibboleth 2 IdP.
Web SSO is successful. I am now working on a custom index.jsp and finding that within index.jsp I get a null SecurityContext, as evidenced by a println in index.jsp that prints "INFO: XXX authentication: null" at the end of the listing below. An earlier debug log line, "SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed", indicates why the SecurityContext is null.

The following thread seems related:

http://forum.springsource.org/showth...ight=index.jsp

However, the bug it references, SEC-2027, seems to be fixed in spring-security 3.1.2. I am using 3.1.4.RELEASE.

What am I doing wrong that causes the SecurityContextHolder to be cleared too early, before index.jsp has been processed? Thanks for your help.


Code:

INFO: 10:51:09,892 DEBUG WebSSOProfileConsumerImpl:559 - Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3b74be74 against requested null
INFO: 10:51:09,898  INFO SAMLDefaultLogger:94 - AuthNResponse;SUCCESS;127.0.0.1
INFO: 10:51:09,900 DEBUG SAMLProcessingFilter:317 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1e9961c6: Principal: org.springframework.security.core.userdetails.User@e1bdedc7: Username: Developer1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: urn:test:Role:TestSubmittingOrg1Developer; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@e1bdedc7: Username: Developer1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: urn:test:Role:TestSubmittingOrg1Developer; Granted Authorities: urn:test:Role:TestSubmittingOrg1Developer
INFO: 10:51:09,901 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /index.jsp
INFO: 10:51:09,902 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/omar-server/index.jsp'
INFO: 10:51:09,903 DEBUG HttpSessionSecurityContextRepository:292 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@1e9961c6: Authentication: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1e9961c6: Principal: org.springframework.security.core.userdetails.User@e1bdedc7: Username: Developer1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: urn:test:Role:TestSubmittingOrg1Developer; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@e1bdedc7: Username: Developer1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: urn:test:Role:TestSubmittingOrg1Developer; Granted Authorities: urn:test:Role:TestSubmittingOrg1Developer'
INFO: 10:51:09,904 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
INFO: 10:51:09,944 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/web/**'
INFO: 10:51:09,945 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/logout.jsp'
INFO: 10:51:09,946 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/login.jsp'
INFO: 10:51:09,947 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/index.jsp'
INFO: 10:51:09,948 DEBUG FilterChainProxy:180 - /index.jsp has an empty filter list
INFO: XXX authentication: null

Relevant parts of my index.jsp are below...

Code:

...
<div id="content">
    <h1>My Application</h1>

    <%
        // The Authentication is restored from the HttpSession by SecurityContextPersistenceFilter
        // only for requests that actually pass through the Spring Security filter chain.
        SAMLCredential credential = null;
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("XXX authentication: " + authentication);
        if (authentication != null) {
            System.out.println("XXX authentication.isAuthenticated: " + authentication.isAuthenticated());
            Object o = authentication.getCredentials();
            System.out.println("XXX authentication.getCredentials(): " + o);
            if (o != null) {
                if (o instanceof SAMLCredential) {
                    System.out.println("XXX Got SAMLCredential");
                    credential = (SAMLCredential) o;
                } else {
                    System.out.println("XXX Got credential of type " + o.getClass());
                }
            } else {
                System.out.println("XXX Got null credential");
            }
        }

        // Expose the credential (possibly null) to the rest of the page as ${credential}.
        pageContext.setAttribute("credential", credential);
    %>
...

401 - Authentication Failed: Error validating SAML message

I'm having a recurring issue with SAML authentication failing. We've had this bug before, but mysteriously it went away and only comes back after we update code and redeploy.

I have tried an NTP sync, and also downloaded the latest jar, spring-security-saml2-core-1.0.0.RC2.jar.

The error we are getting is very generic, and everything before it looks successful.

In the browser: 401 - Authentication Failed: Error validating SAML message

In the logs:


Code:

INFO  SAMLDefaultLogger - AuthNResponse;FAILURE;10.33.114.42
org.opensaml.common.SAMLException: Error validating SAML response
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:246)
        at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

Does Spring Security SAML 1.0.0.RC2 not support WAYF/SAMLDS?

Logout - Incoming SAML message is invalid

Hi all,

I have a problem with the logout functionality. My app sends a logout request to the IdP:
Code:

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                      Destination="https://accounts400.sap.com/saml2/idp/slo/accounts.sap.com"
                      ID="a37j4j32f57c3hfa3g160f3if31cjja"
                      IssueInstant="2013-08-19T11:07:21.625Z"
                      Version="2.0"
                      >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localcrs.sap.com</saml2:Issuer>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                  >C5134682</saml2:NameID>
    <saml2p:SessionIndex>S-SP-7480a29e-b22c-4568-a2ac-e86a9476ea7b</saml2p:SessionIndex>
</saml2p:LogoutRequest>

and receives this response from the IdP:

Code:

<ns3:LogoutResponse Version="2.0"
                    IssueInstant="2013-08-19T11:07:21.760Z"
                    InResponseTo="a37j4j32f57c3hfa3g160f3if31cjja"
                    ID="S1f928fbe-dd56-4596-a4d7-85633482dba1"
                    Destination="http://localhost:8080/crs/saml/SingleLogout/alias/defaultAlias"
                    xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
                    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
                    xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
    <Issuer>accounts.sap.com</Issuer>
    <ns3:Status>
        <ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </ns3:Status>
</ns3:LogoutResponse>

but after that the following message appears in my app: "org.opensaml.common.SAMLRuntimeException: Incoming SAML message is invalid". In the log file I see:

Code:

[INFO ] MetadataGeneratorFilter at 14:07:10 | Created default metadata for system with entityID: localcrs.sap.com
[INFO ] SAMLDefaultLogger at 14:07:17 | AuthNRequest;SUCCESS;127.0.0.1
[INFO ] SAMLProtocolMessageXMLSignatureSecurityPolicyRule at 14:07:19 | SAML protocol message was not signed, skipping XML signature processing
[INFO ] SAMLDefaultLogger at 14:07:19 | AuthNResponse;SUCCESS;127.0.0.1
[INFO ] SAMLDefaultLogger at 14:07:21 | LogoutRequest;SUCCESS;127.0.0.1
Aug 19, 2013 2:07:21 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [/crs] threw exception
org.opensaml.common.SAMLRuntimeException: Incoming SAML message is invalid
        at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:130)
        at org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:93)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
        at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:217)
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72)
        at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
        at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
        at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:120)
        ... 37 more

[INFO ] BaseSAMLSimpleSignatureSecurityPolicyRule at 14:07:21 | Validation of request simple signature succeeded
[INFO ] BaseSAMLSimpleSignatureSecurityPolicyRule at 14:07:21 | Authentication via request simple signature succeeded for context issuer entity ID accounts.sap.com
[INFO ] SAMLProtocolMessageXMLSignatureSecurityPolicyRule at 14:07:21 | SAML protocol message was not signed, skipping XML signature processing
[ERROR] BaseSAMLMessageDecoder at 14:07:21 | SAML message intended destination endpoint 'http://localhost:8080/crs/saml/SingleLogout/alias/defaultAlias' did not match the recipient endpoint 'https://10.25.11.139/crs/saml/SingleLogout/alias/defaultAlias'

I guess that error is related to the storage factory, as it was in this thread: InResponseToField.

I also tried writing something like this:

Code:

<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <constructor-arg ref="successLogoutHandler"/>
    <constructor-arg ref="logoutHandler"/>
    <constructor-arg ref="logoutHandler"/>
    <property name="contextProvider">
        <bean class="org.springframework.security.saml.context.SAMLContextProviderLB">
            <property name="scheme" value="${saml-scheme}"/>
            <property name="serverName" value="${saml-server-name}"/>
            <property name="serverPort" value="${saml-server-port}"/>
            <property name="includeServerPortInRequestURL" value="false"/>
            <property name="contextPath" value="${saml-context-path}"/>
            <property name="storageFactory">
                <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
            </property>
        </bean>
    </property>
</bean>

and like this:
Code:

<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <constructor-arg ref="successLogoutHandler"/>
    <constructor-arg ref="logoutHandler"/>
    <constructor-arg ref="logoutHandler"/>
    <property name="contextProvider" ref="contextProvider"/>
</bean>

but it doesn't work. I attached the application-context-security file for more information.
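The destination check behind the error above, as an added Python model that is not Spring SAML's or OpenSAML's own code: it rebuilds the SP's endpoint URL from SAMLContextProviderLB-style settings and compares it with the Destination of the LogoutResponse. The Destination and the 10.25.11.139 address come from the post; the LB settings used in the demo are assumptions.

```python
"""Endpoint check behind a load balancer: model of the failure in the logout post.

OpenSAML compares the Destination attribute of an incoming LogoutResponse with
the URL the SP believes it received the message on.  Behind a reverse proxy the
container sees the internal address (https://10.25.11.139/... in the post), so
the SP has to rebuild the public URL from fixed settings, which is what the
SAMLContextProviderLB scheme/serverName/serverPort/contextPath properties do.
Added, simplified re-implementation; not Spring SAML's or OpenSAML's own code.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"

# Copy of the LogoutResponse shown in the post (only Destination matters here).
LOGOUT_RESPONSE = """<ns3:LogoutResponse Version="2.0"
    IssueInstant="2013-08-19T11:07:21.760Z"
    InResponseTo="a37j4j32f57c3hfa3g160f3if31cjja"
    ID="S1f928fbe-dd56-4596-a4d7-85633482dba1"
    Destination="http://localhost:8080/crs/saml/SingleLogout/alias/defaultAlias"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer>accounts.sap.com</Issuer>
  <ns3:Status><ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns3:Status>
</ns3:LogoutResponse>"""

SLO_PATH = "/saml/SingleLogout/alias/defaultAlias"   # SLO endpoint path inside the context


@dataclass(frozen=True)
class LbContext:
    """Mirror of the SAMLContextProviderLB properties used in the post (values assumed)."""
    scheme: str
    server_name: str
    server_port: int
    context_path: str
    include_server_port_in_request_url: bool = False

    def recipient_url(self, path_within_context: str) -> str:
        # The port is appended only when includeServerPortInRequestURL is true.
        host = self.server_name
        if self.include_server_port_in_request_url:
            host = f"{host}:{self.server_port}"
        return f"{self.scheme}://{host}{self.context_path}{path_within_context}"


def request_derived_url(scheme: str, host: str, port: int, path: str) -> str:
    """URL as the servlet container sees the request (what the default provider uses)."""
    default = {"http": 80, "https": 443}[scheme]
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def canonical(url: str) -> tuple:
    """Scheme and host case-insensitive, default port filled in, path compared exactly."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port, p.path)


def destination_matches(destination: str, recipient: str) -> bool:
    return canonical(destination) == canonical(recipient)


def check_logout_response(xml_text: str, recipient: str) -> str:
    """Return 'ok' or the error text a decoder would raise for this message."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2P}}}LogoutResponse":
        return "unexpected message type"
    destination = root.get("Destination")
    if destination is None:
        return "missing Destination"
    if not destination_matches(destination, recipient):
        return (f"SAML message intended destination endpoint '{destination}' "
                f"did not match the recipient endpoint '{recipient}'")
    return "ok"


if __name__ == "__main__":
    # 1. What the container saw in the post: the proxy's internal HTTPS address.
    seen = request_derived_url("https", "10.25.11.139", 443, "/crs" + SLO_PATH)
    print(check_logout_response(LOGOUT_RESPONSE, seen))
    # 2. LB settings that rebuild exactly the Destination the IdP was given.
    lb = LbContext("http", "localhost", 8080, "/crs", include_server_port_in_request_url=True)
    print(check_logout_response(LOGOUT_RESPONSE, lb.recipient_url(SLO_PATH)))
    # 3. Same settings with the port left out (includeServerPortInRequestURL=false).
    lb_noport = LbContext("http", "localhost", 8080, "/crs")
    print(check_logout_response(LOGOUT_RESPONSE, lb_noport.recipient_url(SLO_PATH)))
```

Case 3 shows that the LB settings must reproduce the endpoint URL exactly as published in the SP metadata, port included.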

SAML authentication via a batch process

I have a batch process written in Java that accesses multiple web services during its execution. Some of these services are SOAP based and others are REST based.
My requirement is that when the batch process wants to invoke the services, it should first programmatically obtain a SAML authentication token and, in the case of REST, an OAuth 2.0 access token.
I am aware of the SAML SSO Browser profile, but that seems to require an actual user entering a user id and password. Is there a way that my batch process can simply submit a user id/password to the SAML server and obtain an authentication token?

Logout (between several application)

Hi all,

I would like to implement a logout workflow between several applications. That means when I click on the logout link in my app and go to another app, the other app logs out too. Currently it works for another app from my system; however, when I am authenticated in a few apps and click on the logout link in the other app, my app doesn't log the user out of the system.

As I understood, I have to configure the Assertion consumer.
Could you please explain how to do this?

AuthnResponse - Authentication Failed: Incoming SAML message is invalid

Hi Guys,

As an SP, I'm trying to integrate SAML with a partner who has an IdP set up. We imported the IdP metadata below and its X.509 public key into our keystore.

Code:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="XXXX">
<md:IDPSSODescriptor WantAuthnRequestsSigned="0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>XXXX</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX" index="0" isDefault="1"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="XXXX"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="XXXX"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX"/>
<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="XXXX"/>
<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="XXXX"/>
<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="XXXX"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="XXXX"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX"/>
</md:IDPSSODescriptor>
<md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>XXXX</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX"/>
</md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>

Upon accessing a resource, the authentication request below is sent to the IdP. I've replaced sensitive tokens with XXXXX.

Code:

<saml2p:AuthnRequest AssertionConsumerServiceURL="XXXXX"
                    Destination="XXXXX"
                    ForceAuthn="false"
                    ID="a2g0c8dfedgde265408jh9204657aei"
                    IsPassive="false"
                    IssueInstant="2013-08-31T08:51:32.098Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">XXXXX</saml2:Issuer>
    <saml2p:Scoping ProxyCount="2" />
</saml2p:AuthnRequest>

The IdP prompts for login and sends back the successful assertion below to the SP. I've replaced sensitive tokens with XXXXX.

Code:

<samlp:Response ID="_10346b23-8a4e-403a-8876-7f3df1dda226"
                Version="2.0"
                IssueInstant="2013-08-31T08:52:06Z"
                Destination="XXXXX"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">XXXXX</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_10346b23-8a4e-403a-8876-7f3df1dda226">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi"
                                            xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"
                                            />
                    </Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>XXXXX</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>XXXXX</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>XXXXX</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0"
                    ID="_ceb08452-bc35-4383-853d-4c7e936f44fa"
                    IssueInstant="2013-08-31T08:52:06Z"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    >
        <saml:Issuer>XXXXX</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">XXXXX</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2013-08-31T10:52:06Z"
                                              Recipient="XXXXX"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2013-08-31T08:51:06Z"
                        NotOnOrAfter="2013-08-31T10:52:06Z"
                        >
            <saml:AudienceRestriction>
                <saml:Audience/>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2013-08-31T08:52:06Z"
                            SessionIndex="Ac5234d15"
                            >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

Problem

HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid

Logging from both OpenSAML and Spring SAML:

Code:

2013-08-30 13:25:30,286 [http-apr-XXXX-exec-98] DEBUG o.o.w.m.decoder.BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
2013-08-30 13:25:30,295 [http-apr-XXXX-exec-98] DEBUG o.o.w.m.decoder.BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
2013-08-30 13:25:30,295 [http-apr-XXXX-exec-98] DEBUG o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
2013-08-30 13:25:30,296 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2013-08-30 13:25:30,308 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2013-08-30 13:25:30,308 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2013-08-30 13:25:30,312 [http-apr-XXXX-exec-98] DEBUG o.s.s.saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid

Can anyone please provide some pointers on how to debug this issue? What exactly is missing in above flow?

Thanks in advance!
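The checks an SP applies to a Response like the one posted before accepting its bearer assertion, as an added Python model that is not Spring SAML's code. The entity IDs, ACS URL and NameID are constructed stand-ins for the XXXXX placeholders; the AuthnRequest ID, timestamps and the empty Audience element are taken from the post.

```python
"""Bearer-assertion checks an SP applies, run over the Response shown in the post.

Besides verifying the XML signature, an SP confirms the message was addressed to it
(Destination, Recipient, Audience), answers a request it sent (InResponseTo) and is
inside its validity window.  Added model, not Spring SAML's code: the signature is
only checked to reference the Response, never verified.  IDs/URLs are constructed
stand-ins for the post's XXXXX; timestamps and the empty <saml:Audience/> are copied.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test"              # constructed
ACS_URL = "https://sp.example.test/saml/SSO"          # constructed
IDP_ENTITY_ID = "https://idp.example.test"            # constructed
SENT_REQUEST_ID = "a2g0c8dfedgde265408jh9204657aei"   # AuthnRequest ID from the post

RESPONSE = f"""<samlp:Response ID="_10346b23-8a4e-403a-8876-7f3df1dda226" Version="2.0"
    IssueInstant="2013-08-31T08:52:06Z" Destination="{ACS_URL}"
    xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <Signature xmlns="{NS['ds']}"><SignedInfo><Reference URI="#_10346b23-8a4e-403a-8876-7f3df1dda226"/></SignedInfo>
    <SignatureValue>XXXXX</SignatureValue></Signature>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_ceb08452-bc35-4383-853d-4c7e936f44fa" IssueInstant="2013-08-31T08:52:06Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user123</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-08-31T10:52:06Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-08-31T08:51:06Z" NotOnOrAfter="2013-08-31T10:52:06Z">
      <saml:AudienceRestriction><saml:Audience/></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, skew=timedelta(seconds=60)) -> list:
    """Return the failed checks; an empty list means the Response is acceptable."""
    errors = []
    resp = ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if resp.get("Destination") != ACS_URL:
        errors.append("Destination is not our ACS URL")
    if resp.get("InResponseTo") != SENT_REQUEST_ID:
        errors.append("InResponseTo missing or not the AuthnRequest we sent")
    ref = resp.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + resp.get("ID", ""):
        errors.append("signature does not reference this Response")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no Assertion in Response"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("assertion Issuer is not the expected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if now + skew < _ts(cond.get("NotBefore")):
            errors.append("assertion not yet valid (NotBefore)")
        if now - skew >= _ts(cond.get("NotOnOrAfter")):
            errors.append("assertion expired (NotOnOrAfter)")
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            errors.append(f"our entityID is not among Audience values {audiences}")
    bearer_ok = False
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if (sc.get("Method") == BEARER and data is not None
                and data.get("Recipient") == ACS_URL
                and now - skew < _ts(data.get("NotOnOrAfter"))):
            bearer_ok = True
    if not bearer_ok:
        errors.append("no usable bearer SubjectConfirmation (Recipient / NotOnOrAfter)")
    return errors


def accepted_variant(xml_text: str) -> str:
    """Same Response with the two fields the checker flags filled in."""
    return (xml_text
            .replace("<saml:Audience/>", f"<saml:Audience>{SP_ENTITY_ID}</saml:Audience>")
            .replace('Version="2.0"', f'Version="2.0" InResponseTo="{SENT_REQUEST_ID}"', 1))


if __name__ == "__main__":
    when = _ts("2013-08-31T08:55:00Z")   # a clock shortly after the post's IssueInstant
    print("as posted:", validate_response(RESPONSE, when))
    print("fixed:    ", validate_response(accepted_variant(RESPONSE), when))
```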

ConcurrentSessionFilter not working with SAML

Hi ,

I am using the Spring Security SAML extension with ADFS to establish WS-Trust.
I have successfully received the SAML 2.0 response.

I have included ConcurrentSessionControlStrategy and ConcurrentSessionFilter in my security-context.xml to implement user concurrency control.

Below is the part of security-context.xml for concurrency.

HTML Code:

<!-- Secured pages -->
<security:http entry-point-ref="samlEntryPoint">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <!--<security:custom-filter before="FIRST" ref="metadataGeneratorFilter" /> -->
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    <!-- note: the security namespace permits a single session-management element per http block -->
    <security:session-management session-authentication-strategy-ref="sessAuthStrategy"/>
    <security:session-management session-authentication-strategy-ref="concurrencySessionControl"/>
</security:http>

<bean id="concurrencySessionControl" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <property name="maximumSessions" value="1" />
    <property name="exceptionIfMaximumExceeded" value="true" />
</bean>

<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry" />
    <property name="expiredUrl" value="/" />
</bean>

<!-- the registry is a top-level bean, shared by the strategy and the filter -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

I don't have any custom implementation of the UserDetails and User classes.

I read in the posts below that we need to override equals() and hashCode() of the UserDetails class so that the sessionRegistry can identify the users.

http://stackoverflow.com/questions/3...y-control-work
http://stackoverflow.com/questions/1...multiple-times

Since the Spring Security SAML extension uses custom UserDetails, do we still need to override equals() and hashCode() of the UserDetails class? Can you tell me how to do this?

We already have a SAMLUserDetails class; what do we need to do in that class so that ConcurrentSessionFilter will work?

If somebody could lay this out in steps, that would be very helpful for my understanding.

Thanks,
Selvakumar
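The equals()/hashCode() point the post refers to, as an added Python model of SessionRegistryImpl and ConcurrentSessionControlStrategy that is not Spring's code: the two Principal classes stand in for a UserDetails implementation without and with equals()/hashCode(); the username and session ids are constructed.

```python
"""Model of why SessionRegistryImpl needs equals()/hashCode() on the principal.

Spring Security's SessionRegistryImpl maps each principal to its session ids, and
ConcurrentSessionControlStrategy counts the sessions stored under the principal of
the new login.  Two logins of the same user produce two distinct principal objects;
unless they compare equal and hash alike they land under separate keys and the
second login is never counted.  Added Python model of that mechanism, not Spring's
code; the Principal classes stand in for UserDetails implementations.
"""


class IdentityPrincipal:
    """Stand-in for a UserDetails class that does not override equals()/hashCode()."""

    def __init__(self, username: str):
        self.username = username


class ValuePrincipal(IdentityPrincipal):
    """Stand-in for a UserDetails class whose equals()/hashCode() use the username."""

    def __eq__(self, other):
        return isinstance(other, ValuePrincipal) and other.username == self.username

    def __hash__(self):
        return hash(self.username)


class SessionRegistry:
    """Minimal SessionRegistryImpl: principal -> session ids, plus the expired set."""

    def __init__(self):
        self._by_principal = {}
        self.expired = set()

    def register_new_session(self, session_id: str, principal) -> None:
        self._by_principal.setdefault(principal, []).append(session_id)

    def all_sessions(self, principal, include_expired: bool = False) -> list:
        sessions = self._by_principal.get(principal, [])
        return [s for s in sessions if include_expired or s not in self.expired]

    def expire_now(self, session_id: str) -> None:
        # ConcurrentSessionFilter later rejects requests that carry an expired id.
        self.expired.add(session_id)

    def principal_count(self) -> int:
        return len(self._by_principal)


def on_authentication(registry: SessionRegistry, principal, session_id: str,
                      maximum_sessions: int = 1,
                      exception_if_maximum_exceeded: bool = True) -> str:
    """Model of ConcurrentSessionControlStrategy for one new login."""
    active = registry.all_sessions(principal)
    if len(active) >= maximum_sessions:
        if exception_if_maximum_exceeded:
            return "rejected"            # SessionAuthenticationException in Spring
        registry.expire_now(active[0])   # otherwise the oldest session is expired
    registry.register_new_session(session_id, principal)
    return "allowed"


def simulate(principal_cls, **strategy_kwargs) -> tuple:
    """Two logins of one user from two browsers, with the post's maximumSessions=1."""
    registry = SessionRegistry()
    outcomes = []
    for session_id in ("JSESSIONID-1", "JSESSIONID-2"):   # constructed session ids
        # Each login builds a fresh principal object, as a UserDetailsService would.
        principal = principal_cls("selvakumar")            # constructed username
        outcomes.append(on_authentication(registry, principal, session_id, **strategy_kwargs))
    return tuple(outcomes), registry.principal_count(), sorted(registry.expired)


if __name__ == "__main__":
    print("identity equality:", simulate(IdentityPrincipal))
    print("value equality:   ", simulate(ValuePrincipal))
    print("value, expire old:", simulate(ValuePrincipal, exception_if_maximum_exceeded=False))
```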

Missing SAML request if not "apollo" certificate.

Hi folks,
I got the Spring SAML sample running and was able to make the first steps to protect my own application. However, it only works with the "apollo" certificate for the application. If I create my own certificate, it seems a call to the IdP without a SAML message is initiated. I have set the logging to DEBUG level, but no error message is shown. The log messages show the encryption with my private key and the creation of a SAML message, but then it is not sent; only a call to the IdP with the URL specified in the "Destination" tag of the SAMLRequest is made. I have compared the apollo certificate and my own certificate and cannot see any difference.

Any advice?

Christian

index.jsp without content

Hi,

My Spring SAML sample is working fine in regards to authentication. At least I am getting this message on the console:

- Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@fe2506ee: Principal: org.opensaml.saml2.core.impl.NameIDImpl@323766; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities

The index.jsp page is displayed, but only with the static content and text; all the credential information requested by the JSP via credential.xxx, such as the user name, is missing.

In addition, I have the question of how I could retrieve the SAML authentication token in a Java class (e.g. in a servlet) after a successful authentication. Is the SAML token stored somewhere in the session?

regards
Christian