Generate SAML Not working

Hello,

I am getting the below error when I try to generate the SAML assertion.

{
    "fault": {
        "faultstring": "GenerateSAMLAssertion[SAML]: Error transforming assertion into message.",
        "detail": {
            "errorcode": "steps.saml.generate.ErrorUpdatingPayload"
        }
    }
}

I have created a POST request to generate a SAML assertion. The policy order is Assign Message -> SAML; I have put this in the request flow.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
  <DisplayName>Assign Message-1</DisplayName>
  <Properties/>
  <Set>
    <Payload contentType="application/xml"/>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateSAMLAssertion name="SAML" ignoreContentType="false">
  <CanonicalizationAlgorithm/>
  <Issuer ref="reference">Issuer name</Issuer>
  <KeyStore>
    <Name ref="reference">ftfdevts</Name>
    <Alias ref="reference">ftfdevts</Alias>
  </KeyStore>
  <OutputVariable>
    <FlowVariable>assertion.content</FlowVariable>
    <Message name="request">
      <Namespaces>
        <Namespace prefix="test">http://www.example.com/test</Namespace>
      </Namespaces>
      <XPath>/envelope/header</XPath>
    </Message>
  </OutputVariable>
  <SignatureAlgorithm/>
  <Subject ref="reference">Subject name</Subject>
  <Template ignoreUnresolvedVariables="false">
    <!-- A lot of XML goes here, in CDATA, with {} around
         each variable -->
  </Template>
</GenerateSAMLAssertion>

Solved

1 ACCEPTED SOLUTION

That isn't going to work. The configuration for the SAML policy is a bit involved, so let me try to explain it.  Here's an example. 

<GenerateSAMLAssertion name="SAML-1" ignoreContentType="false">
  <!-- 1. data elements that might be included in the assertion -->
  <Issuer>urn://18CF315A-6A9A-481F-93B8-C1AB988A7D49</Issuer>
  <Subject>dinochiesa</Subject>

  <!-- 2. algorithms to use when signing -->
  <DigestMethod>SHA256</DigestMethod>
  <SignatureAlgorithm>rsa-sha256</SignatureAlgorithm>

  <!-- 3. key to use for signing -->
  <KeyStore>
    <Name>saml-example-keystore</Name>
    <Alias>saml-key</Alias> <!-- refers to cert and key -->
  </KeyStore>

  <!-- 4. where to put the signed assertion -->
  <OutputVariable>
    <FlowVariable>assertion_content</FlowVariable>
    <Message name="request">
      <Namespaces>
        <Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
        <Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
      </Namespaces>
      <XPath>/soap:Envelope/soap:Header/wsse:Security</XPath>
    </Message>
  </OutputVariable>

  <!-- 5. the content of the assertion that will be signed-->
  <Template ignoreUnresolvedVariables="false">
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="{saml.id}" Version="2.0" IssueInstant="{saml.issueInstant}">
      <saml:Issuer>{saml.issuer}</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="{saml.subjectFormat}">{saml.subject}</saml:NameID>
      </saml:Subject>
      <saml:AuthnStatement AuthnInstant="{saml.authnInstant}" SessionIndex="{saml.authnSessionIndex}">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>{saml.authnContextClassRef}</saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </Template>
</GenerateSAMLAssertion>

In the above there are distinct sections with numbered comments. I'll explain each here.

  1. The Issuer and Subject specify data elements that will be used later, in the Template.
  2. These items define which algorithms to use during signature generation.
  3. This defines the key to use for signing. This says to use the keystore named "saml-example-keystore", and the key alias named "saml-key".
  4. This defines where to put the signed assertion, after it is generated. This says to use the message named "request" - that is to say, the inbound request. And, this configuration says to insert the assertion into the WS-Security header. That location is specified by the XPath here. (This is a typical location for a SAML assertion in a SOAP message.)
  5. The template to generate the signed information. The things inside curly braces are just references to variables, which get replaced at runtime.

The result is that request.content, if it is an XML document AND if it has a WS-Security header, will get the assertion injected into it.

If the request message is not an XML doc, or if the XPath does not resolve to a node, then the policy will fail.

Attached, please find a working example API Proxy, and some tools to help provision the keystore. (Works on Apigee X.)

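The two failure conditions named in the accepted answer (request.content is not XML, or the OutputVariable XPath resolves to no node) can be reproduced outside Apigee. The following is an added example, not code from the thread, from Apigee, or from the answer's attached proxy: it uses only the Python standard library, the namespace URIs and XPath from the accepted answer's policy, and constructed sample bodies. The class and function names are mine, and the sample assertion is an unsigned stand-in; the real policy signs the rendered Template before inserting it, which this code does not do.

```python
"""Added example: check the preconditions the GenerateSAMLAssertion policy's
<OutputVariable><Message> placement imposes on request.content, and show the
insertion it performs at /soap:Envelope/soap:Header/wsse:Security."""
import xml.etree.ElementTree as ET

# Namespaces taken from the accepted answer's policy configuration.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"soap": SOAP_NS, "wsse": WSSE_NS, "saml": SAML_NS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes on output


class PayloadUpdateError(Exception):
    """Local stand-in (my name) for the fault steps.saml.generate.ErrorUpdatingPayload."""


def locate_security_header(request_body):
    """Resolve /soap:Envelope/soap:Header/wsse:Security or raise PayloadUpdateError.

    Mirrors the two failure conditions from the answer: the body must be an XML
    document, and the XPath must resolve to a node."""
    try:
        root = ET.fromstring(request_body)
    except ET.ParseError as exc:
        raise PayloadUpdateError(f"request.content is not an XML document: {exc}")
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise PayloadUpdateError("root element is not soap:Envelope")
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise PayloadUpdateError(
            "XPath /soap:Envelope/soap:Header/wsse:Security resolved to no node")
    return root, security


def failure_reason(request_body):
    """Return None when insertion would succeed, otherwise the reason text."""
    try:
        locate_security_header(request_body)
    except PayloadUpdateError as exc:
        return str(exc)
    return None


def inject_assertion(request_body, assertion_xml):
    """Append the assertion as a child of wsse:Security and return the new body."""
    root, security = locate_security_header(request_body)
    security.append(ET.fromstring(assertion_xml))
    return ET.tostring(root, encoding="unicode")


def count_assertions(request_body):
    """Number of saml:Assertion elements anywhere in the document."""
    return len(ET.fromstring(request_body).findall(".//saml:Assertion", NS))


# Constructed sample: a SOAP request that already carries a WS-Security header.
GOOD_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}"/></soap:Header>
  <soap:Body><Ping/></soap:Body>
</soap:Envelope>"""

# Constructed sample: well-formed XML, but nothing for the XPath to resolve to.
NO_SECURITY_REQUEST = f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body/></soap:Envelope>'

# What an AssignMessage with an empty application/xml payload leaves behind.
EMPTY_REQUEST = ""

# Constructed, unsigned stand-in for the rendered <Template>; the real policy
# signs the assertion before inserting it, which this example does not do.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example:issuer</saml:Issuer>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, body in [("good", GOOD_REQUEST), ("no-security", NO_SECURITY_REQUEST),
                        ("empty", EMPTY_REQUEST)]:
        print(f"{label:12s} -> {failure_reason(body) or 'ok'}")
    print(inject_assertion(GOOD_REQUEST, SAMPLE_ASSERTION))
```

Run it to see that only the body carrying a soap:Header/wsse:Security element accepts the insertion; an empty or non-XML payload fails at parse time, and XML without that header fails at XPath resolution, the same two conditions the answer gives for the policy failing.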

2 REPLIES


Thanks Dino.