Hello,
I am getting the below error when I try to generate the SAML.
{
"fault": {
"faultstring": "GenerateSAMLAssertion[SAML]: Error transforming assertion into message.",
"detail": {
"errorcode": "steps.saml.generate.ErrorUpdatingPayload"
}
}
}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
<DisplayName>Assign Message-1</DisplayName>
<Properties/>
<Set>
<Payload contentType="application/xml"/>
</Set>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateSAMLAssertion name="SAML" ignoreContentType="false">
<CanonicalizationAlgorithm/>
<Issuer ref="reference">Issuer name</Issuer>
<KeyStore>
<Name ref="reference">ftfdevts</Name>
<Alias ref="reference">ftfdevts</Alias>
</KeyStore>
<OutputVariable>
<FlowVariable>assertion.content</FlowVariable>
<Message name="request">
<Namespaces>
<Namespace prefix="test">http://www.example.com/test</Namespace>
</Namespaces>
<XPath>/envelope/header</XPath>
</Message>
</OutputVariable>
<SignatureAlgorithm/>
<Subject ref="reference">Subject name</Subject>
<Template ignoreUnresolvedVariables="false">
<!-- A lot of XML goes here, in CDATA, with {} around
each variable -->
</Template>
</GenerateSAMLAssertion>
That isn't going to work. The configuration for the SAML policy is a bit involved, so let me try to explain it. Here's an example.
<GenerateSAMLAssertion name="SAML-1" ignoreContentType="false">
<!-- 1. data elements that might be included in the assertion -->
<Issuer>urn://18CF315A-6A9A-481F-93B8-C1AB988A7D49</Issuer>
<Subject>dinochiesa</Subject>
<!-- 2. algorithms to use when signing -->
<DigestMethod>SHA256</DigestMethod>
<SignatureAlgorithm>rsa-sha256</SignatureAlgorithm>
<!-- 3. key to use for signing -->
<KeyStore>
<Name>saml-example-keystore</Name>
<Alias>saml-key</Alias> <!-- refers to cert and key -->
</KeyStore>
<!-- 4. where to put the signed assertion -->
<OutputVariable>
<FlowVariable>assertion_content</FlowVariable>
<Message name="request">
<Namespaces>
<Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
<Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
</Namespaces>
<XPath>/soap:Envelope/soap:Header/wsse:Security</XPath>
</Message>
</OutputVariable>
<!-- 5. the content of the assertion that will be signed-->
<Template ignoreUnresolvedVariables="false">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="{saml.id}" Version="2.0" IssueInstant="{saml.issueInstant}">
<saml:Issuer>{saml.issuer}</saml:Issuer>
<saml:Subject>
<saml:NameID Format="{saml.subjectFormat}">{saml.subject}</saml:NameID>
</saml:Subject>
<saml:AuthnStatement AuthnInstant="{saml.authnInstant}" SessionIndex="{saml.authnSessionIndex}">
<saml:AuthnContext>
<saml:AuthnContextClassRef>{saml.authnContextClassRef}</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</Template>
</GenerateSAMLAssertion>
In the above there are distinct sections with numbered comments. I'll explain each here.
The result is that request.content, if it is an XML document AND if it has a WS Security header, will get the assertion injected into it.
If the request message is not an XML doc, or if the XPath does not resolve to a node, then the policy will fail.
Attached please find a working example API Proxy, and some tools to help provision the keystore. (Works on Apigee X)
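To make the last two points of the answer concrete, here is an added Python example (not code from the thread, Apigee, or the attached proxy) that emulates what section 4 of the policy does: it renders the Template with the flow variables, parses request.content, resolves the XPath under the declared namespace prefixes, and appends the assertion at that node. It returns the error code from the original question whenever the body is not XML or the XPath resolves to nothing, and fails separately on an unresolved {variable} because the template has ignoreUnresolvedVariables="false". The sample SOAP bodies, the flow-variable values, and the mapping of each failure to an error code are constructed assumptions; Python's ElementTree only supports a small XPath subset, so the location step is evaluated by hand rather than with a full XPath engine.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Prefixes declared in the policy's <Namespaces> block, plus SAML for the assertion itself.
NAMESPACES = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NAMESPACES.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when serialising

XPATH = "/soap:Envelope/soap:Header/wsse:Security"

# Trimmed copy of the answer's <Template>; {name} placeholders are flow variables.
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="{saml.id}" Version="2.0" IssueInstant="{saml.issueInstant}">
 <saml:Issuer>{saml.issuer}</saml:Issuer>
 <saml:Subject><saml:NameID Format="{saml.subjectFormat}">{saml.subject}</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed flow-variable values (hypothetical, not from the thread).
VARIABLES = {
    "saml.id": "_a1b2c3",
    "saml.issueInstant": "2024-01-01T00:00:00Z",
    "saml.issuer": "urn://example-issuer",
    "saml.subjectFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "saml.subject": "alice",
}

# Constructed request bodies: one that satisfies the XPath, one without a WS-Security header, one that is not XML.
SOAP_WITH_WSSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <soap:Header><wsse:Security/></soap:Header>
 <soap:Body><Ping/></soap:Body>
</soap:Envelope>"""
SOAP_NO_WSSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header/>
 <soap:Body><Ping/></soap:Body>
</soap:Envelope>"""
NOT_XML = '{"hello": "world"}'

# Error code taken from the question's fault; the mapping below is an assumption of this example.
ERROR_UPDATING_PAYLOAD = "steps.saml.generate.ErrorUpdatingPayload"


class UnresolvedVariable(Exception):
    """A {placeholder} in the template has no flow-variable value."""


class PayloadError(Exception):
    """The request is not XML or the XPath does not resolve to a node."""


def render_template(template, variables, ignore_unresolved=False):
    """Substitute {name} placeholders; mirrors Template ignoreUnresolvedVariables."""
    def substitute(match):
        name = match.group(1)
        if name in variables:
            return escape(str(variables[name]))  # XML-escape attacker-influenced values
        if ignore_unresolved:
            return ""
        raise UnresolvedVariable(f"unresolved variable {name}")
    return re.sub(r"\{([A-Za-z0-9_.]+)\}", substitute, template)


def qualify(step, namespaces):
    """Turn 'prefix:local' into ElementTree's '{uri}local' form."""
    if ":" not in step:
        return step
    prefix, local = step.split(":", 1)
    if prefix not in namespaces:
        raise PayloadError(f"undeclared namespace prefix {prefix}")
    return "{%s}%s" % (namespaces[prefix], local)


def locate_output_node(body, xpath, namespaces):
    """Parse the body and resolve an absolute element path such as /a:b/c:d."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise PayloadError(f"request is not XML: {exc}")
    steps = [s for s in xpath.split("/") if s]
    if not steps or root.tag != qualify(steps[0], namespaces):
        raise PayloadError(f"root element does not match {xpath}")
    node = root if len(steps) == 1 else root.find("/".join(steps[1:]), namespaces)
    if node is None:
        raise PayloadError(f"XPath {xpath} did not resolve to a node")
    return root, node


def inject_assertion(body, xpath, namespaces, assertion_xml):
    """Append the assertion under the node the XPath selects and reserialise."""
    root, node = locate_output_node(body, xpath, namespaces)
    node.append(ET.fromstring(assertion_xml))
    return ET.tostring(root, encoding="unicode")


def run_policy(body, xpath=XPATH, variables=VARIABLES):
    """Emulate the policy: returns ('ok', xml) or (error_code, detail)."""
    try:
        assertion = render_template(TEMPLATE, variables)
        return "ok", inject_assertion(body, xpath, NAMESPACES, assertion)
    except UnresolvedVariable as exc:
        return "unresolved-variable", str(exc)
    except PayloadError as exc:
        return ERROR_UPDATING_PAYLOAD, str(exc)


def count_assertions(xml_text):
    """Number of saml:Assertion elements anywhere in the document."""
    return len(ET.fromstring(xml_text).findall(".//saml:Assertion", NAMESPACES))


if __name__ == "__main__":
    for label, body in [("with wsse", SOAP_WITH_WSSE), ("no wsse", SOAP_NO_WSSE), ("json", NOT_XML)]:
        status, detail = run_policy(body)
        print(label, "->", status, "" if status == "ok" else detail)
    # The question's XPath (/envelope/header) against a SOAP body also fails.
    print("question xpath ->", run_policy(SOAP_WITH_WSSE, xpath="/envelope/header")[0])
```

Running the script shows the three outcomes the answer describes: the SOAP body with a wsse:Security header gets the assertion appended, while the body without that header, the JSON body, and the question's original /envelope/header XPath all fail before the payload is updated. The same check is a useful pre-flight in a proxy: verify that request.content is XML and that the XPath resolves before the policy runs, so the failure surfaces as a deliberate fault rather than as the generic ErrorUpdatingPayload.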
Thanks Dino.