Hi
I'm working on SAML generate and validate policies, but when invoking the Apigee endpoint I'm getting this error in Postman:
{
  "fault": {
    "faultstring": "GenerateSAMLAssertion[SAML]: Error transforming assertion into message.",
    "detail": {
      "errorcode": "steps.saml.generate.ErrorUpdatingPayload"
    }
  }
}
Please find the screenshot attached.
Any kind of help and suggestions will be appreciated.
Thanks.
I don't see the screenshot. But that's ok, I don't need to see it.
What would help is to see your GenerateSAMLAssertion policy configuration. Also, can you examine the "saml.error" context variable? What does it contain? That might give you a hint.
Without having any further information, I'm going to guess. "ErrorUpdatingPayload" could indicate that the policy can sign the SAML assertion, but cannot insert the signed assertion into the message at the XPath you supplied. That means you may have an incorrect XPath, or you may have incorrect namespaces. Can you show the content of the message into which you are inserting the signed assertion?
If you are using the Message output... maybe swap to using FlowVariable. That will simply insert the assertion into a flow variable and you can eliminate the xpath as a source of problems.
If that does not help you solve the problem, check the contents of the keystore and truststore. Do they contain the key and cert you think they contain? Use the Admin API to query it and show what you get out of those queries.
Thanks for your reply @Dino-at-Google
In saml.error I'm getting java.lang.NullPointerException.
SAML generator policy:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateSAMLAssertion name="SAML" ignoreContentType="false">
  <CanonicalizationAlgorithm/>
  <KeyStore>
    <Name>demoKeyStore</Name>
    <Alias>alias</Alias>
  </KeyStore>
  <Subject>ApigeeUser</Subject>
  <Issuer>Apigee</Issuer>
  <OutputVariable>
    <FlowVariable>assertion.content</FlowVariable>
    <Message name="message">
      <Namespaces>
        <Namespace prefix="Envelop">http://www.w3.org/2001/12/soap-envelope</Namespace>
        <Namespace prefix="encodingStyle">http://www.w3.org/2001/12/soap-encoding</Namespace>
        <Namespace prefix="Body">http://www.xyz.org/quotation</Namespace>
      </Namespaces>
      <XPath>/SOAP-ENV:Envelope/SOAP-ENV:Body/m:GetQuotationResponse/m:Quotation</XPath>
    </Message>
  </OutputVariable>
  <SignatureAlgorithm/>
  <Subject>Subject name</Subject>
  <Template ignoreUnresolvedVariables="false">
    <!-- A lot of XML goes here, in CDATA, with {} around each variable -->
  </Template>
</GenerateSAMLAssertion>
Input message:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2001/12/soap-envelope" SOAP-ENV:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
  <SOAP-ENV:Body xmlns:m="http://www.xyz.org/quotation">
    <m:GetQuotationResponse>
      <m:Quotation>Here is the quotation</m:Quotation>
    </m:GetQuotationResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
I apologize, the state of the documentation for this particular policy is currently not very good. Not only does it not explain the precedence of various configuration elements, the example configuration is broken and otherwise unhelpful or misleading.
I think you want to create a SAML assertion and inject it into a SOAP message. The GenerateSAMLAssertion policy can do that.
A configuration that I have, which works, is:
<GenerateSAMLAssertion name="SAML-2" ignoreContentType="false">
  <!-- set issuer and subject to hard-coded values -->
  <Issuer>urn://18CF315A-6A9A-481F-93B8-C1AB988A7D49</Issuer>
  <Subject>dinochiesa</Subject>
  <!-- specify the digest and signature methods for the assertion -->
  <DigestMethod>SHA256</DigestMethod>
  <SignatureAlgorithm>rsa-sha256</SignatureAlgorithm>
  <!-- the key and cert for signing -->
  <KeyStore>
    <Name>20191028-rzt9q2ppa6e</Name>
    <Alias>key1</Alias> <!-- cert and key -->
  </KeyStore>
  <!-- where to put the assertion -->
  <OutputVariable>
    <Message name="request">
      <Namespaces>
        <Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
        <Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
      </Namespaces>
      <XPath>/soap:Envelope/soap:Header/wsse:Security</XPath>
    </Message>
  </OutputVariable>
  <!-- the shape of the assertion to sign -->
  <Template ignoreUnresolvedVariables="false">
    <!-- the content of the assertion -->
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{saml.id}" Version="2.0" IssueInstant="{saml.issueInstant}">
      <saml:Issuer>{saml.issuer}</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="{saml.subjectFormat}">{saml.subject}</saml:NameID>
      </saml:Subject>
      <saml:AuthnStatement AuthnInstant="{saml.authnInstant}" SessionIndex="{saml.authnSessionIndex}">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>{saml.authnContextClassRef}</saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </Template>
</GenerateSAMLAssertion>
Some notes:
This sample unsigned SOAP message includes the required empty wsse:Security element, as well as a correct SOAP 1.1 namespace:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <SOAP-ENV:Header>
    <wsse:Security/>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body xmlns:m="http://www.xyz.org/quotation">
    <m:GetQuotationResponse>
      <m:Quotation>Here is the quotation</m:Quotation>
    </m:GetQuotationResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
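The two answers above come down to one question: does the XPath in the policy's OutputVariable/Message block, read with the prefixes declared in its Namespaces block, actually select one node in the message the policy is modifying? The following pre-flight check is an added example written for this thread; it is not part of Apigee and not code from either poster. It assumes only Python's standard library and supports only simple absolute child-axis paths like /p:a/q:b (no predicates, no descendant axis). The sample policy fragments and SOAP messages inside it are trimmed, constructed copies of the two configurations and two messages posted in this thread, so the output shows the asker's case (prefixes SOAP-ENV and m are never declared) next to the working case, and a third case where the prefixes are declared but the namespace URI does not match the message (SOAP 1.1 policy against a SOAP 1.2 message).

```python
import re
import xml.etree.ElementTree as ET

# Only simple absolute child-axis paths such as /p:a/q:b are supported here.
STEP_RE = re.compile(r"^(?:([A-Za-z_][\w.-]*):)?([A-Za-z_][\w.-]*)$")

# Constructed samples: trimmed copies of the OutputVariable blocks and SOAP
# messages posted in this thread (only the parts this check looks at).
BROKEN_POLICY = """<GenerateSAMLAssertion name="SAML">
  <OutputVariable>
    <Message name="message">
      <Namespaces>
        <Namespace prefix="Envelop">http://www.w3.org/2001/12/soap-envelope</Namespace>
        <Namespace prefix="encodingStyle">http://www.w3.org/2001/12/soap-encoding</Namespace>
        <Namespace prefix="Body">http://www.xyz.org/quotation</Namespace>
      </Namespaces>
      <XPath>/SOAP-ENV:Envelope/SOAP-ENV:Body/m:GetQuotationResponse/m:Quotation</XPath>
    </Message>
  </OutputVariable>
</GenerateSAMLAssertion>"""

ASKER_MESSAGE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2001/12/soap-envelope">
  <SOAP-ENV:Body xmlns:m="http://www.xyz.org/quotation">
    <m:GetQuotationResponse><m:Quotation>Here is the quotation</m:Quotation></m:GetQuotationResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

WORKING_POLICY = """<GenerateSAMLAssertion name="SAML-2">
  <OutputVariable>
    <Message name="request">
      <Namespaces>
        <Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
        <Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
      </Namespaces>
      <XPath>/soap:Envelope/soap:Header/wsse:Security</XPath>
    </Message>
  </OutputVariable>
</GenerateSAMLAssertion>"""

WORKING_MESSAGE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <SOAP-ENV:Header><wsse:Security/></SOAP-ENV:Header>
  <SOAP-ENV:Body xmlns:m="http://www.xyz.org/quotation">
    <m:GetQuotationResponse><m:Quotation>Here is the quotation</m:Quotation></m:GetQuotationResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def declared_namespaces(policy_xml):
    """Map each <Namespace prefix="..."> in the policy to its URI."""
    root = ET.fromstring(policy_xml)
    return {ns.get("prefix"): (ns.text or "").strip() for ns in root.iter("Namespace")}


def output_xpath(policy_xml):
    """Return the text of <OutputVariable><Message><XPath>, or '' if absent."""
    node = ET.fromstring(policy_xml).find(".//OutputVariable/Message/XPath")
    return (node.text or "").strip() if node is not None else ""


def xpath_steps(xpath):
    """Split /p:a/q:b into [('p', 'a'), ('q', 'b')]; prefix is None when absent."""
    if not xpath.startswith("/") or xpath.startswith("//"):
        raise ValueError("only simple absolute paths like /p:a/q:b are supported")
    steps = []
    for raw in xpath[1:].split("/"):
        m = STEP_RE.match(raw)
        if m is None:
            raise ValueError(f"unsupported XPath step: {raw!r}")
        steps.append((m.group(1), m.group(2)))
    return steps


def check_output_target(policy_xml, message_xml):
    """Report undeclared prefixes and how many message nodes the XPath selects."""
    nsmap = declared_namespaces(policy_xml)
    steps = xpath_steps(output_xpath(policy_xml))
    undeclared = []
    for prefix, _ in steps:
        if prefix and prefix not in nsmap and prefix not in undeclared:
            undeclared.append(prefix)
    matches = 0
    if not undeclared:
        # ElementTree names namespaced elements as {uri}local; build that form for
        # each step and walk child-by-child down from the document element.
        def clark(prefix, local):
            return "{%s}%s" % (nsmap[prefix], local) if prefix else local

        root = ET.fromstring(message_xml)
        current = [root] if root.tag == clark(*steps[0]) else []
        for prefix, local in steps[1:]:
            wanted = clark(prefix, local)
            current = [c for node in current for c in node if c.tag == wanted]
        matches = len(current)
    return {
        "undeclared_prefixes": undeclared,
        "matches": matches,
        "ok": not undeclared and matches == 1,  # exactly one insertion point
    }


if __name__ == "__main__":
    print("asker's config :", check_output_target(BROKEN_POLICY, ASKER_MESSAGE))
    print("working config :", check_output_target(WORKING_POLICY, WORKING_MESSAGE))
    # Declared prefixes, but SOAP 1.1 URI aimed at a SOAP 1.2 message.
    print("URI mismatch   :", check_output_target(WORKING_POLICY, ASKER_MESSAGE))
```

Running the script on a policy and the exact message it will be applied to, before deploying the proxy, catches both failure modes the answer above lists: a prefix used in the XPath that Namespaces never declares, and a prefix whose URI does not match what the message actually uses. The check requires exactly one match because the policy needs a single place to insert the assertion.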
Thanks for your reply. Could you please provide a working SOAP message with its proper XPath and namespaces?
I provided that in the answer that you are commenting on. I provided the policy configuration and the SOAP message I sent in. The resulting message, with the signed SAML Assertion inserted into it, is like this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns1="urn://67A38C49-9CF8-4277-A070-D410D667620C">
  <SOAP-ENV:Header>
    <wsse:Security>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_432c47cd3165e7ccf007e89901b189c9" IssueInstant="2021-02-09T00:29:12.954Z" Version="2.0">
        <saml:Issuer>urn://18CF315A-6A9A-481F-93B8-C1AB988A7D49</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_432c47cd3165e7ccf007e89901b189c9">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
              <ds:DigestValue>NFaV7RtKKYYIG53x7vW0bTmytaSBpuAIoisdpyYSaoc=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>IyV2CiwP+uzBJ75x8sfr4dAGifcXMOQ7p4r93ttnrjJ3Kjvrkk6YO2oPaduA5O8qBva98WPzOITgyxHLAA/xxby8wY7HkECRlMnm9K+XwkZFczrYglIqv6azJBxgFGFJSKiKYmlh8qwixjf02Ooak1AwKeBHq0OiTwyb5WljG0H+OERMPChZPrxH2vg9YT+88pDBOiVSLBIB5kFaKN235jHkt3G054xLkgylF/6epIuMNs94pGt7zRD1/DH8cONKzlE7r/2ODR7eBr5meLiCdYUOn3mjnUXd5xHsheEM98kCykj8/r5psLL3la/7Bz6HMTjlOlndFnamKbtVKJZm2g==</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>
                MIIDqDCCApACCQCG/xVb7Yzw3zANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCVVMxEzARBgNV
                BAgMCldhc2hpbmd0b24xETAPBgNVBAcMCEtpcmtsYW5kMQ8wDQYDVQQKDAZHb29nbGUxDzANBgNV
                BAsMBkFwaWdlZTEaMBgGA1UEAwwRYXBpZ2VlLmdvb2dsZS5jb20xIDAeBgkqhkiG9w0BCQEWEWdv
                ZGlub0Bnb29nbGUuY29tMB4XDTE5MTAyODE3MDY0NFoXDTI5MTAyNTE3MDY0NFowgZUxCzAJBgNV
                BAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMREwDwYDVQQHDAhLaXJrbGFuZDEPMA0GA1UECgwG
                R29vZ2xlMQ8wDQYDVQQLDAZBcGlnZWUxGjAYBgNVBAMMEWFwaWdlZS5nb29nbGUuY29tMSAwHgYJ
                KoZIhvcNAQkBFhFnb2Rpbm9AZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
                ggEBAL31OdfuXzgtIjvkNzFFECS94rsXo0BQEl0EEhAKrmBwpSkRBnesB8ca+a8zHn/DUapjdeZx
                ++kWCznDWUzXRjZCy7wEHhK+keeoq5QOy6fDecVWcreqBpjEHq5dg0K+xyt0AAc3J6eDNFakJb76
                ULgS6H5jDGN2b5WDwRKCKM3cMJOWLjV/1rlpvWC79ODP82A+MO5Il7SGexXP9vSVeaDifG41vSUU
                vTBPSrQQEhuqztov6rg19yGNO8BMAVK84ZJ5XuABzsLvy+R1Y1ucYp9EFA+YGKs4ebCX/T7qJhj7
                ocoJQ/Zx025DbG2ZdOkPfTzY8UFGR2u/p75Md2IH4RECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
                WU4tlq/tS3ccwvldb1W5RQwzdZVdmySiE9OotoN0v+1pTRu6DR8LTKI6U73e7Z+wwt66InHuxnTo
                gYf2z660KQ11PDLbSYCftlcfuklFtK/2c2rHg/VvDft97RvRSzIhJ5iUdS4/TPOPdF5mWB3cMaJq
                sqDsBoVe/G/aB+0wtqiX976uwrqydocOC2/FEGDgen9VmnOxZ0+efa1flw5vQ9TBumIFoI+oP2a9
                SFBbEfU7jOzcYjBaZuNUDVLGvbTSRgWG5lwm85Jar2zeCBcxFDwqyZFvVNV9SfoWF/LgVVpK54n8
                rknZ17USb0ob51ckxPTENmF2DUHBzgptiw10Yw==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dinochiesa</saml:NameID>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="2021-02-09T00:29:12.954Z" SessionIndex="NoSessionIndex">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body xmlns:m="http://www.xyz.org/quotation">
    <m:GetQuotationResponse>
      <m:Quotation>Here is the quotation</m:Quotation>
    </m:GetQuotationResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Thank you Dino-at-Google