How to ~generate~ Validate a SAML Assertion using Apigee

I got a new requirement to generate and validate a SAML 2.0 token using a Keycloak IdP server. I need to implement this requirement for an API authentication flow (not for SSO). Kindly help me to implement this; please share any sample proxy or jar files you have.

Thanks.


I am not clear whether you want to Generate a SAML token, or verify a SAML token that has been generated by a third-party IDP. 

Just a week ago I answered a question regarding how to Generate a SAML token. Find that discussion here.

Hi Dchiesa1. Thanks for replying. I am trying to use Apigee as the service provider. I have generated the SAML response from the Oauth0 IdP. Now I am trying to validate the SAML response using Apigee, but I am getting the error below.

{
    "fault": {
        "faultstring": "ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Digital Signature Validation Failed",
        "detail": {
            "errorcode": "steps.saml.validate.SignatureValidationFailed"
        }
    }
}
I am using the correct certificate, which is added in the trust store, but I am still getting the above error. Please find the ValidateSAMLAssertion policy configured in my API below.
 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ValidateSAMLAssertion ignoreContentType="false" name="Validate-SAML-Assertion-1">
    <DisplayName>Validate SAML Assertion-1</DisplayName>
    <Source name="request" ignoreContentType="true">
        <Namespaces>
            <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
            <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
        </Namespaces>
        <XPath>/samlp:Response/saml:Assertion</XPath>
    </Source>
    <TrustStore>Oauth0</TrustStore>
    <RemoveAssertion>true</RemoveAssertion>
</ValidateSAMLAssertion>
 
Please help me to resolve this issue. If possible, please share a sample API.

Where is the SAML Response with the assertion? Have you examined it to verify that it is of the form you expect? Can you show it here? Does it have the expected namespaces? Is the XPath that you specified correct?

Is the assertion encoded? Often SAML assertions provided by IDPs are compressed and then base64-encoded, and then embedded in an HTTP Header called SAMLResponse. The ValidateSAMLAssertion policy is not able to handle that form of a SAML Assertion. ValidateSAMLAssertion expects the SAML Assertion to be present in a plaintext XML document, not base64 encoded, and not compressed. If you need to decode the compressed-then-base64-encoded form of a SAML Assertion into plaintext XML, you can use this Java callout to do so.
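As an added illustration of the point above (not code from this thread or from the Java callout it mentions), the following Python script decodes a SAMLResponse value into the plaintext XML that ValidateSAMLAssertion needs and then checks that the policy's XPath /samlp:Response/saml:Assertion, with the namespaces from the posted policy, actually selects an assertion. It goes slightly beyond the reply by handling both the deflate-then-base64 form (HTTP-Redirect binding) and the base64-only form (HTTP-POST binding); the sample Response, its IDs and the issuer URL are constructed placeholders, and the sample carries no signature, so it only shows the decoding and XPath steps that come before signature validation.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Namespaces exactly as declared in the ValidateSAMLAssertion policy above.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def decode_saml_response(value: str) -> str:
    """Turn a SAMLResponse header/form value into plaintext XML.

    Handles base64 of raw-DEFLATE-compressed XML (HTTP-Redirect binding)
    and base64 of plain XML (HTTP-POST binding).
    """
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):      # already plain XML after base64
        return raw.decode("utf-8")
    # wbits=-15 selects a raw DEFLATE stream (no zlib/gzip header).
    return zlib.decompress(raw, -15).decode("utf-8")

def find_assertion(xml_text: str):
    """Apply the policy's XPath: /samlp:Response/saml:Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return None                        # wrong root element or namespace
    return root.find("saml:Assertion", NS)

# Constructed, unsigned sample Response (hypothetical IDs and issuer).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '</saml:Assertion></samlp:Response>'
)

def encode_redirect(xml_text: str) -> str:
    """Compress-then-base64, as the HTTP-Redirect binding does."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def encode_post(xml_text: str) -> str:
    """Base64 only, as the HTTP-POST binding does."""
    return base64.b64encode(xml_text.encode()).decode()

if __name__ == "__main__":
    for value in (encode_redirect(SAMPLE_XML), encode_post(SAMPLE_XML)):
        a = find_assertion(decode_saml_response(value))
        print(a.get("ID"), a.findtext("saml:Issuer", namespaces=NS))
```

If find_assertion returns None for a real Response, the XPath or namespaces in the policy do not match the document, which is worth ruling out before chasing the signature error.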