SAML signed authn request (generateSamlAssertion policy)

Hi all,

We would like to use Apigee as the tool to generate an authn request to a SAML SSO platform, let the user log in, and if the response is valid, generate an OAuth token.

I have been playing around with the GenerateSAMLAssertion policy, which enables me to sign a saml:assertion.

I have not found a way to sign an authn XML (or a metadata XML for that matter) with this policy.

Is this something that can be done by this policy? (Or at least out of the box by Apigee?)

Below is a sample signed authn request, which is what I want to achieve.

Hope that someone can point me in the right direction.

Thanks,

Gijs

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[base64 X.509 certificate omitted]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
1 ACCEPTED SOLUTION

Hi Gijs, after taking a closer look at your question, Apigee doesn't support signing an AuthnRequest. It only supports signing Assertions. In many cases, signing an AuthnRequest is not needed - however, in your case, it sounds like it's a requirement.

There is a Java library that you can use called OpenSAML to sign the AuthnRequest. Or there are other Java libraries that will let you sign XML. You can call the library through the Java callout policy. You will likely need to create a Java callout that leverages the library.
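As an added example (not code from this thread, Apigee or OpenSAML), the following shows how a Java callout could build and sign an AuthnRequest using only the JDK's built-in javax.xml.crypto.dsig API, producing the same shape as the sample in the question: an enveloped signature referencing the request's ID, exclusive C14N, and the certificate in ds:X509Data, placed directly after saml:Issuer as SAML requires. It uses RSA-SHA256/SHA-256 rather than the sample's rsa-sha1/sha1, and assumes the caller already holds the private key and certificate (e.g. loaded from a callout property) and supplies an NCName-safe random ID; whether these JDK classes are reachable from inside the Apigee callout sandbox is an assumption this thread does not confirm.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Arrays;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignAuthnRequest {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Builds a minimal AuthnRequest and envelopes a ds:Signature over it that
    // references the request's own ID (hypothetical helper; key/cert/id are caller-supplied).
    public static Document build(PrivateKey key, X509Certificate cert, String id,
                                 String issuer, String acsUrl) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element req = doc.createElementNS(SAMLP, "samlp:AuthnRequest");
        req.setAttribute("ID", id);                      // must be an NCName, e.g. "_" + random hex
        req.setAttribute("Version", "2.0");
        req.setAttribute("IssueInstant", Instant.now().toString());
        req.setAttribute("AssertionConsumerServiceURL", acsUrl);
        req.setIdAttribute("ID", true);                  // lets Reference URI="#id" resolve
        doc.appendChild(req);
        Element iss = doc.createElementNS(SAML, "saml:Issuer");
        iss.setTextContent(issuer);
        req.appendChild(iss);
        Element nip = doc.createElementNS(SAMLP, "samlp:NameIDPolicy");
        nip.setAttribute("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
        req.appendChild(nip);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + id, fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                          fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Arrays.asList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        // SAML requires ds:Signature right after saml:Issuer: insert it before NameIDPolicy
        fac.newXMLSignature(si, kif.newKeyInfo(Arrays.asList(kif.newX509Data(Arrays.asList(cert)))))
           .sign(new DOMSignContext(key, req, nip));
        return doc;
    }
}
```

The returned Document can be serialized with javax.xml.transform and then base64-encoded for the HTTP-POST binding; for HTTP-Redirect the signature is instead computed over the query string, which this routine does not cover.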



@Gijs

Were you able to get this to work? I think this is possible with Apigee and it should work.

Hi Gijs, yes, you can sign the assertion with this policy. You will have to load the certificate in the Keystore first. In the SAML policy, there is a KeyStore field where you can specify which certificate to sign the message with. There is also the SignatureAlgorithm that you'll need to set.

To load the cert into the keystore, take a look at this link:

http://docs.apigee.com/api-services/content/keystores-and-truststores

For more about the SAML policy, see this link:

http://docs.apigee.com/api-services/reference/saml-assertion-policy

Hi @David Mehi,

I know signing is possible, but so far I am only able to sign an Assertion and not anything that looks any different from an assertion, such as what is specified above. I have working samples with signed assertions with my own keys, but am unable to sign a request as specified above.

I created a "complete" assertion and an assertion using a message (signing a specific part), but am not able to sign anything like the above.

If still possible, can you please point me in the right direction with any description or an example?

Thanks for the help.


As @David Mehi implies, to sign this message with the specified public key you would need to add it to the Keystore. Signing is only possible with keys in the Keystore.

Further, to my knowledge the public key included in a given assertion would be ignored on validation. Rather, the expectation is that the keys are available via the Keystore. In cases where assertions that include a public key are validating, it is likely that the Keystore contains a suitable key.


Hi @David Mehi,

We now created a solution based on OpenSAML, but this uses a lot of other libraries, which on their behalf also use "Java security internals" which are not available in an Apigee container.

Is there a way to make a callout access these internals to make this possible? Otherwise many, many libraries will not work when doing encryption and decryption in Java.

Hope you can shine some light on this as well!

New comment to an old answer. Interested readers may want to try this callout.

Hi David, thanks for your response! I was just opening the issue to add my sample and saw your answer "1 minute ago".

That is a clear answer, we will find an alternative way (Java callout) to sign the AuthnRequest.

@Gijs Zonneveld

Finally, how did you achieve this? I also have the same problem statement.

Could you please help?

Hi!

We created a Java Callout, where we do all the request generation and signing, and use that in our flow. Sadly this still is an external dependency.

Best regards,

Gijs

Thanks for the update.

We use a small JAR with Tomcat to do it.

With OpenSAML (I think we still use V2, which is EOL now...):

https://wiki.shibboleth.net/confluence/display/OS30/Home

We have not published the actual implementation anywhere and the V2 is not current anymore.

Resuscitating this old question, I produced a Java callout to create a signed AuthnRequest.

It does not rely on OpenSAML and a bunch of other libraries. It does rely on BouncyCastle 1.62.

It works in Apigee Edge.

Works with HTTP POST and HTTP Redirect bindings.

Many options. Let me know how it works for you.