Hi All,
I have a requirement to validate a SAML assertion, so I am trying the SAML Validation policy and sending a SAML assertion in the body of a POST request in Postman. I am getting the error below:
{
  "fault": {
    "faultstring": "ValidateSAMLAssertion[2-VSA-ValidateSAML]: Error while evaluating xpath /samlp:Response",
    "detail": {
      "errorcode": "steps.saml.validate.ErrorEvaluatingXPath"
    }
  }
}
I have given the XPath as /samlp:Response and have also tried /Assertion, and I get the same error.
It is impossible to know why this isn't working without more information. Please share the SAML Validation policy and a sample SAML assertion you are testing with.
Hi @apickelsimer,
I have the same problem. This is my SAML Validation policy:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ValidateSAMLAssertion ignoreContentType="false" name="Validate-SAML-Assertion">
  <DisplayName>Validate SAML Assertion</DisplayName>
  <Source name="request">
    <Namespaces>
      <Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
      <Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
      <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
    </Namespaces>
    <XPath>/samlp:Response/saml:Assertion</XPath>
  </Source>
  <Description/>
  <TrustStore>saml-idp</TrustStore>
  <RemoveAssertion>true</RemoveAssertion>
</ValidateSAMLAssertion>
Here is a sample SAML assertion:
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2dad8efec11eafc208c43087333f19d0698ad6a92" InResponseTo="a101ee8781f29g8b4jej79bcgebi192" Version="2.0" IssueInstant="2023-02-03T14:21:14Z" Destination="https://iit.authentication.eu20.hana.ondemand.com/saml/SSO/alias/iit.azure-live-eu20">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sso-ppd.my_company.com/idp/openam
</saml:Issuer>
<samlp:Status
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2afe1937676055d56d4734dd3ceb079ae65e019b0" IssueInstant="2023-02-03T14:21:14Z" Version="2.0">
<saml:Issuer>https://sso-ppd.my_company.com/idp/openam</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#s2afe1937676055d56d4734dd3ceb079ae65e019b0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>VooWgzv2r74obYCjt0IZx2+luEKfgy8Xr06bsUO6c8c=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
S1Dfggyd9yTFcbpyqLzuDJc3fsS4z8FR7KYWUKxJNSIqH1xSMCDOjAnXnGCmhOh95oY5Ll2+4Xy3
CRpj9u94SlvdOVATWEnOnIoZniZ1RkeOEc3EKPqRqy8BIvSQFnH+vrSICfg6p+Qp4k5d6Ho+WojH
GDVqPckj+9AVYbqAvNhTbWwDVMry/TNNAaD8muJtY6kMkFC8HuZ/K/xqxKCPMirDwwnY7cxGIuw6
kdpkIqKnq55DZQAnHHENqiYqgA/2sDKaRLn5CPIRjPRiY+j5nyVKRtQoU26rir20kaTV0mTRkO5d
hbUvScBuNoIRNt5YH/AaqvvH3bqfkg2z/8/I5A==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://sso-ppd.my_company.com/idp/openam" SPNameQualifier="https://iit.authentication.eu20.hana.ondemand.com">my_user</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="a101ee8781f29g8b4jej79bcgebi192" NotOnOrAfter="2023-02-03T14:31:14Z" Recipient="https://iit.authentication.eu20.hana.ondemand.com/saml/SSO/alias/iit.azure-live-eu20"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2023-02-03T14:11:14Z" NotOnOrAfter="2023-02-03T14:31:14Z">
<saml:AudienceRestriction>
<saml:Audience>https://iit.authentication.eu20.hana.ondemand.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2023-02-03T14:21:13Z" SessionIndex="s22151a291b67897a999073befa7435bb136c72001">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="uid">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my_user
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="cn">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SEDE Utente
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sn">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SEDE
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my_user@dev.my_company.com
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="givenName">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Utente
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Thanks for helping me.
Your namespaces are incorrect in your policy. It should be:
<Namespaces>
  <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
  <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
</Namespaces>
The XPath is correct:
<XPath>/samlp:Response/saml:Assertion</XPath>
I just tested this and it is working for me; however, your token has already expired.
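An added example, not code from the thread or from Apigee, that reproduces the failure in plain Python: the prefix in the policy's XPath is looked up in the policy's own <Namespaces> map, so the document declaring xmlns:samlp itself does not help, and the corrected map is what makes /samlp:Response/saml:Assertion resolve; it also applies the assertion's Conditions window, which is why the posted token counts as expired. SAML_RESPONSE is a constructed cut-down copy of the response above, and select/evaluate/assertion_is_current are this example's own helpers, not the policy's internals.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed cut-down copy of the response posted above (signature, subject and attributes dropped).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <saml:Conditions NotBefore="2023-02-03T14:11:14Z" NotOnOrAfter="2023-02-03T14:31:14Z"/>
  </saml:Assertion>
</samlp:Response>"""

# <Namespaces> as in the posted policy (no samlp binding; wsse dropped) and as corrected in the answer.
POSTED_NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
             "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CORRECTED_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
                "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def select(xml_text, xpath, namespaces):
    """Evaluate an absolute child-step XPath such as /samlp:Response/saml:Assertion.
    Prefixes resolve against the policy's map only, never against the document's
    own xmlns declarations, so an unbound prefix raises KeyError either way."""
    def qname(step):
        prefix, _, local = step.rpartition(":")
        if prefix and prefix not in namespaces:
            raise KeyError(prefix)
        return "{%s}%s" % (namespaces[prefix], local) if prefix else local
    steps = xpath.strip("/").split("/")
    node = ET.fromstring(xml_text)
    if node.tag != qname(steps[0]):   # unprefixed 'Assertion' never matches a namespaced element
        return None
    for step in steps[1:]:
        node = node.find(qname(step))
        if node is None:
            return None
    return node

def evaluate(xml_text, xpath, namespaces):
    """Summarise the outcome as 'matched', 'no match' or 'unbound prefix <p>'."""
    try:
        node = select(xml_text, xpath, namespaces)
    except KeyError as err:
        return "unbound prefix " + err.args[0]
    return "matched" if node is not None else "no match"

def assertion_is_current(assertion, now_iso):
    """Apply saml:Conditions NotBefore (inclusive) / NotOnOrAfter (exclusive) at a UTC instant."""
    ts = lambda s: dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
    cond = assertion.find("saml:Conditions", CORRECTED_NS)
    return ts(cond.get("NotBefore")) <= ts(now_iso) < ts(cond.get("NotOnOrAfter"))
```

Running evaluate with POSTED_NS reports the unbound samlp prefix, which is the condition behind the ErrorEvaluatingXPath fault; with CORRECTED_NS the assertion is found, and assertion_is_current then rejects any instant at or after 2023-02-03T14:31:14Z.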