Seems like certificates in our trust store are not always used or valid

Hi!

We've been struggling with validating a SAML assertion in Apigee for a good while now, and a few days ago things started to work; however, it magically stopped working again now, and we simply can't seem to figure out why.

Our ValidateSAMLAssertion policy looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ValidateSAMLAssertion name="SAML" ignoreContentType="false">
    <Source name="request">
        <Namespaces>
            <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
            <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
        </Namespaces>
        <XPath>/samlp:Response/saml:Assertion</XPath>
    </Source>
    <RemoveAssertion>false</RemoveAssertion>
    <TrustStore>SAML</TrustStore>
    <DisplayName>Validate SAML Assertion</DisplayName>
</ValidateSAMLAssertion>

The assertion is valid according to samltools, but here is my assertion with our Apigee path taken out:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f20efea2ff27d10d58e1" Version="2.0" IssueInstant="2020-03-09T12:20:43Z" Destination="http://our-apigee-path/test-saml-partymanagement">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:7000/</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_f20efea2ff27d10d58e1">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>rggLfVuQ/6CwuvFKaiIRIFSjA8uf/BQtlYyBCJQ7nho=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>ZQ7DkHi5Jxl9PtTTsVJu8QwaNLqD41owqYMs+jk85x/eexyHGIJvyy29vQYETeDaT/9mufEO0jcVZhKx50C5KskoKC1bGwdubIGnjteyjHkJhf2XMxlTQ4Uj4AzoP4M6+aqUSP9ehFLb05C4tLVA9pXcC8o/oaHbtg47AKybeHTTDjv8p3Ro1jsDyaebECjqjj8btKAMI88hSUDdVvFftpWqu2rGDfyhoRCtvS/gigtNHfKTHOLIGevq+sUD9N3VYMMC3NZxgbsN8k63zFpBnSAybphrKrHup8s1V/rxFiStmvAh2u+hKQPJKhSth49W5fkLcpvohFlAWgfaWxhFNA==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>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</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_0nTmTK90z76PDuuF8hZ3s0T8UKpxQk2x" IssueInstant="2020-03-09T12:20:43.132Z">
        <saml:Issuer>http://localhost:7000/</saml:Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_0nTmTK90z76PDuuF8hZ3s0T8UKpxQk2x">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>1nwTafxKW6si9QVbZlvOJ/YBm7SzI4TPxumzYN1HzVs=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>Qi1KvaTk1oDbx61dzw87lbu6sXe3MBsauK28WfyPwjRoBI+tdhjFNH2qS/5YIlu1dkUf46eleqHq4vNyx3xVDVpyuNIBT2CJnnaGpNzP2ICrDydmsV8sqmSOD+EMi8JkVeF4r9Y+UOu1wdl7JdISrWkNyfGHfLDqgJ2inEimFgso8VNuWu89CeKEZncyUPqJMTpTykYQesR4x+ieK26ewPpGJr5nta4TsNaGKsMSHT3Mc8KbmWc7MixxplQs08tn1huo3weaaZuNJ844nFJDeY46NskOOsivSJfkajBv3ALYgwR+Gq6RN+DDUE93YdYNojBtxua+Y2QtOnABaKnVvA==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>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</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">saml.jackson@example.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2020-03-09T13:20:43.132Z" Recipient="http://our-apigee-path/test-saml-partymanagement"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2020-03-09T12:20:43.132Z" NotOnOrAfter="2020-03-09T13:20:43.132Z">
            <saml:AudienceRestriction>
                <saml:Audience>http://our-apigee-path</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2020-03-09T12:20:43.132Z" SessionIndex="892528770">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">Saml</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">Jackson</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">saml jackson</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">saml.jackson@example.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="mobilePhone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">+1-415-555-5141</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">Simple IdP Users</saml:AttributeValue>
                <saml:AttributeValue xsi:type="xs:string"> West Coast Users</saml:AttributeValue>
                <saml:AttributeValue xsi:type="xs:string"> Cloud Users</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="userType" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">Admin</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

It's generated from this Node project, pointed towards our Apigee proxy:
https://www.npmjs.com/package/saml-idp

Our flow base64-decodes the message:

// Apigee JavaScript policy step. Base64 is assumed to come from a helper
// script pulled in through the policy's IncludeURL (the Apigee JavaScript
// policy has no built-in Base64 object).
var assertion = context.getVariable("message.content");
var decodedAssertion = Base64.decode(assertion);

// Hand the decoded XML to the next step as a flow variable.
context.setVariable("saml.decoded", decodedAssertion);


Then sets it as the body:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="amSetBody">
    <DisplayName>amSetBody</DisplayName>
    <Set>
        <Headers>
            <Header name="Content-Type">text/xml</Header>
        </Headers>
        <Payload contentType="text/xml">{saml.decoded}</Payload>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

And then does the SAML validation, which doesn't work; we're getting the error:

{"fault":{"faultstring":"ValidateSAMLAssertion[SAML]: Digital Signature Validation Failed","detail":{"errorcode":"steps.saml.validate.SignatureValidationFailed"}}}

However, for some reason it has been working from time to time, and to our knowledge it has stopped working without any changes (at least without changes in the proxy; we don't know of any underlying changes in Apigee that could have this effect...).

Does anyone have any suggestions on how to go forward with this?

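The checks I would run before touching the proxy, as an added example that is not part of the original post and not Apigee's or saml-idp's own tooling: samltools verifies the signature with the certificate embedded in the message's <KeyInfo>, whereas the policy above is told to trust only what is in the TrustStore named "SAML", so the first thing to rule out is that the two certificates differ or that the trusted one has expired. The script pulls the certificate out of the response, compares its SHA-256 fingerprint with the certificate you uploaded to the trust store (exported locally as a PEM file), checks the validity window, and, where xmlsec1 is installed, verifies the XML signature against that certificate. The file names response.xml and truststore.pem, and the assumption that the trust store holds a single IdP certificate, are mine.

```shell
#!/bin/sh
# Added example (not from the post): offline checks that the signing certificate
# carried in a SAML response's <KeyInfo> is the same certificate that sits in the
# Apigee TrustStore, and that it is still valid. Needs only openssl; xmlsec1 is
# optional and used for the full signature check.

# Print the first <X509Certificate> body in an XML file as a PEM certificate.
# All whitespace is stripped first because IdPs often line-wrap the base64 body.
extract_keyinfo_cert() {
  b64=$(tr -d '\n\r\t ' < "$1" \
        | grep -oE '<(ds:)?X509Certificate>[^<]*' \
        | head -n 1 \
        | sed -E 's/<(ds:)?X509Certificate>//')
  [ -n "$b64" ] || { echo "no X509Certificate element in $1" >&2; return 1; }
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$b64" | fold -w 64
  printf '%s\n' '-----END CERTIFICATE-----'
}

# SHA-256 fingerprint (colon-separated hex) of the first certificate in a PEM file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 when the KeyInfo certificate is byte-for-byte the trust-store
# certificate (same DER, hence same fingerprint), 1 otherwise.
check_keyinfo_matches_truststore() {
  response_xml=$1
  truststore_pem=$2
  tmp=$(mktemp) || return 1
  extract_keyinfo_cert "$response_xml" > "$tmp" || { rm -f "$tmp"; return 1; }
  keyinfo_fp=$(cert_fingerprint "$tmp")
  trusted_fp=$(cert_fingerprint "$truststore_pem")
  rm -f "$tmp"
  echo "KeyInfo cert:    $keyinfo_fp"
  echo "TrustStore cert: $trusted_fp"
  [ -n "$keyinfo_fp" ] && [ "$keyinfo_fp" = "$trusted_fp" ]
}

# Print the validity window and exit 0 only if the certificate has not expired.
# Note: -checkend only looks at notAfter; compare notBefore by eye in the output.
check_cert_validity() {
  openssl x509 -in "$1" -noout -dates
  openssl x509 -in "$1" -noout -checkend 0
}

# Full XML-DSig check with xmlsec1 against the trusted certificate. The ID
# attributes are registered so the Reference URI="#..." can be resolved.
# xmlsec1 verifies the first <Signature> it finds (here the Response signature);
# use --node-xpath to point it at the Assertion signature instead.
verify_signature() {
  command -v xmlsec1 >/dev/null 2>&1 || { echo "xmlsec1 not installed" >&2; return 2; }
  xmlsec1 --verify --trusted-pem "$2" \
    --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response \
    --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion \
    "$1"
}

# Usage: ./saml_cert_check.sh response.xml truststore.pem
if [ "$#" -eq 2 ]; then
  check_keyinfo_matches_truststore "$1" "$2"
  check_cert_validity "$2"
  verify_signature "$1" "$2"
fi
```

If the fingerprints differ, the trust store does not hold the key that signed the message, which matches the SignatureValidationFailed fault regardless of what samltools reports; if they match and xmlsec1 verifies the file that left the IdP, the next suspect is the decode-and-reassign step in the proxy, since any change to whitespace or encoding inside the signed element invalidates the digest even though the certificate is right.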