Can X509SubjectName be included when signing Saml2AuthnResponse? - itfoxtec-identity-saml2

I've created a Saml2AuthnResponse and am passing it to Saml2PostBinding.Bind().
The X509Data node does not contain X509SubjectName although my cert obviously has one.
How can this be added?
Also, can the standard prefix "ds:" be added to all Signature nodes?
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
...
<KeyInfo>
<X509Data>
-missing <X509SubjectName> should be here-
<X509Certificate>...cert data...

The ITfoxtec Identity SAML component uses the .NET libraries to generate the response and add the certificate. I do not think what you request is supported, I'm afraid.
You are welcome to do a pull request if you figure it out.
GitHub repository: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2
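As an added illustration (not ITfoxtec code), this shows how .NET's SignedXml API, which the answer says the component builds on, emits X509SubjectName when the KeyInfo is assembled by hand; the SamlSigner class, the minimal Response element and the self-signed certificate are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added illustration, not ITfoxtec code: build the KeyInfo by hand with .NET's SignedXml
// so <X509Data> carries <X509SubjectName> beside <X509Certificate>. Names are constructed.
public static class SamlSigner
{
    public static XmlElement Sign(XmlDocument doc, X509Certificate2 cert)
    {
        var root = doc.DocumentElement ?? throw new ArgumentException("empty document");
        var signedXml = new SignedXml(doc)
        {
            SigningKey = cert.GetRSAPrivateKey() ?? throw new ArgumentException("no RSA private key")
        };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        // Enveloped signature over the element identified by its ID attribute, as SAML does.
        var reference = new Reference("#" + root.GetAttribute("ID"));
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        // The constructor adds <X509Certificate>; AddSubjectName emits <X509SubjectName>.
        var x509Data = new KeyInfoX509Data(cert);
        x509Data.AddSubjectName(cert.Subject);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(x509Data);
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();
        // GetXml() yields <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">; SignedXml has no "ds:" prefix option.
        var sig = (XmlElement)doc.ImportNode(signedXml.GetXml(), true);
        root.AppendChild(sig);
        return sig;
    }

    public static void Main()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=idp.example.test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_constructed-1\" Version=\"2.0\"/>");
        Console.WriteLine(Sign(doc, cert).OuterXml);
        // Receiver-side check: the enveloped signature must still verify against the certificate.
        var check = new SignedXml(doc);
        check.LoadXml((XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0]);
        Console.WriteLine("verifies: " + check.CheckSignature(cert, verifySignatureOnly: true));
    }
}
```

Requires the System.Security.Cryptography.Xml package on .NET Core / .NET 5+; on .NET Framework it ships in the box.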

Related

Keycloak IdP SAML 2 Export of XML metadata to an SP

I'm using Keycloak version 1.6.1, newly installed as a standalone application.
Keycloak should act as an IdP (Identity provider) for an SP (Service Provider) called Tableau.
I have read from this page: http://blog.keycloak.org/2015/03/picketlink-and-keycloak-projects-are.html
"... Keycloak from being Identity Broker grew into being fully fledged Identity Provider"
While it was an Identity Broker, it is now also an Identity Provider.
My question is then:
I have exported the SP XML Metadata from Tableau, which I imported into Keycloak, but when it comes to the export of the IdP XML Metadata from Keycloak (which should be imported into Tableau) I cannot find the button/command/guide anything about how to export this XML file.
I have worked with other IdPs and they all support this export of IdP Metadata which you can see an example of here: https://docs.oracle.com/cd/E19636-01/819-7664/g2enua/index.html
If I search for Keycloak and the keyword IDPSSODescriptor I find this:
grepcode.com/file/repo1.maven.org/maven2/org.keycloak/keycloak-saml-protocol/1.1.0.Beta2/idp-metadata-template.xml
Which is exactly the 'template' I need, with the correct links on all ${idp.sso.HTTP-POST} etc. places.
Should I create the file manually - if so how do I find the correct POST, REDIRECT etc. URLs?
Or is there some way of exporting this file I haven't seen?
Sometimes it's a good thing to specify in writing what you need - which I did here on Stack Overflow.
I found the URL to where on Keycloak one can export the IdP XML
https://keycloak-url/realms/{REALM-NAME}/protocol/saml/descriptor
That gave me the IDPSSODescriptor.
I'll leave this thread here, so people can benefit from my mistakes.
Since Keycloak 3.x, IdP XML descriptor needs /auth/ after keycloak-url
https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor
The original poster is correct that the option SAML Metadata IDPSSODescriptor is no longer available on Keycloak 6.0.1
One change to make is when you use the URL https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor, Rancher expects the root element to be EntityDescriptor so you need to remove EntitiesDescriptor and copy the namespaces from the root element.
i.e.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}">
....
</EntityDescriptor>
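The edit described in the answer above (dropping the EntitiesDescriptor wrapper so the root becomes EntityDescriptor, with the namespaces carried along), as an added example that is not Keycloak or Rancher code; the class name and the sample metadata are constructed.

```csharp
using System;
using System.Xml;

// Added illustration, not Keycloak or Rancher code: take the descriptor Keycloak serves at
// .../protocol/saml/descriptor and return a document whose root is the <EntityDescriptor>
// itself. The class name and the sample metadata below are constructed.
public static class SamlMetadata
{
    const string MdNs = "urn:oasis:names:tc:SAML:2.0:metadata";

    public static XmlDocument UnwrapEntityDescriptor(string metadataXml)
    {
        var src = new XmlDocument { PreserveWhitespace = true };
        src.LoadXml(metadataXml);
        var root = src.DocumentElement;
        if (root.NamespaceURI != MdNs)
            throw new ArgumentException("root element is not in the SAML metadata namespace");
        if (root.LocalName == "EntityDescriptor")
            return src;                              // already the shape Rancher expects
        if (root.LocalName != "EntitiesDescriptor")
            throw new ArgumentException("unexpected root element " + root.Name);

        var entities = root.GetElementsByTagName("EntityDescriptor", MdNs);
        if (entities.Count != 1)
            throw new ArgumentException($"expected exactly one EntityDescriptor, found {entities.Count}");

        // ImportNode keeps every element's namespace URI, so serialising the new document
        // declares xmlns / xmlns:dsig on the new root: the "copy the namespaces" step.
        // Caveat: a signature placed over the old EntitiesDescriptor no longer covers this root.
        var dst = new XmlDocument { PreserveWhitespace = true };
        dst.AppendChild(dst.ImportNode(entities[0], true));
        return dst;
    }

    public static void Main()
    {
        // Constructed stand-in for what Keycloak returns; the real descriptor has far more content.
        const string sample =
            "<EntitiesDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" " +
            "xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">" +
            "<EntityDescriptor entityID=\"https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}\">" +
            "<IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>" +
            "</EntityDescriptor></EntitiesDescriptor>";
        var doc = UnwrapEntityDescriptor(sample);
        Console.WriteLine(doc.DocumentElement.Name);
        Console.WriteLine(doc.OuterXml);
    }
}
```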
In your realm click on 'Realm Settings' in the menu on the left. Under tab 'General' at 'endpoints' click on 'SAML 2.0 Identity Provider Metadata'. The IdP metadata will appear in a new browser tab.

Do we need Keystore/JKSKeyManager in IDP initiated SSO (SAML)?

I've successfully implemented SSO authentication using the Spring-SAML extension. The primary requirement for us is to support IDP-initiated SSO to our application. Well, by using the configurations from spring-security-saml2-sample, even the SP-initiated SSO flow also works for us.
Question: Is the keystore used in IDP-initiated SSO (if the metadata has a certificate)? If it is not used, I would like to get rid of the keystore configurations from securityContext.xml.
Note: SP-initiated SSO and Global logout are not needed for us. We use Okta as IDP.
This is a good feature request. I've opened https://jira.spring.io/browse/SES-160 for you and support is available in Spring SAML's trunk with the following documentation:
In case your application doesn't need to create digital signatures and/or decrypt incoming messages, it is possible to use an empty implementation of the keystore which doesn't require any JKS file - org.springframework.security.saml.key.EmptyKeyManager. This can be the case for example when using only IDP-Initialized single sign-on. Please note that when using the EmptyKeyManager some of Spring SAML features will be unavailable. This includes at least SP-initialized Single Sign-on, Single Logout, usage of additional keys in ExtendedMetadata and verification of metadata signatures. Use the following bean in order to initialize the EmptyKeyManager:
<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>

creating an AttributeStatement and AuthnStatement node with Kentor AuthServices

New to Saml2, I want to use the Kentor AuthServices .NET library for generating a Saml2 response. I have checked the output XML and I can't find any node for either "AttributeStatement" or "AuthnStatement".
Does anyone know how I can deal with them in the library?
Cheers
H
The support in the Saml2Response class in Kentor.AuthServices for sending responses is very limited at the moment, so there is no support for either AttributeStatement or AuthnStatement. Support for sending AttributeStatement has been added.
Support might be added in a future release, but the main focus of the Kentor.AuthServices library is to be a service provider that receives and parses SAML2 responses. The identity provider functionality for sending SAML2 responses is of much lower priority.
If you need it, please add an issue on GitHub to get it into the backlog, or implement the features yourself and send a pull request. Pull requests are always welcome :-)

How to check certificate and key pair created by CSP or PKCS?

I have a problem with a key pair and certificate generated in a token using CSP or PKCS, and I must distinguish between the two, so I want to know:
"How do I check whether a certificate and key pair were created by CSP or PKCS?"
You should check their respective API as the first step.
For PKCS, you should read PKCS11 standard as mentioned on: http://www.rsa.com/rsalabs/node.asp?id=2133
This API interface will contain the methods to check on the certificate.
Take note that in general, CSP is used only by Microsoft products, while PKCS is used by the other software vendors.

CXF: how to access to the generated SOAP request

We have a Web Service client generated with CXF from a WSDL.
We now need access to the generated SOAP requests in order to persist them.
It seems that the framework does not provide this behaviour by default.
Anyway, have you guys ever tried to do such a thing?
I am thinking of building my own interceptor that can access the fully generated message, but maybe there is a better choice?
Any advice?
Thanks in advance.
By default CXF uses stax to stream your requests. If you add an interceptor, you can get access to the stax output writer and copy the events.
There is existing code in CXF to force the existence of a DOM tree; see code related to SAAJ and security.
In general, detailed CXF questions get better answers on the CXF user mailing list than here.