OpenSAML v3 - Validate SAML Response - saml-2.0

We are implementing Service provider for IDP initiated SSO. We are using open SAML v3 java library to parse the SAML response using POST.
I want to validate the SAML data and format, so trying to figure out is there any inbuilt methods which I can make use to validate the SAML data.
I am able to validate the signature using SAMLSignatureProfileValidator and SignatureValidator but I also want to validate that SAML version, the entity provider,Audience, conditions and so on.
When I dive deep into the library I was able to find that the class WSSecuritySAML20AssertionTokenSecurityHandler which validate SAML when doInvoke() method is called but the message Should SOAP. This method uses SAML20AssertionValidator to validate.
I am planning to use SAML20AssertionValidator to validate the Assertion so I need help to instaniate the SAML20AssertionValidator. The constructor for SAML20AssertionValidator is as follows. Trying to understand the input parameters
public SAML20AssertionValidator(#Nullable final Collection<ConditionValidator> newConditionValidators,
#Nullable final Collection<SubjectConfirmationValidator> newConfirmationValidators,
#Nullable Collection<StatementValidator> newStatementValidators,
#Nullable final SignatureTrustEngine newTrustEngine,
#Nullable final SignaturePrevalidator newSignaturePrevalidator) {
Also want to make sure is this the right direction to go for validation or is there any other methods I can make use of?
Any directions on this is much appreciated.

Related

How to handle missing SingleLogout endpoint in SAML metadata?

I am using Spring SAML integration. I am getting below error when I tried to SAML logout without SingleLogout point.
I override the SAML method to check metadata has any SingleLogout point or not but it's not working.
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: IDP doesn't contain any SingleLogout endpoints
at org.springframework.security.saml.util.SAMLUtil.getLogoutBinding(SAMLUtil.java:108)
at org.springframework.security.saml.websso.SingleLogoutProfileImpl.sendLogoutRequest(SingleLogoutProfileImpl.java:66)
at org.springframework.security.saml.SAMLLogoutFilter.processLogout(SAMLLogoutFilter.java:140)
To properly override the lack of single logout endpoint in the metadata, you'd have to provide your own implementation of org.springframework.security.saml.websso.SingleLogoutProfile and inject it as a dependency in your application config. Certainly doable but quite a bit of effort for a problem that has a simpler solution: manually modify the metadata you received from the IdP and add the endpoint. (If the metadata is signed, you'll need to remove the signature).

How can i use [Authorize] and [ValidateAntiForgeryToken] in API Post request?

I have created an webapi and MVC project with Angular 1. Also created some apis. I have also used oauth in my project. I have set [Autorize] in my api controller. I have also added RequestVerificationToken in my view file. Now i am calling api on submit button. I need to pass both [Authorize] and [ValidateAntiForgeryToken] on post api. I am getting two issues
A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' or 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' was not present on the provided ClaimsIdentity. To enable anti-forgery token support with claims-based authentication, please verify that the configured claims provider is providing both of these claims on the ClaimsIdentity instances it generates. If the configured claims provider instead uses a different claim type as a unique identifier, it can be configured by setting the static property AntiForgeryConfig.UniqueClaimTypeIdentifier.'
This issue i have fixed after adding below line in global.aspx.cs file.
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;
Now i am facing second issue. The provided anti-forgery token was meant for a different claims-based user than the current user.
i am not clear with this issue.
can i use both attributes on my post hit simultaneously?

Signing AuthenRequest SAML

I am trying to sign my HTTP-Redirect binding AuthenRequest so I can send it to the Idp. What is the logic behind signing the request? Do I sign it using my x509 and a private key? Do I sign it using my private key and Idp's x509 cert? Also, the Idp requires the signature query parameter. Do I simply extract the signature value from the request after I sign it?
I am developing in c# .net
Thanks
You always sign with your private key. The recipient will verify the signature using your public key.
In this case, you sign the SAML authn request with your private key and the identity provider will verify the signature with your public key.
Typically you supply the identity provider with your public key as a certificate file or as part of your SAML metadata.
If the IdP requires the signature as part of the query string, this means they want you to use the HTTP-Redirect binding to send the authn request. You need to look at the SAML v2.0 bindings specification to understand how to implement this. The signature is not part of the request and therefore isn't extracted from it.
The best and easiest solution to get the proper Signature value in HTTP-Redirect post is to use a 3rd party library for c# called ComponentPro. Below is what I used to get it to work:
NameValueCollection queryString = RedirectUtil.CreateQueryString("SAMLRequest", authnRequest.GetXml(), relayState, key, signatureAlgorithm);
The key is the private key.

Handling Token From URI AngularJS and Web API

I know there are tons of examples for Token authentication and OAUTH, but I haven't been able to make sense of any for my needs.
I have created an AngularJS/Web API application that displays data from a database in some forms using Web API calls. Our company has an authentication portal, that once you have logged in, if you have access to the application, it will redirect to the application URL with additional data such as token, login_id, etc. I don't plan to have a registration or login page in my application at all. I simply want to use the redirect URL to authenticate the user with the token provided. I will need to make some additional calls to see about additional rights.
The user is redirected to my URL with the additional parameters in this form:
https://myserver.com/?data=AOSTOKEN_1_5:XXXXXXXXX&logonId=XXXXX&badAttempts=0&passwordExpireMs=1517223840000&version=1&changePassword=false&country=US&css=&js=&language=en&limited=null&x=31&y=4&staticId=123456789&faceStaticId=null
My intuition is that I need to make a route (I'm using MVC System.Web.Routing to handle route management) for my Web API to handle this data, but I don't know how that will work with the AngularJS view. The closest example I can find is from here, but I won't be using a database or anything. I know this is a vague question, but any help will be great!
I was able to do some quasi authentication using the HomeController.cs file of my MVC application. I can parse the query string data in the main method (or any of the other view's methods) by adding some parameters.
For this instance, I modified my Index method to the following:
public ActionResult Index(string data, string logonID, string badAttempts, string passwordExpireMs, string staticId, string faceStaticId, string version)
{
//Handle null data, validate token data, and redirect if unauthorized.
}

Custom SignIn & SignUp on RESTlet + GAE/J?

I am currently working on a small project using RESTlet on Google App Engine/Java.
I was searching.. searching.. and couldn't find the exact or understandable solutions for my doubts.
My question is that How am I suppose to implement my own SignIn & SignUp module without using google's UserService or Spring Security??
Is there any actual sample code available??
I mean SignUp part is just a simple JDO insert & select module. let's just say I've done it.
How am I supposed to handle each user's request session and authentication??
I am thinking about using HTTPS on every request.
Any suggestions or help would be really appreciated!
Thanks in advance.
In Restlet, you have security support on both client and server sides. On client side, you can specify security hints using the ChallengeResponse entity. This feature is open and you can specify the authentication type you want. In the following code, I use an http basic authentication based on username / password:
ClientResource cr = new ClientResource(uri);
ChallengeScheme scheme = ChallengeScheme.HTTP_BASIC;
ChallengeResponse authentication = new ChallengeResponse(
scheme, "username", "password");
cr.setChallengeResponse(authentication);
Restlet will automatically build necessary headers in the corresponding request. You can note that Restlet supports a wide range of authentication types through its extensions. I know that some work is done at the moment to support OAuth v2 (see http://wiki.restlet.org/developers/172-restlet/257-restlet/310-restlet.html).
On the server side, you need to secure accesses at routing level using the ChallengeAuthenticator entity, as described below. This can be done within your Restlet application:
public Restlet createInboundRoot() {
Router router = new Router(getContext());
ChallengeAuthenticator guard = new ChallengeAuthenticator(getContext(),
ChallengeScheme.HTTP_BASIC, "realm");
guard.setVerifier(verifier);
guard.setEnroler(enroler);
guard.setNext(router);
return guard;
}
Like for client side, this support is generic and is based on two interfaces that need to be specified on the guard:
The verifier one to check if authentication is successful
The enroler one to fill roles for the authenticated user
You can notice that same security technologies need to be use on both sides...
If you want to manage authentication session for user, you need to implement it by yourself using cookies.
When authentication successes on server side, you can return a cookie containing a security token that allows you checking the user from your database (for example). Some code like below can implement that:
CookieSetting cookie = new CookieSetting(0,
SECURITY_COOKIE_NAME, securityToken);
Series<CookieSetting> cookieSettings = response.getCookieSettings();
cookieSettings.clear();
cookieSettings.add(cookie);
You can extend for example the SecretVerifier class of Restlet to add a test on security data received and add this code when receiving the security cookie.
On client side, you need to add hints for authentication the first time and then re send the security cookie following times, as described below:
ClientResource clientResource = (...)
(...)
Cookie securityCookie = new Cookie(0,
SECURITY_COOKIE_NAME, securityToken);
clientResource.getRequest().getCookies().clear();
clientResource.getRequest().getCookies().add(securityCookie);
Hope it will help you!
Thierry
If you are interested in re-using social accounts, you need to integrate with each one like facebook oauth
And/Or use the app engine authentication via OpenID
Both ways define an API to authenticate a client, you can use the UserService or manage your own state via cookies.

Resources