I'm using Apache CXF 3.1.5 to work with PingFederate 7.2.
In PingFederate, I create a WS-Trust SP connection, if the SAML Assertion is not encrypted. it works well.
If the SAML Assertion is encrypted, then it doesn't work, because CXF requires an Id Attribute for Element EncryptedAssertion or EncryptedData in RSTR from PingFederate. While, PingFederate doesn't provide such an Id attribute.
so I have two questions.
Why does CXF require an Id attribute(method createSecurityToken in class AbstractSTSClient)? It seems the standard specifications say that the Id attribute is optional.
How can I add an Id attribute for Element EncryptedAssertion or EncryptedData in PingFederate? or is there something else I can do?
Thanks a lot!
RSTR from PingFederate
I loosened the requirement for an ID in CXF.
Fixed here: https://issues.apache.org/jira/browse/CXF-7003
Related
UPDATE
I found that if I add a trusted cert to SPOptions.ServiceCertificates and set SPOptions.AuthenticateRequestSigningBehavior = Sustainsys.Saml2.Configuration.SigningBehavior.IfIdpWantAuthnRequestsSigned; and set IdentityProvider.WantAuthnRequestsSigned = true, the signature element is included.
Original Question:
Having troubles connecting to an IDP with the following AuthnRequest:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="idf299bf8aa08542d193e022cb047e5ecc" Version="2.0" IssueInstant="2019-07-23T00:10:13Z" Destination="https://example-idp.com" AssertionConsumerServiceURL="https://example-sp.com/Acs">
<saml2:Issuer>https://example-sp.com</saml2:Issuer>
</saml2p:AuthnRequest>
The IDP says: "SignatureStatus: NOT_PRESENT". I'm guessing that means that the authnrequest should have a <ds:Signature section? If so, how do I configure Sustainsys.Saml2.AspNetCore2 to include it?
The metadata xml I received from the idp contains a <ds:Signature section, but looking at the source code for Sustainsys.Saml2.AspNetCore2, it looks like that part of the metadata gets ignored when deserializing?
I'm not very familiar with the internals of SAML, so sorry if this is a silly question.
You'll want to generate a self-signed .pfx file that contains both your public cert and private key. We use azure key vault, but you could also use openssl. Lots of resources that explain how to generate one of those and load it into a c# X509Certificate2 instance.
Once you have an instance of X509Certificate2, set options.SPOptions.AuthenticateRequestSigningBehavior = Sustainsys.Saml2.Configuration.SigningBehavior.IfIdpWantAuthnRequestsSigned;
And set IdentityProvider.WantAuthnRequestsSigned = true.
And then add the X509Certificate2 instance like so: options.SPOptions.ServiceCertificates.Add(myX509Certificate2);
Then run your app and start the SAML SSO process. You can use hookbin or the like to see what it sends in the AuthnRequest for SAMLRequest. You can extract the xml from that by url decoding it and then base64 decoding it like so in javascript, for instance to confirm signature xml is set and correct: atob(decodeURIComponent(samlRequestValue))
I'm trying to configure Windows Server 2012 r2 ADFS 3.0 to send the NameID to Shibboleth 2.6 SAML 2.0 SP, but I keep on getting these errors:
2016-11-15 10:07:07 WARN Shibboleth.AttributeResolver.Query [1]: can't attempt attribute query, either no NameID or no metadata to use
2016-11-15 10:07:07 INFO Shibboleth.SessionCache [1]: new session created: ID (_7e425978e43bc32c86393f518b26eb3e) IdP (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (192.168.50.131)
I understand that this has something to do about passing the NameID attribute from the ADFS IDP and displaying the nameID in Shibboleth SAML 2.0 SP.
I've also read that you need to set a rule in ADFS IDP to pass the Email Address, and transform the Email address to become a NameID. I have done that, and have these rules:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
However, I have observed that the configuration seems compatible only with SAML 1.0, but not 2.0 (maybe).
So, I went on by adding the name attributes. I tried transient, persistent, and emailAddress, and trying both SAML 1.0 and SAML 2.0 configurations.
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" id="NameID"/>
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="NameID"/>
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="NameID"/>
Question:
So, what is the proper way of configuring ADFS IDP to send the NameID to the Shibboleth SP and display the Session attribute when going to my application Session page?
Specifically, what is the proper output for Claim Rules that I should expect? and how should the XML configuration for Shibboleth attribute-map.xml look like?
https://c-app01.contoso.com/Shibboleth.sso/Session
Solution:
The solution is to create two rules inside "Issuance Transform Rules" tab in the Relying Party. Here are the Rules to be set:
Add a Rule to Send LDAP Attributes as Claims
Add a Rule to Transform an Incoming Claim
Also, make sure that Permit Access to All Users is inside Issuance Authorization Rules tab.
Instructions:
Add a Rule to Send LDAP Attributes as Claims:
Claim Rule Name: Email
Attribute Store: Active Directory
Mapping of LDAP: E-mail-Address to E-mail Address
This will map the Email address.
Add a rule to Transform An Incoming Claim:
Claim rule name: EmailToNameID
Incoming Claim Type: E-Mail Address
Outgoing Claim Type: Name ID
Outgoing Name ID Format: Email
Make sure "Pass Through Claim Values" is selected.
The setting above for "Transform An Incoming Claim" will give you the following claim rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
After that, you may configure the attribute-map.xml like so:
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="Email"/>
My Mistake:
I found out that every setting in my Claims Rules is correct, except that the rules for Email and EmailToNameID should be under the Issuance Transform Rules Tab of the Relying Party.
We are trying to do a single setup with Shibboleth Identity Provider 3 and 1 service.
We have configured the Shibboleth IDP3 to use the OpenLDAP service that we are running. This is working as authentication is succesful. (see green underlined part image). This is with a user we created in the LDAP who is named 'test'.
Now the problem is that the entire transaction fails because we seem to lack a nameid in our SAML response.
We have made multiple attempts to fix this, here are some of the changes we tried.
In attribute-resolver-ldap.xml we added:
<resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</resolver:AttributeDefinition>
In attribute-resolver.xml we added an attributedefinition and a dataconnector as follows:
<!--
Attribute definition that expects to get the 'email' attribute from the ldap connector
defined as its dependency and encode it as a SAML 2 name identifier.
-->
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="googleNameID"
sourceAttributeID="cn">
<!--
The data connector expected to provide the source attribute, email. Note how the
value of the 'ref' attribute is the identifier given to the LDAP data connector.
-->
<resolver:Dependency ref="ldap" />
<!-- Encoder that transforms the attribute into a SAML2 NameID -->
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>
dataconnector (the <..> values are filled in correctly):
<!-- An LDAP connector that pulls in, at least, an attribute called email. -->
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="ldap"
ldapURL="ldap://localhost:389"
baseDN="dc=<FIRSTDC>,dc=<SECONDDC>"
principal="cn=admin,dc=<FIRSTDC>,dc=<SECONDDC>"
principalCredential="<PASS>">
<FilterTemplate>
<![CDATA[
(cn=test)
]]>
</FilterTemplate>
</resolver:DataConnector>
In the saml-nameid.xml file we added a nameIDgenerator (we did this for both SAML1 and 2):
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
In our ldap.properties file we assume we have configured everything correctly as the authentication itself works fine.
The error at the service side is that it can't process the SAML message:
Caused by: org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
There could be many reason for this. There are some issues I could see in the configuration you have provided:
In attribute-resolver.xml, you have defined AttributeDefinition ID as id="googleNameID" while AttributeSourceIDs in saml-nameid.xml is set as p:attributeSourceIds="#{ {'mail'} }". These IDs should be exactly same. Change your AttributeDefinition in attribute-resolver.xml to:
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="mail" sourceAttributeID="cn">
<resolver:Dependency ref="ldap" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="mail" friendlyName="mail"/>
</resolver:AttributeDefinition>
In conf/saml-nameid.properties, uncomment and set default NameID as EmailAddress like this:
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
You have not defined any Attribute Filter Policy. Add the following to the conf/attribute-filter.xml:
<afp:AttributeFilterPolicy id="ldapAttributes">
<afp:PolicyRequirementRule xsi:type="basic:ANY" />
<afp:AttributeRule attributeID="mail">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
I am trying to use SMTP component inside recipientList.
.recipientList(simple("smtps://smtp.gmail.com?username=abc#gmail.com&password=RAW(abc)&to=${header.alertTo}&subject=RAW(alert)"));
When the value of ${header.alertTo} is just a single email address, this works. However, if it is comma separated list of address it throws exception.
No endpoint could be found for: def#gmail.com&subject=RAW(Alert), please check your classpath contains the needed Camel component jar. and the stracktrace is org.apache.camel.NoSuchEndpointException: No endpoint could be found for: def#gmail.com&subject=RAW(Alert), please check your classpath contains the needed Camel component jar.
at org.apache.camel.util.CamelContextHelper.getMandatoryEndpoint(CamelContextHelper.java:65)
at org.apache.camel.util.ExchangeHelper.resolveEndpoint(ExchangeHelper.java:85)
at org.apache.camel.processor.RecipientListProcessor.resolveEndpoint(RecipientListProcessor.java:223)
at org.apache.camel.processor.RecipientListProcessor.createProcessorExchangePairs(RecipientListProcessor.java:163)
at org.apache.camel.processor.MulticastProcessor.process(MulticastProcessor.java:208)
at org.apache.camel.processor.RecipientList.sendToRecipientList(RecipientList.java:153)
at org.apache.camel.processor.RecipientList.process(RecipientList.java:112)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:118)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:80)
I was earlier using "to" to send these mails. That works fine. But later due to a change involving configurable email addresses for different routes I have to use recipientList.
You can change the delimiter char in the recipient list to something else than comma.
See the documentation for how to do that
http://camel.apache.org/recipient-list.html
I am using ADFS 2.0 as a service provider and Shibboleth as an IDP which issues SAML2 attributes in the form of:
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="nameidentifier" Name="nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">testuser</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
does anyone know how to setup a claim rule to consume this attribute?
I have tried the following but it didn't work:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"] => issue(claim = c);
What am I doing wrong?
Thanks
Should just be
c:[Type == "nameidentifier"]
=> issue(claims = c)
The FriendlyName and NameFormat are accessible from properties, like you have in your rule. You don't need to include them though unless you want to narrow the scope of your rule (in which case, please update your question with that requirement).
HTH!