
Support for AuthnRequest HTTP-POST binding with enveloped signatures #78

Open. Wants to merge 12 commits into base: master

Conversation

tachang

@tachang tachang commented Aug 8, 2015

Adding support for:

    "assertionConsumerService": {
        "url": "https://sp.example.com/saml/?acs",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },

Only the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding gets the enveloped signature

tachang added 4 commits June 1, 2015 03:24
service. Before this we only do HTTP redirects to the IdP's sso URL
with everything in a querystring (as per SAML HTTP-Redirect binding).

A lot of the work concerns creating an HTML form as well as enveloped
signatures.
Also added an example self signed certificate with pub/private key
to be used for testing.
@tachang
Author

tachang commented Aug 8, 2015

This is what the enveloped AuthnRequest looks like. This should validate when put into a file named authn_signed_assertion.xml via the following command:

xmlsec1 --verify --id-attr:ID AuthnRequest --trusted-pem tests/certs/example.com/example.crt tests/sample_output/authn_signed_assertion.xml

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_04273cc52656e53b0a3ca0861d498d713ff04fac" Version="2.0" ProviderName="example.com" IssueInstant="2015-08-08T19:54:42Z" Destination="https://idp.example.com/login" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://sp.example.com/saml/?acs">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#ONELOGIN_04273cc52656e53b0a3ca0861d498d713ff04fac"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Pzv7pLMvZ8HyMiWElqgsTFiX2LQ=</DigestValue></Reference></SignedInfo><SignatureValue>cdw7y1vPlovmvJM6C/5JzU+3ooqdd7qC/NUbhIhjt3KRapSlZN4fo149k5fPbPXY
HaPDk+FnN60ffCLDB2fIG4HEZ6ROPiTwUWwvWD5sLxSLOWrxeQYZM3CEry6kplzH
c57+VYLDBTfgrESW9+ofDYY5ZyBy9BqY1qHoVlXdOX5ncnaFBFjwYjsHZCB+abZm
2JkYz6+i7azVy3jXnAgAPhbAcJH8QytVeyhFXkiso0xmPX/Oau9GZ6V21KQG5VMA
DaxjqjJ3Uk+/i1/ZfCh/4AHLf2amSH1OnTAxDKRMC2cdwkwEM+MThTxWhuTfhxlN
io563s6sEbwPnE2YkakuRw==</SignatureValue><KeyInfo><KeyName/><X509Data>
<X509Certificate>MIIDuTCCAqGgAwIBAgIJALO8tfVURFsvMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV...</X509Certificate>
</X509Data></KeyInfo></Signature><saml:Issuer>sp.example.com</saml:Issuer>


    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
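An added structural pre-check (example code, not part of python-saml or this PR) for the enveloped signature shown above: it confirms the Reference URI points at the AuthnRequest's own ID (the relationship the `--id-attr:ID AuthnRequest` option gives xmlsec1), that the enveloped-signature and exclusive C14N transforms are present, and it flags the rsa-sha1/sha1 algorithms the sample uses. It assumes a SHA-256-only algorithm policy and uses a constructed sample with placeholder digest and signature values; cryptographic verification itself is still left to xmlsec.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Policy of this example (assumption): only SHA-256 based algorithms pass.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
def check_enveloped_signature(xml_text):
    """Structural pre-checks before handing the document to xmlsec; returns findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return ["no enveloped ds:Signature child"]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        return ["SignedInfo has no Reference"]
    findings = []
    # xmlsec1 --id-attr:ID AuthnRequest resolves "#<ID>" against this element; a mismatch means the signature covers something else.
    if ref.get("URI") != "#" + root.get("ID", ""):
        findings.append("Reference URI does not match the AuthnRequest ID")
    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in transforms:
        findings.append("enveloped-signature transform missing")
    if EXC_C14N not in transforms:
        findings.append("exclusive C14N transform missing")
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if sm is None or sm.get("Algorithm") != RSA_SHA256:
        findings.append("SignatureMethod is not rsa-sha256 (rsa-sha1 is deprecated)")
    dm = ref.find("ds:DigestMethod", NS)
    if dm is None or dm.get("Algorithm") != SHA256:
        findings.append("DigestMethod is not sha256 (sha1 is deprecated)")
    return findings

# Constructed sample shaped like the request posted above; DigestValue and
# SignatureValue are placeholders, so only the structure is checked here.
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="_constructed" Version="2.0" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="#_constructed"><Transforms>
   <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>AAAA</DigestValue>
  </Reference></SignedInfo><SignatureValue>AAAA</SignatureValue></Signature>
</samlp:AuthnRequest>"""
```

Run on the sample, the only findings are the two deprecated-algorithm warnings; changing the Reference URI makes the ID mismatch the first finding.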

@tachang
Author

tachang commented Aug 9, 2015

Yay finally. Managed to pass all the checks.

@tachang
Author

tachang commented Aug 9, 2015

This is actually not full support for it since we still need to generate a form.

This is just up here as a placeholder.

@tachang changed the title from "Support for enveloped signatures when using the HTTP-POST binding" to "Support for AuthnRequest HTTP-POST binding with enveloped signatures" on Aug 9, 2015
@pitbulk
Contributor

pitbulk commented Apr 8, 2016

@tachang are you interested in maintaining a branch of python-saml that implements HTTP-POST binding for AuthnRequest, LogoutRequest and LogoutResponse?

I have no problem hosting that branch, and maybe when mature, we could create a release based on that branch and modify the toolkit name, releasing it at pypi.
But I need someone who wants to support it and merge/push changes done on master to this branch.
Right now I'm maintaining python-saml and python3-saml and can't afford that task, and I don't want to
push this feature on master branch since core changes will be required.

This branch should also support Assertion Consumer Service HTTP-Redirect binding. #71

@sbc100
Contributor

sbc100 commented Jul 20, 2016

+1 I'd like to see this feature land.

I would advise against maintaining this in a separate branch. Are the core changes required bad/scary in some way?

@tachang
Author

tachang commented Jul 20, 2016

@pitbulk Hi Sixto, I actually didn't notice this message until now!

Right now I'm not really making any changes until I have more time. I just pushed this PR in case someone else would be interested in it. We are actually not using it right now but might if a customer requests it, in which case I'd totally push to open source the changes.

@tachang
Author

tachang commented Jul 20, 2016

@sbc100 The changes are not too scary unless you need the feature. I opened this PR just to get a discussion going. I managed to get the code maybe 60-70% there. The big part was just getting some tests written as to what was actually needed.

@tachang
Author

tachang commented Jul 20, 2016

Obviously I didn't even rebase which is nice for PRs.

@ekreiser

Any update on when this work might become part of the core product?

4 participants