Ruby IdP response valid, but fails #3

Open
jkamenik opened this issue Dec 3, 2013 · 2 comments
Comments


jkamenik commented Dec 3, 2013

I am using the https://github.com/sportngin/saml_idp gem as a basis for an IdP I am creating. No matter what I try I always end up at Saml#fail.

<h1> Saml#fail </h1>

Find me in app/views/saml/fail.html.erb

true

The last true is caused by @response.validate!. So @response.is_valid? returns false, causing the fail view, but when re-validated it works, even though internally they call the same code.

Here is the parsed response that was placed in the log.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="http://ruby-saml-rails3-example.dev/saml/consume" ID="_89ce97f0-3e8c-0131-9bf8-482a14030d65" InResponseTo="_85d1e8b0-3e8c-0131-5e30-482a14030d65" IssueInstant="2013-12-03T21:05:18Z" Version="2.0">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://saml-idp.dev/saml</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_89ce9930-3e8c-0131-9bf8-482a14030d65" IssueInstant="2013-12-03T21:05:18Z" Version="2.0">
        <Issuer>http://saml-idp.dev/saml</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_89ce9930-3e8c-0131-9bf8-482a14030d65">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>eNTPeAX3bLyCWmWGEk+MgCGWwn0=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
ZyhVmEkLf/wTMa2zJbhff5hyZTcQ3ki7c9wAxZIfC0rxGwwwJBzrbm/sd4H465Ydx97YdRVyvHAxLQK7Pt/zQzPXpL2PbMoDaQq4pPrSOH9ATAQn48m5V7TBADTg57HzE2G4k76rhl0tiqc7OJtOftW8sSaHx2rlMtq1lZoPXrg=
            </ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIICxzCCAjACCQC0xircGnUAzzANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMC
                        VVMxETAPBgNVBAgTCE1hcnlsYW5kMRQwEgYDVQQHEwtHbGVuIEJ1cm5pZTEbMBkG
                        A1UEChMSV2F0ZXJmYWxsIFNvZnR3YXJlMQswCQYDVQQLEwJJVDEVMBMGA1UEAxMMSm9obiBLYW1lbmlrMS4wLAYJKoZIhvcNAQkBFh9qa2FtZW5pa0B3YXRlcmZhbGx3c29mdHdhcmUuY29tMB4XDTEzMTIwMzIwMjc0OVoXDTQxMDQxOTIwMjc0OVowgacxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEUMBIGA1UEBxMLR2xlbiBCdXJuaWUxGzAZBgNVBAoTEldhdGVyZmFsbCBTb2Z0d2FyZTELMAkGA1UECxMCSVQxFTATBgNVBAMTDEpvaG4gS2FtZW5pazEuMCwGCSqGSIb3DQEJARYfamthbWVuaWtAd2F0ZXJmYWxsd3NvZnR3YXJlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvm+QYwIbuihkUx7yezKCGqirz6K6S1FujJoRxWFzFLiU71auqUGdfHH+b/Z34rJnIdHUWFY2jvtFIlZknyG5kReVtMpNUdmoNBwqG5nS7TpkLzSYzpYRdaNwq97m7JXMICHSUzQz/mHIZretWblN5A1e6sRQrfDmH5qKL1WPIq0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAium4/61wL9zfXepvfLUU54dNtuEqTBmGMwt+DQ3kSNSWSihS8e4ppQSCoQWCeEVMJRC9tcoPK2r203OUrl9VA8LinNA8JF0C7hzB7Zmnda3Vg0Tl9S35XFLWzpc16ilGxYhksdhWjikmNsG9/OAyyWW0JTkzUaeU6l4f7GDG4EQ==
                  </ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">89cf2480-3e8c-0131-9bf8-482a14030d65</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_85d1e8b0-3e8c-0131-5e30-482a14030d65" NotOnOrAfter="2013-12-03T21:08:18Z" Recipient="http://ruby-saml-rails3-example.dev/saml/consume"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2013-12-03T21:05:13Z" NotOnOrAfter="2013-12-03T22:05:18Z">
            <AudienceRestriction>
                <Audience>ruby-saml-rails3-example</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <AttributeValue>[email protected]</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2013-12-03T21:05:18Z" SessionIndex="_89ce9930-3e8c-0131-9bf8-482a14030d65">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>
calh (Owner) commented Dec 4, 2013

@jkamenik, can you tell where the validation is failing at all? Also, which version of the ruby-saml gem are you using? My github copy is probably very far behind the official version. My patch wasn't accepted to the official project because too much had changed by the time I did a pull request. And it was a pain in the ass to try and manually change everything to merge.

If you're still using my ruby-saml gem, you might be able to try skipping the signature validation. See line 96 in ruby-saml/lib/onelogin/saml/response.rb. In the rails saml_controller.rb, line 30, you might be able to get away with:

@response = Onelogin::Saml::Response.new(params[:SAMLResponse], :skip_validation => true)

Of course, that doesn't really solve the problem, but it might get you closer. I didn't really touch XML X.509 signature validations because I couldn't find a really good XML parser for ruby.

jkamenik (Author) commented Dec 5, 2013

I actually can't explain why validate! would fail and then is_valid? would be true except that it appears that XMLSecurity is slightly destructive.

Digging deeper by creating my own SP (https://github.com/WaterfallFMS/saml_client) I think the issue was Canonix. Nokogiri now includes canonical support. But it canonicalizes the XML without moving attributes around (which I think is the correct behavior), while Canonix does.

Your project worked against the sample IdP (https://github.com/drnic/ruby-saml-idp-rails3-example) because of a coincidence. The sample IdP uses the 'ruby-saml-idp' gem, which does simple string interpolation into a handcrafted XML document. It was handcrafted to match the Canonix canonical form already.

My IdP was based on the 'saml_idp' gem, which uses an XML builder to generate the XML and Nokogiri to canonicalize it for the signature. So the canonical form did not match and therefore the .
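The canonicalization mismatch described in this thread, and the reason the :skip_validation => true shortcut suggested above is not a fix, can be seen end to end with a small signer and verifier. This is an added example, not code from ruby-saml, saml_idp, Canonix or either participant. It uses only the Python standard library and therefore assumes Python 3.8+, whose xml.etree.ElementTree.canonicalize implements C14N 2.0 rather than the exclusive C14N 1.0 named in the response above (the canonical bytes differ from Nokogiri's; the procedure is the same), substitutes XML-DSig's hmac-sha1 SignatureMethod with a constructed shared secret for the response's RSA-SHA1 key pair, and signs a constructed assertion modelled on the one in the log. ASSERTION_A and ASSERTION_B carry the same infoset serialised two ways: their raw SHA-1 digests differ, their canonical forms and DigestValues agree, and an IdP and SP that canonicalise differently would disagree at exactly the DigestValue comparison, which is the first thing the verifier checks.

```python
"""Enveloped XML-DSig digest and signature check using only the standard library.

Added example, not code from ruby-saml, saml_idp or Canonix. Assumes Python 3.8+
(canonicalize() is C14N 2.0, not exclusive C14N 1.0), an hmac-sha1 SignatureMethod
with a constructed secret instead of RSA-SHA1, and a constructed assertion.
"""
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DS
SECRET = b"constructed-demo-hmac-key"  # constructed; stands in for the IdP's private key

# Constructed assertions: same infoset, different attribute order, quoting and
# whitespace inside start tags, so the raw bytes differ while the canonical form does not.
ASSERTION_A = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo-assertion-1"'
    ' IssueInstant="2013-12-03T21:05:18Z" Version="2.0">'
    "<Issuer>http://saml-idp.dev/saml</Issuer>"
    '<AttributeStatement><Attribute Name="email">'
    "<AttributeValue>user@example.com</AttributeValue></Attribute></AttributeStatement>"
    "</Assertion>"
)
ASSERTION_B = (
    "<Assertion Version='2.0'   ID='_demo-assertion-1'\n"
    "   IssueInstant='2013-12-03T21:05:18Z' xmlns='urn:oasis:names:tc:SAML:2.0:assertion'>"
    "<Issuer>http://saml-idp.dev/saml</Issuer>"
    "<AttributeStatement><Attribute  Name='email' >"
    "<AttributeValue>user@example.com</AttributeValue></Attribute></AttributeStatement>"
    "</Assertion>"
)

SIGNED_INFO = (
    '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>'
    '<ds:Reference URI="#%s"><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    "<ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>"
)
SIGNATURE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">%s'
    "<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>"
)


def canonical_form(xml_text, exclude_signature=False):
    """Canonical bytes of a document; exclude_signature applies the
    enveloped-signature transform by dropping the ds:Signature subtree."""
    options = {"with_comments": False}
    if exclude_signature:
        options["exclude_tags"] = [SIGNATURE_TAG]
    return ET.canonicalize(xml_text, **options).encode("utf-8")


def raw_digest(xml_text):
    """Hash of the bytes as received: depends on how the sender serialised them."""
    return base64.b64encode(hashlib.sha1(xml_text.encode("utf-8")).digest()).decode()


def reference_digest(xml_text):
    """DigestValue for the Reference: SHA-1 over the canonical form minus the
    Signature. A canonicaliser mismatch between IdP and SP surfaces here."""
    digest = hashlib.sha1(canonical_form(xml_text, exclude_signature=True)).digest()
    return base64.b64encode(digest).decode()


def sign_assertion(unsigned_xml):
    """IdP side: digest the canonical assertion, MAC SignedInfo, envelope the Signature."""
    assertion_id = ET.fromstring(unsigned_xml).get("ID")
    signed_info = SIGNED_INFO % (assertion_id, reference_digest(unsigned_xml))
    mac = hmac.new(SECRET, canonical_form(signed_info), hashlib.sha1).digest()
    signature = SIGNATURE % (signed_info, base64.b64encode(mac).decode())
    # No whitespace is added, so the canonical form without ds:Signature is unchanged.
    return unsigned_xml.replace("</Assertion>", signature + "</Assertion>")


def verify_assertion(signed_xml):
    """SP side: returns (ok, reason). Each check is what skip_validation would bypass."""
    root = ET.fromstring(signed_xml)
    signature = root.find(SIGNATURE_TAG)
    if signature is None:
        return False, "no enveloped ds:Signature"
    signed_info = signature.find("{%s}SignedInfo" % DS)
    reference = signed_info.find("{%s}Reference" % DS)
    # The Reference must name the element being consumed, not some other node.
    if reference.get("URI") != "#" + root.get("ID"):
        return False, "Reference URI does not name this assertion"
    expected = base64.b64decode(reference.findtext("{%s}DigestValue" % DS))
    actual = hashlib.sha1(canonical_form(signed_xml, exclude_signature=True)).digest()
    if not hmac.compare_digest(expected, actual):
        return False, "DigestValue mismatch (content changed or canonicalisation differs)"
    # SignatureValue covers the canonical SignedInfo, re-serialised with its ds prefix.
    ET.register_namespace("ds", DS)
    signed_info.tail = None
    si_bytes = canonical_form(ET.tostring(signed_info, encoding="unicode"))
    expected_mac = base64.b64decode(signature.findtext("{%s}SignatureValue" % DS))
    if not hmac.compare_digest(expected_mac, hmac.new(SECRET, si_bytes, hashlib.sha1).digest()):
        return False, "SignatureValue mismatch"
    return True, "ok"


if __name__ == "__main__":
    print("raw digests equal:", raw_digest(ASSERTION_A) == raw_digest(ASSERTION_B))
    print("reference digests equal:", reference_digest(ASSERTION_A) == reference_digest(ASSERTION_B))
    signed = sign_assertion(ASSERTION_A)
    print(verify_assertion(signed))
    print(verify_assertion(signed.replace("user@example.com", "other@example.com")))
```

Running it shows the two serialisations agreeing on the reference digest while their raw digests differ, an untampered assertion verifying, and an edited attribute value failing at the DigestValue check. Skipping validation removes both the digest and the signature comparison, so the SP would then accept any assertion posted to its consume endpoint; the actual fix is to make the IdP and the SP agree on the algorithm named in ds:CanonicalizationMethod and to implement it the same way on both sides.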
