Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shibboleth update #10

Closed
simong opened this issue Feb 11, 2013 · 8 comments
Closed

Shibboleth update #10

simong opened this issue Feb 11, 2013 · 8 comments

Comments

@simong
Copy link

simong commented Feb 11, 2013

These are the steps I performed to try to connect our Node.JS app with a Shibboleth IdP

Setup

  1. Register our node app as a Service Provider with the Identity Provider.

I used testshib.org to test our setup. I copied the metadata.xml from a standard SP (running under Apache with mod_shib which in turn talks to shibd) and significantly slimmed it down to

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_957cf08a6730ac2e70ce094b8262cdf79ce25120" entityID="https://oae.cam.ac.uk/shibboleth">

  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>linux-5z8i.site</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=linux-5z8i.site</ds:X509SubjectName>
          <ds:X509Certificate>MIIC9DCCAdygAwIBAgIJAJPgjeqQYMniMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNV
BAMTD2xpbnV4LTV6OGkuc2l0ZTAeFw0xMzAyMDgxODQ5MzlaFw0yMzAyMDYxODQ5
MzlaMBoxGDAWBgNVBAMTD2xpbnV4LTV6OGkuc2l0ZTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAOoq83FgLTaOMqFMjsrmKk80S4kDpixN9ajKdBjTD+9f
iOUIr5x8a/xdE8OkDGWZsMTRJzAK3Mj1xY/d5NrGLCyKnb1v5ylLUd41NdpECRhl
GZvonbqrB6usdm+Bs01NOdyerjvhyLovQddtv/eFvi51bwtKr9JhH+H6Nh9Y0u/V
5Sjq+5DWug8QgA4+BHXSxYsKVhrAqxLHNPUCFzIqggF/Ncc4V8To3laH8YotF2uo
AnQKs7qpIvDxpWYnWBIFFZsemozW8IE6gxY/WiAnTOOHULCMe49RUDu12fIyQOwd
FrmsRncU7kMkvgFJpDQj6Hs6gff+4CzlwItB+O5tD7sCAwEAAaM9MDswGgYDVR0R
BBMwEYIPbGludXgtNXo4aS5zaXRlMB0GA1UdDgQWBBStENAKttjMN3gopEzHNHSz
gEurazANBgkqhkiG9w0BAQUFAAOCAQEAYpVMAZkxyf0MQNI0BOrMj4ufvqxF8Phh
kpN4m/qa/Bz741W2oXYWRRuziQemho7LFeSutcj05uL9UoYSGl9Uf+gNJyVNqIwX
HZ4rbetphzrxoQpR8/ykIf8px70Af38bv0v8iNPyyaiW4uAj8b6rUNV2Q1BSyZKk
CqLh5BUnKaw8atgFgMyulqZ/QqPXzMp+MvLMf8eykBtvM85RyNbbtkDOIEmugCFL
eJBy/J977I8UjVG3NaSG6PW1TSt/UumfnDNPKORYDlvpqq/RhJPp1bA3JxZWYaEu
+mgippboa2s6KL7xFO3X7b+Tr8OympTngHY/HzlWsa0G5MR3Op5RSg==
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Location="https://oae.cam.ac.uk/api/auth/saml2/callback" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
    <md:AssertionConsumerService Location="https://oae.cam.ac.uk/api/auth/saml2/callback" index="5" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />
  </md:SPSSODescriptor>

</md:EntityDescriptor>

As you can see our SP only supports HTTP-POST and browser-post and a very small subset of signing/encryption mechanismes.

  1. Setup passport-saml
    I used the following node code to register the SAML strategy. (slimmed down for brevity)
    var strategy = new SamlStrategy({
        'path': '/api/auth/saml2/callback',
        'entryPoint': 'https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO',  // Use the redirect option
        'issuer':  'https://oae.cam.ac.uk/shibboleth',  // The entity ID we used to register our SP with
        'cert':  'MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0 ....',  // The public key from the testshib.org IdP
        'privateCert': 'MII... ', // Our SP private key that matches the public one.
        'identifierFormat': null 
    }, function(profile, done) {
          // Verify function
         // get or create user
         // ...
    });
    passport.use('saml2', strategy);

...

//  `server` is the express server.

// Redirect the user to the configured SAML2 compatible IdP. When complete,
// the IdP will redirect the user back to the application at
// /api/auth/saml2/callback
server.get('/api/auth/saml2', function(req, res, next) {
     // Some custom logic which isn't important in this context
     passport.authenticate('saml2')(req, res, _handlePassportError(req, res, next));
});

// The IdP will redirect the user to this URL after approval.
server.post('/api/auth/saml2/callback', function(req, res, next) {
     // Some custom logic which isn't important in this context
    passport.authenticate('saml2', {'successRedirect': '/', 'failureRedirect': '/'})(req, res, next);
});

That's about it regarding setup.

Testing

  1. Browse to /api/auth/saml2
    This gets picked up by the passport-saml strategy and results in the following SAML object
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2331765beede7e5acda2" Version="2.0" IssueInstant="2013-02-11T17:03:18Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://oae.cam.ac.uk/api/auth/saml2/callback"
Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://oae.cam.ac.uk/shibboleth</saml:Issuer>
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Which gets succesfully turned into a suitable URL (ie: the XML gets base64'ed and the proper idp URL gets generated)

  1. My browser takes me to the shib IdP where I can log in with on the test accounts
  2. I check the IdP logs and see the incoming request.
  3. The IdP verifies my PW and generates a SAML response which it signs and encrypts and POSTs to my /api/auth/saml2/callback endpoint
    This is the point where passport-saml blows up.
    The XML it receives from the shibboleth IdP looks like
<?xml version="1.0" encoding="UTF-8" ?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://oae.cam.ac.uk/api/auth/saml2/callback" ID="_fa84b84c92664434e0844485fbde6326" InResponseTo="_2331765beede7e5acda2" IssueInstant="2013-02-11T17:03:45.590Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_f10fa6b20292f7cc337ee32e5ecf17ad" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey Id="_b1e6d0ed4ce24daa0c018b90f715b43d" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIC9DCCAdygAwIBAgIJAJPgjeqQYMniMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMTD2xpbnV4 LTV6OGkuc2l0ZTAeFw0xMzAyMDgxODQ5MzlaFw0yMzAyMDYxODQ5MzlaMBoxGDAWBgNVBAMTD2xp bnV4LTV6OGkuc2l0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOoq83FgLTaOMqFM jsrmKk80S4kDpixN9ajKdBjTD+9fiOUIr5x8a/xdE8OkDGWZsMTRJzAK3Mj1xY/d5NrGLCyKnb1v
                                5ylLUd41NdpECRhlGZvonbqrB6usdm+Bs01NOdyerjvhyLovQddtv/eFvi51bwtKr9JhH+H6Nh9Y 0u/V5Sjq+5DWug8QgA4+BHXSxYsKVhrAqxLHNPUCFzIqggF/Ncc4V8To3laH8YotF2uoAnQKs7qp IvDxpWYnWBIFFZsemozW8IE6gxY/WiAnTOOHULCMe49RUDu12fIyQOwdFrmsRncU7kMkvgFJpDQj 6Hs6gff+4CzlwItB+O5tD7sCAwEAAaM9MDswGgYDVR0RBBMwEYIPbGludXgtNXo4aS5zaXRlMB0G
                                A1UdDgQWBBStENAKttjMN3gopEzHNHSzgEurazANBgkqhkiG9w0BAQUFAAOCAQEAYpVMAZkxyf0M QNI0BOrMj4ufvqxF8PhhkpN4m/qa/Bz741W2oXYWRRuziQemho7LFeSutcj05uL9UoYSGl9Uf+gN JyVNqIwXHZ4rbetphzrxoQpR8/ykIf8px70Af38bv0v8iNPyyaiW4uAj8b6rUNV2Q1BSyZKkCqLh 5BUnKaw8atgFgMyulqZ/QqPXzMp+MvLMf8eykBtvM85RyNbbtkDOIEmugCFLeJBy/J977I8UjVG3
                                NaSG6PW1TSt/UumfnDNPKORYDlvpqq/RhJPp1bA3JxZWYaEu+mgippboa2s6KL7xFO3X7b+Tr8Oy mpTngHY/HzlWsa0G5MR3Op5RSg==</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>FTEOGQ+iQaVmqnt5KvAKVr4BRGkhT67AuH6ElMgHdwkJewsytpDj2KLkkKjEtkrIC3ldzkpty1KlsT00CPeXUdOh/ucHHJlBZ97wN6zDI4Lv6iefVoZiCF565AeBMPU1AxhwxDQ3JqGWwli0cYmCcNbrthPC3soqlbZRxMObHzzsPtDLgs+VDj0fO794bSJ51x4lrY6GsL0JqSCLLalYtELI45PTt0mvR1/GwEj85EAt2wFb6IU94bUtesNHv3aVG/oKF0kcGfqF+NND2oK1BgGYd2ISICujKeBDSc+EHehmwgH5dTvfKSmAy6A6ilj39eRZDwCERN+SOU2VYqyuRw==</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>WkWL64lLehT3YRNGkNf8Q2pbpxcfgRnCP01ng2W9OQjXcRszYcAVjRhsvNA0DmqlhgScIrLAz8xAQchDPOwFBQ4MqlFfQ7PnU2kKfMv1M4gwNpwNgaP/C3b+cW8Xx1HvsBNt3b8pb71TgZtPGqejq368r7wajpFy/LQ75/8Jjt65Q23wyHduLYVx8CTc00ZKeKoB1N9E8TO0oCWfVZ45XyvTlgOCN+/mchGIuplrU8T5Z0J8q++A+cZhLlJSu/rsJzwakp2Tm0+9QNU4UcJOE6DI8ejf4Gk4jy4tLTE/PQqD/B80M907NLZEmdrlP++uOF3VHYLMWdPvvNi6rjbBtCDjZd55p+OxI1H053A0VcCNvzCpz1eo72fXNdO3uCzw5zlzszP/BDAcH4VXewayrJzJYoPd3764NrfCiMsQSrgZda4BPMurQylNFNl2sFsRwL5YpXS2lYZ5CU1z6/yKn3ecf96vQ80MF9BWgEArMo0X/rMorZrYxXJXaPlVibtJmME8q5Yyaj4+NjWMpnrVArr3EtevWQxHgb7S4+02bYJHSWagF7RZuSEmvqlONm8gW8aTD1TwhdkRczeSR81d0e4A4tg9BaAqhyo/CF9+Iy13KAqWekxN4JQPR9B5yvF4Aj16/SqC/IiLwYWSjBAELZDbOxL3XWSPNmQvwfOh0d7PFV4wh8lkNZZvnvc60R+KmWKhK2iyJC0TDavBJQrcuMqlIQBqvbhNd/W377pibfgopR1I6WtlTgQhR8DUpsDDibeo31KbRQ0RMDgbcnDZuPkjYyoX54oXUDRcuhl+hD1ibv5MFolF26Wefz0i8jezFeDKsCAPkOCqWcV7EdZDGkCcOoMe7SMA/uUwKnm8y+zRm5yzX0DsFzKcltce76k8d2q9Ah24tDbuJALyUyUGfTifvl6Ku5lGj0ljz6OANKwJgzTvCar1L5dKO46yz/b14U/P7jFSuJPfvAe8h2AOO+Q+Ut5LsFq2zAePAe3jRut7etEmSuTc0Qdpw0S2wlKtndULxO+w/EFprhKdV68J7cI5U/iG4bSHSkdpyh7ECC6+mhUfmtqrjpXq1x9KY8N3whObtjcQlZvQBnqvlQcUBY+52yleBRJLf590LLNq9e/YSwKHSebtWHnfYbRR3G7BnUkdOMfvJ/rJ9rKgzU4iPOaIoHiw5rRkhnfuzpitPU0hbQdbS28oFIEzVb4rn/VBt7Os/6IzzHNpRhfAoGtlZhuqjZVe+gVG/Zk/QzUsLphUMaG6l+BIR/+mRTiJChBH9kr3e59QqWCdZKaqwrRfcm3bMRh9o9QKpeND5KbefsxlYNrKkBT8TInWE9rRHJyh+AoXLocB2gCKoYswO2DcKVAXWas/Hptrdd/Q524YK66Rk7syyL5+z4tZErivlrVEfSM/FkCgA708nyxC/MeDFrL4kbH/1ebXp97WqUt4XJcfGwSI1D4aKmLNdCVD2j6gWlOVBlTsB6nbh6YE1g95nZlfChHbl6/Fme0pDYZL8qWpEJLs6Vsac1aeN0rPg4k+pPRGskaJ2bHDFNxlYtM4MHiLInIdx7X8RUlv9DWtnArk5qdh9bTssVCJdSyT4P+vK+SnW/2lrxaGSQ4Rl8GF9fLztdn2TQtvbjgNt+4RLqRTyQRDeuPIZGH8y1HsC+oheAOwtjss9e+AtzMzKR5HVLIbPUV3SEv+nZxKiHtrtvwWLUUcN9lUzU1NZzrM2eBO+IDS5wGd4YXcu56pGL3jNqMBvMngFusP19vmXFXERpSHQjWm++OgLxNUbWJGy4CXisyx4UFy7r5SNAETS2Oepxg3g+HyBIMTJWYHaqg388h/SkmMp3hOE//y7q7KnDXV4vpyJXLsxhnG2X+IiUkU6qPMcdrp0GcuhTBs/ERAEiyrHTDVGkAuyw7hUPxhAgA+HITfXxQoxYqInOnVBzmHjB+j9pGXWgGylPSEoGt0CqTpKx7OBbJHBK/2KB5hZ63BLbmcMcrm2VdJzZ+FB1Agarmbfz/3Emft8akfB6SZvEdgUujy+bURNxikDA8/EL/PN79pmtWqQ+3uBpVB90ZaYTbA9H71rwxlugOdC6XMZprZNDeF73dN5p9/E42jkHGT8WZQ6rNV7AaRSnj4aeaCfZg/PSmY5CsD/3JFyJMbFpzpMNe2vVYR7dhl32OlA3LjmKDTgEMjCLsgAdna2tR7CmLwggo0EcbPgLhcjMDNjsm6IOQde+3ObEpmtYFbba7Us94RBGfkT8sUr0AXpNO53kSqkc0N1O314a4vwdrpabJpPuCnVqa9URF+1Q9n3ercmFOH6zrj5gYMpGwaNpPWulH5f8OLW/Lq30j87hHxbVXv8KKFluiK40D3Z4uRgVTpv5GI2w0RyI5WsJKA9Zs+1kWaCGBTp29QsPcqT8xFcnP1GUdIoebdcNfieVt6NxHr+tSxRULh5cNWGx4L0siUDtQhf7NuzBh270uThoRsImeJEnPvOTcRJXHj6+q7gnrS2D9b7K7tUh/3GUo77YiiZzmcg0UONJ9Bbv+KFsC/dDlaENihneVNVirEpXRiJcAQEBroNfzHIQWj/Ef3qA9eni7hhg43rSNk7I7fYK8U7q5dxhPqj6Vc2Xxky00xB7o0z1qKxHHeuKLfyRFqAKrXusZZ/kWWya6sFFNbZbQCWAUKUUOIeJWn31R0P6Kif1b5e/fRq3MRQpiYBGeQoRNMXnuE53GgDv8Rk/kv+116rB9LjzU56N8Eeqnt1rF7aRntMowh9HpNY6coK7AU+60hm2YPSXKXPIBJuLhp89bGKoIns39T1HyI0mZcjd2ICGc3GXwN/hfLmDz0o3RUgDYldqh1p6HXDhzKbP5N57HtKmEx8TcnyJjpSUrS6dBWF3fWbLuHoO+vBI1NGGf+G5cdiNpJkiyfrBdfzeS6XmR8uEXm+MhM/nm28ZGandfO3hLRhkWjcebLtYMllIWyjhPksgZyF2HagxB9WJsDTA6hJ1lVB/wSkbYjyMpIUYwPGKFzX96hU+HQlcakEpdB0TZR29jdsgnh3bv/ALO896fM7gs+jDykrcly7chYlI5IDPu9OVoX+QRZZ8Hyc6D3Wvu1ynBPOljvu9PZ/81B84dSEJemKCndejZyhGDohdt25rniDjKrsycsNrd8iDcbeDagd6/ToaHCaCz3hZTr1PkfBI6843bh3cZNbFWw4xGFqdKccofKXsK7zlQnJDxlGoAg7zjfjl257pgwja1niVNrKJvnTo9Dwk+FDnkYV0wEQGWwc6iWhqnYNZib2VnFQjuUvy9PUF2Zu4L/wePwI4WBaIcy4nQc6TNY45/8XYxrc1xl2gRRFveZhYFinv6ilO7F8ocy3UJI4HicrG7OzRo00ZYZJWyPvBjyVgJPOdEKq3QVTwXJN9YwByGCPVMheFW+ozsg4O/T094eUIWHH9K5QshuIAkwb/J2QADxPDebG2lk3IvKhoI/rqtb9DXE8Q9TggHW4O2g+2zMJNl9udfbHZEzSE65bB7HCY+0kiqTcUx75MEh6NzYFhs1luy+ZcS/sGTuY8wDMMNsUoZQE9aah6IAkPnH7GQxHa1VYQVafnvypWE5LMMn71Qbm8uoB7fSXlziEon55ywzxpLKRug2KBC0Tb+OyHUTGy6RJGlv26Vay5Vfwb4pKGi1cP/FVXoDRw9Pldy9LlkqssuXkLJhat9cxq6BFIlnKk9/URDqyy5ltXzVVkwWNIE5f0507Vl2sx9QJ0UCeVrcVlaJ5a6dTE77amymxmop4PhfvumrA2mG/pPJvPLn0ucorWpPyZBuLHSNOTyVtsAwSaHrDQEmXIk2LeS2sOUSl36gHth8cAI8DFCSy5n8M2+8yekXqZRK4LgQVZ3jZ6KGIoxHJZ+qUaCJ9wK6CQp7RDuaRfyaF4vYvn8wXjhDkwQvDJu09Z3pQL5H/nRdQnoOg+vpYM+hgFT0mGLQvcyQBPhgyZiU0pbh6RMGeYwtCwloP0cVn8VrIxMZTuIFVKRKNUj13aceUpcEm8CUZnpIrN4FfOM0LteWUeVhDurOpK+TAgrrgtYi5GzsYkotKug5zsMkDcCI9z7gXtBI3BkOu2nc61wSUBHCwN4AYmpcL4jTKLsjwqtb8H0yTBwKIz6DHaxeWMuFpFkCT3+jS9YApwvDYo6kXrZ8qJmdNda0ECXz+WXIgKJ/B5latUyblVpDUaUImAUrdFYPJaAakMqEwC+OffsI4r/PDTrFJ2W8Rhmw11YUvbIU2GDnew+QpkEus2lhiSO1E3sfcSD76Pm7AHb+r99SNXpFC8f/aTXxGcV7GvnHv9SJDLuvqJ1e+WDYZHTfqYzplufpK2RWbLA7+dt+o3ejNEJirOUHDZfqrv8oDU7YW8+yOlRxbtkU5MpX8svLMNOfC/bfzkQqNssy/Bi1EqYyD9zs6VPsyc9ta+jCqQmFJ1gkIWhTrLpHH5jgwbj7pWYqLFNcSIT6T4ra92oW6AZ5+0CwiMGuTzWKQTj7Crst7nENOOlJwp6zgp0+35aWawuOI14CGaywHUGPkJwg317J8SYAbq5tEq2DqL2botyK8enfpRFPGDTmfd2FEyL9HraqOJCkSpgR6W4D81bAJHdQftAgj5QB9j0VYqIL2RxYc6u6j5dEG1vCuSMJghG1kLWt5N8NQbJEYSTTaFi2JQUU4zAmyZo1hla3gKmHWrkEYB8wBdWieNSfCZwbrQerrUFoEH7V8Zt36oECwR16ibLKITqj0VE8GrR+EcG74aNMg8ZOY4cu8OirtQiDsHwou+GIVeuagDIJRGaGc4tXgjUhyTbdG9TM6bUc9kIvvHgXBYUXrcODhlEkYMbh0gjj2z6Vaz2tOLcP8YMKLm9GMKaAZGbveV4hvN5HDfIq/Jg17qmSDLZfKXIhkF5h/6065zCPVgDEtzRhx5t6EFO/ijFddcDF3c9Es9JgE9H/2TbwgMeB9cS8Q/ULB4gteefj26BKFQWb5ShINuRvJTWLBnPil7e6XVVWHPKkeZr/XmOQ5A/UfR70eXuPWx/J6ix8uoCnef4KtQFiiQdcRlcurIAw6CBFmmFs0sj5WRZ5YuvUVqlunvAkuCC/g/+WKa12C34VNUMaeWzVtVX205D3/xA87Wd/HvbC/gzV+et5HaqfUo5KTpONH43brqMoY3NznHSoofOxejib+7J4A5e2wyqAVXME4GUEfunQm7UZAPKjHoxeSdTzeuHp7gBm4XKglzA668ynnfi1F3LSzOcQ/ggu2MHrOjPatDrzKyROXqGoUROh+dwmWb1T42ICq2er1JYl43r+rVk/ONQ/SCQWuYBqQOe/vHj20rstnNmXoVlRqecA8vOEdEh0YY13BnDOZl1Fe3NDyAYEpqVP2H2+mdrIUI1LQu3gTmQoGoR7RHUf9QHKryD93m8ETunbTuT8wM+t9TWcC7FSJyFhyFOgMDqh0+bKUYNJRnN4xSbRGyFYw1Py296KkN3BpE6+kBkJQ4PoKkY7vbPqXTQ0ibcxdpOy/WWuWIcuwPSSYfSFSXX5u7+N3+qIdQU/38Ws5GYRv2C0QbUhbwjU5CmA2doYS/pjGpcuY9beN0gcmtV5utdAr9hb6KOiIouvhTonEVug853EfhYQfq8S3B5W87GySwj8lQEK7Iv+UgqPBogdXS68A9518lEpTH2MaMQI8M7TBHjVGeoEAa0QV6fW1kNy/kNAFiEwpCWsy99Ox2ecv0oWgl9A7LX2ZtfuDJ7PkEDZS8+YUn08eo7Crsc3QYefz0UTasMBYoH149K7D/ULPXA27BVwkUUmkFr3ADFBk1N0vcrgBn8YLStyFQ9RYP1pkZkX8GYNxejF3GSaiTTxd+U/iz1MlsqmtSKzHPlcXkbikv08WIAG+N+h/k0xY3+6hLgXT6In6axXsSma346p/Zia/ORQPar8L82ddy+UNXpKj3zQeKr3CQnEQuFcRI5YJQYmoojqesWJ61k5vD092YClUn7AHOYEwyYtctPzTY/rwrNDuJfLqKn8mhnGOrzf0LWv6WjEhmBintYWmDDSkBS8KBiZCKJWR2IlBKfaJJpRhMPJOScsM2ThYx9ui3riTplpACDavVF2BZnxba51CvVxsQJO/fG/6ykMFJUdFtvaJk2IWvyZy/VCSd7+bORrmDTxWmUZEHeeedtaW4gkmk6iw0a0q8IesQY1OKfkTEeztAXP9yQJhPetNv5vKgD6IX+vsIj2vpmVGMBSKatff2VOVnRLOdOz/lZjeGGDLkJpi4VGNZGl3OFY47il21a1abNYWkCL+Lue6Htd2hRMKvjIn0OvUol6sm6VexvLPGWX9q0kXpsr78C+4q1JIzS2/erjVvFI5TZQwyxgwQqFSawTxmWU2TRf2UeJHTJDhCC31noshAYQEzBDJvQDFTgAXBn5myVN/C6JOHof9qL4h0nNaMZRnvPRBiXUcei6oC/0etBnZgF/Ydd3E3KV2gW08mwI+mpGZ2XpIEci54MlylnS0/xeE0ralwO2KKUmLI0BA8CML/S1JXMe99kx/o28oemVm11CwoK8V22JUBM0rU/+U8FLnCWW5/cJC2ttph+rd/XnMzTsiGRIVQG2n35EexdWScmVpqOG9AWUNSZMrc3tBVN4IgdOW/z4czi+zSKdSvhB+x6G0M7mOv9Eg44bFBRVXwruITsrpCn8nMTCwu9BdjkOfPsq5BShyAZKD+Se3Qi4AvG+jwlbRFw4RDa8qMxgdeJggiti6dYo3IJeKOA30siVG4DryYCOnLcL1vaQkPY10+hsn734irkTdmOn7XEEyRVGekXUI1STpdZ+cw/Juzt8UdyAMnILY1F4tB6HvKzXK6e1fh8egtpQ3VUhmYLdk1v2/w0dtlG2rm2o9P+iMepV2fnKiBACkddmshypKmPT2/6rvCnZofZx9R6uXamoJjpshbdg7C2aOVVNpQwlZgY+EPINnivgfEXQ63WVO9AhaudHg0WMk1qxDzUuhnEeJ+CmjsfcjWhjxADSO8CA0DWI1iYhbBslzba8pwDzi8Am+le1QGmbs6OfFr9QI9hfh5XMKi+xqwa1pK7gZlUzt0XW6SPMZcGNfFEyx6fugIyzS3jrGajmRY++HOUGglxIadUHbPg3ZbGztkPphJcQgsGa/8kaZCL1Y7oa8AuWGM6CuGJHePbm6wk0Rz2cOqfBixukp/I3HL8vuCCWetHSufe2QNhjNXcJsg85+rpJ8Ek9Zb4HwoCKo4rNpIzKq7+fObx/QI7QXzJx2MvozbACYbfEs6CaRQpQOb53rusOO5e4AcjO5nwJEODrlbxMyMZ49LEJ7yJQ6uoSVR2bVsrFHpNZoBlhhnnlhiFk8EirNy1PUT5XW6t08yykanbHBdjqU52E92SN7dLKeaHwEoBU1exzRxcHnZztNh3dIPQZHGpLCRGV8aUbVsvOtGf7rhJBjf5jWi4i3Ai8Gr5DlJAmur0XClPb1ZbTQgsIw2HmZPvz4cWJWkbMM1AgkVYeMX1byXEJ+fJXelz7r/uv1XHenA0x35KNpY7lfikdVtnQs/rC/efBLW52g5c3Y1KOREL7WjLsKZZgpWmsdx2EjEIvit8iGuVqY2B5yMzkeCqEjRNlE3U63e5V6pSd0PXCepvmp+KPI9no7fHARtTdr9Ys3Rfka+N1Zhs2vneV77ofty5hbAjhT/MIaI6+I+1m4OKtQriJmMJv6rGsAzqeHDvj6nyM6HbPXIreNykV/HEtjSzM6vLZ0C+8PJXcGUgzNsGhHsl4QRn5tn27ZQMMKpBJBe7AyVka7rQpb/vch9mBo0OGySb4LVSITNaJTanId4opjnjEnD/PDA/pvQ5jO6YP5S707M8bYOv9lY38IzKdf23kpGO+NqXMEbU62fGCo39t8PHpK9EHo4TKQdr3ge4clSpDi/SvmeF3X4orkNHsd5j0fBL6B0MEGOABoqH8DQoRJ9fzbNtwGbT18nN95d3Lu6bciDTwGVlvPAOTV6qTKMfbPFWzmKibgzYs6yq2OUCWIgOYFoS5537ZFnFzsu9DQkLFIND/Adbz33Qy46s3GB4JA5UvgTMEjtMBOMe4Q456H2WpcBxC/bBnaotkdFq1t5peY005PR0eRvz7tBYvl/Ok1JpBYg4cKUSMRYGDMTM976iYNp1hYMDqLGk4dLJ3/r1ibNeKfhfBf+A/V4MIDSBzfbUWlJxjHAUmy7jklLhT9W1Q3WDOgCrr2/RauTNLYzH1oTo8mPW4fryn6+0uJDLPVz0Scm1qsJHFSBtWvfrzI/nFzaxSzHEHVebgkxoAw9K3toGplCJadWDDssgwB0onlX8YFD0PAPPNA7LdsoCHDOTzTkPTHHiEfjN0S1M7QoZr9JR9Cm5p65Gt3CK6MKv+QlPjs1mqKEZYZLgrX+5JudMvGNUrdjqQWX7gcRoluf6vSxS6v7Ml0xGYoEyeC7lkj+iDURYpd4KlY/G0W6xiVGxukrGa+xHCXocAWz/ykrkogx8hMTnkFxCOpUhP1x+LnDpMV7acdUcuZYBVPm/5YXUUzrhpYKNbHmchQjpxhzkCZwMtAKFmCuPFeu9hK96ubPx3iQPsMB6/XdecPabn9g4KZ0kuIufrhN0eoak8YRjY11BP6sMdWLbXyJ+F3yU4U0dLqKstEqGNcQG/q+0Wqx9+FMcF8EVp/SMhN5WAyXIoCUcQy8DyS/LbSrPHZDGcYPDByW5CBVXZkEDt8Rg84R86DvlCjLn+M7c1/z/NYVxb3Z1vFO25O37QbjmHONItULQ0dn6bkba3anmWJsWRxnUTT3hRrNZre2aXJgG8MVYTX+KTrwkEId+InePlOet/YD2pbUv/dYk3BFm4SuCmvJhDtfMvScdjPEwSnKcrFZju+CdjMSg4RREChJjQAyuvweWc43JgwRpWiOGG7DzDX5dHeG5Gj2kMlltBBob8ArccxU4+jBOWyBvgnbnknqtFuzJnhmI7iP2/PdNNcPA8eJYauDJaECMrtf274mPfpIS/lMG1ZX2fzS4RtM4v9Yip123WC/BkfrP14kY5AEFsMuSzrDb7if/NNIf19i9AcP5KopBVLFpBHVoEPGdlLDhvAEHruUlLiQxOpvlR/uWjRgcsL8XHbpdqyxVeOZgJLXBilzOONNdiDuMcH2IeiHooJJL0ISBW5NQTnPJ817F+FNYPV2ChBIcZvl8Jg7D63M7Qvmid6bJDbIfc2NDOnMODB3jsloh/O/XPvmINPghcETBTWkP197/jXXIfXMEOtGgeEWIgDzqgAHpYJ/NZ6jPSxgGvFGfShEKazkpvIPHglVUqxpoui/8+iCNiB7kZfW6YPSY3yhZiZj783mM7L/iWYC/4cCPSwYdvt9JBms9UCrabOteSy6yfno3P3iatt8L1XfrggHYNEjkIweBTW5r1aEHnrqmVAVTs8BhZHSOIUGn58vMbtU68Hp+jAuXQpL3W+Q3A1bRZCUk0n3ZRpY0ohb4jrmgI/hU+nNkcsi5kRYErnUU8e5hWYF3wKlbpr2jBArEKU7oH2WAPHqkpi3GbOeQRT4cRF7PKDD8qA4W8wvp1qvrl9IFcfqW5v86bytHKkgRE5tuXvw8sUYl8sXUCwo9K5BguGjAS7ETEsbFdRj6jrzBtlxjup1nTq785/AF6JD+eLta2QCahAXvwjHY1SmD3RJsrRPurZtbhkYNAppOtZNMR2jLsbcJsiq0GlDF++LF/t+/985bFQlZsyGcq8nruvaMIcJTRzaCL4UgWwqvHh3xaSJ0GcDaF+N2XINVZivuxaYg7p3UCtR7Qq6IUAXgPaYXUgkLWlDNYLWtt2aWMfsLVFLjfWkoI0GFsqcnBMjvY3V98RbUEBLGKZQd7rCfs8BgIaOOq93Xi811PMwvuYTaLALL7W2qrFn6bQsB3cg==</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

This is the step where SAML blows up (not illogical as it probably doesn't expect encrypted SAML assertions.)

Now, AFAICT the only thing that needs to happen is implement the 'decryption' step. I'm not entirely sure if it's feasible to implement all the supported encryption algorithms, but it might be worth the attempt to try a couple?
I'd be interested in hearing your input.
@bergie
Copy link
Contributor

bergie commented Feb 11, 2013

@simong the crypto stuff in passport-saml is handled via the xml-crypto module, so the first thing is to check if that supports the things you'd need already.

I don't have a Shibboleth setup handy, so a pull request to implement the necessary changes would be great.

@bergie bergie closed this as completed Feb 11, 2013
@bergie bergie reopened this Feb 11, 2013
@simong
Copy link
Author

simong commented Feb 12, 2013

I played around with this a bit more.

I've written a small Java app that replaces the EncryptedAssertion with their uncrypted Assertion counterpart.
I've also added saml2 and saml2p namespace support in saml.getElement

Before I hand over the returning request (from IdP --> Node) to passport-saml I run it trough the java app to perform the decryption.
If I disable the signature check (which happens in Java anyway) I'm able to log in and access the Shibboleth attributes and continue as normal.

I've also added anti-replay support as any intercepted message could otherwise be replayed and you would be able to log in as the user from who you intercepted the message.

Would you be interested in me submitting a PR for this? (The Java .jar file is around ~12MB so it would add quite a bit of weight to this module.)

@simong simong mentioned this issue Feb 12, 2013
Closed
@magou
Copy link

magou commented Jan 22, 2014

I'd be interested in this as well. I'm attempting to connect to an IDP that sends back an encrypted assertion (as Shibboleth does) and it fails miserably. Supporting encryption would be really great. +1000 on this Pull Request.

@danielkhan
Copy link

I've ran into the same. The module has 'Shibboleth' as keyword and well - I thought it would support it. In fact it supports just SAML and NO Shibboleth at all.

A deadline was coming close and so I spent a night hacking the module to decrypt encrypted assertions and deal with the payload that comes with Shibboleth.

In fact not much of the code was untouched after that - but I am in production with it now finally.
It is still too hacky to release it as module but if you are interested drop me a line.

@ploer
Copy link
Contributor

ploer commented May 29, 2014

@danielkhan , I'm interested in adding assertion decryption, is there someplace I could look at your changes?

@danielkhan
Copy link

Yes - it can be found here: https://gist.github.com/danielkhan/69f08fa633a12d4a4d4b
It was done in a night under time pressure and is hacky and nothing I would publish in a module but it serves its purpose and is tested with testshib and works find with an austrian university using shibboleth.

The important parts are from line 222.

@ploer
Copy link
Contributor

ploer commented Jun 2, 2014

I've committed e027994 which adds working decryption support for a test case based on the testshib.org IDP.

Will be interested to hear how well this works for folks. (and if there are cases it doesn't work on, please capture some response documents to add to the test cases)

@ploer ploer closed this as completed Jun 2, 2014
@petermikitsh petermikitsh mentioned this issue Feb 26, 2015
Closed
@ricardosaracino
Copy link

Can someone point me in the direction of how to add aes256-cbc Assertion encryption support... i see this lib but not sure how to put it all together

https://github.com/auth0/node-xml-encryption

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@bergie @simong @ricardosaracino @danielkhan @ploer @magou