  • Message Authentication problem

    First of all... really good job!

    I'm testing this Spring module and I still have a little problem; I'm sure you will help!


    I have installed Shibboleth on my local Tomcat 6.
    ( https://wiki.shibboleth.net/confluen...lay/SHIB2/Home )

    In Tomcat 6 I have configured 2 connectors for my IdP:

    Code:
    <Connector SSLEnabled="true" clientAuth="false" keypass="xxxxxx"
        keystoreFile="C:\\app\\shibinstall\\credentials\\idp.jks" keystorePass="xxxx"
        maxThreads="150" port="443" protocol="HTTP/1.1" scheme="https"
        secure="true" sslProtocol="TLS"
    />
    Code:
    <Connector SSLEnabled="true"
        SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
        clientAuth="want"
        keystoreFile="C:\\app\\shibinstall\\credentials\\idp.jks"
        keystorePass="xxxx" port="8443"
    />
    Then ApacheDS as LDAP for the Shibboleth LoginHandler.

    Oracle XE for the Shibboleth AttributeResolver.

    I have installed spring-security-saml2-sample in my local Tomcat 7.

    Imported metadata both ways: IdP to SP and SP to IdP.

    Then I did some tests:


    ------------------------------------------

    TEST1 (with no artifact):
    Code:
    <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
        <property name="defaultProfileOptions">
            <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <property name="includeScoping" value="false"/>
                <property name="assertionConsumerIndex" value="1"/>
            </bean>
        </property>
    </bean>
    ----> OK, user authenticated and attributes printed on web page


    ------------------------------------------

    TEST2 (with artifact):
    Code:
    <!-- <property name="assertionConsumerIndex" value="1"/> -->
    IDP LOG:
    14:49:25.717 - ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:37] - Inbound message issuer was not authenticated.
    14:49:25.724 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.ArtifactResolution:198] - Message did not meet security requirements
    org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.

    RESPONSE TO SP:
    Code:
    <soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
       <soap11:Body>
          <saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_38a97cbb9ae5d4bde79c340afd780a27" InResponseTo="a2ja036g365833e753fi10d64gjh435" IssueInstant="2012-12-29T13:49:25.727Z" Version="2.0">
             <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idptest.xxxxx.xx/idp/shibboleth</saml2:Issuer>
             <saml2p:Status>
                <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
                   <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
                </saml2p:StatusCode>
                <saml2p:StatusMessage>Message did not meet security requirements</saml2p:StatusMessage>
             </saml2p:Status>
          </saml2p:ArtifactResponse>
       </soap11:Body>
    </soap11:Envelope>
    SP:
    error: no response

    ------------------------------------------

    TEST3 (with artifact and less security):

    In the IdP relying-party.xml: no MandatoryMessageAuthentication

    Code:
    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <!-- TEST3: rule disabled -->
        <!-- <security:Rule xsi:type="security:MandatoryMessageAuthentication"/> -->
    </security:SecurityPolicy>
    ----> OK attributes printed on web page


    -----------------------------------------

    Now my security context has:

    Code:
    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="requestSigned" value="true"/>
                <property name="wantAssertionSigned" value="true"/>
                <property name="signMetadata" value="true"/>
            </bean>
        </constructor-arg>
    </bean>

    But something is missing... do I need to do some Tomcat 7 authentication config, maybe?

    Thanks for the help and... happy new year

    Alessandro
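Added example (not code from the original post or from the Spring Security SAML project): the two SP-side checks in the artifact exchange described above, written in Python. The first decodes a SAML 2.0 type 0x0004 artifact and confirms that its SourceID is the SHA-1 of the IdP's entityID, which is how the SP selects the IdP's ArtifactResolutionService. The second parses the SOAP ArtifactResponse quoted in the post, walks the nested StatusCode chain (Responder, then RequestDenied) instead of only reading the top-level value, and verifies InResponseTo against the ID of the ArtifactResolve the SP sent. The artifact and the request ID used for the standalone run are constructed, the SOAP Envelope opening tag has been supplied around the quoted body, and the function names are mine.

```python
"""Added example: SP-side checks for the SAML 2.0 artifact binding.
Not code from the original post or from Spring Security SAML."""
import base64
import hashlib
import os
import struct
import xml.etree.ElementTree as ET

NS = {
    "soap11": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# IdP entityID as quoted (host masked) in the post.
IDP_ENTITY_ID = "https://idptest.xxxxx.xx/idp/shibboleth"


def make_artifact(entity_id, endpoint_index=0, handle=None):
    """Build a SAML 2.0 type 0x0004 artifact (constructed test data):
    TypeCode(2) | EndpointIndex(2) | SourceID(20) = SHA-1(entityID) | MessageHandle(20)."""
    handle = os.urandom(20) if handle is None else handle
    if len(handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    source_id = hashlib.sha1(entity_id.encode("utf-8")).digest()
    raw = struct.pack(">HH", 0x0004, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(artifact, expected_entity_id):
    """Unpack an artifact and verify its SourceID against the IdP we expect to resolve it with."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("type 0x0004 artifact must be 44 bytes, got %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 0x0004:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    source_id, handle = raw[4:24], raw[24:44]
    expected = hashlib.sha1(expected_entity_id.encode("utf-8")).digest()
    if source_id != expected:
        raise ValueError("SourceID does not match SHA-1 of the expected IdP entityID")
    return {"endpoint_index": endpoint_index, "source_id": source_id.hex(),
            "message_handle": handle.hex()}


# The ArtifactResponse quoted in the post; the Envelope opening tag is supplied here.
ARTIFACT_RESPONSE = """<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_38a97cbb9ae5d4bde79c340afd780a27" InResponseTo="a2ja036g365833e753fi10d64gjh435" IssueInstant="2012-12-29T13:49:25.727Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idptest.xxxxx.xx/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</saml2p:StatusCode>
<saml2p:StatusMessage>Message did not meet security requirements</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:ArtifactResponse>
</soap11:Body>
</soap11:Envelope>"""


def check_artifact_response(soap_xml, sent_request_id, expected_issuer):
    """Correlate the ArtifactResponse with the request we sent and decode its full status chain."""
    root = ET.fromstring(soap_xml)
    resp = root.find("soap11:Body/saml2p:ArtifactResponse", NS)
    if resp is None:
        raise ValueError("no ArtifactResponse in SOAP body")
    result = {
        "in_response_to_ok": resp.get("InResponseTo") == sent_request_id,
        "issuer_ok": (resp.findtext("saml2:Issuer", namespaces=NS) or "").strip() == expected_issuer,
        "status": [],
        "status_message": resp.findtext("saml2p:Status/saml2p:StatusMessage", namespaces=NS),
        # On success the resolved message (a saml2p:Response) is a child of the ArtifactResponse.
        "has_payload": resp.find("saml2p:Response", NS) is not None,
    }
    code = resp.find("saml2p:Status/saml2p:StatusCode", NS)
    while code is not None:  # StatusCode elements nest: top-level class, then detail
        result["status"].append((code.get("Value") or "").rsplit(":", 1)[-1])
        code = code.find("saml2p:StatusCode", NS)
    result["success"] = result["status"][:1] == ["Success"] and result["has_payload"]
    return result


if __name__ == "__main__":
    art = make_artifact(IDP_ENTITY_ID, endpoint_index=1)  # constructed
    print("artifact:", decode_artifact(art, IDP_ENTITY_ID))
    print("response:", check_artifact_response(
        ARTIFACT_RESPONSE, "a2ja036g365833e753fi10d64gjh435", IDP_ENTITY_ID))
```

For the quoted response the report shows status ['Responder', 'RequestDenied'] with the IdP's StatusMessage, so the SP knows the denial came from the IdP's security policy rather than from a transport failure; a resolved artifact comes back with status ['Success'] and a saml2p:Response inside the ArtifactResponse, which is what has_payload checks. None of this replaces authenticating the ArtifactResolve itself (SOAP message signature or TLS client certificate on the back channel), which is what the IdP's MandatoryMessageAuthentication rule demands.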

  • #2
    Solved...
    Code:
    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
        <property name="requireArtifactResolveSigned" value="true"/>
    </bean>

    Maybe it should be true by default?



    • #3
      Glad you found where the problem was, Alessandro. I think that making the value true by default is sensible, you'll find the modification in the trunk in the near future.

      Vladimír Schäfer
