problem with canonicalization algorithm #36
-
I'm trying to implement SAML2 single sign-on on an app as a service provider towards an IdP, and I'm using XML::Sig to sign my sp_federationmetadata.xml file. One issue reported to me by the IdP is that their ADFS management system rejects the metadata with the following error: I know very little about this, I'm learning on the fly, and I see in http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf that
I checked my installed lib and tried changing the TRANSFORM_C14N_COMMENTS constant and the CanonicalizationMethod Algorithm block, and will try with that, but I wonder if this is something that should be changed in XML::Sig, or if there's something else I'm doing wrong. Best, |
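A quick way to see what a strict verifier will object to is to lint the algorithm URIs inside the metadata's ds:Signature before uploading it. The check below is an added example, not code from Net::SAML2 or XML::Sig; it uses only the Python standard library, and the metadata sample is constructed to mirror the inclusive `#WithComments` SignedInfo that the thread reports ADFS rejecting.

```python
# Added example (not Net::SAML2 code): lint the canonicalization algorithms in a
# SAML metadata signature before handing the file to a strict verifier such as ADFS.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Exclusive C14N (what the SAML profiles recommend) and the enveloped-signature
# transform pass; inclusive C14N ties the digest to namespace declarations
# inherited from ancestors, so it breaks when the metadata is re-parented.
ACCEPTED = {
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
}
INCLUSIVE_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

def check_metadata(xml_text):
    """Return (element, algorithm, reason) for each questionable C14N/Transform URI."""
    findings = []
    for sig in ET.fromstring(xml_text).iter(DS + "Signature"):
        for elem in sig.iter():
            if elem.tag not in (DS + "CanonicalizationMethod", DS + "Transform"):
                continue
            uri = elem.get("Algorithm", "")
            if uri in ACCEPTED:
                continue
            if uri.startswith(INCLUSIVE_C14N):
                reason = "inclusive C14N; use exclusive C14N instead"
            else:
                reason = "unrecognised algorithm"
            if uri.endswith("#WithComments"):  # comments rarely survive transport
                reason += " (and #WithComments)"
            findings.append((elem.tag[len(DS):], uri, reason))
    return findings

# Constructed sample reproducing the SignedInfo shape XML::Sig emitted in the thread.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <dsig:Reference URI="">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
      </dsig:Reference>
    </dsig:SignedInfo>
  </dsig:Signature>
</md:EntityDescriptor>"""
```

Run `check_metadata` over the real sp_federationmetadata.xml; an empty list means every CanonicalizationMethod and Transform is already exclusive C14N or the enveloped-signature transform.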
Replies: 12 comments 4 replies
-
What provider are you using? |
-
Hi, take a look at https://github.com/perl-net-saml2/perl-Net-SAML2/blob/master/TUTORIAL.md The current version of Net::SAML2 uses Net::SAML2::XML::Sig instead of XML::Sig directly. Can you provide some code samples please as to where exactly you see this? You can also review https://github.com/timlegge/SamlLoginContrib/blob/edf3562a3b4b14d01b27220de7c47a102345c823/lib/Foswiki/LoginManager/SamlLogin.pm#L504 to see the login initiation of a login request. |
-
Hi
I likely did not document this as I have not used it much myself:
The metadata returned in this case has not been signed. Do you need it signed?
Tim
https://github.com/perl-net-saml2/perl-Net-SAML2/blob/master/xt/testapp/lib/Saml2Test.pm
```perl
use Dancer;
use Net::SAML2::SP;

# Serve the SP metadata produced by Net::SAML2::SP (unsigned in this version)
get '/metadata.xml' => sub {
    content_type 'application/octet-stream';
    my $sp = _sp();
    return $sp->metadata;
};

# Build the SP object from the Dancer config (issuer, URL, cert/key, CA cert)
sub _sp {
    my $sp = Net::SAML2::SP->new(
        id               => config->{issuer},
        url              => config->{url},
        cert             => config->{cert},
        key              => config->{key},
        cacert           => config->{cacert},
        org_name         => 'Net::SAML2 Saml2Test',
        org_display_name => 'Saml2Test app for Net::SAML2',
        org_contact      => '***@***.***',    # contact address redacted on the page
    );
    return $sp;
}
```
…On Fri, Oct 22, 2021 at 1:01 PM Adriano Varoli Piazza <***@***.***> wrote:
I've implemented what I have of the login flow so far based precisely on your tutorial, it's been really useful. But this problem I have now happens because I'm trying to programmatically generate an SP metadata XML file. I will try with your version of Net::SAML2::XML::Sig, though I see basically the same code, I think, on lines 33 and 1381-1385 of the current Sig.pm
```perl
33    use constant TRANSFORM_C14N_COMMENTS => 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments';

1381  return qq{<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
1382  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
1383  <dsig:SignatureMethod Algorithm="$algorithm" />
1384  $digest_xml
1385  </dsig:SignedInfo>};
```
|
-
Yes, signing it is the part where I'm having trouble. A problem with that code is that I can't specify my URLs for callback/logout/etc. |
-
So the Net::SAML2::SP is now configurable for the values that were previously hard coded: https://github.com/timlegge/perl-Net-SAML2/tree/metadata Taking a look at the signing next |
-
The https://github.com/timlegge/perl-Net-SAML2/tree/metadata has the signing of metadata. It will be cleaned up and likely optional in an upcoming release. Try uploading: It has been signed with the cert from xt/testapp |
-
Logged as: perl-net-saml2/perl-Net-SAML2#40 It likely needs a bug here too |
-
@adrianovaroli did you have time to review the changes in https://github.com/timlegge/perl-Net-SAML2/tree/metadata? I am planning to do a trial release tonight with some other fixes. |
-
I'm testing them right now, I think it worked, yes!
--
Adriano Varoli Piazza
|
-
If you see any issues log at https://github.com/perl-net-saml2/perl-net-saml2/issues |
-
Also #37 fixes it in XML::Sig |
-
Latest trial version can be installed as:
`cpanm TIMLEGGE/Net-Saml2-0.42-TRIAL.tar.gz`
Check that your code is seeing the correct version:
`perl -MNet::SAML2 -e 'print $Net::SAML2::VERSION ."\n";'`
I have some last testing to do and will release 0.43 this weekend if I don't see any issues.
The setting is now sls_double_encoded_response: "1"
Tim |