Hello!
The request contains a SAML assertion in the security header.
This SAML assertion contains a
                <saml2:Subject>
                    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
                    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45" NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
                    </saml2:SubjectConfirmation>
                </saml2:Subject>
In the request there is an attribute in the claims:
<ns:Claims Dialect="myDialect">
        <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
        </saml-a:Attribute>
</ns:Claims>

The certificate with which the incoming SAML assertion is signed is stored in a database, and for the query I need the saml2:NameID value (myUserID) and the "urn:oasis:names:tc:xspa:1.0:subject:organization-id" organization ID (myOrganizationID).

I can do this query, but only after the SAML validation is done.

Somehow I need to run the SAML signature validation after I can get the data (inside the org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle() function),

or get the data from the request in the org.apache.cxf.ws.security.trust.STSSamlAssertionValidator or org.apache.wss4j.dom.validate.SamlAssertionValidator.


Thanx

Csaba

The request:

---------------------------------------


<soapenv:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
            <saml2:Assertion ID="Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842" IssueInstant="2018-02-06T18:29:56.647Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
                <saml2:Issuer>....</saml2:Issuer>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <ds:DigestValue>....</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>....</ds:SignatureValue>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>......</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </ds:Signature>
                <saml2:Subject>
                    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
                    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45" NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
                    </saml2:SubjectConfirmation>
                </saml2:Subject>
                <saml2:Conditions NotBefore="2018-02-06T18:29:56.647Z" NotOnOrAfter="2018-02-06T18:39:56.647Z">
                    <saml2:AudienceRestriction>
                        <saml2:Audience>.....</saml2:Audience>
                    </saml2:AudienceRestriction>
                </saml2:Conditions>
                <saml2:AuthnStatement AuthnInstant="2018-02-06T18:29:56.647Z" SessionNotOnOrAfter="2018-02-06T18:33:16.647Z">
                    <saml2:AuthnContext>
                        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
                    </saml2:AuthnContext>
                </saml2:AuthnStatement>
                <saml2:AttributeStatement>
                    ....
                </saml2:AttributeStatement>
            </saml2:Assertion>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <ns:RequestSecurityToken>
            <ns:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns:TokenType>
            <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</ns:RequestType>
            <ns:Claims Dialect="MyDialect">
                <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                    <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
                </saml-a:Attribute>
                ...
            </ns:Claims>
        </ns:RequestSecurityToken>
    </soapenv:Body>
</soapenv:Envelope>


On 2019-08-30 12:14, Colm O hEigeartaigh wrote:
Can you post what the request looks like? Even a redacted version of it?

Colm.

On Thu, Aug 29, 2019 at 7:48 PM Tóth Csaba <[email protected]> wrote:

Hello!

I studied the WSS4J SAML Validator, but it did not help much; my problem
is that I need to get the certificate based on the content of the request
and the header SAML assertion (get out the subject, do a query, and the
query gives back the certificate), and I need to validate the SAML
assertion with this certificate.

In this case the SamlAssertionValidator is running before I am able to
parse the request. I can create a dummy validate() function, but
afterwards I need to somehow call it again.

Any help will be welcome.

Thanx

Csaba


Does the SAML assertion appear in the security header of the request or in
the body of the request? For the former, you will need to implement your
own WSS4J SAML Validator, or subclass the existing one in some way:

https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java

If the SAML assertion is in the SOAP Body then it's handled by the STS
code, so you will need to either replace or override this class:

https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java

Colm.

On Tue, Aug 6, 2019 at 9:03 PM Tóth Csaba <[email protected]> wrote:

Hello!

I have a request with the STS to validate an incoming SAML assertion with
a certificate that comes from another source: for example, I need to
query it from a database, based on the data in the request.

How do I start? I know the SAML validation is deep down and needs the
certificate to be in a truststore. Can I give the certificate directly
as an attribute, or do I need to create my own custom truststore manager?

Thanx.

Csaba


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
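Putting Colm's suggestion together with the request posted above: since the assertion sits in the wsse:Security header, the hook is a subclass of WSS4J's SamlAssertionValidator. What follows is an added example, not code from this thread and not part of CXF or WSS4J. The subclass overrides verifySignedAssertion() so that the trust anchor is the certificate returned by a database lookup keyed on the saml2:NameID and the organization-id claim from the SOAP Body, and it re-verifies the enveloped signature with that certificate instead of trusting the ds:X509Certificate the sender embedded in the assertion. Assumptions, all labelled in the code: the class name DatabaseBackedSamlValidator and the CertificateLookup interface are hypothetical stand-ins for your DAO; RequestData.getMsgContext() is the CXF SoapMessage and its SAAJ SOAPMessage content has already been created (which is how CXF's WSS4JInInterceptor populates it); the javax.xml.soap imports are for CXF 3.x (jakarta.xml.soap on CXF 4.x).

```java
// Added example (not from the thread, CXF or WSS4J): a SamlAssertionValidator subclass
// whose trust anchor is a database-registered certificate rather than a truststore.
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.xml.soap.SOAPException;   // jakarta.xml.soap on CXF 4.x
import javax.xml.soap.SOAPMessage;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.ext.WSSecurityException.ErrorCode;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class DatabaseBackedSamlValidator extends SamlAssertionValidator {   // hypothetical name

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String ORG_ID_ATTR = "urn:oasis:names:tc:xspa:1.0:subject:organization-id";

    /** Hypothetical DAO: the certificate registered for (NameID, organization-id), or null. */
    public interface CertificateLookup {
        X509Certificate find(String nameId, String organizationId);
    }

    private final CertificateLookup lookup;

    public DatabaseBackedSamlValidator(CertificateLookup lookup) {
        this.lookup = lookup;
    }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        SamlAssertionWrapper assertion = credential == null ? null : credential.getSamlAssertion();
        // An unsigned assertion has no key to look up, so there is nothing to trust: reject it
        // explicitly instead of relying on the requireBearerSignature default.
        if (assertion == null || !assertion.isSigned()) {
            throw new WSSecurityException(ErrorCode.FAILED_AUTHENTICATION);
        }
        // super.validate() calls verifySignedAssertion() below and then runs the
        // Conditions, AudienceRestriction and one-time-use checks unchanged.
        return super.validate(credential, data);
    }

    @Override
    protected void verifySignedAssertion(SamlAssertionWrapper assertion, RequestData data)
            throws WSSecurityException {
        // Both values come from a request that is not yet trusted: use them only as a lookup key.
        String nameId = assertion.getSubjectName();        // "myUserID" in the posted request
        String orgId = organizationIdFromBody(data);        // "myOrganizationID"
        if (nameId == null || orgId == null) {
            throw new WSSecurityException(ErrorCode.FAILED_AUTHENTICATION);
        }
        X509Certificate trusted = lookup.find(nameId, orgId);
        if (trusted == null) {
            throw new WSSecurityException(ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            trusted.checkValidity();
        } catch (CertificateException e) {
            throw new WSSecurityException(ErrorCode.FAILED_AUTHENTICATION, e);
        }
        // Re-verify the enveloped XML-DSig against the certificate from the database.
        // The ds:X509Certificate embedded in the assertion is deliberately never consulted.
        assertion.verifySignature(new SAMLKeyInfo(new X509Certificate[] {trusted}));
    }

    /** Reads the organization-id claim from ns:Claims in the SOAP Body (assumption: the
     *  message context is the CXF SoapMessage with its SAAJ content already built). */
    private static String organizationIdFromBody(RequestData data) throws WSSecurityException {
        Object ctx = data.getMsgContext();
        if (!(ctx instanceof SoapMessage)) {
            return null;
        }
        SOAPMessage saaj = ((SoapMessage) ctx).getContent(SOAPMessage.class);
        if (saaj == null) {
            return null;
        }
        try {
            Element body = saaj.getSOAPBody();
            NodeList attrs = body.getElementsByTagNameNS(SAML_NS, "Attribute");
            List<String> found = new ArrayList<>();
            for (int i = 0; i < attrs.getLength(); i++) {
                Element attr = (Element) attrs.item(i);
                if (!ORG_ID_ATTR.equals(attr.getAttribute("Name"))) {
                    continue;
                }
                NodeList values = attr.getElementsByTagNameNS(SAML_NS, "AttributeValue");
                for (int j = 0; j < values.getLength(); j++) {
                    found.add(values.item(j).getTextContent().trim());
                }
            }
            // Exactly one value or nothing: a second claim with the same Name must not let
            // the sender pick which certificate is looked up.
            return found.size() == 1 ? found.get(0) : null;
        } catch (SOAPException e) {
            throw new WSSecurityException(ErrorCode.FAILURE, e);
        }
    }
}
```

Register an instance as the SAML 2.0 validator on the STS endpoint (the CXF SecurityConstants.SAML2_TOKEN_VALIDATOR endpoint property) and the existing WSS4J processing calls it for the header assertion; no dummy validate() and no second pass from issueSingle() are needed, because the database query runs inside the validator itself. Two caveats: the NameID and organization ID are read before the signature is checked, so they select the certificate but prove nothing until verifySignature() passes; and the posted assertion is signed with rsa-sha1 and a sha1 digest, both deprecated, so a WS-SecurityPolicy AlgorithmSuite on the endpoint may reject the token before this validator ever runs.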


