Thanx!
It looks good, but I need data from the request too (the claims) for the query.

Csaba

On 2019-09-02 11:36, Colm O hEigeartaigh wrote:
I guess you could do something like override verifySignedAssertion, to
retrieve the certs from your DB using the SAML Assertion:

https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205

and then override the verifyTrustInCerts method in the underlying
SignatureTrustValidator:

https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97

Colm.


On Fri, Aug 30, 2019 at 5:20 PM Tóth Csaba <ig...@domen.hu> wrote:

Hello!
The request contains a SAML in the security header.
This SAML contains a
<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
                                       NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
    </saml2:SubjectConfirmation>
</saml2:Subject>
In the request there is an attribute in the claims:
<ns:Claims Dialect="myDialect">
    <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
                      xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
    </saml-a:Attribute>
</ns:Claims>

The certificate with which the incoming SAML is signed is stored in a
database, and for the query I need the saml2:NameID value (myUserID) and
the "urn:oasis:names:tc:xspa:1.0:subject:organization-id" organisation ID
(myOrganizationID).

I can do this query, but only after the SAML validation is done.

Somehow I need to run the SAML signature validation after I can get the
data (inside the
org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle() function),

or get the data from the request at the
org.apache.cxf.ws.security.trust.STSSamlAssertionValidator or
org.apache.wss4j.dom.validate.SamlAssertionValidator


Thanx

Csaba

The request:

---------------------------------------


<soapenv:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
                  xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml2:Assertion ID="Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842"
                       IssueInstant="2018-02-06T18:29:56.647Z" Version="2.0"
                       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                       xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer>....</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transform>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>....</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>....</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>......</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
          <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
                                           NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2018-02-06T18:29:56.647Z"
                          NotOnOrAfter="2018-02-06T18:39:56.647Z">
          <saml2:AudienceRestriction>
            <saml2:Audience>.....</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2018-02-06T18:29:56.647Z"
                              SessionNotOnOrAfter="2018-02-06T18:33:16.647Z">
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
          ....
        </saml2:AttributeStatement>
      </saml2:Assertion>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <ns:RequestSecurityToken>
      <ns:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns:TokenType>
      <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</ns:RequestType>
      <ns:Claims Dialect="MyDialect">
        <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
                          xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
        </saml-a:Attribute>
        ...
      </ns:Claims>
    </ns:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>


On 2019-08-30 12:14, Colm O hEigeartaigh wrote:
Can you post what the request looks like? Even a redacted version of it?

Colm.

On Thu, Aug 29, 2019 at 7:48 PM Tóth Csaba <ig...@domen.hu> wrote:

Hello!

I have studied the WSS4J SAML Validator, but it does not help much. My
problem is that I need to get the certificate based on the content of the
request and the header SAML (get out the subject, do a query, and the query
gives back the certificate), and I need to validate the SAML with this
certificate.

In this case (SamlAssertionValidator) it is running before I am able to
parse the request. I can create a dummy validate() function, but afterwards
I need to somehow call it again.

Any help will be welcome.

Thanx

Csaba


Does the SAML assertion appear in the security header of the request or in
the body of the request? For the former, you will need to implement your
own WSS4J SAML Validator, or subclass the existing one in some way:


https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java

If the SAML assertion is in the SOAP Body then it's handled by the STS
code, so you will need to either replace or override this class:

https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java

Colm.

On Tue, Aug 6, 2019 at 9:03 PM Tóth Csaba <ig...@domen.hu> wrote:

Hello!

I have a request for the STS to validate an incoming SAML with a
certificate that comes from another source: for example, it needs to be
queried from a database, based on the data in the request.

How do I start? I know the SAML validation is deep inside and needs the
certificate to be in a truststore. Can I give the certificate directly as
an attribute, or do I need to create my own custom truststore manager?

Thanx.

Csaba


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



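Putting the approach Colm describes above into code, as an added example that is not from this thread and not part of the WSS4J or CXF projects: a SamlAssertionValidator subclass whose verifySignedAssertion takes the NameID from the assertion and the organization-id from the wst:Claims in the SOAP Body, fetches the registered certificate through a hypothetical CertificateLookup interface (the SQL behind it is yours), and then verifies the XML signature against that stored key. Rather than also overriding verifyTrustInCerts, it re-runs the signature check with the database key, so the certificate the sender embedded in KeyInfo never acts as a trust anchor. The class name and the lookup interface are invented here; the WSS4J calls used (SamlAssertionWrapper.getSubjectName(), validateSignatureAgainstProfile(), verifySignature(SAMLKeyInfo), setSignatureKeyInfo()) are the WSS4J 2.x API, and the code assumes, as is the case when the CXF WSS4J interceptor invokes the validator, that the assertion element's owner document is the whole SOAP envelope, Body included.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Validates a signed SAML 2.0 assertion from the WS-Security header against a
 * certificate selected per (NameID, organization-id) instead of a truststore.
 * Example code, not part of WSS4J or CXF.
 */
public class DbCertSamlAssertionValidator extends SamlAssertionValidator {

    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String ORG_ID_ATTR = "urn:oasis:names:tc:xspa:1.0:subject:organization-id";

    /** Hypothetical lookup; a real implementation runs a parameterized SQL query. */
    public interface CertificateLookup {
        X509Certificate find(String nameId, String organizationId);
    }

    private final CertificateLookup lookup;

    public DbCertSamlAssertionValidator(CertificateLookup lookup) {
        this.lookup = lookup;
    }

    @Override
    protected void verifySignedAssertion(SamlAssertionWrapper samlAssertion, RequestData data)
            throws WSSecurityException {
        // Kept from the default implementation: the signature must be enveloped and
        // must reference exactly the assertion it sits in (signature-wrapping check).
        samlAssertion.validateSignatureAgainstProfile();

        // Both lookup keys come from a message that is not trusted yet. They only
        // select a row; nothing in them is believed until the signature verifies below.
        String nameId = samlAssertion.getSubjectName();
        // Assumption: the owner document is the full SOAP envelope, so the Body is reachable.
        String orgId = organizationIdFromClaims(samlAssertion.getElement().getOwnerDocument());
        if (nameId == null || orgId == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }

        X509Certificate expected = lookup.find(nameId, orgId);
        if (expected == null) {
            // Unknown (user, organization) pair: hard failure, no truststore fallback.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        try {
            expected.checkValidity();
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }

        // Verify the XML signature with the stored public key. The KeyInfo the sender
        // embedded is ignored; the database alone decides which key may sign for this user.
        SAMLKeyInfo storedKey = new SAMLKeyInfo(new X509Certificate[] {expected});
        storedKey.setPublicKey(expected.getPublicKey());
        samlAssertion.verifySignature(storedKey);
        samlAssertion.setSignatureKeyInfo(storedKey);
    }

    /** Returns the single AttributeValue of the organization-id claim, or null if absent/ambiguous. */
    static String organizationIdFromClaims(Document envelope) {
        NodeList claims = envelope.getElementsByTagNameNS(WST_NS, "Claims");
        for (int i = 0; i < claims.getLength(); i++) {
            NodeList attributes = ((Element) claims.item(i)).getElementsByTagNameNS(SAML2_NS, "Attribute");
            for (int j = 0; j < attributes.getLength(); j++) {
                Element attribute = (Element) attributes.item(j);
                if (!ORG_ID_ATTR.equals(attribute.getAttribute("Name"))) {
                    continue;
                }
                NodeList values = attribute.getElementsByTagNameNS(SAML2_NS, "AttributeValue");
                if (values.getLength() != 1) {
                    return null; // zero or several values: treat as absent rather than guess
                }
                String value = values.item(0).getTextContent().trim();
                return value.isEmpty() ? null : value;
            }
        }
        return null;
    }
}
```

An instance built with a database-backed CertificateLookup is registered on the STS endpoint through CXF's SecurityConstants.SAML2_TOKEN_VALIDATOR property, which makes it the validator WSS4J calls while processing the security header, before TokenIssueOperation runs. Because the NameID and the claim value are read before anything has been authenticated, the lookup must bind them as query parameters, and a missing row is treated as a validation failure rather than a reason to fall back to the configured truststore.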