Thanx!
You saved my day!

Csaba

On 2020-02-19 12:54, Colm O hEigeartaigh wrote:
See here:
https://github.com/apache/cxf/blob/540bb76f6f3d3d23944c566905f9f395c6f86b79/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom/CustomUTValidator.java

SOAPMessage soapMessage = getSOAPMessage((SoapMessage)data.getMsgContext());
try {
    Element soapBody = SAAJUtils.getBody(soapMessage);

    if (soapBody != null) {
        // Find custom Element in the SOAP Body
        Element realm = XMLUtils.findElement(soapBody, "realm", "http://cxf.apache.org/custom");
...

Colm.

On Tue, Feb 18, 2020 at 7:12 PM Tóth Csaba <ig...@domen.hu> wrote:

Hello!
I have a problem with my SAML validation.
- I already made it so that inside the validation I can call an LDAP request,
get the given cert from the LDAP, and check it against the cert in the SAML.
BUT
I need data from the request too, especially one of the given claims. I
need that value to give it to the LDAP query.
How can I get the full request, or at least the SOAP body (it
can be any form: stream, string, DOM, object...), from the
org.apache.cxf.ws.security.trust.STSSamlAssertionValidator.validate()
function?

Thanx
Csaba

On 2019-09-02 12:17, Tóth Csaba wrote:
Thanx!
It looks good, but I need data from the request too (the claims)
for the query.

Csaba

On 2019-09-02 11:36, Colm O hEigeartaigh wrote:
I guess you could do something like override verifySignedAssertion, to
retrieve the certs from your DB using the SAML Assertion:


https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205

and then override the verifyTrustInCerts method in the underlying
SignatureTrustValidator:


https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97

Colm.


On Fri, Aug 30, 2019 at 5:20 PM Tóth Csaba <ig...@domen.hu> wrote:

Hello!
The request contains a SAML in the security header.
This SAML contains a
                <saml2:Subject>
                    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
                    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
                            NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
                    </saml2:SubjectConfirmation>
                </saml2:Subject>
In the request there is an attribute in the claims:
<ns:Claims Dialect="myDialect">
    <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
        xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
    </saml-a:Attribute>
</ns:Claims>

The certificate with which the incoming SAML is signed is stored in a
database, and for the query I need the saml2:NameID value (myUserID) and
the "urn:oasis:names:tc:xspa:1.0:subject:organization-id" organisationID
(myOrganizationID).

I can do this query, but only after the SAML validation is done.

Somehow I need to run the SAML signature validation after I can get the
data (inside the
org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle()
function),

or get the data from the request at the
org.apache.cxf.ws.security.trust.STSSamlAssertionValidator or
org.apache.wss4j.dom.validate.SamlAssertionValidator.

Thanx

Csaba

the request:

---------------------------------------


<soapenv:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
            <saml2:Assertion ID="Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842"
                IssueInstant="2018-02-06T18:29:56.647Z" Version="2.0"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xs="http://www.w3.org/2001/XMLSchema">
                <saml2:Issuer>....</saml2:Issuer>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <ds:DigestValue>....</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>....</ds:SignatureValue>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>......</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </ds:Signature>
                <saml2:Subject>
                    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
                    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
                            NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
                    </saml2:SubjectConfirmation>
                </saml2:Subject>
                <saml2:Conditions NotBefore="2018-02-06T18:29:56.647Z"
                    NotOnOrAfter="2018-02-06T18:39:56.647Z">
                    <saml2:AudienceRestriction>
                        <saml2:Audience>.....</saml2:Audience>
                    </saml2:AudienceRestriction>
                </saml2:Conditions>
                <saml2:AuthnStatement AuthnInstant="2018-02-06T18:29:56.647Z"
                    SessionNotOnOrAfter="2018-02-06T18:33:16.647Z">
                    <saml2:AuthnContext>
                        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
                    </saml2:AuthnContext>
                </saml2:AuthnStatement>
                <saml2:AttributeStatement>
                    ....
                </saml2:AttributeStatement>
            </saml2:Assertion>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <ns:RequestSecurityToken>
            <ns:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns:TokenType>
            <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</ns:RequestType>
            <ns:Claims Dialect="MyDialect">
                <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
                    xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                    <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
                </saml-a:Attribute>
                ...
            </ns:Claims>
        </ns:RequestSecurityToken>
    </soapenv:Body>
</soapenv:Envelope>


On 2019-08-30 12:14, Colm O hEigeartaigh wrote:
Can you post what the request looks like? Even a redacted version
of it?

Colm.

On Thu, Aug 29, 2019 at 7:48 PM Tóth Csaba <ig...@domen.hu> wrote:

Hello!

I studied the WSS4J SAML Validator, but it did not help much. My problem is
that I need to get the certificate based on the content of the request and
the SAML in the header (get out the subject, do a query, and the query gives
back the certificate), and I need to validate the SAML with this certificate.

In this case (SamlAssertionValidator) it is running before I am able to
parse the request. I can create a dummy validate() function, but afterwards
I need to somehow call it again.

Any help will be welcome.

Thanx

Csaba


Does the SAML assertion appear in the security header of the request or in
the body of the request? For the former, you will need to implement your
own WSS4J SAML Validator, or subclass the existing one in some way:

https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java

If the SAML assertion is in the SOAP Body then it's handled by the STS
code, so you will need to either replace or override this class:

https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java

Colm.

On Tue, Aug 6, 2019 at 9:03 PM Tóth Csaba <ig...@domen.hu> wrote:

Hello!

I have a request with the STS to validate an incoming SAML with a
certificate that comes from another source: for example, it needs to be
queried from a database, based on the data in the request.

How do I start? I know the SAML validation is deep inside and needs the
certificate to be in a truststore. Can I give the certificate directly
as an attribute, or do I need to create my own custom truststore manager?

Thanx.

Csaba


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
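To put the two pieces Csaba needs side by side, here is an added example (Python, not the project's Java and not code from the thread): it pulls the lookup keys out of a request shaped like the one posted above and makes the decision an overridden verifyTrustInCerts would make, accepting the certificate from the assertion's KeyInfo only when it matches the one the directory returns for (NameID, organization-id). The directory is a constructed dict standing in for the LDAP query, and the certificate values are placeholder strings.

```python
import hmac
import xml.etree.ElementTree as ET

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "ns": "http://docs.oasis-open.org/ws-sx/ws-trust/200512"}
ORG_CLAIM = "urn:oasis:names:tc:xspa:1.0:subject:organization-id"

# Constructed, trimmed copy of the posted request; the certificate is a placeholder string.
REQUEST = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:ns="{ns}"><soapenv:Header>
<wsse:Security xmlns:wsse="{wsse}"><saml2:Assertion xmlns:saml2="{saml2}" ID="A1">
<ds:Signature xmlns:ds="{ds}"><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>CERT-FROM-REQUEST</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml2:Subject><saml2:NameID>myUserID</saml2:NameID></saml2:Subject></saml2:Assertion>
</wsse:Security></soapenv:Header><soapenv:Body><ns:RequestSecurityToken>
<ns:Claims Dialect="MyDialect"><saml-a:Attribute xmlns:saml-a="{saml2}" Name="{claim}">
<saml-a:AttributeValue>myOrganizationID</saml-a:AttributeValue></saml-a:Attribute></ns:Claims>
</ns:RequestSecurityToken></soapenv:Body></soapenv:Envelope>""".format(claim=ORG_CLAIM, **NS)

# Constructed stand-in for the LDAP lookup: (NameID, organization-id) -> registered signing cert.
DIRECTORY = {("myUserID", "myOrganizationID"): "CERT-FROM-REQUEST"}


def extract_lookup_keys(xml_text):
    """Return the NameID (inside the signed assertion), the organization-id claim (in the
    unsigned body, so untrusted until the directory confirms it) and the KeyInfo certificate."""
    root = ET.fromstring(xml_text)
    assertion = root.find("soapenv:Header/wsse:Security/saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in the security header")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    embedded = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                  namespaces=NS)
    claims = root.find("soapenv:Body/ns:RequestSecurityToken/ns:Claims", NS)
    org_id = None
    for attr in (claims.findall("saml2:Attribute", NS) if claims is not None else []):
        if attr.get("Name") == ORG_CLAIM:
            org_id = attr.findtext("saml2:AttributeValue", namespaces=NS)
    if not name_id or not org_id:
        raise ValueError("missing NameID or organization-id claim")
    return name_id, org_id, (embedded or "").strip()


def signing_cert_is_trusted(xml_text, directory=DIRECTORY):
    """What an overridden verifyTrustInCerts would decide: the KeyInfo certificate that verified
    the signature is trusted only if it equals the certificate registered for (NameID, org-id)."""
    name_id, org_id, embedded = extract_lookup_keys(xml_text)
    registered = directory.get((name_id, org_id))
    return registered is not None and hmac.compare_digest(embedded, registered)
```

Because only the assertion is signed, a mismatch between the body claim and the directory record (or an unregistered pair) must fail closed rather than fall back to the certificate carried in the request.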
