By: Won Kim user 03 Dec 2016 at 3:01 p.m. CST

13 Responses
Hey, sorry to keep bothering you guys, but we are so close to getting this proxy IDP working. We were able to get SAML auth working, but now we need to sign our AuthnRequest to our IDP. I thought I was able to do this, but it seems to be failing. One problem is that we are using an enveloped digital signature to pass in as SAMLRequest. This seems to fail on our IDP, and unfortunately the Siteminder IDP we are using is not clear on why it is failing; the only thing we can think of is that the signature is not being read or generated correctly. We have inspected several other AuthnRequests from other SPs, and it seems that none of them use an enveloped signature, but rather pass a Signature and SigAlg in the query string of an HTTP Redirect. I have read that, to use the enveloped digitally signed AuthnRequest, we need to send it in a POST. But we are piggybacking on your Jython script SamlExternalAuthenticator.py, and it is not clear how you guys are sending the HTTP request. Rather than using the redirect, could we just use a POST? Could you point out in your script where you are actually sending out the HTTP request and how we can modify it?

By Michael Schwartz Account Admin 03 Dec 2016 at 3:05 p.m. CST

Signing requests is an advanced topic. It's actually optional in SAML (while IDP responses must be signed). What's the security requirement for signing requests? What happens if you get a bad request? Does it really matter? See if you can push back on your IDP... Short of that, we'd have to assign a developer for this question, which is not something we do unless a customer has commercial support. If this seems very likely, let me know and I'll see what we can do. But it's a very busy time right now--we are about to release 3.0 and everyone is assigned multiple issues.

By Won Kim user 05 Dec 2016 at 2:14 p.m. CST

Hmmm... one side question that may help us: we have been using the asimba.key and .crt files as our SP metadata for the backend IDP. How were they generated? I forget if I generated them when I installed the Asimba module or if they were provided for me. In any case, whether through instruction or not, what key length and signature algorithm were used for the key generation? If I generated them, I may need to regenerate them; can I use the following location to update the key and crt? https://gluu.org/docs/how-to/update-certificate/

By Michael Schwartz Account Admin 05 Dec 2016 at 3:22 p.m. CST

Asimba keys are autogenerated in our setup script. You can see this method: [https://github.com/GluuFederation/community-edition-setup/blob/master/setup.py#L1155](https://github.com/GluuFederation/community-edition-setup/blob/master/setup.py#L1155)

By Won Kim user 08 Dec 2016 at 5:32 p.m. CST

Hey, FYI, I was finally able to get the Redirect working with the digital signature. In hindsight it wasn't too bad, but the error messages given by CA were not very clear about what the problem was. After a bit of looking around, I was able to update the Jython script to use a new AuthRequest Java object I wrote that generates the signature and outputs the right URL query to pass to the Jython context.
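The Redirect-binding construction Won describes, as an added example that is not part of the original thread and not Gluu's oxCore or SamlExternalAuthenticator.py code. It shows the part that is easy to get wrong when moving from the enveloped (HTTP-POST) form to HTTP-Redirect: the AuthnRequest XML carries no ds:Signature; it is raw-DEFLATEd, base64-encoded and percent-encoded, and the signature is computed over the literal query string `SAMLRequest=...&RelayState=...&SigAlg=...` in that order, then appended as `Signature=`. The IdP side verifies over the raw query octets as received. The signing primitive is injected as a callable; the demo signer here is HMAC-SHA256 purely so the block runs offline with the standard library, a labelled stand-in for the RSA-SHA256 key a real SP would use (a `cryptography`-based RSA signer is sketched in a comment). The sample AuthnRequest, URLs and secret are constructed placeholders.

```python
"""SAML 2.0 HTTP-Redirect binding: building and checking a signed AuthnRequest URL.

Added example; not code from the Gluu thread or from oxCore. Assumptions:
the IdP/SP URLs, the request ID and the demo secret are constructed placeholders,
and the HMAC signer stands in for an RSA-SHA256 private-key signer.
"""
import base64
import hashlib
import hmac
import zlib
from urllib.parse import parse_qs, quote, unquote, urlparse

# Algorithm identifier the IdP reads from SigAlg to choose its verification routine.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample request (unsigned XML: the Redirect binding carries the
# signature outside the document, so there is no ds:Signature element here).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-id-1" Version="2.0" IssueInstant="2016-12-08T23:32:00Z" '
    'Destination="https://idp.example.org/sso/redirect" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (wbits=-15: no zlib header or trailer) followed by base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_string(saml_request_b64: str, relay_state, sig_alg: str) -> bytes:
    """The exact octets that get signed: percent-encoded values, fixed order,
    RelayState included only when present. The signature is NOT over the XML."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts).encode("ascii")


def build_redirect_url(idp_sso_url, xml, signer, relay_state=None, sig_alg=RSA_SHA256):
    """SP side: encode the XML, sign the query string, append Signature last."""
    to_sign = signed_string(deflate_b64(xml), relay_state, sig_alg)
    sig_b64 = base64.b64encode(signer(to_sign)).decode("ascii")
    query = to_sign.decode("ascii") + "&Signature=" + quote(sig_b64, safe="")
    return idp_sso_url + ("&" if "?" in idp_sso_url else "?") + query


def verify_redirect_url(url, verifier):
    """IdP side: verify over the raw query bytes as received, never over
    re-encoded parameters (an equivalent but different percent-encoding of the
    same value would change the signed octets). Assumes Signature is the final
    parameter, as build_redirect_url emits it. Returns (ok, decoded_xml_or_None)."""
    raw_query = urlparse(url).query
    marker = "&Signature="
    idx = raw_query.find(marker)
    if idx < 0:
        return False, None
    to_verify = raw_query[:idx].encode("ascii")
    sig_b64 = unquote(raw_query[idx + len(marker):].split("&", 1)[0])
    if not verifier(to_verify, base64.b64decode(sig_b64)):
        return False, None
    req_b64 = parse_qs(raw_query, strict_parsing=True)["SAMLRequest"][0]
    return True, inflate_b64(req_b64)


# Demo-only stand-in for the SP's private key: HMAC over a shared secret so the
# block runs with the standard library. Real deployments sign with the key that
# matches the certificate in the SP metadata, e.g. with the `cryptography` package:
#   signer = lambda d: private_key.sign(d, padding.PKCS1v15(), hashes.SHA256())
DEMO_SECRET = b"demo-only-shared-secret-not-an-sp-key"


def demo_signer(data: bytes) -> bytes:
    return hmac.new(DEMO_SECRET, data, hashlib.sha256).digest()


def demo_verifier(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_signer(data), signature)


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.org/sso/redirect", SAMPLE_AUTHN_REQUEST,
                             demo_signer, relay_state="https://sp.example.org/app?x=1")
    print(url)
    print("verified:", verify_redirect_url(url, demo_verifier)[0])
```

Two practical checks when an IdP rejects such a request with an unhelpful error: confirm the SigAlg URI in the query matches the algorithm the private key actually signs with, and diff the bytes you signed against the raw query string the IdP receives (a proxy or framework that re-encodes `+`, `/` or `=` in transit breaks the signature without changing the decoded request).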

By Won Kim user 08 Dec 2016 at 5:33 p.m. CST

Sorry forgot to close this ticket with my last post.

By Michael Schwartz Account Admin 08 Dec 2016 at 5:37 p.m. CST

If you can send us a copy to support@gluu.org, we'd be interested to see it. Nice work!

By Won Kim user 09 Dec 2016 at 11:39 a.m. CST

Do you want me to do a pull request in your Git repo?

By William Lowe user 09 Dec 2016 at 11:41 a.m. CST

That would be great! Thanks, Won.

By Won Kim user 09 Dec 2016 at 1:33 p.m. CST

Hey, so I modified the oxCore module to add in the signing code. But I modified it a lot compared to what we use in our code, because the code I am sending integrates everything back into the AuthRequest and SamlConfiguration classes, while in the version I have tested and that works I made a new class that just did the signing and leveraged the original AuthRequest and SamlConfiguration, so there would be no conflict in my working instance. Should I still do a pull request, or just send you the updated classes out of band for you to look over, update your classes, and test on your end? I am concerned that the code I am making a pull request for has not really been tested.

By Michael Schwartz Account Admin 09 Dec 2016 at 1:34 p.m. CST

I would say make the pull request if possible. We can review and test as part of our next cycle. Thanks a lot for sticking with it!

By William Lowe user 09 Dec 2016 at 1:34 p.m. CST

Go ahead and send them out of band to support@gluu.org. Thanks.

By William Lowe user 09 Dec 2016 at 1:36 p.m. CST

Oops, OK, follow Mike's recommendation. Thanks, Won.

By Won Kim user 09 Dec 2016 at 2:40 p.m. CST

OK, I uploaded the code; please tell me if it works for you guys. Now that we have the back part working, I need to work on how I can automate the registration service, or whether it is possible to modify the Gluu web console to allow self-service registration. I may ping you guys again if that is possible.