By: Cu kal user 21 Feb 2020 at 6:25 a.m. CST

7 Responses
I followed https://gluu.org/docs/ce/4.0/authn-guide/inbound-saml-passport/ and have it working with ADFS. In Chrome SAML Panel I see this request when I click on the ADFS provider in passportlogin.htm:

```
<samlp:AuthnRequest AssertionConsumerServiceURL="https://GLUU_SERVER/passport/auth/saml/ADFS/callback" Destination="https://ADFS_SERVER/adfs/ls/idpinitiatedsignon.htm" ID="_a56fd5bffd6865afdc08" IssueInstant="2020-02-21T11:58:24.111Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://GLUU_SERVER/passport/auth/saml/ADFS/callback</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```

I followed the *"In case you are interested in signing the authentication requests, you can supply privateCert (a RSA-SHA1 PEM private key). More details here."* part of the documentation and added a privateCert parameter and can see it being parsed when Passport renews the configuration. The SAML request however does not change; should it include signing information after setting privateCert? Thx

By Aliaksandr Samuseu staff 21 Feb 2020 at 6:36 a.m. CST

Hi, Cu kal. Interesting. Please provide us screenshot(s) of the configuration you have in web UI for this external IDP.

> should it include signing information after setting privateCert?

Yes, if this feature is supported, the request should have a signature.

By Aliaksandr Samuseu staff 21 Feb 2020 at 6:38 a.m. CST

Just one thought: after you added the signing key, have you tried to restart the "passport" service inside the container before proceeding to testing it?

By Cu kal user 21 Feb 2020 at 7:39 a.m. CST

Hello Aliaksandr, thanks for your reply. This is the configuration screenshot: https://monosnap.com/file/PBTcHw1EqDaJ8wysayMMJbGk83hkbZ I've restarted the container; is that sufficient or does the actual service have to be restarted? This is what passport is logging:

```
"validateInResponseTo": true,
"requestIdExpirationPeriodMs": 3600000,
"decryptionPvk": "-----BEGIN RSA PRIVATE KEY-----\n-REMOVED-\n-----END RSA PRIVATE KEY-----\n",
"decryptionCert": "-----BEGIN CERTIFICATE-----\n-REMOVED-\n-----END CERTIFICATE-----\n",
"skipRequestCompression": true,
"authnRequestBinding": "HTTP-POST",
"identifierFormat": null,
"cert": "-REMOVED-",
"callbackUrl": "https://GLUU_SERVER/passport/auth/saml/ADFS/callback",
"privateCert": "MIICeAIBADA -REMOVED- lBbhw34Xqm8",
"entryPoint": "https://ADFS_SERVER/adfs/ls/idpinitiatedsignon.htm",
"issuer": "https://ADFS_SERVER/passport/auth/saml/ADFS/callback"
```

By Cu kal user 26 Feb 2020 at 4:28 p.m. CST

Anyone any idea?

By Aliaksandr Samuseu staff 26 Feb 2020 at 4:46 p.m. CST

Hi, Cu kal. Restarting container is good enough. I guess Jose hasn't had an opportunity to check it yet. I'll remind him about that ticket tomorrow.

By Cu kal user 26 Feb 2020 at 5:05 p.m. CST

Thanks!

By Jose Gonzalez staff 16 Mar 2020 at 8:01 p.m. CDT

Hi Cu, I completely lost sight of this ticket. Seems to have been closed due to inactivity. It turns out the strategy we employ (passport-saml) only does signing when `authnRequestBinding` is set to `HTTP-Redirect`. This bug was [fixed](https://github.com/bergie/passport-saml/releases/tag/v1.3.0) last month in the latest release of passport-saml. We will use such for our next version, i.e. Gluu CE 4.2.