Does anyone know how to add additional assertions in a SAML request to a federated IdP? The problem is that there is no NameID in the SAML request:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="https://testserver.domain.local:9443/commonauth"
Destination="https://idp.eu.safenetid.com/auth/realms/XXXXXXXXXX-STA/protocol/saml"
ForceAuthn="true"
ID="_b53cdb3765c8b92fa51d6079a061deaf"
IsPassive="false"
IssueInstant="2021-02-03T10:45:48.275Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">WSO2</samlp:Issuer>
<saml2p:RequestedAuthnContext Comparison="exact"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
We configured a federated IdP (SafeNet) and want to use it as a second-factor auth.
I configured 2 steps in the SP, where the first step is basic auth and the second step is the federated IdP, SafeNet (Saml2webSSO). But, as you can see, WSO2 does not include a NameID in the request and the username is not populated on the SafeNet login page. Maybe we can somehow configure what to include in the SAML request?
You can enable the NameID Policy in the authentication request by enabling the Include NameID Policy configuration in your IdP configuration (Identity Provider > Federated Authenticators > SAML2 Web SSO Configuration).
You can also specify the requested NameID policy's format in the NameID format config.
I am trying to integrate AWS Cognito with a third-party SAML SSO Identity Provider. The third-party IdP is responding with a successful SAML assertion upon login.
Cognito then attempts to validate the assertion's signature, but fails with the following error message:
Error in SAML response processing: SAML Assertion signature is invalid
How can I diagnose the cause of Cognito's assertion processing?
We've tested our Cognito SP with samltest.id, which fully works.
Reading samltest.id's FAQ, signature verification errors from Shibboleth (unrelated to my solution) usually mean that the key "used to sign the assertion doesn’t match any valid key with either usage="signing" or null usage in your IdP’s metadata."
Here is a redacted copy of my SP metadata:
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:cognito:sp:us-east-2_[REDACTED]" validUntil="2023-04-04T00:00:00Z">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
[REDACTED]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[REDACTED].auth.us-east-2.amazoncognito.com/saml2/idpresponse" />
<AssertionConsumerService index="2" isDefault="false" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://[REDACTED].auth.us-east-2.amazoncognito.com/saml2/idpresponse" />
<AttributeConsumingService index="1">
<ServiceName xml:lang="en">AWS Vermeer Single Sign-On</ServiceName>
<RequestedAttribute isRequired="true" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email" />
<RequestedAttribute isRequired="false" Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="firstName" />
<RequestedAttribute isRequired="false" Name="family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="lastName" />
</AttributeConsumingService>
</SPSSODescriptor>
<Organization>
<OrganizationName xml:lang="en">[REDACTED]</OrganizationName>
<OrganizationDisplayName xml:lang="en">[REDACTED]</OrganizationDisplayName>
<OrganizationURL xml:lang="en">[REDACTED]</OrganizationURL>
</Organization>
</EntityDescriptor>
Why is Cognito rejecting my SAML assertion?
Start by looking at the IdP metadata. The IdP signs the SAML response using the IdP private key, and the SP validates the signature with the IdP public key.
The IdP metadata will contain the certificate, and you can verify that the certificate matches the one in the SAML response.
Could you please elaborate on how these keys work and how, if at all, the certificates in an IdP's metadata align with those in an SP's metadata?
These would be a standard public and private key-pair. When used for digital signatures, the message is signed using the sender's private key, and the signature is verified using the sender's public key.
In a SAML exchange, there will be a SAML request (from the SP to the IdP) and a SAML response (from the IdP to the SP). Officially, it's optional for the request and/or response to be signed, although the IdP/SP may require it. SAML requests generally are not signed (although can be).
So, a SAML response is signed by the IDP using the IdP private key, and the signature is verified by the SP, using the IdP-supplied public key. A SAML request would be signed by the SP using the SP's private key, and verified by the IDP using the SP-supplied public key.
There's no relation between the certificate in the IdP metadata, and the certificate in the SP metadata, aside from both being public certificates for validating a digital signature.
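As an added example (not code from the question or the answers above), a stdlib Python check that does what this comment describes: it collects the certificates the IdP metadata marks as usable for signing (use="signing" or no use attribute) and compares their fingerprints with the certificate embedded in the Assertion's Signature, which is the first thing to look at when an SP reports an invalid assertion signature. The metadata, the response and the certificate values are constructed placeholders, and the entityID https://idp.example.test is assumed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",      # SAML metadata
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",   # assertions
      "ds": "http://www.w3.org/2000/09/xmldsig#"}        # XML Signature
# Constructed placeholder "certificates" (arbitrary bytes, base64). Real
# metadata carries DER-encoded X.509, but the comparison logic is identical.
CERT_A = base64.b64encode(b"constructed-idp-signing-cert-A" * 3).decode()
CERT_B = base64.b64encode(b"constructed-idp-encryption-cert-B" * 3).decode()

# Constructed IdP metadata: one signing key, one encryption-only key.
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
 </IDPSSODescriptor></EntityDescriptor>"""

def sample_response(cert_b64: str) -> str:
    """Constructed SAML Response whose Assertion signature carries cert_b64."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion ID="_a1"><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  {cert_b64}
 </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>"""

def fingerprint(b64cert: str) -> str:
    """SHA-256 of the DER bytes; line breaks and whitespace in the base64 are ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64cert.split()))).hexdigest()

def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Certs valid for signature checks: use="signing" or no use attribute at all."""
    return {fingerprint(c.text)
            for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS)
            if kd.get("use") in (None, "signing")
            for c in kd.iterfind(".//ds:X509Certificate", NS)}

def assertion_signing_fingerprints(response_xml: str) -> set:
    """Certs embedded in the Signature of each Assertion of a SAML Response."""
    return {fingerprint(c.text)
            for a in ET.fromstring(response_xml).iterfind(".//saml:Assertion", NS)
            for c in a.iterfind("ds:Signature//ds:X509Certificate", NS)}

def check_response(metadata_xml: str, response_xml: str) -> dict:
    """Which assertion signing certs does the IdP metadata (not) vouch for?"""
    trusted = metadata_signing_fingerprints(metadata_xml)
    seen = assertion_signing_fingerprints(response_xml)
    return {"unknown": seen - trusted, "ok": bool(seen) and seen <= trusted}
```

A non-empty "unknown" set means the IdP signed with a certificate its published metadata does not list for signing (for example a rotated key, or an encryption-only key), which is exactly the mismatch the samltest.id FAQ quoted above describes.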
Actually, we use Google IdP as an SSO / SAML authentication type for our application.
We have configured it to connect our users to our application and it works fine.
But recently, we have also wanted to ask our users to reauthenticate for different actions that could happen during the application lifecycle.
In more detail, when we send a SAML request to the Google IdP, we add the attribute ForceAuthn="true" to the "AuthnRequest" node and we also add an AuthnContextClassRef to ask explicitly for a reauthentication by credentials.
When we send this SAML request to the Google IdP, the problem is that the IdP server doesn't ask the end user for credentials and redirects directly to the application with a successful response.
Is that normal?
Does the Google IdP support the attribute ForceAuthn="true"?
I didn't find any documentation on this topic.
Here is an example of the SAML request that has been sent to the IdP:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Version="2.0"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="#url_sp"
ID="#id"
IssueInstant="2021-05-31T15:34:19Z"
Destination="https://accounts.google.com/o/saml2/idp?idpid=#id"
ProviderName="#ip"
IsPassive="false"
ForceAuthn="true">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#url_sp</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
#signature_info
</Signature>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Official answer from Google support: "Google doesn't currently implement Single Log out/account reauthentication for SAML authorized services. You may alternatively have the use of 'session lengths'."
I need to find the REST/SOAP API for Password Policies (Password History and Password Pattern) and Login Policies (Account Locking and Account Disabling).
I am using WSO2 IS 5.9.0.
I am creating a multi-tenant environment with WSO2. I am able to perform all the steps from code but am not able to find an API for these two settings.
I have to do this manually, but this is just a workaround and I need to figure out the WSO2 APIs for these.
I need a curl request or documentation for these 2 settings' APIs.
From WSO2 IS 5.10.0 onwards there is a REST API to update these configurations.
However, in 5.9.0 and earlier, only SOAP APIs are available. You can use the https://localhost:9443/services/IdentityGovernanceAdminService SOAP service for this purpose. There are 2 operations available in this service: getConnectorList and updateConfigurations.
You can use getConnectorList to find the available connectors and their property names. Then you can use the updateConfigurations operation to update a property value. The message body would look like the one below to update the Password History validation count configuration.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gov="http://governance.identity.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<gov:updateConfigurations>
<gov:configurations>
<xsd:name>passwordHistory.count</xsd:name>
<xsd:value>6</xsd:value>
</gov:configurations>
</gov:updateConfigurations>
</soapenv:Body>
</soapenv:Envelope>
I've been trying to integrate SAML with WSO2 Cloud.
I have some successful experience with other vendors like OneLogin, Okta, and PingOne.
But I get an obscure 500 error with WSO2.
I get a 500 error with every request I try.
I don't need much, just a SAMLRequest format that will work for WSO2.
For example, now I'm passing:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest ID="z9dac5520-d4a4-4da9-b71a-483948c1655c" IssueInstant="2017-04-29T08:40:39.677Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
I deflate, base64 encode and URL encode it.
I tried different variations but nothing works.
Thanks.
The request has no value for the Issuer element. Why would any IDP accept a request from an unidentified SP? You need to use a value that identifies the SP and that was previously registered out-of-band with the IDP.
Can you explain a bit more what you are trying to do here? Is that to enable SAML-based authentication via WSO2 Cloud for one of your applications? If that is the scenario, you need to log in to Identity Cloud [1] and configure a service provider as described in [2]. Only then can you send a SAML request to Identity Cloud for authentication.
[1] https://identity.cloud.wso2.com
[2] https://docs.wso2.com/display/IdentityCloud/Configuring+SSO+for+Custom+Applications
Once the service provider is configured to accept SAML requests as described in the previous links, you can send a standard SAML request to Identity Cloud. A sample SAML request is given below. Note that the AssertionConsumerServiceURL, Destination and Issuer attributes should be changed to the values relevant for you. Each tenant gets a separate SSO service URL, which is in the format "https://identity.cloud.wso2.com/identity/t/{TenantDomain}". This will be the value for "Destination" in the SAML request.
<samlp:AuthnRequest AssertionConsumerServiceURL="http://apps.com/travelocity/home.jsp"
Destination="https://identity.cloud.wso2.com/identity/t/demo1org"
ForceAuthn="false"
ID="a9b1b4992f048bb1004677207cc97097a73e47cdaf4ba21360ef8cf38dc76702"
IsPassive="false"
IssueInstant="2017-05-02T12:59:45.409Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">wso2App1-wso2org-1.0</samlp:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="Issuer"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
/>
<saml2p:RequestedAuthnContext Comparison="exact"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
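An added example, not code from either answer: Python helpers that apply the HTTP-Redirect encoding the question describes (deflate, base64, URL-encode), decode a captured SAMLRequest value for inspection, and lint an AuthnRequest for the two problems the answers point at, an empty Issuer and a Destination that is not set. The request XML and its ID are constructed; the Issuer and Destination values used in the fixed variant are taken from the sample request above.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed AuthnRequest with the same defect as in the question: an empty Issuer.
EMPTY_ISSUER_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest ID="_constructed-1" IssueInstant="2017-04-29T08:40:39.677Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
</saml2p:AuthnRequest>"""

# The same request with the Issuer and Destination an IdP expects to see.
FIXED_REQUEST = EMPTY_ISSUER_REQUEST.replace(
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>',
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">wso2App1-wso2org-1.0</saml2:Issuer>',
).replace('Version="2.0"', 'Version="2.0" Destination="https://identity.cloud.wso2.com/identity/t/demo1org"')

def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 gives a raw deflate stream
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

def decode_redirect(param: str) -> str:
    """Reverse of encode_redirect, to inspect a SAMLRequest value taken from a URL."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")

def lint_authn_request(xml_text: str) -> list:
    """Checks an IdP applies before it even gets to signature or SP lookup."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Version") != "2.0":
        problems.append("Version must be 2.0")
    for attr in ("ID", "IssueInstant"):
        if not root.get(attr):
            problems.append(f"missing required attribute {attr}")
    issuer = root.find(SAML + "Issuer")
    if issuer is None or not (issuer.text or "").strip():
        problems.append("Issuer is empty: the IdP cannot tell which registered SP is asking")
    if not root.get("Destination"):
        problems.append("Destination not set: should be the tenant SSO service URL")
    return problems
```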
Can I add a custom query param to a WSO2 SAML 2.0 request, other than SAMLRequest and RelayState?
I want to make a SAML request with a target URL query param, to redirect to the target URL after authentication succeeds.
Example: :9443/samlsso?SAMLRequest=jZPRb9owE.........&targetURL=home.jsp
You can add custom query parameters to the SAML request, but only the "RelayState" would be redirected back to the service provider by WSO2 IS. If you want to redirect to a target URL after authentication success, you must configure it as the ACS in the service provider configuration of WSO2 IS.
You can use any parameter, but only RelayState will be redirected back to the SP.