PLFED-286 (PicketLink Federated Identity)

Validation errors when checking SAML tokens against the urn:oasis:names:tc:SAML:2.0:protocol schema

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: PLFED_2.1.0.Final
    • Fix Version/s: PLFED_2.1.1.Final
    • Component/s: SAML
    • Labels:
      None
    • Steps to Reproduce:
      These errors are only visible when setting the picketlink.schema.validate system property to "true". By default, PL does not check the SAML documents against the defined schemas.

      Description

      Validation errors are happening when checking the SAML tokens against the urn:oasis:names:tc:SAML:2.0:protocol schema.
      These errors are only visible when setting the picketlink.schema.validate system property to "true". By default, PL does not check the SAML documents against the defined schemas.
      This error impacts users that want to integrate their SPs with IDPs not configured with PicketLink, since those IDPs usually check the SAML tokens against the standard schema.

      Validation error when checking the AuthnRequest type (SP-Initiated authentication):

      Error:
      org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 680; cvc-complex-type.2.4.a: Invalid content was found starting with element 'dsig:Signature'. One of '{"urn:oasis:names:tc:SAML:2.0:assertion":Conditions, "urn:oasis:names:tc:SAML:2.0:protocol":RequestedAuthnContext, "urn:oasis:names:tc:SAML:2.0:protocol":Scoping}' is expected.

      AuthnRequest SAML Document:

      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                          AssertionConsumerServiceURL="http://localhost:8080/sales-post-sig/"
                          Destination="http://localhost:8080/idp-sig/"
                          ID="ID_bb64828f-88cb-44be-83d6-f07ba381b701"
                          IssueInstant="2012-04-30T13:15:19.985-03:00"
                          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                          Version="2.0">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sales-post-sig/</saml:Issuer>
        <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
        <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <dsig:Reference URI="#ID_bb64828f-88cb-44be-83d6-f07ba381b701">
              <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </dsig:Transforms>
              <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <dsig:DigestValue>ygGdJufYyfJcNRihdsxrok/jjdc=</dsig:DigestValue>
            </dsig:Reference>
          </dsig:SignedInfo>
          <dsig:SignatureValue>ZZdD5VUfF1PCz2Q3Sfp+CIbn5qjtIF2pV86KExEEEcZMLw9+bqmdC+9ZO+JDwVzmrmtb7043ImWso+Ck9TQVY2Xg8i3JFpO5+uZ1Sa/UvEQ4QkDMfF2sjZVCUJQA9hSC2OR3cj1gkW2x5p7wyWbIb4wVNzA33xUO2h8fi1R78Zw=</dsig:SignatureValue>
          <dsig:KeyInfo>
            <dsig:KeyValue>
              <dsig:RSAKeyValue>
                <dsig:Modulus>7KiaO7wWGffrZcXyLcY3syZ7TWVE5wBzU08/DvglTvvSQeotmJDKBTea8N8Kf8SKqdBANH8dnYT0wRXkedAQ+97YwwWKiwTz+EHYvfwBWQaV3BBu2kLVe9w+hykXPmEEIQzXXbfoBt9xi5pworDsjJJROifK5+eUtjIK2jkGzKM=</dsig:Modulus>
                <dsig:Exponent>AQAB</dsig:Exponent>
              </dsig:RSAKeyValue>
            </dsig:KeyValue>
          </dsig:KeyInfo>
        </dsig:Signature>
      </samlp:AuthnRequest>

      Validation error when checking a LogoutRequest type:

      Error:
      org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1599; cvc-complex-type.2.4.b: The content of element 'samlp:LogoutRequest' is not complete. One of '{"urn:oasis:names:tc:SAML:2.0:protocol":Extensions, "urn:oasis:names:tc:SAML:2.0:assertion":BaseID, "urn:oasis:names:tc:SAML:2.0:assertion":NameID, "urn:oasis:names:tc:SAML:2.0:assertion":EncryptedID}' is expected.

      LogoutRequest SAML Document:

      <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                           xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                           ID="ID_4b24ff47-3672-4152-815e-26875cbcbe97"
                           IssueInstant="2012-04-30T13:19:50.900-03:00"
                           Version="2.0">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sales-post-sig/</saml:Issuer>
        <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <dsig:Reference URI="#ID_4b24ff47-3672-4152-815e-26875cbcbe97">
              <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </dsig:Transforms>
              <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <dsig:DigestValue>e+Gbplf6ghhT1+Kvn3xu6njepNQ=</dsig:DigestValue>
            </dsig:Reference>
          </dsig:SignedInfo>
          <dsig:SignatureValue>VzdOSaLPL7+S8jVJVKgHhsKiYyP/9YGnkliauPZVMqraHDn9a55uQaH1n9inxojNpcnQVUy/xuYsi78dUaNDPY6fugZTs7ADbrFMWr1L6+Qug+2BpGYea0dmsbbGt745GvexmY8zppP/ngjeYVmVzPLWrPiPmHsQmfgsFvBg7zc=</dsig:SignatureValue>
          <dsig:KeyInfo>
            <dsig:KeyValue>
              <dsig:RSAKeyValue>
                <dsig:Modulus>7KiaO7wWGffrZcXyLcY3syZ7TWVE5wBzU08/DvglTvvSQeotmJDKBTea8N8Kf8SKqdBANH8dnYT0wRXkedAQ+97YwwWKiwTz+EHYvfwBWQaV3BBu2kLVe9w+hykXPmEEIQzXXbfoBt9xi5pworDsjJJROifK5+eUtjIK2jkGzKM=</dsig:Modulus>
                <dsig:Exponent>AQAB</dsig:Exponent>
              </dsig:RSAKeyValue>
            </dsig:KeyValue>
          </dsig:KeyInfo>
        </dsig:Signature>
      </samlp:LogoutRequest>
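      Both errors above come down to the content model of the samlp schema: RequestAbstractType fixes the child order Issuer, Signature, Extensions before the request-specific elements, so an AuthnRequest whose dsig:Signature follows NameIDPolicy is rejected (the validator expects Conditions, RequestedAuthnContext or Scoping there), and LogoutRequestType requires exactly one of BaseID, NameID or EncryptedID, which the reported LogoutRequest lacks. The following Python check is an added example for this report, not PicketLink code. It enforces just those two rules, which is useful as a fast pre-check on outgoing requests, but is no substitute for full XSD validation with picketlink.schema.validate=true. The sample documents are constructed, modelled on the ones above with the signature contents replaced by a placeholder; `check_request`, `place_signature` and the order tables are this example's own names.

```python
"""Structural pre-check for the two schema violations reported in PLFED-286.

Added example for this report, not PicketLink code. It encodes the part of
the urn:oasis:names:tc:SAML:2.0:protocol schema the two errors point at:
RequestAbstractType orders its children Issuer, Signature, Extensions and
each request type appends its own sequence; LogoutRequest also requires
exactly one of BaseID, NameID or EncryptedID.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def q(ns, local):
    """Qualified name in the Clark notation ElementTree uses for tags."""
    return "{%s}%s" % (ns, local)


COMMON_ORDER = [q(SAML, "Issuer"), q(DSIG, "Signature"), q(SAMLP, "Extensions")]
REQUEST_ORDER = {  # schema sequence per request type (the subset checked here)
    q(SAMLP, "AuthnRequest"): COMMON_ORDER + [
        q(SAML, "Subject"), q(SAMLP, "NameIDPolicy"), q(SAML, "Conditions"),
        q(SAMLP, "RequestedAuthnContext"), q(SAMLP, "Scoping")],
    q(SAMLP, "LogoutRequest"): COMMON_ORDER + [
        q(SAML, "BaseID"), q(SAML, "NameID"), q(SAML, "EncryptedID"),
        q(SAMLP, "SessionIndex")],
}
SUBJECT_ID_CHOICE = {q(SAML, "BaseID"), q(SAML, "NameID"), q(SAML, "EncryptedID")}


def check_request(xml_text):
    """Return a list of structural problems; an empty list means the element
    order and the LogoutRequest identifier choice are fine. This is not a
    substitute for full XSD validation (picketlink.schema.validate=true)."""
    root = ET.fromstring(xml_text)
    order = REQUEST_ORDER.get(root.tag)
    if order is None:
        return ["unsupported root element %s" % root.tag]
    rank = {tag: i for i, tag in enumerate(order)}
    problems, highest = [], -1
    for child in root:
        if child.tag not in rank:
            problems.append("unexpected child %s" % child.tag)
            continue
        if rank[child.tag] < highest:  # appears after an element that must follow it
            problems.append("%s out of order: must precede %s" % (child.tag, order[highest]))
        highest = max(highest, rank[child.tag])
    if root.tag == q(SAMLP, "LogoutRequest"):
        if sum(1 for c in root if c.tag in SUBJECT_ID_CHOICE) != 1:
            problems.append("LogoutRequest needs exactly one of BaseID, NameID, EncryptedID")
    return problems


def place_signature(unsigned_xml, signature_xml):
    """Insert an enveloped Signature directly after Issuer (or first, if there
    is no Issuer) and return the serialized request. A signer has to settle
    this position before computing the digest: moving the element afterwards
    changes the canonicalized content the signature covers."""
    root = ET.fromstring(unsigned_xml)
    issuer_idx = next((i for i, c in enumerate(root) if c.tag == q(SAML, "Issuer")), -1)
    root.insert(issuer_idx + 1, ET.fromstring(signature_xml))
    return ET.tostring(root)


# Constructed samples modelled on the documents in this report; the signature
# contents are replaced by a placeholder since only the element order matters.
PLACEHOLDER_SIG = (f'<dsig:Signature xmlns:dsig="{DSIG}"><dsig:SignedInfo/>'
                   '<dsig:SignatureValue>PLACEHOLDER</dsig:SignatureValue></dsig:Signature>')
ISSUER = '<saml:Issuer>http://localhost:8080/sales-post-sig/</saml:Issuer>'
NAMEID_POLICY = '<samlp:NameIDPolicy AllowCreate="true"/>'
AUTHN_OPEN = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
              'ID="ID_1" Version="2.0" IssueInstant="2012-04-30T13:15:19Z">')
LOGOUT_OPEN = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
               'ID="ID_2" Version="2.0" IssueInstant="2012-04-30T13:19:50Z">')

# Signature after NameIDPolicy, as in the reported AuthnRequest.
AUTHN_AS_REPORTED = AUTHN_OPEN + ISSUER + NAMEID_POLICY + PLACEHOLDER_SIG + '</samlp:AuthnRequest>'
# Signature right after Issuer, as the schema sequence requires.
AUTHN_FIXED = AUTHN_OPEN + ISSUER + PLACEHOLDER_SIG + NAMEID_POLICY + '</samlp:AuthnRequest>'
# Correctly placed Signature but no NameID, as in the reported LogoutRequest.
LOGOUT_AS_REPORTED = LOGOUT_OPEN + ISSUER + PLACEHOLDER_SIG + '</samlp:LogoutRequest>'
LOGOUT_FIXED = (LOGOUT_OPEN + ISSUER + PLACEHOLDER_SIG
                + '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
                'user</saml:NameID></samlp:LogoutRequest>')

if __name__ == "__main__":
    for name, doc in [("AuthnRequest as reported", AUTHN_AS_REPORTED),
                      ("AuthnRequest fixed", AUTHN_FIXED),
                      ("LogoutRequest as reported", LOGOUT_AS_REPORTED),
                      ("LogoutRequest fixed", LOGOUT_FIXED)]:
        print(name, "->", check_request(doc) or "ok")
```

      Running the script prints one line per sample: the reported AuthnRequest fails on the misplaced Signature, the reported LogoutRequest on the missing identifier, and both fixed variants pass. Placement matters beyond schema conformance: an enveloped signature's position is part of the content that gets canonicalized, so an SP has to emit the Signature after Issuer at signing time rather than reorder the document afterwards, and an IdP that validates against the standard schema before verifying signatures (a sensible order, since it rejects malformed input early) will refuse the document as reported here.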

      People

      • Assignee: Anil Saldanha (anil.saldhana)
      • Reporter: Pedro Igor Silva (pcraveiro)