PicketLink / PLINK-685

PicketLink SP is unable to check signatures for encrypted SAML assertions


Details

    • Type: Bug
    • Resolution: Obsolete
    • Priority: Major

    Description

      Using PicketLink as a SAML SP to talk to TestShib, signature verification fails when assertions are encrypted. The error returned by SAML2SignatureValidationHandler is: "PL00092: Null Value:Cannot find Signature element."

      The issue seems to be that SAML2SignatureValidationHandler expects the signature to be in the unencrypted part of the SAML response; however, the signature is actually part of the encrypted assertion. According to section 6.2 of the SAML 2.0 spec, TestShib seems to be behaving correctly:

      Use of XML Encryption and XML Signature MAY be combined. When an assertion is to be signed and
      encrypted, the following rules apply. A relying party MUST perform signature validation and decryption in
      the reverse order that signing and encryption were performed.

      • When a signed <Assertion> element is encrypted, the signature MUST first be calculated and
        placed within the <Assertion> element before the element is encrypted.

      Here is the SAML response from TestShib:

      <?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/sales-with-servlet-filter/" ID="_4cb54eb33673f6b5b7c747112bb6e2f4" InResponseTo="ID_49a9dbde-5a24-4657-8948-381f4963c41e" IssueInstant="2015-02-11T23:08:35.051Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_2c34fe1ca03642da1f5c2b63655138ad" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_4b52a819446f41c5e1d8e3eb2b2addc4" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
      b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
      DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
      Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
      vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
      0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
      55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
      71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
      lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>nBY7OubDRWZVNd66zB4PmFvOQwsJQQON0X4nYN5+ffG8wMbzvVnhmU+3Lkr25rgGY16qH/BNkU15Zj/6pxSlMjyDkQrl8eotmGSKJlqyV1GLrMPKS0+2yKX/u1PYk0b2OgqmqXzLJb4I3e0F+m/hm5FawGitE63QUrBJtrVcIk4=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>
      

      Here is the unencrypted assertion (from the TestShib logs):

      <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6cc260e48c5842b7699d9b6029687401" IssueInstant="2015-02-11T23:08:35.051Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
         <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
               <ds:Reference URI="#_6cc260e48c5842b7699d9b6029687401">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>p1QN16zE4mhRQ6FteYoYbMsyFFs5agViDBwuqQiTczo=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>e63ryyD8zoeMNoKN+90gF0Lfb2EQQ2QJLTiYQsrc/wIPaNmjQSn25t+0YhbOeZS+7+baFCir7vNDD93TI92AYq9Im2UGATZkTsD3t0mvW/H3kZoQttYIUH7sDiUVyVVykkxQfcf/HwLzJuPkAG6BpKlxDNKM/c5ews00X15mkgU8wpnqM9HB1VuXNS+4jR1c8x0q8PKAUkic1gM9unHd3quJuKsRhZ+lDEyW4EwpiNSl4vKfJE4j2IDbP9TPAiUe2nvjD3IVZI9UCHhVZncPnfWgRkqcy7UN2GYhm9G1YIAmnQGTd3x+fEePYAT3c+MrkESOc6kHRWBNL1IAwvBVTw==</ds:SignatureValue>
            <ds:KeyInfo>
               <ds:X509Data>
                  <ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEVMBMGA1UECBMM
      UGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYDVQQKEwhUZXN0U2hpYjEZMBcG
      A1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcx
      CzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gx
      ETAPBgNVBAoTCFRlc3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG
      9w0BAQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7CyVTDClcp
      u93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe3OQ01Ow3yT4I+Wdg1tsT
      pSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aTNPFmDixzUjoYzbGDrtAyCqA8f9CN2txI
      fJnpHE6q6CmKcoLADS4UrNPlhHSzd614kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB
      5/9nb0yh/ojRuJGmgMWHgWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HE
      MIHBMB0GA1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ869nh8
      3KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTET
      MBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNoaWIxGTAXBgNVBAMTEGlkcC50ZXN0
      c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5M
      FfSVk98t3CT9jHZoYxd8QMRLI4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpk
      OAvZZUosVkUo93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
      /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAjGeka8nz8Jjwx
      pUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr8K/qhmFT2nIQi538n6rVYLeW
      j8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>
               </ds:X509Data>
            </ds:KeyInfo>
         </ds:Signature>
         <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="urn:samltest:picketlink-wildfly8">_0b3384ca5448f3b3f24f5f0a9f9c4f40</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
               <saml2:SubjectConfirmationData Address="38.242.3.210" InResponseTo="ID_49a9dbde-5a24-4657-8948-381f4963c41e" NotOnOrAfter="2015-02-11T23:13:35.051Z" Recipient="http://localhost:8080/sales-with-servlet-filter/"/>
            </saml2:SubjectConfirmation>
         </saml2:Subject>
         <saml2:Conditions NotBefore="2015-02-11T23:08:35.051Z" NotOnOrAfter="2015-02-11T23:13:35.051Z">
            <saml2:AudienceRestriction>
               <saml2:Audience>urn:samltest:picketlink-wildfly8</saml2:Audience>
            </saml2:AudienceRestriction>
         </saml2:Conditions>
         <saml2:AuthnStatement AuthnInstant="2015-02-11T23:08:34.949Z" SessionIndex="_4136f54390043d849aa77a967a97a763">
            <saml2:SubjectLocality Address="38.242.3.210"/>
            <saml2:AuthnContext>
               <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
         </saml2:AuthnStatement>
         <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myself</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Member</saml2:AttributeValue>
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Staff</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myself@testshib.org</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">And I</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Member@testshib.org</saml2:AttributeValue>
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Staff@testshib.org</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Me Myself</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Me Myself And I</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue>
                  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="urn:samltest:picketlink-wildfly8">ar2pXJMfeVuBDs3fCwFYiztxuOo=</saml2:NameID>
               </saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="telephoneNumber" Name="urn:oid:2.5.4.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">555-5555</saml2:AttributeValue>
            </saml2:Attribute>
         </saml2:AttributeStatement>
      </saml2:Assertion>
      
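      The decrypt-then-validate order the quoted spec text requires, as an added example that is not PicketLink's code: `locate_signature` first looks for a plaintext assertion, then decrypts an EncryptedAssertion through an injected `decrypt` callback and only afterwards looks for the enveloped ds:Signature, checking that its Reference URI names the decrypted Assertion's own ID. The sample XML, `wrap_encrypted` and `stand_in_decrypt` are constructed stand-ins (base64 in place of real XML Encryption) so the block runs without an XML security library.

```python
# Added example, not PicketLink code, with constructed sample XML: locate the ds:Signature that
# protects a SAML 2.0 assertion in the order SAML core section 6.2 requires (decrypt, then validate).
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
PL00092 = "PL00092: Null Value:Cannot find Signature element."

def signature_in_assertion(assertion):
    """Find the enveloped signature of a plaintext Assertion and check it covers this Assertion."""
    if assertion.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("decrypted element is not a saml:Assertion")
    sig = assertion.find("ds:Signature", NS)  # direct child only, not any descendant
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None:
        raise ValueError(PL00092)
    uri = ref.get("URI", "")
    if uri != "#" + assertion.get("ID", ""):  # the signed element must be this very Assertion
        raise ValueError("Reference %r does not cover the Assertion" % uri)
    algs = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in algs:
        raise ValueError("enveloped-signature transform missing")
    return uri

def locate_signature(response_xml, decrypt=None):
    """Return the Reference URI of the assertion signature; `decrypt` maps an xenc:EncryptedData
    element to plaintext bytes, and decrypt=None mimics a handler that only sees the clear part."""
    resp = ET.fromstring(response_xml)
    for assertion in resp.findall("saml:Assertion", NS):
        return signature_in_assertion(assertion)
    for enc in resp.findall("saml:EncryptedAssertion/xenc:EncryptedData", NS):
        if decrypt is not None:  # decrypt first, then look for the signature inside
            return signature_in_assertion(ET.fromstring(decrypt(enc)))
    raise ValueError(PL00092)

PLAIN_ASSERTION = (b'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6cc2">'
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_6cc2">'
    b'<ds:Transforms><ds:Transform Algorithm="' + ENVELOPED.encode() + b'"/></ds:Transforms>'
    b'</ds:Reference></ds:SignedInfo></ds:Signature></saml2:Assertion>')
def wrap_encrypted(plaintext):
    """Constructed stand-in for XML Encryption: the CipherValue merely base64-encodes the plaintext."""
    return (b'<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
            b'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
            b'<saml2:EncryptedAssertion><xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>'
            + base64.b64encode(plaintext) + b'</xenc:CipherValue></xenc:CipherData>'
            b'</xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>')
def stand_in_decrypt(enc_data):  # a real SP unwraps the EncryptedKey with its private key here
    return base64.b64decode(enc_data.find("xenc:CipherData/xenc:CipherValue", NS).text)
```

Calling `locate_signature(wrap_encrypted(PLAIN_ASSERTION))` without a decrypt callback reproduces the PL00092 error from this report, while passing `stand_in_decrypt` yields the Reference URI `#_6cc2`.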

          People

            psilva@redhat.com Pedro Igor Craveiro
            atomicknight_jira Abraham Lin (Inactive)