javasingle-sign-onsamlsaml-2.0opensaml

OpenSaml AuthnRequest signature


I'm building a SAML 2.0 AuthNRequest. I managed to add signature informations using OpenSaml but i can't find a way to add <ds:SignatureValue/> and <ds:DigestValue/> VALUES using the library. Here is the code:

    public String buildAuthnRequest()  {
        QName qname = new javax.xml.namespace.QName(SSO_METDATA_QNAME);
        IssuerBuilder issuerBuilder = new IssuerBuilder();
        Issuer issuer = issuerBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
        issuer.setValue(issuer.getValue());
        DateTime issueInstant = new DateTime();
        AuthnRequestBuilder authnRequestBuilder = new AuthnRequestBuilder();
        AuthnRequest authnRequest = authnRequestBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:protocol","AuthnRequest", "samlp");
        authnRequest.setAssertionConsumerServiceURL("http://test.com");
//      Signature sign = null;
//      sign.setSignatureAlgorithm("SHA256");
//      Credential credential = null;
//      sign.setSigningCredential(credential);
//      authnRequest.setSignature(sign);
        NameIDPolicyBuilder policy = new NameIDPolicyBuilder();
        NameIDPolicy pol = policy.buildObject();
        RequestedAuthnContextBuilder contextBuild = new RequestedAuthnContextBuilder();
        RequestedAuthnContext context = contextBuild.buildObject();
        authnRequest.setRequestedAuthnContext(context);
        authnRequest.setNameIDPolicy(pol);
        authnRequest.setForceAuthn(new Boolean(false));
        authnRequest.setIsPassive(new Boolean(false));
        authnRequest.setIssueInstant(issueInstant);
        authnRequest.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        authnRequest.setAssertionConsumerServiceURL(issuer.getElementQName().getNamespaceURI());
        authnRequest.setProviderName("RGI");
        authnRequest.setIssuer(issuer);
        authnRequest.setID(UUID.randomUUID().toString());
        authnRequest.setVersion(SAMLVersion.VERSION_20);
        SignatureBuilder signBuilder = new SignatureBuilder();
        Signature sign = signBuilder.buildObject();
        sign.setSchemaLocation("http://www.w3.org/2000/09/xmldsig#");
        sign.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
        sign.setCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
        KeyInfoBuilder keyBuilder = new KeyInfoBuilder();
        KeyInfo key = keyBuilder.buildObject();
        key.setID(UUID.randomUUID().toString());
        sign.setKeyInfo(key);

        authnRequest.setSignature(sign);

//      RequestedAuthnContextBuilder requestContext = new RequestedAuthnContextBuilder();
//      RequestedAuthnContext rx = requestContext.buildObject(qname);
//      authne
//      rx.setComparison(arg0);
//      authnRequest.setRequestedAuthnContext(arg0);

        Logger.info("AUTHNREQUEST: "+authnRequest.toString());

        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(authnRequest);
        /* Encoding the compressed message */
        String encodedRequestMessage = null;
        String redirectionUrl = null;
        try {
            Element authDOM = marshaller.marshall(authnRequest);
            StringWriter rspWrt = new StringWriter();
            XMLHelper.writeNode(authDOM, rspWrt);
            String requestMessage = rspWrt.toString();
            utils.saveToFile("authmnRequest.xml", requestMessage);
            Deflater deflater = new Deflater(Deflater.DEFLATED, true);
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            DeflaterOutputStream deflaterOutputStream = new DeflaterOutputStream(byteArrayOutputStream, deflater);
            deflaterOutputStream.write(requestMessage.getBytes());
            deflaterOutputStream.close();
            encodedRequestMessage = Base64.encodeBytes(byteArrayOutputStream.toByteArray(), Base64.DONT_BREAK_LINES);
            String encodedAuthnRequest = URLEncoder.encode(encodedRequestMessage,"UTF-8").trim();
            String identitypProviderUrl = SignInUrl;
            redirectionUrl = identitypProviderUrl + "?SAMLRequest="+ encodedRequestMessage;
            Logger.info("RedirectionUrl: "+redirectionUrl);
            return redirectionUrl;
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (MarshallingException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }

        return redirectionUrl;

I can use both HTTP-POST binding and HTTP-REDIRECT binding. I was trying to use HTTP-POST but if someone can explain how to make a HTTP-REDIRECT signature is accepted as an answer.

The ouput of HTTP-POST looks like:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcwMDI5MjdaFw0xNTA3MTcwMDI5MjdaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7vU/6R/OBA6BKsZH4L2bIQ2cqBO7/aMfPjUPJPSn59d/f0aRqSC58YYrPuQODydUABiCknOn9yV0fEYm4bNvfjroTEd8bDlqo5oAXAUAI8XHPppJNz7pxbhZW0u35q45PJzGM9nCv9bglDQYJLby1ZUdHsSiDIpMbGgf/ZrxqawIDAQABo1AwTjAdBgNVHQ4EFgQU3s2NEpYx7wH6bq7xJFKa46jBDf4wHwYDVR0jBBgwFoAU3s2NEpYx7wH6bq7xJFKa46jBDf4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQCPsNO2FG+zmk5miXEswAs30E14rBJpe/64FBpM1rPzOleexvMgZlr0/smF3P5TWb7H8Fy5kEiByxMjaQmml/nQx6qgVVzdhaTANpIE1ywEzVJlhdvw4hmRuEKYqTaFMLez0sRL79LUeDxPWw7Mj9FkpRYT+kAGiFomHop1nErV6Q==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

My current output is:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="urn:oasis:names:tc:SAML:2.0:assertion" ForceAuthn="false" ID="371fd275-271c-4e4e-a94e-858d7f616170" IsPassive="false" IssueInstant="2015-09-08T08:49:12.216Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="RGI" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion" />
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#371fd275-271c-4e4e-a94e-858d7f616170">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue/></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo Id="86ff0678-998d-4c97-bd1f-efdb9640de80" /></ds:Signature>
    <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" />
    <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" />
</samlp:AuthnRequest>

Thanks in advance


Solution

  • I solved it time ago, so i put the response here for someone's else need.

    When creating the AuthnRequest object with the builder:

        // Add signature to request
        SignatureBuilder signFactory = new SignatureBuilder();
        Signature signature = signFactory.buildObject(Signature.DEFAULT_ELEMENT_NAME);
                signature.setCanonicalizationAlgorithm(getIdpSignature().getCanonicalizationAlgorithm());
                signature.setSignatureAlgorithm(getIdpSignature().getSignatureAlgorithm());
                signature.setSigningCredential(this.getCredentialFromFiles(SP_PRIVATEKEY,SP_CERTIFICATE));
    // set signature
    request.setSignature(signature);
    

    The method this.getCredentialFromFiles() read x509 certificate from disk and build BasicX509Credential object

    This is how to sign the XML object

    private void signRequest(SignableXMLObject obj) {
            Credential credential = this.getCredential(SP_PRIVATEKEY, SP_CERTIFICATE);
            Signature signature = (Signature) Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                    .buildObject(Signature.DEFAULT_ELEMENT_NAME);
            signature.setSigningCredential(credential);
            signature.setCanonicalizationAlgorithm(getIdpSignature().getCanonicalizationAlgorithm());
            signature.setSignatureAlgorithm(getIdpSignature().getSignatureAlgorithm());
            SecurityConfiguration secConfig = Configuration.getGlobalSecurityConfiguration();
            try {
                SecurityHelper.prepareSignatureParams(signature, credential, secConfig, null);
                obj.setSignature(signature);
                Configuration.getMarshallerFactory().getMarshaller(obj).marshall(obj);
                Signer.signObject(signature);
            } catch (Exception e) {
    
            }
        }
    

    And then sign the request:

    this.signRequest(request);
    

    +1 if you found it userful!