Message Authentication problem

[aleale]

First of all.... really good job!

I'm testing this spring mod and i still have a little problem, i'm sure you will help!


i have installed Shibboleth on my local Tomcat6.
( https://wiki.shibboleth.net/confluen...lay/SHIB2/Home )

in tomcat6 i have configured 2 connectors for my IDP

Code:

<Connector SSLEnabled="true" clientAuth="false" keypass="xxxxxx" 
keystoreFile="C:\\app\\shibinstall\\credentials\\idp.jks" keystorePass="xxxx" 
maxThreads="150" port="443" protocol="HTTP/1.1" scheme="https" 
secure="true" sslProtocol="TLS"
/>

Code:

<Connector SSLEnabled="true" 
SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation" 
clientAuth="want" 
keystoreFile="C:\\app\\shibinstall\\credentials\\idp.jks"
keystorePass="xxxx" port="8443"

then apacheds as LDAP as Shibboleth LoginHandler

oracle XE as Shibboleth AttributeResolver

I'have installed in my local tomcat7 spring-security-saml2-sample

imported metadata both ways: idp to sp and sp tp idp

then i did some tests:


------------------------------------------

TEST1 (with no artifact):

Code:

<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
        <property name="defaultProfileOptions">
            <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <property name="includeScoping" value="false"/>
                <property name="assertionConsumerIndex" value="1"/>
            </bean>
        </property>
    </bean>

----> OK, user authenticated and attributes printed on web page


------------------------------------------

TEST2 (with artifact):

Code:

<! --  <property name="assertionConsumerIndex" value="1"/>  -->

IDP LOG:
14:49:25.717 - ERROR [org.opensaml.ws.security.provider.MandatoryAuthent icatedMessageRule:37] - Inbound message issuer was not authenticated.
14:49:25.724 - WARN [edu.internet2.middleware.shibboleth.idp.profile.sa ml2.ArtifactResolution:198] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.

RESPONSE TO SP:

Code:

<soap11:Body>
      <saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_38a97cbb9ae5d4bde79c340afd780a27" InResponseTo="a2ja036g365833e753fi10d64gjh435" IssueInstant="2012-12-29T13:49:25.727Z" Version="2.0">
         <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idptest.xxxxx.xx/idp/shibboleth</saml2:Issuer>
         <saml2p:Status>
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
               <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
            </saml2p:StatusCode>
            <saml2p:StatusMessage>Message did not meet security requirements</saml2p:StatusMessage>
         </saml2p:Status>
      </saml2p:ArtifactResponse>
   </soap11:Body>
</soap11:Envelope>

SP:
error : no response

------------------------------------------

TEST3 (with artifact and less security):

in idp relying-party.xml: no MandatoryMessageAuthentication

Code:

    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
     <!--    <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>  -->
     <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
    </security:SecurityPolicy>

----> OK attributes printed on web page


-----------------------------------------

now my security context has:

Code:

    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            	<property name="requestSigned" value="true"/>
            	<property name="wantAssertionSigned" value="true"/>
            	<property name="signMetadata" value="true"/>
            </bean>
        </constructor-arg>
    </bean>

but something is missing .. need to do some tomcat7 authentication config maybe?

thanks for help and .. happy new year

alessandro

[aleale]

solved ...
<bean class="org.springframework.security.saml.metadata. ExtendedMetadata">
<property name="requireArtifactResolveSigned" value="true"/>
</bean>

maybe it should be true by default ?

[vsch]

Glad you found where the problem was, Alessandro. I think that making the value true by default is sensible, you'll find the modification in the trunk in the near future.

Vladimír Schäfer