Validate SAML assertion #6

wichert · 2020-04-14T18:49:56Z

This needs a few things:

Update the code to reflect that the X-saml-attribute-token1 (and successive) headers are base64-encoded, so we need to decode them
Add a utility function to verify the signature

Relevant code is in cmd/health-api-server

Example headers

X-uid: 1-900018101-Z-90000381-01.015-00000000
X-saml-attribute-token1: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwyOkFzc2VydGlvbiBJRD0iSUM1MzJBQ0U0NDMxOENGN0Q0OUM1RDI3QjBCMDc1RUQ0QzIzODA0NEQiIElzc3VlSW5zdGFudD0iMjAyMC0wNC0xNFQxODoyNjowOC4wNTFaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPjxzYW1sMjpJc3N1ZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL3NpYW0xLnRlc3QuYW5vaWdvLm5sL2FzZWxlY3RzZXJ2ZXIvc2VydmVyPC9zYW1sMjpJc3N1ZXI PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI PGRzOlNpZ25lZEluZm8 PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8 PGRzOlJlZmVyZW5jZSBVUkk9IiNJQzUzMkFDRTQ0MzE4Q0Y3RDQ5QzVEMjdCMEIwNzVFRDRDMjM4MDQ0RCI PGRzOlRyYW5zZm9ybXM PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8 PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgUHJlZml4TGlzdD0ieHMiIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8 PGRzOkRpZ2VzdFZhbHVlPnNVRGJDaUJSYlZnTDFCOE5tazE4OTVUU2pLbz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU Qmdzc3JobmJHQnhpYWVSOHUzQmh5SEp4WUNlMjV0QXpqaE8zVi8xODRFWGljL0xHcGdaTVQzUmp4OGtrOXFWT1QvV1owNnpleDlreWI3dWY2VURjZnlhcVhOZEdDUWRMQ21KQ0U1Ukc3SVZWclBOeWROUTM2RnZuVzl6Zkw1NVR4RklFcTJuckpVeVJIc1RWbGJvTGpsQnpCQlRaYVpaS1c5WFhnQ2tHRlRYc2VaMWZOQ0VoZWNXSDl5U1QxNGx4T0pGeTA2WlNSMkdRRHY4d2s2Z243UWZBTDJsUHViQ2xxbndQakdydjI3TVUzeTdJNlhTWlZUcHZuQzdSNWl0WUtaTGwxKzdKaWdBNTRnQ0VRUThjcGdpZDlBREk3WkhIRXhUdHlWYmdOVTh1dGRxSkg4d3BBZk8wVm44WmRjVmsrdXExQVpLTFVXbENXMGM4YnJTOEx3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjwvZHM6U2lnbmF0dXJlPjxzYW1sMjpTdWJqZWN0IHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50IiBOYW1lUXVhbGlmaWVyPSJodHRwczovL3NpYW0xLnRlc3QuYW5vaWdvLm5sL2FzZWxlY3RzZXJ2ZXIvc2VydmVyIj4wM0EzNkQxODZGRjAzRDI1MUQ1NDRGMTgxQUVCQzgyNkJENkM1QTQ4MTc1MzVBNjdENzBBRUYzNjEzNENFODcwQkZBODgxRjQwMjQ5MkNFQTc1OUQ3MkFDQjQwOUI3Q0EyNEJEMjM1RjZDQUIyMkVFNzdCMEZFMjNFMTYzREIxRTI1Rjc0MzBBNjY4RjhDQzIxOEU3ODM4RDI3RDEzRTc2OUY1QzgxM0U5NTRDMjJBQTNGNTgxOTZGREExOTRENDdGOTIzRjJGNDNFMjg0REFFOUU1NDYwQzlGNEREMTY3MjRBMkI1MUEyODhEMkZFQ0Y8L3NhbWwyOk5hbWVJRD48L3NhbWwyOlN1YmplY3Q PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudCB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPjEtOTAwMDE4MTAxLVotOTAwMDAzODEtMDEuMDE1LTAwMDAwMDAwPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Imxhc3RzeW5jdGltZSI PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI MTU4Njg4ODc2Nzk5NDwvc2FtbDI6QXR0cmlidXRlVmFsdWU PC9zYW1sMjpBdHRyaWJ1dGU PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ PC9zYW1sMjpBc3NlcnRpb24

Example SAML assertion

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="I52BBD41096FDC5520F194ED63535F54D0CE58BE4" IssueInstant="2020-04-14T18:53:16.539Z" Version="2.0" xmlns:saml2="urn:oasis:
names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:enti
ty" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://siam1.test.anoigo.nl/aselectserver/server</saml2:Issuer>
  <ds:Signature xmlns:d="xmlns:d" s="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:Sig natureMethod="natureMethod" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#I52BBD41096FDC5520F194ED63535F54D0CE58BE4">
        <ds:Trans forms="forms"><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml
-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
        </ds:Transforms><ds:Di gestMethod="gestMethod" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PdRGFJGGlNhePM8cJfxL41HPeFs=</ds:DigestValue>
      </ds:Reference>
    </ ds:SignedInfo>
    <ds:SignatureValue>ZNDOAmm00w4KiZaJo9UFNRkrOanZglDofVaC4F8Ab6FJTrcHniOS4KIhM/iHD2GGZYds3LINwPvOhFBKxTO1nNlEzXUHk6GMbKiXdOTH8PAs      wJjKD1imSZoaa0xLKtwKcQO8aYbyxZJ6ZY8MKHjmkTYJoglmvROACMbaxoP5AbGjFgKxLA7QXzlg69I6EL7MG0tE6BOgcsGZlX0qUITFSQayI8FTFqp7gqD3s5m4Nj+hLNteAz0p7p4vh D8g1ApBzRAHF4NTET3pBKRxgQz67eNmUsc9R4oCNr9EKAium9g3ravUz6+zkp4BOfR/nBQD9OzO4MjjxwHaCScQs9Updg==</ds:SignatureValue>
  </ds:Signature>
  <saml2:Subj ect="ect" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualif="NameQualif" ier="https://siam1.test.anoigo.nl/aselectserver/server">B0BFB5A75C24CF6B7C9BD56113D0EA018AD578B08C6B6A66DC554CEC4526D3E96A06D2C73B03BA1D90A3442D743BB3FF45F7D686FAC872493C7AD3E41E4F2D4DAECAC003E2BB7EA964A538CDC753B4FBC7F948A9B6A015D22C9DEC6FCF0A2836F16646AE3205B7930BD85251D45ED84095E9D048CE3B7C62</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute N="N" ame="uid">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="x
s:string">1-900018101-Z-90000381-01.015-00000000</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastsynctime">
      <saml2:Attribut eValue="eValue" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1586890396484</ saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

Server public key

The text was updated successfully, but these errors were encountered:

jap · 2020-04-15T07:29:10Z

Completed step one, the code now does base64 decoding of these headers.

jap · 2020-04-15T07:33:14Z

Implemented base64 decoding, now on to validation..

wichert assigned wichert and jap Apr 14, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Validate SAML assertion #6

Validate SAML assertion #6

wichert commented Apr 14, 2020 •

edited

Loading

jap commented Apr 15, 2020

jap commented Apr 15, 2020

Validate SAML assertion #6

Validate SAML assertion #6

Comments

wichert commented Apr 14, 2020 • edited Loading

Example headers

Example SAML assertion

Server public key

jap commented Apr 15, 2020

jap commented Apr 15, 2020

wichert commented Apr 14, 2020 •

edited

Loading