
Verify SAML2 Digital Signature with OSP


I am trying to use a Shibboleth v3 IDP to do SAML2 authentication for
OSP. I am getting the message below, which eventually leads to more
TRACE- and WARN-level messages.

[OIDP]
Time: 2015-09-12T22:57:43.676-0500
Level: INFO
Java Execution:
Class: com.novell.oidp.saml2.protocol.SAML2Type
Method: validate
Line Number: -1
Thread: http-bio-443-exec-4
Message: Validation failure on message from
https://****.****.edu/idp/shibboleth : An improperly formatted SAML2
message was received.
LocalizableLoggableMessage
Code: com.novell.oidp.saml2.protocol.SAML2Type.validate() [-1]
Thread: http-bio-443-exec-4
Correlation Id: 2e2283c3-19db-495e-957a-2390622c8501
Text: Digital signature is required


I know that the IDP is set up properly, and I know that OSP (IDM 4.5.1
with OSP Hot Fix 2) is likely set up properly. I can use my Shibboleth
v2 IDP (which is still around for troubleshooting if SPs are having a
problem with v2 vs v3), which is using the same certs/keys, and it is
verifying fine. Also, the SAML2 message of the v3 IDP verifies when
using https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool.
The SAML messages look nearly identical between v2 and v3, except the
ordering for v2 has the SAML Status block before the Signature block,
while v3 has the Status block after the Signature block.

Any suggestions?


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54287

5 Replies

Re: Verify SAML2 Digital Signature with OSP

schwoerb,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.netiq.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.netiq.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.netiq.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your NetIQ Forums Team
http://forums.netiq.com



Re: Verify SAML2 Digital Signature with OSP


Is there a better spot than bugzilla.netiq.com to file this as a bug? I
submitted this on 9/24 there and have not got any acknowledgement.


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54287

Knowledge Partner

Re: Verify SAML2 Digital Signature with OSP

On 10/9/2015 12:16 PM, schwoerb wrote:
>
> Is there a better spot than bugzilla.netiq.com to file this as a bug? I
> submitted this on 9/24 there and have not got any acknowledgement.


Open an SR, alas. Things get prioritized as they get prioritized.

Side note: Thanks for the comments on my OSP article! I did not know
that setting was there.


Re: Verify SAML2 Digital Signature with OSP


An update ...

I got an official response from my SR. "IDM 4.5 RBPM only supports SAML
authentication through NAM at this time." and "SAML authentication
through other means beyond Access Manager is not considered a defect
with IDM 4.5 RBPM, as it was not designed to do so." They did encourage
entering an enhancement request.

This is understandable, and I respect their decision. It is just
unfortunate.


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54287


Re: Verify SAML2 Digital Signature with OSP


Another update...

I was sloppy in my first go at looking at the differences between v2 and
v3 SAML Responses.

My Shib v2 IDP was sending below, where the assertion is signed:

<Response>
  <Issuer></Issuer>
  <Status></Status>
  <Assertion>
    <Issuer></Issuer>
    <Signature></Signature>
    <Subject></Subject>
    Etc
  </Assertion>
</Response>


The Shib v3 IDP was sending a signed response instead:

<Response>
  <Issuer></Issuer>
  <Signature></Signature>
  <Status></Status>
  <Assertion>
    <Issuer></Issuer>
    <Subject></Subject>
    Etc
  </Assertion>
</Response>


After following the documentation (and example at the bottom of the
page) for Shib v3 IDP at http://tinyurl.com/jplj962, I was able to get
it to work. So, for my relying-party.xml in Shib v3, I added a config
block like:

<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'https://FQDN/osp/a/idm/auth/saml2/metadata'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:securityConfiguration-ref="Sha1StaticSecurityConfig"
                  p:encryptAssertions="false"
                  p:signAssertions="true"
                  p:signResponses="false" />
        </list>
    </property>
</bean>


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54287

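As an added example, not code from the original thread and not NetIQ's or Shibboleth's own tooling, the script below does the triage the last post ends up doing by hand: it parses a SAML 2.0 Response, reports whether the enveloped signature sits on the Response, on the Assertion, on both or on neither, checks that each signature's Reference URI points at the ID of the element carrying it, and checks that the children of Response and Assertion follow the schema sequence (Issuer, Signature, Extensions, Status, Assertion). The two sample messages are constructed skeletons of the v2 and v3 layouts from the post; the namespace URIs are the real SAML and XML-DSig ones, while the IDs, issuer, NameID and SignatureValue are made up. Only the Python standard library is used.

```python
"""
Added example (not from the original post, NetIQ or Shibboleth): locate the
XML digital signature in a SAML 2.0 Response and sanity-check it.
The sample responses at the bottom are constructed skeletons; their IDs,
issuer, NameID and SignatureValue are dummies, not real IdP output.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def q(name):
    # 'prefix:local' -> ElementTree's '{uri}local' form
    prefix, local = name.split(":")
    return "{%s}%s" % (NS[prefix], local)


# Child sequence the SAML 2.0 schema fixes for Response and Assertion.
# Names in the same tuple may appear in any order relative to each other.
RESPONSE_ORDER = [("saml:Issuer",), ("ds:Signature",), ("samlp:Extensions",),
                  ("samlp:Status",),
                  ("saml:Assertion", "saml:EncryptedAssertion")]
ASSERTION_ORDER = [("saml:Issuer",), ("ds:Signature",), ("saml:Subject",),
                   ("saml:Conditions",), ("saml:Advice",),
                   ("saml:Statement", "saml:AuthnStatement",
                    "saml:AuthzDecisionStatement", "saml:AttributeStatement")]


def in_schema_order(element, order):
    """True if element's children follow the schema sequence in `order`."""
    ranks = {q(n): i for i, group in enumerate(order) for n in group}
    last = -1
    for child in element:
        rank = ranks.get(child.tag)
        if rank is None or rank < last:
            return False  # unknown child, or a child out of sequence
        last = rank
    return True


def signature_info(element):
    """Describe the enveloped ds:Signature directly under `element`, if any."""
    sig = element.find(q("ds:Signature"))
    if sig is None:
        return None
    refs = [r.get("URI") for r in sig.iter(q("ds:Reference"))]
    # An enveloped signature must reference the ID of the element it sits in;
    # a Reference pointing anywhere else is the classic signature-wrapping smell.
    return {"references": refs,
            "covers_parent": refs == ["#" + element.get("ID", "")]}


def inspect_response(xml_text):
    """Summarise which elements are signed and whether ordering is valid."""
    root = ET.fromstring(xml_text)
    if root.tag != q("samlp:Response"):
        raise ValueError("not a samlp:Response: %s" % root.tag)
    return {
        "response_signature": signature_info(root),
        "response_order_ok": in_schema_order(root, RESPONSE_ORDER),
        "assertions": [{"id": a.get("ID"),
                        "signature": signature_info(a),
                        "order_ok": in_schema_order(a, ASSERTION_ORDER)}
                       for a in root.findall(q("saml:Assertion"))],
    }


def signing_mode(xml_text):
    """'response', 'assertion', 'both' or 'none': what the SP has to verify."""
    info = inspect_response(xml_text)
    resp = info["response_signature"] is not None
    asrt = any(a["signature"] is not None for a in info["assertions"])
    return {(True, True): "both", (True, False): "response",
            (False, True): "assertion", (False, False): "none"}[(resp, asrt)]


# --- constructed sample messages (skeletons, not real IdP output) ----------
_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
         'ID="_resp1" Version="2.0" IssueInstant="2015-09-12T22:57:43Z">'
         % (NS["samlp"], NS["saml"], NS["ds"]))
_ISSUER = "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
_STATUS = ('<samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>')


def _sig(ref_id):
    # Skeleton: a real signature also carries CanonicalizationMethod,
    # SignatureMethod, DigestMethod/DigestValue and a genuine SignatureValue.
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
            '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>'
            '</ds:Signature>' % ref_id)


def _assertion(signed):
    return ('<saml:Assertion ID="_a1" Version="2.0" '
            'IssueInstant="2015-09-12T22:57:43Z">' + _ISSUER
            + (_sig("_a1") if signed else "")
            + "<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>"
            "</saml:Assertion>")


# Shib v2 layout from the post: Status, then an Assertion carrying the Signature.
V2_ASSERTION_SIGNED = (_HEAD + _ISSUER + _STATUS + _assertion(True)
                       + "</samlp:Response>")
# Shib v3 layout from the post: response-level Signature before Status.
V3_RESPONSE_SIGNED = (_HEAD + _ISSUER + _sig("_resp1") + _STATUS
                      + _assertion(False) + "</samlp:Response>")
```

Run signing_mode() on a Response captured from the IdP and compare the answer with what the SP is configured to require; in this thread OSP logged "Digital signature is required" for a response-signed message and was satisfied once the IdP signed the Assertion (signAssertions="true", signResponses="false"). The ordering check is there because a Signature in the wrong position fails schema validation even when it verifies cryptographically; note that the v3 layout in the post (Signature before Status) is the schema-correct one, so element order was not the poster's problem. The script does not verify the signature value itself; XmlSecTool or the SP does that.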