
Problems integrating with Shibboleth IdP version 3.3 #526

Open

cjamison opened this issue Jan 21, 2020 · 2 comments

Comments

@cjamison

I am able to get ruby-saml version 1.11.0 to work as a service provider with OneLogin's IdP just fine. However, I am now trying to integrate with another IdP (Shibboleth version 3.3) and I am encountering errors on the IdP side.

Trying SSO, the Shibboleth IdP reports:

    ERROR [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:75] - SPSSODescriptor for entity ID 'https://HOSTNAME/saml/metadata' indicates AuthnRequests must be signed, but inbound message was not signed.

It seems to work if encryption is disabled on the IdP. For example:

    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
    <bean parent="SAML2.AttributeQuery" p:encryptAssertions="false"/>
    <bean parent="SAML2.ArtifactResolution" p:encryptAssertions="false"/>

However, the IdP owners would like to get this working with encryption enabled.

Our ruby-saml service provider configuration settings are as follows:

    require 'onelogin/ruby-saml'

    # Pull the IdP endpoints and signing certificate from its published metadata.
    # saml_config, consume_saml_index_url, metadata_saml_index_url, saml_certificate
    # and saml_private_key are the application's own helpers.
    idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
    settings = idp_metadata_parser.parse_remote(saml_config.idp_metadata_url)
    settings.assertion_consumer_service_url = consume_saml_index_url
    settings.sp_entity_id = metadata_saml_index_url
    settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    settings.idp_sso_target_url = saml_config.idp_sso_target_url

    # SP key pair: used to sign requests and to decrypt assertions the IdP encrypts.
    settings.certificate = saml_certificate
    settings.private_key = saml_private_key
    settings.security[:authn_requests_signed] = true
    settings.security[:logout_requests_signed] = true
    settings.security[:logout_responses_signed] = true
    settings.security[:metadata_signed] = true
    settings.security[:digest_method] = XMLSecurity::Document::SHA256
    settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256

Is there something I am perhaps missing in my configuration to get this working? Any assistance you could provide would be greatly appreciated.

@pitbulk
Collaborator

pitbulk commented Jan 27, 2021

The signing process is described here: https://github.com/onelogin/ruby-saml#signing

It seems Shibboleth IdP is not able to recognize the Signature associated with the AuthNRequest.

Are you able to see the trace (use SAMLTracer) and verify the Signature is there?

How are you providing it? Right now the toolkit uses the Redirect binding, so make sure you have

    settings.security[:embed_sign] = false

@johnnyshields
Collaborator

If Redirect binding, embed_sign should be false. See #606 for proposal to rename/rework this confusingly named parameter.
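To make the Redirect-binding point above concrete, here is an added example (not ruby-saml's code and not from either commenter) that reproduces, with only the Ruby standard library, the HTTP-Redirect signing scheme the toolkit uses when `embed_sign` is false, together with the check an IdP performs on receipt. With this binding the signature is not inside the AuthnRequest XML at all: it covers the URL-encoded `SAMLRequest`, `RelayState` and `SigAlg` parameters and travels as a separate `Signature` parameter, so an IdP that finds no such parameter reports exactly the "inbound message was not signed" error quoted in the issue. The AuthnRequest, key pair and RelayState are constructed placeholders.

```ruby
require 'openssl'
require 'zlib'
require 'base64'
require 'cgi'

# Algorithm the verifier pins; SigAlg from the wire is checked against it, never trusted blindly.
SIG_ALG = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# HTTP-Redirect binding encoding: raw DEFLATE (zlib header and trailer stripped), then base64.
def deflate_encode(xml)
  Base64.strict_encode64(Zlib::Deflate.deflate(xml, Zlib::BEST_COMPRESSION)[2..-5])
end

def inflate_decode(b64)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(Base64.decode64(b64))
end

# SP side (embed_sign = false): the signature is NOT embedded in the XML. It covers the
# URL-encoded string "SAMLRequest=...[&RelayState=...]&SigAlg=..." and is appended as a
# separate Signature query parameter.
def build_signed_redirect_query(xml, key, relay_state: nil)
  parts = ["SAMLRequest=#{CGI.escape(deflate_encode(xml))}"]
  parts << "RelayState=#{CGI.escape(relay_state)}" if relay_state
  parts << "SigAlg=#{CGI.escape(SIG_ALG)}"
  signed = parts.join('&')
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signed)
  "#{signed}&Signature=#{CGI.escape(Base64.strict_encode64(sig))}"
end

# IdP side: rebuild the signed string from the raw (still URL-encoded) parameters in the
# order the binding specifies and verify it against the SP's registered key. A query with
# no Signature/SigAlg parameter is the "inbound message was not signed" case.
def redirect_signature_valid?(query, sp_public_key)
  params = query.split('&').map { |kv| k, v = kv.split('=', 2); [k, v.to_s] }.to_h
  return false unless params['Signature'] && params['SigAlg']
  return false unless CGI.unescape(params['SigAlg']) == SIG_ALG
  signed = %w[SAMLRequest RelayState SigAlg].select { |k| params[k] }.map { |k| "#{k}=#{params[k]}" }.join('&')
  sig = Base64.decode64(CGI.unescape(params['Signature']))
  sp_public_key.verify(OpenSSL::Digest.new('SHA256'), sig, signed)
end

# Constructed sample input: a minimal AuthnRequest and a throwaway key pair.
SAMPLE_XML = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
             'ID="_example" Version="2.0" IssueInstant="2020-01-21T00:00:00Z"/>'
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
```

An embedded XML signature (`embed_sign = true`) would survive none of this: the IdP rebuilding the query string above sees no `Signature` parameter and rejects the request, which is why the two comments insist on `false` for the Redirect binding.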
