
Integrating python-saml with an ADFS IDP #180

Closed
kowsari opened this issue Feb 3, 2017 · 10 comments

Comments

@kowsari commented Feb 3, 2017

Hi,
I am a recent user of python-saml and am trying to get it integrated with an ADFS IDP, and I am having a difficult time. Everything seems set up correctly on both sides with the URLs and certificates.

Even when all the signing options (authnRequestsSigned, wantMessagesSigned and wantAssertionsSigned) are set to false, I am getting a response from the IDP that is either:

The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.

or

The verification of the SAML message signature failed.
Message issuer: https://dev.site.com/api/saml/metadata/
Exception details:
MSIS1016: Relying party trust 'https://dev.site.com/api/saml/metadata/' indicates that authentication requests sent by this relying party will be signed but no signature present.

My advanced_settings are:

```json
{
  "security": {
    "nameIdEncrypted": false,
    "authnRequestsSigned": false,
    "logoutRequestSigned": false,
    "logoutResponseSigned": false,
    "signMetadata": false,
    "wantMessagesSigned": false,
    "wantAssertionsSigned": false,
    "wantNameId": true,
    "wantNameIdEncrypted": false,
    "wantAssertionsEncrypted": false,
    "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
  },
  "contactPerson": {
    "technical": {
      "givenName": "Site Admin",
      "emailAddress": "info@site.com"
    },
    "support": {
      "givenName": "Site Support",
      "emailAddress": "support@site.com"
    }
  },
  "organization": {
    "en-US": {
      "name": "Site",
      "displayname": "Site",
      "url": "https://site.com"
    }
  }
}
```

I did try the lowercase urlencoding option, which didn't make a difference. Does anybody have experience with integrating python-saml with ADFS?

Thanks!

@pitbulk (Contributor) commented Feb 6, 2017

If you read the error message of ADFS:

MSIS1016: Relying party trust '-----entityId-------'
indicates that authentication requests sent by this relying party will be signed
but no signature present.

so the AuthNRequest sent by python-saml is not signed. If you review your settings:

"authnRequestsSigned": false,

you will need to turn it to:

"authnRequestsSigned": true,

and also provide the x509 certificate and private key in the 'sp' settings section.

If you want to create self-signed certs, you can do it at the https://www.samltool.com/self_signed_certs.php service, or using the command:

openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout saml.key

Remember to register SP's x509 certificate on the ADFS in order to let it validate the Signature of the AuthNRequest.

In addition, review what NameIDFormat and what requestedAuthnContext values ADFS expects, and be sure you configure them properly on python-saml (review the settings documentation).
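A settings-consistency check for the mismatch described in this reply (an ADFS trust that requires signed requests while the SP sends unsigned ones), added here as an example that is not code from this issue or from python-saml. The `idp_requires_signed_requests` argument stands in for the ADFS trust-side setting, and the settings dict is constructed after the advanced_settings posted above.

```python
# Constructed python-saml settings fragment modelled on the advanced_settings posted above;
# sp.x509cert / sp.privateKey are empty, as they effectively were when MSIS1016 appeared.
SP_SETTINGS = {
    "sp": {"entityId": "https://dev.site.com/api/saml/metadata/", "x509cert": "", "privateKey": ""},
    "security": {"authnRequestsSigned": False, "logoutRequestSigned": False,
                 "logoutResponseSigned": False, "signMetadata": False,
                 "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"},
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SIGNING_FLAGS = ("authnRequestsSigned", "logoutRequestSigned", "logoutResponseSigned", "signMetadata")

def check_sp_settings(settings, idp_requires_signed_requests):
    """Return a list of findings; empty means the SP settings agree with the IdP trust.
    idp_requires_signed_requests mirrors the ADFS relying-party trust setting (assumed input)."""
    sec, sp = settings.get("security", {}), settings.get("sp", {})
    findings = []
    if idp_requires_signed_requests and not sec.get("authnRequestsSigned"):
        # Exactly the mismatch behind MSIS1016: the trust expects a signature, the SP sends none.
        findings.append("MSIS1016: IdP requires signed AuthnRequests but security.authnRequestsSigned is false")
    if any(sec.get(flag) for flag in SIGNING_FLAGS) and not (sp.get("x509cert") and sp.get("privateKey")):
        findings.append("signing enabled but sp.x509cert and/or sp.privateKey is empty: nothing can be signed")
    if sec.get("signatureAlgorithm", RSA_SHA1) == RSA_SHA1:  # python-saml defaults to rsa-sha1
        findings.append("signatureAlgorithm is rsa-sha1; rsa-sha256 is what got a Success status in this thread")
    return findings

def fixed_settings(settings, cert_pem, key_pem):
    """Apply the changes recommended above: sign AuthnRequests with the SP key, using rsa-sha256."""
    out = {"sp": dict(settings.get("sp", {})), "security": dict(settings.get("security", {}))}
    out["sp"].update({"x509cert": cert_pem, "privateKey": key_pem})
    out["security"].update({"authnRequestsSigned": True, "signatureAlgorithm": RSA_SHA256})
    return out
```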

@kowsari (Author) commented Feb 6, 2017

Hi,
Thank you for your quick reply. I have tried authnRequestsSigned set to both true and false, as well as other signed options on/off. I have also tried changing the NameID format, but all of these return the same error.

I have also configured the certificates to use valid certs and not self-signed ones, and I put the SP certs in the sp.crt and sp.key files locally in the certs directory.

Do you have any other suggestions that I can try?

Thanks!

@pitbulk (Contributor) commented Feb 6, 2017

Have you tried the signature algorithm?

@kowsari (Author) commented Feb 6, 2017

I tried SHA-256:
signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

and that returns
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
but the error that I get back on my server is:
Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd

@pitbulk (Contributor) commented Feb 6, 2017

Then that was the issue; a SAMLResponse with Status = Success is OK.

Now let's try to figure out why the SAMLResponse is invalid... can you validate the SAMLResponse XML here:
https://www.samltool.com/validate_xml.php

@kowsari (Author) commented Feb 6, 2017

Line: 18 | Column: 0 --> Element '{http://www.w3.org/2000/09/xmldsig#}X509SerialNumber': '137159247534293833333515219826463830998' is not a valid value of the atomic type 'xs:integer'.

@kowsari (Author) commented Feb 6, 2017

This is the whole response:

```xml
<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                Destination="https://dev.site.com/api/saml/?acs"
                ID="_212f8130-4f8e-4b64-a7fe-ec187750dfe0"
                InResponseTo="ONELOGIN_a61130917f6c1ed6c4c22e8af0548575cd59c209"
                IssueInstant="2017-02-06T20:19:14.684Z" Version="2.0"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://edc-adfs-lb.chw.edu/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </e:EncryptionMethod>
          <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=RapidSSL SHA256 CA, O=GeoTrust Inc., C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>137159247534293833333515219826463830998</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </KeyInfo>
          <e:CipherData>
            <e:CipherValue>UO2lgtfl/UdhhM23vWrXavml+B5DJLtEf9ZAtpt/O7fCRXlgSnQ2VpHht+Mz+MOA3y0o6wi/1+h0R1+epux11FMtbkpdLr95DniUx1q13555Mxfs+fLWdOdQc3r/tuXuB0W/+LWIcMjHPs+ftkuui8dA7cHVGafxBK4K/hUgMO0Jn+zpurzKEUQ3dSQMZONaUBdeg0IClXzl9JUAcaRhDFczRzGchklYI7plR2wQVzib+Oc5HSqFJSgGke2S6Eqer+gi+1NJ7VZkX16rM/Hqz7tm4T2VT4S/ONYHHfdSh1dECVozmgVV1c9JgFHyYVur0iJlenVEa5QudpAhVphAcw==</e:CipherValue>
          </e:CipherData>
        </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>
```
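A stdlib-only triage script for a response like the one above, added here as an example (not code from this issue or from python-saml): it reports the status, whether the assertion is encrypted and with which data and key-transport algorithms, and flags any X509SerialNumber that an xs:integer validator would reject. The 24-significant-digit cap is my assumption about the libxml2 parser behind the validator that produced the error quoted earlier, and the sample response is constructed with placeholder cipher values.

```python
import re
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Significant-digit cap of libxml2's xs:integer parser (xmlSchemaParseUInt) in the builds of the
# time; assumed here to be why the schema validator rejected the 39-digit serial quoted above.
XS_INTEGER_DIGIT_CAP = 24

# Constructed sample shaped like the ADFS response above; cipher values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response ID="_1" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <KeyInfo><X509Data><X509IssuerSerial>
          <X509IssuerName>CN=RapidSSL SHA256 CA, O=GeoTrust Inc., C=US</X509IssuerName>
          <X509SerialNumber>137159247534293833333515219826463830998</X509SerialNumber>
        </X509IssuerSerial></X509Data></KeyInfo>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey></KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>"""

def serial_number_problem(serial):
    """None if an xs:integer validator with the cap would accept `serial`, else the reason."""
    s = serial.strip()
    if not re.fullmatch(r"[+-]?[0-9]+", s):
        return "not a decimal integer"
    digits = len(s.lstrip("+-").lstrip("0")) or 1  # leading zeros are not significant
    if digits > XS_INTEGER_DIGIT_CAP:
        return "%d significant digits exceed the %d-digit cap" % (digits, XS_INTEGER_DIGIT_CAP)
    return None

def inspect_response(xml_text):
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    info = {"status": status.rsplit(":", 1)[-1], "encrypted": enc is not None, "serials": {}}
    if enc is not None:  # data-encryption algorithm, then key transport of the wrapped session key
        info["data_alg"] = enc.find("xenc:EncryptionMethod", NS).get("Algorithm").rsplit("#", 1)[-1]
        key_method = enc.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        info["key_alg"] = key_method.get("Algorithm").rsplit("#", 1)[-1]
    for sn in root.iter("{%s}X509SerialNumber" % NS["ds"]):  # every serial in any KeyInfo
        info["serials"][sn.text.strip()] = serial_number_problem(sn.text)
    return info
```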

@pitbulk (Contributor) commented Feb 6, 2017

I think I will need to update the xsd file.

Here is a related issue:
benoist/xmldsig#31

It is related to the private key/public cert used at ADFS.

@kowsari (Author) commented Feb 6, 2017

It works... I had to apply the same change to the xsd manually, and it goes further. It still had issues with Issuer, and I had to turn off strict in python-saml.

Can you apply the same change to python-saml as you did for the ruby-saml project at your earliest convenience?

Thanks!

@pitbulk (Contributor) commented Mar 6, 2017

Done 616f9fd
