
OneloginPHPSAMLSdk::processResponse() fails processing encrypted messages

Problem

OneloginPHPSAMLSdk::processResponse() fails processing encrypted messages.

A signed SAML Response that contains a signed SAML Assertion is successfully processed by OneloginPHPSAMLSdk::processResponse().

However, if the same signed SAML Response that contains a signed SAML Assertion is encrypted, then OneloginPHPSAMLSdk::processResponse() fails processing the encrypted SAML Response. In this case decryption is successful but the XML fails saml-schema-protocol-2.0.xsd validation.

Summary:

Un-encrypted message succeeds:

  • SAML Assertion in SAML Response message is signed
  • SAML Response message is signed
  • Full signed SAML Response (un-encrypted) is processed by OneloginPHPSAMLSdk::processResponse() successfully

Encrypted message fails:

  • Same full signed SAML Response is Encrypted (using Onelogin online tool) and processed by OneloginPHPSAMLSdk::processResponse()
  • Decryption of full signed SAML Response is successful
  • OneloginPHPSAMLSdk::processResponse() processing of decrypted full signed SAML Response fails

Error returned by OneloginPHPSAMLSdk::processResponse() and libxml_get_errors():

invalid_response - Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd - [{"level":2,"code":1871,"column":0,"message":"Element 'Assertion': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:assertion}Assertion, {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion ).\n","file":"/var/www/sso/app/webroot/","line":1}]

The un-encrypted version of this message passes saml-schema-protocol-2.0.xsd validation and is processed successfully.

Below are all of the settings that were used:

x.509 Certs

For testing purposes the Onelogin online Self Signed Cert tool ( https://developers.onelogin.com/saml/online-tools/x509-certs/obtain-self-signed-certs ) was used to generate Service Provider and Identity Provider x509 certificates:

Identity Provider Certs Used


Service Provider Certs Used:


Loaded OneloginPHPSAMLSdk settings:

Array
(
    [strict] => 1
    [debug] => 1
    [sp] => Array
        (
            [entityId] => https://sso.serviceprovider.com/metadata
            [assertionConsumerService] => Array
                (
                    [url] => https://sso.serviceprovider.com/saml/consume
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                )

            [singleLogoutService] => Array
                (
                    [url] => https://sso.serviceprovider.com/saml/logout
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [NameIDFormat] => urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
            [x509cert] => -----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
            [privateKey] => -----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
        )

    [idp] => Array
        (
            [entityId] => https://app.onelogin.com/saml/metadata/123456
            [singleSignOnService] => Array
                (
                    [url] => https://app.onelogin.com/trust/saml2/http-post/sso/123456
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [singleLogoutService] => Array
                (
                    [url] => https://app.onelogin.com/trust/saml2/http-redirect/slo/123456
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [x509cert] => -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
        )

    [compress] => Array
        (
            [requests] => 1
            [responses] => 1
        )

    [security] => Array
        (
            [wantMessagesSigned] => 1
            [wantAssertionsEncrypted] => 1
            [wantAssertionsSigned] => 1
            [wantNameId] => 1
            [signatureAlgorithm] => http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        )

    [contactPerson] => Array
        (
            [technical] => Array
                (
                    [givenName] => Support
                    [emailAddress] => support@serviceprovider.com
                )

            [support] => Array
                (
                    [givenName] => Support
                    [emailAddress] => support@serviceprovider.com
                )

        )

    [organization] => Array
        (
            [en-US] => Array
                (
                    [name] => Service Provider
                    [displayname] => Service Provider
                    [url] => https://serviceprovider.com
                )

        )

)

Signed SAML Response that contains the signed SAML Assertion that was used (successfully processed by OneloginPHPSAMLSdk::processResponse()):

Signed using https://developers.onelogin.com/saml/online-tools/sign/response with the above certs.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxa414281f-8c20-d4b9-6cd5-f713aca895e9" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfxa414281f-8c20-d4b9-6cd5-f713aca895e9"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>OH53i4NTaUj8M29kPGDQEZimvGE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>edMuHtgqaRJiAGBUdGCSJiWxQ2CDXi3THKotbgkDhU1uMrD3vxRnopFlaUGFW/3GCt9Q9CScMmkamS2s6JZqo0iGuuzsaIl7NPhM502iHp6BIjinrGARtjOjfamLahVrIGBggvgNbbfzwPKSNCf+T9PNtnWNBwKVNIIHZeNNJ3I=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx11d47ee6-6b2f-0ccb-2ad8-045666918aca" Version="2.0" IssueInstant="2020-06-17T14:54:14Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx11d47ee6-6b2f-0ccb-2ad8-045666918aca"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hRtng2jDhJfDGYAkp6W89Ei96Jc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>fgNDg7BAHZgqtA67png8JVeAciUt9Bfopf/UaFvTN+vOpeK/NsCh6YQ06RBqDOGKpA7X9SiK4olXy8wqUV2wNguP77Q/48DoYoWoG8InlzL2nEFg7tjp5Fp60Ywc+zmiFPD9Xahhvjpo8QVHQbbPAnJFKMa3SFP5zS905BXOOUY=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID SPNameQualifier="https://sso.serviceprovider.com/metadata" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@testmail.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2040-06-17T14:59:14Z" Recipient="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-06-17T14:53:44Z" NotOnOrAfter="2040-06-17T14:59:14Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sso.serviceprovider.com/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-06-17T14:54:07Z" SessionNotOnOrAfter="2040-06-17T22:54:14Z" SessionIndex="_51be37965feb5579d803141076936dc2e9d1d98ebf">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test@testmail.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">Norin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">Radd</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Encrypted Signed SAML Response that contains the signed SAML Assertion that was used (caused OneloginPHPSAMLSdk::processResponse() to fail):

Encrypted using https://developers.onelogin.com/saml/online-tools/encrypt-decrypt/encrypt-xml, with the Service Provider public key.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx5f2c7a86-1714-916f-551a-07250ddd4edd" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx5f2c7a86-1714-916f-551a-07250ddd4edd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>72IRpA9rPgadwFJ2UTi8nGQI/tM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>buqEO/5rw/XqX8TLQ6FmejlxzdN6+DTlK+jRprQnCKOdq4vcykex5lsq1zfLS+SRfU8MYdmBbKSll04u737aMnLCvc1552MXeG55z8JtSVzfaUmNAyfl+QQDLeBSGipMTQm2Wya4VSNYt/SbDkJ1EgRNIla8VXjr3JYgbqh2RfI=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC6DCCAlGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCdXMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAoMDU9uZWxvZ2luIFRlc3QxIjAgBgNVBAMMGXRyaW5ldC1jbG91ZC5vbmVsb2dpbi5jb20xMDAuBgkqhkiG9w0BCQEWIXN1cHBvcnRAdHJpbmV0LWNsb3VkLm9uZWxvZ2luLmNvbTAeFw0xNjEwMzEyMzA4NTNaFw0xNzEwMjIyMzA4NTNaMIGQMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UECgwNT25lbG9naW4gVGVzdDEiMCAGA1UEAwwZdHJpbmV0LWNsb3VkLm9uZWxvZ2luLmNvbTEwMC4GCSqGSIb3DQEJARYhc3VwcG9ydEB0cmluZXQtY2xvdWQub25lbG9naW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWKr8qxoBEMEb2PuLFVfeT9fM+OKp6IxlrFkewF6KJvTPlIyJDeY6baJ0lFahV1zi14q67iqADIk1fRqe9oMq4ZJLHZpeFazUSxiY56+paC9Tf1WGu2HmDUyxWSh+Sg0SdQQfbEKO0189mYBkcHfrHGD/QBcivsK+Su7xhDzCvaQIDAQABo1AwTjAdBgNVHQ4EFgQUsF7CyLKVc3TUFiRNO9Q6PB90zp4wHwYDVR0jBBgwFoAUsF7CyLKVc3TUFiRNO9Q6PB90zp4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCNqPeaKS0nlUDDCPJExXp2ovCCiNyGA2lSUOYAoBDg1LZrhE44B/KlzO0g2O4bF2nYquGF0xfGqf9M3wNsJIybCR/MrZMZE6AQgMLN8+02QjOX2TMavO8TdYXu/kYLUQGWx0bCUraIIKzE2L7EQR0WLes/hayMx/za9wV4rVMnyA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>ke/VijNVVwAgMIRK3jz6jQ/fBMKsVOzbIKtrtoP7bQCm2iZi1UHtZ5rZzdSJgpYP8EEHddqxdv51RCQheBuCpfFjI1GRlk18sbxUkvAQ0qxV45AdBcUecvHRsRFBOl3G9QGEHr3aYD1QqQx+1CBiA+t2RYHKVaJdlX+sVRFBR/Q=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>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</xenc:CipherValue>
   </xenc:CipherData>
</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>

When you have a valid SAMLResponse that contains a signature for the whole message, and you encrypt the Assertion element, you modify the XML so the signature validation will fail.

If you want to generate an encrypted unsigned assertion on a signed whole message, the process is:

  1. Encrypt the assertion.
  2. Sign the whole message.

An alternative valid SAMLResponse with encrypted assertion element is the one where the signature is on the decrypted assertion. In order to generate that:

  1. Sign the assertion.
  2. Encrypt the assertion.
  3. (Optional) You can also sign the whole message.
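The ordering rule above, shown as an added example (not php-saml code and not from the original post). The enveloped-signature Reference on a samlp:Response digests the whole Response minus its own ds:Signature, so replacing saml:Assertion with saml:EncryptedAssertion after the message was signed breaks that digest, while encrypting first and signing afterwards keeps it valid. Assumptions: the standard library's C14N 2.0 stands in for the exclusive C14N used on the page, SignatureValue and CipherValue are constructed placeholders, and the sample Response is constructed (no real signing, encryption or key material).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
SAML, DS, XENC = ("{%s}" % NS[p] for p in ("saml", "ds", "xenc"))

def reference_digest(xml_bytes):
    # Response minus its own ds:Signature (enveloped transform); stdlib C14N 2.0 stands in for exc-c14n
    root = ET.fromstring(xml_bytes)
    for sig in root.findall("ds:Signature", NS):
        root.remove(sig)
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()

def sign_response(xml_bytes):
    # Message-level signature over the unsigned Response as it is right now; SignatureValue is a placeholder
    digest = reference_digest(xml_bytes)
    root = ET.fromstring(xml_bytes)
    sig = ET.Element(DS + "Signature")
    info = ET.SubElement(sig, DS + "SignedInfo")
    ref = ET.SubElement(info, DS + "Reference", URI="#" + root.get("ID"))
    ET.SubElement(ref, DS + "DigestValue").text = digest
    ET.SubElement(sig, DS + "SignatureValue").text = "PLACEHOLDER"
    root.insert(1, sig)  # right after saml:Issuer, as in the page's Response
    return ET.tostring(root)

def digest_matches(xml_bytes):
    # Does the stored DigestValue still cover the current Response content?
    stored = ET.fromstring(xml_bytes).find(
        "ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue", NS)
    return stored is not None and stored.text == reference_digest(xml_bytes)

def encrypt_assertion(xml_bytes):
    # Stand-in for XML Encryption: swap saml:Assertion for saml:EncryptedAssertion (constructed CipherValue)
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    pos = list(root).index(assertion)
    root.remove(assertion)
    enc = ET.Element(SAML + "EncryptedAssertion")
    data = ET.SubElement(enc, XENC + "EncryptedData",
                         Type="http://www.w3.org/2001/04/xmlenc#Element")
    ET.SubElement(ET.SubElement(data, XENC + "CipherData"), XENC + "CipherValue").text = "CONSTRUCTED"
    root.insert(pos, enc)
    return ET.tostring(root)

PLAIN = (  # constructed minimal Response, no real key material
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    b'<saml:Issuer>https://idp.example/metadata</saml:Issuer><saml:Assertion ID="_a1" '
    b'Version="2.0"><saml:Issuer>https://idp.example/metadata</saml:Issuer></saml:Assertion></samlp:Response>')
```

digest_matches(encrypt_assertion(sign_response(PLAIN))) is False, which is the sign-then-encrypt order from the question; digest_matches(sign_response(encrypt_assertion(PLAIN))) is True, which is the encrypt-then-sign order from the answer.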
