Processing SAML response with Spring SAML

spring saml saml-2.0 spring-saml
vdenotaris picture vdenotaris · Jul 29, 2014 · Viewed 7.5k times · Source

I developed a Service Provider by using Spring SAML. I've configured several IdPs, each of them with a different naming conventions for the attributes.

  1. Could I log (on Tomcat's logs/catalina.out file) an entire SAML response after a successful AuthN process?
  2. Are there some native features in order to define an association between a certain IdP's EntityID and the attribute that maps the returned userID?
  3. I'm also reading about the OID format: how can I properly decode this kind of data?

Update:

About the first question, according to the documentation, I setup up both debug logging and authentication logging as follows:

// Logger for SAML messages and events
@Bean
public SAMLDefaultLogger samlDefaultLogger() {
    SAMLDefaultLogger samlDefaultLogger = new SAMLDefaultLogger();
    samlDefaultLogger.setLogMessages(true);
    samlDefaultLogger.setLogErrors(true);
    return samlDefaultLogger;
}

Then, by defining a log4j.properties as follows:

log4j.logger.org.springframework.security.saml=DEBUG
log4j.logger.org.opensaml=DEBUG

And by properly configuring the Maven pom.xml

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

Despite that, the complete SAML response doesn't appear (I'm expecting an XML message). The output is as follows:

[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Attempting to retrieve credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Retrieved credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to verify signature and establish trust using KeyInfo-derived credentials
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Found 0 key names: []
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Attempting to extract credential from an X509Data
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 1 X509Certificates
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 0 X509CRLs
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Single certificate was present, treating as end-entity certificate
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: A total of 1 credentials were resolved
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Attempting to validate signature using key from supplied credential
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Creating XMLSignature object
[2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
[2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Signature validated with key from supplied credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- ExplicitKeyTrustEvaluator: Successfully validated untrusted credential against trusted key
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully established trust of KeyInfo-derived credential
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Processing Bearer subject confirmation
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3ab2fc5f against requested null
[2014-07-29 14:13:52.001] boot - 1118  INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response      EntityID: urn:com:vdenotaris:mysp
[2014-07-29 14:13:52.001] boot - 1118  INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response      RemoteEntityID: http:/test.idp.prv/services/trust

Note that the last two lines are defined manually by me.

Answer

Vladim&#237;r Sch&#228;fer picture Vladimír Schäfer · Jul 29, 2014

  1. You can use either debug logging (chapter 6.5), or authentication log (chapter 9.5) with logMessages property set to true. Both are able to log messages to catalina.out (as they just send logs to slf4j).

  2. No, you need to implement such logic to your SAMLUserDetailsService

  3. You can load all received attributes from the SAMLCredential object by calls to getAttributeByName and getAttributes, the returned Attribute object contains methods which allow you to parse any received attribute structure. There are no specific parsers included inside Spring SAML.

    The attributes with data in some OID type are typically encoded as xsd:string or xsd:xsd:base64Binary and you can get the raw string value for both as in the example of chapter 9.4. Providing additional possibilities to parse the encoded string into a corresponding Java type (based on OID) is out of scope for Spring SAML.

Is there some paricular type/OID you're interested it? Are you referring to this profile?

Related questions

Recipient endpoint doesn't match with SAML response

Usually my Spring SAML-based Service Provider (SP) implementation works fine, but sometimes it returns this error: [2014-07-17 16:00:58.767] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseMessageDecoder: Successfully decoded message. [2014-07-17 16:00:58.767] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: Checking SAML message …

Read More
No IDP was configured, please update included metadata with at least one IDP

I'm trying to execute Spring Security SAML Sample application following all steps referenced here : http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#quick-start-steps. However, when I try to test single sign-on, an error page is opening with message : "…

Read More
SAMLException: InResponseToField of the Response doesn't correspond to sent message

We are working on an application, which is protected with spring security saml. Authentication works fine, but there is one problem with the following workflow in production environment. user requests the unprotected address www.server.com response is a html …

Read More