
mcguinness / saml-sp

49.0 4.0 27.0 326 KB

Simple Service Provider (SP) for SAML 2.0 Web SSO and Relying Party (RP) for WS-Federation

License: MIT License

JavaScript 59.38% CSS 0.10% Smarty 4.58% Handlebars 35.93%
sso federation saml saml-service-provider testing ws-federation samlp


Introduction

This app provides a simple test Service Provider (SP) for the SAML 2.0 Web Browser SSO Profile, or a Relying Party (RP) for the WS-Federation Passive Requestor Profile.

The following SAML 2.0 WebSSO features are supported:

  • Authentication Request
    • Signatures (SHA1 or SHA256)
    • HTTP-POST or HTTP-Redirect Bindings
    • Authentication Context Class
    • NameID Format
    • ForceAuthn
    • Dynamic AssertionConsumerServiceURL
  • Assertion Consumer Service
    • Signature Verification with Public Key Certificate or Thumbprint
    • HTTP-POST Binding
    • Encrypted Assertions
  • SAML Single Logout Service
    • Signatures (SHA1 or SHA256)
    • HTTP-POST Binding for Responses
    • HTTP-POST or HTTP-Redirect Bindings for Requests
  • SAML Metadata
    • Auto-configuration with IdP Metadata
    • Publish SP Metadata

The following WS-Federation features are supported:

  • Security Token Service Response
    • Signature Verification with Public Key Certificate or Thumbprint
    • Encrypted Assertions
  • Federation Metadata
    • Auto-configuration with IdP Metadata
    • Publish RP Metadata

Installation

npm install

Usage

Dynamic IdP Configuration from IdP Metadata (Recommended)

node bin/server.js --idpMetaUrl {url}

The default protocol is SAMLP if the metadata advertises both SAMLP and WS-Federation.

Example

node bin/server.js --idpMetaUrl https://example.okta.com/app/exkikd6nFJIdpcrZR0g3/sso/saml/metadata

Static IdP Configuration with Certificate

node bin/server.js --iss {issuer} --idpSsoUrl {url} --idpCert {pem}

Example

node bin/server.js --iss http://www.okta.com/exknnoOGPcwWSnKUK0g3 --idpSsoUrl https://example.okta.com/app/example_saml/exknnoOGPcwWSnKUK0g3/sso/saml --idpCert ./idp-cert.pem

Static IdP Configuration with SHA1 Thumbprint

node bin/server.js --iss {issuer} --idpSsoUrl {url} --idpThumbprint {sha1}

Example

node bin/server.js --iss http://www.okta.com/exknnoOGPcwWSnKUK0g3 --idpSsoUrl https://example.okta.com/app/example_saml/exknnoOGPcwWSnKUK0g3/sso/saml --idpThumbprint 77:87:4A:86:18:B3:CB:44:C2:EB:68:1B:77:0B:1D:F6:4A:0E:88:E7

Options

node bin/server.js --help

Options:
  --version                      Show version number                                                                                                       [boolean]
  --settings                     Path to JSON config file
  --port, -p                     Web Server listener port                                                                        [number] [required] [default: 7070]
  --protocol                     Federation Protocol                                                                          [string] [required] [default: "samlp"]
  --idpIssuer, --iss             IdP Issuer URI                                                                                [string] [default: "urn:example:idp"]
  --idpSsoUrl                    IdP Single Sign-On Service URL (SSO URL)                                                                                   [string]
  --idpSsoBinding                IdP Single Sign-On AuthnRequest Binding         [string] [required] [default: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]
  --idpSloUrl                    IdP Single Logout Service URL (SLO URL) (SAMLP)                                                                            [string]
  --idpSloBinding                IdP Single Logout Request Binding (SAMLP)       [string] [required] [default: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]
  --idpCert                      IdP Public Key Signing Certificate (PEM)                                                                                   [string]
  --idpThumbprint                IdP Public Key Signing Certificate SHA1 Thumbprint                                                                         [string]
  --idpMetaUrl                   IdP SAML Metadata URL                                                                                                      [string]
  --audience, --aud              SP Audience URI / RP Realm                                                                     [string] [default: "urn:example:sp"]
  --providerName                 SP Provider Name                                                                 [string] [default: "Simple SAML Service Provider"]
  --acsUrls                      SP Assertion Consumer Service (ACS) URLs (Relative URL)                                 [array] [required] [default: ["/saml/sso"]]
  --signAuthnRequests, --signed  Sign AuthnRequest Messages (SAMLP)                                                             [boolean] [required] [default: true]
  --signatureAlgorithm           Signature Algorithm                                                                                [string] [default: "rsa-sha256"]
  --digestAlgorithm              Digest Algorithm                                                                                       [string] [default: "sha256"]
  --requestNameIDFormat          Request Subject NameID Format (SAMLP)                                                                     [boolean] [default: true]
  --validateNameIDFormat         Validate format of Assertion Subject NameID                                                               [boolean] [default: true]
  --nameIDFormat, --nameid       Assertion Subject NameID Format                        [string] [default: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
  --requestAuthnContext          Request Authentication Context (SAMLP)                                                                    [boolean] [default: true]
  --authnContextClassRef, --acr  Authentication Context Class Reference      [string] [default: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"]
  --spCert                       SP/RP Public Key Signature & Encryption Certificate (PEM)          [string] [default: "/Users/karl/src/saml-sp/config/sp-cert.pem"]
  --spKey                        SP/RP Private Key for Signature & Decryption (PEM)                  [string] [default: "/Users/karl/src/saml-sp/config/sp-key.pem"]
  --httpsPrivateKey              Web Server TLS/SSL Private Key (PEM)                                                                                       [string]
  --httpsCert                    Web Server TLS/SSL Certificate (PEM)                                                                                       [string]
  --https                        Enables HTTPS Listener (requires httpsPrivateKey and httpsCert)                                          [boolean] [default: false]
  --relayState, --rs             Default Relay State                                                                                                        [string]
  --help                         Show help                                                                                                                 [boolean]

Passing key-pairs from environment variables

Key pairs and the IdP certificate can also be passed as PEM text from environment variables, so nothing has to be written to disk on the host running the SP:

node bin/server.js --iss {issuer} --idpSsoUrl {url} --idpCert="$SAML_IDP_CERT" --spCert="$SAML_SP_CERT" --spKey="$SAML_SP_KEY"

SAML 2.0 SSO Protocol

The SAML 2.0 protocol is specified with --protocol samlp (default)

Identity Provider Settings

The IdP settings needed for federation can be auto-configured from IdP SAML metadata. If IdP SAML metadata is not available you can manually specify the service endpoints, bindings, and signing credentials. Because the metadata document delivers the signing certificate the SP will trust for every assertion, fetch it only over HTTPS from a URL obtained from the IdP administrator.

If you need an IdP to test against, use Simple Identity Provider (IdP) for SAML 2.0 to exercise the end-to-end SAML 2.0 Web Browser SSO flows.

Endpoints

Endpoint              Argument        Default
SSO Service URL       idpSsoUrl
SSO Service Binding   idpSsoBinding   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
SLO Service URL       idpSloUrl
SLO Service Binding   idpSloBinding   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

Response/Assertion Signing Certificate

You must supply the IdP signing certificate, either as a PEM file with the idpCert argument or as its SHA1 thumbprint with the idpThumbprint argument, so the SP can verify the signature on the SAMLResponse message from the IdP. Both forms pin a single certificate: when the IdP rotates its signing key the value must be updated (or the SP restarted against fresh metadata), otherwise every response will fail signature verification.

Service Provider Settings

You need to create a SAML trust in your SAML IdP for the SP web app. The following settings are required and can be customized via command-line arguments or within the /settings page.

Audience (EntityID)

The default SP audience is urn:example:sp. You can change this with the --aud argument.

Binding

The Service Provider only supports the HTTP-POST binding for the Assertion Consumer Service.

Service                     Binding     URL
Assertion Consumer Service  HTTP-POST   http://localhost:port/saml/sso (default)
Single Logout Service       HTTP-POST   http://localhost:port/saml/slo

You can specify additional endpoints (relative paths) for the Assertion Consumer Service with the acsUrls argument. The first ACS URL in the array (acsUrls[0]) is used by default for AuthnRequests. You can select any configured ACS URL for a request with the /login?acsUrl=/path query parameter, or by going to the settings page in the SP and choosing the default ACS URL. The selected URL is sent in the AuthnRequest's AssertionConsumerServiceURL attribute, and a correctly behaving IdP only honours it when it matches an ACS URL registered in the trust, so register every entry of acsUrls with the IdP.

Request Signing Certificate

You should generate a self-signed certificate for the SP. Run this from the repository root so the files land where the spCert and spKey defaults expect them:

openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Service Provider' -keyout config/sp-key.pem -out config/sp-cert.pem -days 7300

This key-pair will be used to sign SAML AuthnRequest and LogoutRequest messages generated by the Service Provider. You can disable AuthnRequest message signatures with the signAuthnRequests argument. LogoutRequest messages always require signatures.

Decryption Private Key

The Service Provider uses the same key pair for signing and decryption, so configure the IdP to encrypt assertions to the same certificate (spCert) it uses to verify the SP's request signatures.

SAML Metadata

Service Provider SAML metadata is available on http://localhost:port/metadata

WS-Federation Protocol

The WS-Federation protocol is specified with --protocol wsfed

Identity Provider Settings

The IdP settings needed for federation can be auto-configured from IdP federation metadata. If IdP metadata is not available you can manually specify the service endpoint and signing credentials.

Endpoints

Endpoint                        Argument    Default
IdP Passive Requestor Endpoint  idpSsoUrl

Assertion Signing Certificate

You must specify the public key certificate with the idpCert or SHA1 thumbprint with idpThumbprint argument to validate the SAML 2.0 security token returned from the IdP.

Relying Party Settings

You need to create a federation trust in your IdP/STS for the RP web app. The following settings are required and can be customized via command-line arguments or within the /settings page.

Realm (Audience)

The default RP realm/audience is urn:example:sp. You can change this with the --aud argument.

Binding

The Relying Party only supports the HTTP-POST binding for the Security Token Response Endpoint.

Service                          Binding     URL
Security Token Response Endpoint HTTP-POST   http://localhost:port/saml/sso

Decryption Private Key

The Relying Party uses the same key pair for signing and decryption, so configure the IdP/STS to encrypt the SAML assertion to the RP's signing certificate (spCert).

RP Metadata

Relying Party federation metadata is available on http://localhost:port/metadata

Web Server

You can customize the port and optionally provide a TLS/SSL certificate for the Service Provider to enable HTTPS.

HTTP URL Routes

The web app hosts the following URL routes:

Route       Description
/profile    Displays the profile of the authenticated user
/login      Initiates an SSO request to the IdP
/logout     Attempts logout via SAML SLO if configured, otherwise just destroys the user's active session
/settings   Service Provider settings
/saml/sso   SSO Assertion Consumer Service / Security Token Service Response Passive Endpoint
/saml/slo   SLO endpoint
/metadata   Service Provider/Relying Party Metadata endpoint

HTTPS

Specify the https argument to enable TLS, along with the public key certificate and private key in PEM format (the options are httpsCert and httpsPrivateKey, as listed under Options):

node bin/server.js --https --httpsCert {cert} --httpsPrivateKey {key}

saml-sp's People

Contributors

brianzuzga-okta, danielzeller-okta, jhiner, karlmcguinness-okta, mcguinness, nregina-hbs


saml-sp's Issues

Are you supporting this?

I have been tasked with getting Saml service provider up and running with node, and this project looks like an excellent place to start.

I've set up the project and have read your readme, but I'm not clear at all in how to proceed. The example doesn't work as is, nor does the example provided when I try the readme sample. It appears that I need an idp-cert.

Are there any online resources for testing something like this so I can understand how stuff works and get it going in my own environment?

I understand if you aren't able to support this.

Thanks!

Issue with SLO

Hi,

I am trying to use saml-sp to test different use cases of an internal SLO implementation (using saml-sp as an SLO initiator or as another relying party).
At this time, SLO seems broken to me on the saml-sp part.

When clicking on the Sign-out button on the saml-sp profile page, I get an error message:

the following xpath cannot be signed because it was not found: //*[local-name(.)='LogoutResponse' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']

Error: the following xpath cannot be signed because it was not found: //*[local-name(.)='LogoutResponse' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']
at SignedXml.createReferences (/home/node/node_modules/xml-crypto/lib/signed-xml.js:595:13)
at SignedXml.createSignedInfo (/home/node/node_modules/xml-crypto/lib/signed-xml.js:711:15)
at SignedXml.computeSignature (/home/node/node_modules/xml-crypto/lib/signed-xml.js:531:25)
at Object.module.exports.signXml (/home/node/node_modules/samlp-logout/lib/signers.js:47:7)
at prepareAndSendToken (/home/node/node_modules/samlp-logout/index.js:48:23)
at WsFedSaml2Strategy.logout (/home/node/node_modules/samlp-logout/index.js:312:5)
at /home/node/app/app.js:338:18
at Layer.handle [as handle_request] (/home/node/node_modules/express/lib/router/layer.js:95:5)
at next (/home/node/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/node/node_modules/express/lib/router/route.js:112:3)

When initiating the SLO from another app, when the IdP redirects me to the saml-sp SLO URL, I am then redirected to the IdP with a Response (which is OK), but the IdP fails to decode it and generates an error (which breaks the SLO process). The IdP is Keycloak, and the error message is:

14:56:07,026 ERROR [org.keycloak.saml.common] (default task-47) Error in base64 decoding saml message: org.keycloak.saml.common.exceptions.ProcessingException: PL00102: Processing Exception:
14:56:07,026 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-47) Uncaught server error: java.lang.NullPointerException

    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.lang.Thread.run(Thread.java:748)

So my questions are:

  • has the SLO part been tested recently, and is it supposed to be in a working state?
  • do you have any idea why the Sign-Out option gives this error?

For the Keycloak not liking the Logout Response, I'll dig a little more when I have time; I won't ask you to debug another piece of software :), but I was wondering whether the SLO functionality was supposed to be functional or not.

POST binding doesn't work after the re-write

Looks like no matter how you configure the app (either passing --idpSsoBinding explicitly or setting it after startup via the /settings page), it always sends the AuthN request via redirect binding.

Unable to do npm install

Getting the below error when trying to do npm install:

/usr/local/bin/saml-sp -> /usr/local/lib/node_modules/saml-sp/bin/server.js

> [email protected] install /Users/<user_name>/Desktop/Kannan/projects/saml-sp/node_modules/x509
> node-gyp rebuild

  CXX(target) Release/obj.target/x509/src/addon.o
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
In file included from ../../nan/nan.h:194:
../../nan/nan_maybe_43_inl.h:88:15: error: no member named 'ForceSet' in 'v8::Object'
  return obj->ForceSet(GetCurrentContext(), key, value, attribs);
         ~~~  ^
../../nan/nan_maybe_43_inl.h:220:17: error: no member named 'CloneElementAt' in 'v8::Array'
  return array->CloneElementAt(GetCurrentContext(), index);
         ~~~~~  ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
In file included from ../../nan/nan.h:200:
In file included from ../../nan/nan_new.h:189:
../../nan/nan_implementation_12_inl.h:40:38: error: too few arguments to function call, expected 2, have 1
  return v8::BooleanObject::New(value).As<v8::BooleanObject>();
         ~~~~~~~~~~~~~~~~~~~~~~      ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:5224:3: note: 'New' declared here
  static Local<Value> New(Isolate* isolate, bool value);
  ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
In file included from ../../nan/nan.h:200:
In file included from ../../nan/nan_new.h:189:
../../nan/nan_implementation_12_inl.h:40:60: error: expected '(' for function-style cast or type construction
  return v8::BooleanObject::New(value).As<v8::BooleanObject>();
                                          ~~~~~~~~~~~~~~~~~^
../../nan/nan_implementation_12_inl.h:40:62: error: expected expression
  return v8::BooleanObject::New(value).As<v8::BooleanObject>();
                                                             ^
../../nan/nan_implementation_12_inl.h:340:28: warning: 'New' is deprecated: Use Isolate* version [-Wdeprecated-declarations]
  return v8::StringObject::New(value).As<v8::StringObject>();
                           ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:5241:3: note: 'New' has been explicitly marked deprecated here
  V8_DEPRECATED("Use Isolate* version",
  ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8config.h:326:29: note: expanded from macro 'V8_DEPRECATED'
  declarator __attribute__((deprecated(message)))
                            ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
../../nan/nan.h:820:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/node.h:173:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED("Use MakeCallback(..., async_context)",
^
/Users/<user_name>/.node-gyp/11.14.0/include/node/node.h:93:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
../../nan/nan.h:834:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/node.h:166:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED("Use MakeCallback(..., async_context)",
^
/Users/<user_name>/.node-gyp/11.14.0/include/node/node.h:93:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
../../nan/nan.h:848:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/node.h:159:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED("Use MakeCallback(..., async_context)",
^
/Users/<user_name>/.node-gyp/11.14.0/include/node/node.h:93:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
../../nan/nan.h:894:44: warning: 'ToString' is deprecated: Use maybe version [-Wdeprecated-declarations]
      v8::Local<v8::String> string = from->ToString();
                                           ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:2548:10: note: 'ToString' has been explicitly marked deprecated here
  inline V8_DEPRECATED("Use maybe version", Local<String> ToString() const);
         ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8config.h:326:29: note: expanded from macro 'V8_DEPRECATED'
  declarator __attribute__((deprecated(message)))
                            ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
../../nan/nan.h:904:27: warning: 'WriteUtf8' is deprecated: Use Isolate* version [-Wdeprecated-declarations]
        length_ = string->WriteUtf8(str_, static_cast<int>(len), 0, flags);
                          ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:2753:3: note: 'WriteUtf8' has been explicitly marked deprecated here
  V8_DEPRECATED("Use Isolate* version",
  ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8config.h:326:29: note: expanded from macro 'V8_DEPRECATED'
  declarator __attribute__((deprecated(message)))
                            ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
../../nan/nan.h:1461:31: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return scope.Escape(node::MakeCallback(
                              ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/node.h:173:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED("Use MakeCallback(..., async_context)",
^
/Users/<user_name>/.node-gyp/11.14.0/include/node/node.h:93:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../src/addon.cc:5:
In file included from ../include/x509.h:7:
../../nan/nan.h:1965:7: error: no viable conversion from 'imp::NativeGetter' (aka 'void (*)(v8::Local<v8::Name>, const v8::PropertyCallbackInfo<v8::Value> &)') to 'Local<v8::Name>'
    , getter_
      ^~~~~~~
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:303:7: note: candidate constructor (the implicit copy constructor) not viable: no known conversion from 'imp::NativeGetter' (aka
      'void (*)(v8::Local<v8::Name>, const v8::PropertyCallbackInfo<v8::Value> &)') to 'const v8::Local<v8::Name> &' for 1st argument
class Local {
      ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:303:7: note: candidate constructor (the implicit move constructor) not viable: no known conversion from 'imp::NativeGetter' (aka
      'void (*)(v8::Local<v8::Name>, const v8::PropertyCallbackInfo<v8::Value> &)') to 'v8::Local<v8::Name> &&' for 1st argument
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:307:13: note: candidate template ignored: could not match 'Local<type-parameter-0-0>' against 'void (*)(v8::Local<v8::Name>,
      const v8::PropertyCallbackInfo<v8::Value> &)'
  V8_INLINE Local(Local<S> that)
            ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:3455:43: note: passing argument to parameter 'name' here
      Local<Context> context, Local<Name> name,
                                          ^
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:314:5: error: assigning to 'v8::Context *' from incompatible type 'v8::String *'
    TYPE_CHECK(T, S);
    ^~~~~~~~~~~~~~~~
/Users/<user_name>/.node-gyp/11.14.0/include/node/v8.h:268:39: note: expanded from macro 'TYPE_CHECK'
    *(static_cast<T* volatile*>(0)) = static_cast<S*>(0);      \
                                      ^~~~~~~~~~~~~~~~~~
../../nan/nan.h:1964:7: note: in instantiation of function template specialization 'v8::Local<v8::Context>::Local<v8::String>' requested here
      name
      ^
7 warnings and 7 errors generated.
make: *** [Release/obj.target/x509/src/addon.o] Error 1
gyp ERR! build error 
gyp ERR! stack Error: `make` failed with exit code: 2
gyp ERR! stack     at ChildProcess.onExit (/usr/local/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:262:23)
gyp ERR! stack     at ChildProcess.emit (events.js:193:13)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:255:12)
gyp ERR! System Darwin 18.5.0
gyp ERR! command "/usr/local/Cellar/node/11.14.0_1/bin/node" "/usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /Users/<user_name>/Desktop/Kannan/projects/saml-sp/node_modules/x509
gyp ERR! node -v v11.14.0
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok 
npm WARN rollback Rolling back [email protected] failed (this is probably harmless): /Users/<user_name>/Desktop/Kannan/projects/saml-sp/node_modules/nan is not a child of /usr/local/lib
npm WARN rollback Rolling back [email protected] failed (this is probably harmless): /Users/<user_name>/Desktop/Kannan/projects/saml-sp/node_modules/x509 is not a child of /usr/local/lib
npm WARN rollback Rolling back [email protected] failed (this is probably harmless): /Users/<user_name>/Desktop/Kannan/projects/saml-sp/node_modules/passport-wsfed-saml2 is not a child of /usr/local/lib
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] install: `node-gyp rebuild`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the [email protected] install script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

RSA signature verification failing due to Bad Padding Exception

Description

With the following SAML AuthN Request generated with this library, I was unable to validate the signature using the provided public key.

See certificate, signature and full XML AuthN request below.

When validating in Java, I receive a BadPaddingException exception. Can you confirm this signature is valid?

Methods used to verify the signature

  1. I used this online tool to attempt to verify the AuthN request. This validates ok until you add the signature to the validation, and then it fails.
    • https://www.samltool.com/validate_authn_req.php
    • Filled out request, SP Entity Id, Target URL, X.509, and signature fields
      • SAML AuthN Request
        • See XML below
      • SP EntityId
        • urn:example:sp
      • Target URL, Destination of the AuthN Request
        • http://localhost:9011/samlv2/login/5b2e483f-7572-4879-817e-1a90ac44e757
      • X.509 cert of the Service Provider (to check Signature)
        • [X.509 certificate removed]
      • Signature of the SAML AuthN Request
        • lgNBHFxPqnxuJFeQkG07wMcBpfYwNEAsjLyjPM0lB+y6o+4KCK3tSjZuuRQYMY4IorzROyozbdklF+BOe1/KJ4XqDhEiqemA2Lk3pIbjBPn+z47FpDt5glAEqcsf2R6D8JNwd5bqJh1buHMsTCwH8XOTvityqAvkfjxYXMSotH1VIlkElcdQzip9fXlemYtLBuz2lnlLv2KMCJDia9PO6kHt2I4A/k4YpMFlv6QthiOr7eV4N9b1VN7ULXDreQ/NP8megmXeAqlZ0/5VyWtdXCQ4AIRQYTynfNVwL05TnI9sXd9yY7Omy9YRptF3hvAYQjwKujOtn3FRrMJWJ34akw==
      • SigAlg
        • http://www.w3.org/2001/04/xmldsig-more#rsa-sha2556
  2. Java fusionauth-samlv2 library
  public byte[] unpad(byte[] var1) throws BadPaddingException {
    if (var1.length != this.paddedSize) {
      throw new BadPaddingException("Decryption error");
    } else {
      switch(this.type) {
      case 1:
      case 2:
        return this.unpadV15(var1);
      case 3:
        return var1;
      case 4:
        return this.unpadOAEP(var1);
      default:
        throw new AssertionError();
      }
    }
  }

SAML v2 AuthN Request

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7fe510cc8e51aa41558a"
                    IssueInstant="2021-01-21T16:46:05Z" ProviderName="Simple SAML Service Provider"
                    AssertionConsumerServiceURL="http://localhost:7070/saml/sso"
                    Destination="http://localhost:9011/samlv2/login/5b2e483f-7572-4879-817e-1a90ac44e757"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer>urn:example:sp</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="#_7fe510cc8e51aa41558a">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>5xWg/idj8jMWfwedfjK2BEYkd/yLWcjMkfJ+Vf8t+FA=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
      lgNBHFxPqnxuJFeQkG07wMcBpfYwNEAsjLyjPM0lB+y6o+4KCK3tSjZuuRQYMY4IorzROyozbdklF+BOe1/KJ4XqDhEiqemA2Lk3pIbjBPn+z47FpDt5glAEqcsf2R6D8JNwd5bqJh1buHMsTCwH8XOTvityqAvkfjxYXMSotH1VIlkElcdQzip9fXlemYtLBuz2lnlLv2KMCJDia9PO6kHt2I4A/k4YpMFlv6QthiOr7eV4N9b1VN7ULXDreQ/NP8megmXeAqlZ0/5VyWtdXCQ4AIRQYTynfNVwL05TnI9sXd9yY7Omy9YRptF3hvAYQjwKujOtn3FRrMJWJ34akw==
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>
          [X.509 certificate removed]
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Only allows wsfed protocol with idpMetaUrl

When using idpMetaUrl, the protocol says wsfed. When using saml tracer, it verifies that it is using wsfed. I need saml. I tried using --protocol samlp, but it still says wsfed.
