Subject: SAMLAssertion XML incorrect
Date: 2010-06-18 16:36:31
From: Mark Andre
Source: samlassertion-xml-incorrect
----------------------------------------------------------------------

Our customer is passing a "signed" SAML assertion using your UltimateSAML component, and our application is using Windows Identity Foundation to process the SAML assertion and failing.  After dumping the assertion's XML and comparing it to the SAML 2.0 standard, it looks like it's incorrect.  The SAML 2.0 standard has the following:

<element name="Assertion" type="saml:AssertionType"/>

<complexType name="AssertionType">
  <sequence>
    <element ref="saml:Issuer"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="saml:Subject" minOccurs="0"/>
    <element ref="saml:Conditions" minOccurs="0"/>
    <element ref="saml:Advice" minOccurs="0"/>
    <choice minOccurs="0" maxOccurs="unbounded">
      <element ref="saml:Statement"/>
      <element ref="saml:AuthnStatement"/>
      <element ref="saml:AuthzDecisionStatement"/>
      <element ref="saml:AttributeStatement"/>
    </choice>
  </sequence>
  <attribute name="Version" type="string" use="required"/>
  <attribute name="ID" type="ID" use="required"/>
  <attribute name="IssueInstant" type="dateTime" use="required"/>
</complexType>

The key item here is the ds:Signature element: WIF and the SAML 2.0 standard have the Signature after the Issuer element; however, your component is outputting the ds:Signature after the AuthnStatement element.  Example (the entire SAML assertion is not included):

  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.domain.net/claims/customerId">
      <saml:AttributeValue>1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthnStatement AuthnInstant="2010-06-18T16:58:36Z" SessionNotOnOrAfter="2010-06-18T13:58:36Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_140B01410DB77FB9DF8BD4074FC36C6C">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>PSuLu07YxoD8Fl9PevPEyu/osGY=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>CxdWxe5JPmJwP9NWLrZKz4ylMZfey/p2ao9wHeO77KXApAMxiMfg5dZM7Y+TB0v4SxPuF5RI1TLibnZ83bCV1LwrXxn28c3jyZ/96NiIdAw4bXVzp2qNG8jS+WWXN2pLi4AqVNDVr+N+A7Mv4A7gYn2y2HLpxgSK6Z9JyyCTjaqm2E6N4Wyg+xCt/Au5aHl1K2R6EdMkNSNNmyx2eghbZZf6IBNuClo5PXC2Tj0RA5/HuFU2e6kABmeklmCWoxJZKFsx1ch1FY02JAqEAQ4f3gJHshP9bLBQqiGXqJtxcPYU1C1pWBQIqTr0nD0dGx8tbav7WtkiG+uEpXKEXp5wLA==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIC8DCCAdigAwIBAgIQKqnhn2UTTaRIppYqva7JNDANBgkqhkiG9w0BAQUFADAhMR8wHQYDVQQDExZ3c3BhMTIzMy5zdHJhdGFsYW4uY29tMB4XDTA5MDkzMDE0NTE0OFoXDTEwMDkzMDAwMDAwMFowITEfMB0GA1UEAxMWd3NwYTEyMzMuc3RyYXRhbGFuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM9vQmyPin8gGgDNfbV8TYrBC72lipHpfcspjwIj5CJJAFMl/9wI13M7guPYeOwhAzAlf/91tkX/Z6rxYEl7UWRI0pb4rSNfAAA3FujXbqHlGE22Z4hQQP0i+w5yt0jOxSBTZsY0yX/h/e2d+POg7M72SY80/af7/ufVy8hMTR2mxewwXcqD030JzxyY1kN6PCQwfGpGYpYNirUK7foKm9m3bhau8Q2eIRI2+gGNisewiX88bVNVglSLoEUmYa4xyD2brXean5cwos2DXoBxn2v6lF8m+owuxDYX1CLAzVTWg4azTeHeFulTkySuKqgkP2BvzTa9HCAg+BkJCeZqMkMCAwEAAaMkMCIwCwYDVR0PBAQDAgQwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQAu61zy6Z4MVUN4QSYw+9I0uPMbHfHaaIWKGc3G0MAdV/FgKyjGzRLaUfIYC/9DyrE2uRa02SOpMSCoh9w+wpDg1NeN8bjBDAyN1CujAv7zh3GU7vARTDQWHXuHmrQXZGUuNCQuyPiwULqycAjbJrUe5PfxSu2sROp2R3bkB3LO7P7bKEx6clXwcdzQqMmUFPVyu2UNjIS5UKIzm0mz1k9Xj+R9RWICPOgL5VVdFf0eK7OPjgJml8eAZhofhSHj7eikQcF83kSvolDmvyRcLIXwrN7HVchYpmM7+bBf9PZ9qr2ZRzZFD1Z/Uf/oV5r8ZV6eTY+rMh5mmDE6gUC+WpPH</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</saml:Assertion>

Thanks
   Mark
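The complaint above is that the producer emits ds:Signature after saml:AuthnStatement while the AssertionType sequence places it directly after saml:Issuer, and a strict consumer such as WIF rejects the document. The following is an added example, not code from the post, from UltimateSAML or from WIF: a Python check that walks the direct children of a saml:Assertion, compares their order against the schema sequence quoted above, and reports which sibling the ds:Signature element actually follows. The two sample assertions are constructed for this example (the "bad" one only mirrors the ordering described in the post); the check is structural and does not verify the signature.

```python
"""Check a SAML 2.0 <Assertion> for the child-element order required by the
AssertionType schema sequence, and report where ds:Signature actually sits.
Structure only: this does not verify the XML signature."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# AssertionType <sequence>: fixed slots first, then the repeatable statement <choice>.
SEQUENCE = [f"{{{SAML}}}Issuer", f"{{{DS}}}Signature", f"{{{SAML}}}Subject",
            f"{{{SAML}}}Conditions", f"{{{SAML}}}Advice"]
STATEMENTS = {f"{{{SAML}}}{n}" for n in
              ("Statement", "AuthnStatement", "AuthzDecisionStatement", "AttributeStatement")}
REQUIRED_ATTRS = ("Version", "ID", "IssueInstant")


def local(tag):
    """Strip the namespace from a Clark-notation tag ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def rank(tag):
    """Slot of a child in the schema sequence; every statement shares the last slot."""
    if tag in STATEMENTS:
        return len(SEQUENCE)
    return SEQUENCE.index(tag) if tag in SEQUENCE else None


def check_assertion(xml_text):
    """Return a list of schema-order problems among the assertion's direct
    children (an empty list means the order is consistent with AssertionType)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return [f"root element is {local(root.tag)}, not saml:Assertion"]
    problems = [f"missing required attribute {a}" for a in REQUIRED_ATTRS if a not in root.attrib]
    children = [c.tag for c in root]
    if not children or children[0] != SEQUENCE[0]:
        problems.append("first child must be saml:Issuer")
    highest = -1  # highest slot seen so far; a lower slot later on means out of order
    for pos, tag in enumerate(children):
        slot = rank(tag)
        if slot is None:
            problems.append(f"unexpected child {local(tag)} at position {pos}")
            continue
        if slot < highest:
            problems.append(f"{local(tag)} at position {pos} follows {local(children[pos - 1])}; "
                            "the schema places it earlier in the sequence")
        elif slot == highest and slot < len(SEQUENCE):
            problems.append(f"{local(tag)} may occur only once")
        highest = max(highest, slot)
    return problems


def signature_follows(xml_text):
    """Local name of the sibling immediately before ds:Signature, or None."""
    children = [c.tag for c in ET.fromstring(xml_text)]
    sig = f"{{{DS}}}Signature"
    if sig not in children:
        return None
    i = children.index(sig)
    return local(children[i - 1]) if i > 0 else None


# Constructed samples (not the assertion from the post).  BAD_ORDER mirrors the
# ordering the post complains about; GOOD_ORDER follows the schema sequence.
_HEAD = ('<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" Version="2.0" '
         'ID="_example" IssueInstant="2010-06-18T16:58:36Z">' % (SAML, DS))
_ISSUER = "<saml:Issuer>https://idp.example.com</saml:Issuer>"
_SIG = "<ds:Signature><ds:SignedInfo/></ds:Signature>"
_SUBJECT = "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
_CONDITIONS = '<saml:Conditions NotOnOrAfter="2010-06-18T17:03:36Z"/>'
_ATTR = ('<saml:AttributeStatement><saml:Attribute Name="customerId">'
         '<saml:AttributeValue>1</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>')
_AUTHN = ('<saml:AuthnStatement AuthnInstant="2010-06-18T16:58:36Z"><saml:AuthnContext>'
          '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
          '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>')
_TAIL = "</saml:Assertion>"

BAD_ORDER = _HEAD + _ISSUER + _SUBJECT + _CONDITIONS + _ATTR + _AUTHN + _SIG + _TAIL
GOOD_ORDER = _HEAD + _ISSUER + _SIG + _SUBJECT + _CONDITIONS + _AUTHN + _ATTR + _TAIL

if __name__ == "__main__":
    for name, doc in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(name, "| signature follows:", signature_follows(doc), "| problems:", check_assertion(doc))
```

Run against a dumped assertion, this tells you in one line whether the producer is at fault (Signature following AuthnStatement, as in the post) before you spend time on certificate or key-resolution errors in the consumer. The fix belongs on the producing side; a relying party should reject a schema-invalid assertion rather than reorder it, and nothing here replaces signature verification, which must still confirm that the Reference URI resolves to the Assertion's own ID.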

----------------------------------------------------------------------
Note: This question was asked on the ComponentPro Q&A forum.