-
30. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 11:28 AM (in response to acoliver)Just show me what is in between <subject> </subject> in the assertion.
-
31. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 11:45 AM (in response to acoliver)The subject inside the assertion can have the NameID at the top level or embedded inside the SubjectConfirmation.
So I think PL 1.x has not been tested for the latter case. Again, we need more interoperability tests done.
Options include:
a) See if ADFS2 can send in the NameID inside the subject. Some config maybe.
b) The offending code can be changed to:
Object obj = subject.getContent().get(0);
if (obj instanceof JAXBElement)
{
    Object value = ((JAXBElement<?>) obj).getValue();
    // Get the declared type of the JAXBElement and see if it is a NameID or a SubjectConfirmation,
    // then drill down to the SubjectConfirmation and get hold of the NameID
    if (value instanceof NameIDType) {
        nameID = (NameIDType) value;
    } else if (value instanceof SubjectConfirmationType) {
        nameID = ((SubjectConfirmationType) value).getNameID();
    }
}
All ugliness in glory.
-
32. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 12:10 PM (in response to anil.saldhana)So with some bit twiddling I have confirmed that the List contains only the SubjectConfirmationType, but getting the NameID from the subjectConfirmationType returns null... Let me see if I can get at the actual SAML response somewhere unencoded.... it doesn't show in the trace log. I'll also hunt down if ADFS can do my bidding.
Thanks,
Andy
-
33. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 12:16 PM (in response to acoliver)SAML is still "designed by a committee".
There is a debug valve which I have rarely used.
Put it before the processing valves in WEB-INF/context.xml
-
34. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 12:33 PM (in response to anil.saldhana)How will that help? The parameter is encoded. I need it after it is decoded...
So ADFS won't do my bidding wrt this.
I did this:
SubjectType subject = assertion.getSubject();
JAXBElement<NameIDType> jnameID = null;
log.trace("subject.getContent() size is " + subject.getContent().size());
log.trace("subject.getContent() type is " + ((JAXBElement) subject.getContent().get(0)).getValue().getClass().getName());
if (((JAXBElement) subject.getContent().get(0)).getValue() instanceof NameIDType) {
    jnameID = (JAXBElement<NameIDType>) subject.getContent().get(0);
}
NameIDType nameID = jnameID != null ? jnameID.getValue() : null;
if (jnameID == null) {
    log.trace("ATTEMPTING A VERY DIRTY HACK BY ACO");
    nameID = ((JAXBElement<SubjectConfirmationType>) subject.getContent().get(0)).getValue().getNameID();
    log.trace("AND THE DIRTY DEED WAS DONE DIRT CHEAP TOO! (IT WORKED)"); // THIS PRINTS IN THE LOG
}
final String userName = nameID.getValue(); // NPE thrown here
log.trace("userName is: " + userName);
This results in an NPE when it gets the username, but the bla bla about the SubjectConfirmation prints. So barring some binding issue it looks like there is not a NameID before or in the SubjectConfirmation.
http://lists.oasis-open.org/archives/saml-dev/200802/msg00026.html
this seems to indicate a reason... I'm not sure why...
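The situation Andy describes above, a Subject with no NameID in either place the schema allows, as an added example that is not PicketLink's code (PicketLink is Java/JAXB; this is Python with ElementTree, the kind of throwaway decoder you would use alongside HttpFox): it base64-decodes the SAMLResponse form field from the HTTP-POST binding, looks for NameID first at the top of Subject and then inside SubjectConfirmation, and returns None instead of dereferencing a null. The three responses are constructed samples, not ADFS captures; the issuer URL, IDs and user names are made up.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 2.0 assertion and protocol namespaces.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def find_name_id(assertion: ET.Element) -> Optional[str]:
    """Return the NameID value of an assertion's Subject, or None.

    The schema allows NameID either as a direct child of <Subject> or
    inside <SubjectConfirmation>; check the top level first, then the
    confirmations.  Returning None (rather than hitting a null, as the
    JAXB snippet in the thread does) lets the caller reject the response.
    """
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        return None
    name_id = subject.find("saml:NameID", NS)
    if name_id is None:
        name_id = subject.find("saml:SubjectConfirmation/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip()


def name_id_from_post_binding(saml_response_b64: str) -> Optional[str]:
    """Decode the base64 SAMLResponse field (HTTP-POST binding) and return
    the first plaintext assertion's NameID, or None if there is none.
    EncryptedAssertion, signature and Conditions checks are out of scope."""
    xml_bytes = base64.b64decode(saml_response_b64)
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    return find_name_id(assertion)


def _response(subject_xml: str) -> str:
    """Constructed sample Response (not a real ADFS capture), base64-encoded
    the way the POST binding carries it.  Issuer URL and IDs are made up."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://myadfs/adfs/services/trust</saml:Issuer>"
        f"<saml:Subject>{subject_xml}</saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# NameID at the top level of Subject (the case PL 1.x handles).
TOP_LEVEL = _response(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">alice</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
)
# NameID nested inside SubjectConfirmation (the case Anil suspected).
NESTED = _response(
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    "<saml:NameID>bob</saml:NameID></saml:SubjectConfirmation>"
)
# No NameID anywhere (what the ADFS response in this thread actually looked like).
MISSING = _response(
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
)

if __name__ == "__main__":
    for label, resp in (("top-level", TOP_LEVEL), ("nested", NESTED), ("missing", MISSING)):
        print(label, "->", name_id_from_post_binding(resp))
```

This only answers the structural question from the thread (where the identifier lives, if anywhere); a real consumer still has to verify the XML signature and check Conditions, Audience and InResponseTo before it trusts anything in the Subject.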
-
35. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 12:45 PM (in response to acoliver)Andy, thanks for the link.
I am not sure how we can construct a subject with the information coming in from ADFS (due to lack of a nameid). As a design enhancement, definitely we should look at making the subject construction based on a saml response pluggable (for custom behavior).
Let me point you to code showing you can marshal the response into a byte stream to sink into a log. Give me a few mins.
-
36. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 12:45 PM (in response to acoliver)OK, I'm a doofus, it's base64 encoding.
-
37. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 12:47 PM (in response to anil.saldhana)sent you the SAML Response privately. Note that my id isn't in it anywhere...
-
38. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 12:52 PM (in response to acoliver)Seeing it. I think the ID has to be derived from the key or some other local translation.
Even the example on Wikipedia for bearer-type assertions (http://en.wikipedia.org/wiki/SAML_2.0) has the NameID.
-
39. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 12:54 PM (in response to anil.saldhana)Andy take a look at this:
http://social.msdn.microsoft.com/Forums/en/Geneva/thread/5babaa93-3f18-4c32-ad5e-9a0b49d0a27f
I was looking at this:
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
-
40. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 3:36 PM (in response to anil.saldhana)This is the outgoing SAML:
<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" AssertionConsumerServiceURL="https://myserver:8443/sales/" Destination="https://myadfs/adfs/ls/" ID="ID_c0199b74-7b95-49a6-b3f8-50909fe23b58" IssueInstant="2010-12-15T14:06:39.219-06:00" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<Issuer>https://myserver:8443/sales/</Issuer>
</ns3:AuthnRequest>
Note that it doesn't specify a NameIDPolicy like the one on the Wikipedia page:
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
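The request-side observation above, as an added example that is not PicketLink's code: a small Python/ElementTree lint for an AuthnRequest that reports missing attributes, a missing Issuer and a missing NameIDPolicy, plus a helper that inserts a NameIDPolicy in the schema's element order. The sample request is the anonymized one posted above, embedded as a constructed string; the thread's actual fix turned out to be on the ADFS side (the transform mapping), so this shows how to make the request explicit about the identifier format, not a guaranteed cure.

```python
import xml.etree.ElementTree as ET
from typing import List

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# The AuthnRequest quoted above (anonymized hostnames from the post), as a constructed string.
POSTED_REQUEST = (
    '<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
    'AssertionConsumerServiceURL="https://myserver:8443/sales/" '
    'Destination="https://myadfs/adfs/ls/" '
    'ID="ID_c0199b74-7b95-49a6-b3f8-50909fe23b58" '
    'IssueInstant="2010-12-15T14:06:39.219-06:00" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    "<Issuer>https://myserver:8443/sales/</Issuer>"
    "</ns3:AuthnRequest>"
)


def lint_authn_request(xml_text: str) -> List[str]:
    """Return findings for an AuthnRequest: missing attributes, missing Issuer,
    and a missing NameIDPolicy (without one the IdP picks the identifier
    format on its own, which is what this thread ran into)."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        findings.append(f"root element is {root.tag}, not samlp:AuthnRequest")
        return findings
    for attr in ("ID", "Version", "IssueInstant", "Destination",
                 "AssertionConsumerServiceURL", "ProtocolBinding"):
        if not root.get(attr):
            findings.append(f"missing attribute {attr}")
    if root.get("Version") not in (None, "2.0"):
        findings.append(f"unexpected Version {root.get('Version')}")
    if root.find(f"{{{SAML}}}Issuer") is None:
        findings.append("missing saml:Issuer")
    if root.find(f"{{{SAMLP}}}NameIDPolicy") is None:
        findings.append("missing samlp:NameIDPolicy")
    return findings


def add_name_id_policy(xml_text: str, fmt: str = TRANSIENT, allow_create: bool = True) -> str:
    """Insert <samlp:NameIDPolicy> after Issuer/Signature/Extensions/Subject
    (the elements the schema orders before it) and return the serialized request.
    The request is returned unchanged if it already carries a NameIDPolicy."""
    root = ET.fromstring(xml_text)
    if root.find(f"{{{SAMLP}}}NameIDPolicy") is not None:
        return xml_text
    policy = ET.Element(
        f"{{{SAMLP}}}NameIDPolicy",
        {"Format": fmt, "AllowCreate": "true" if allow_create else "false"},
    )
    preceding = {
        f"{{{SAML}}}Issuer", f"{{{DSIG}}}Signature",
        f"{{{SAMLP}}}Extensions", f"{{{SAML}}}Subject",
    }
    index = 0
    for i, child in enumerate(list(root)):
        if child.tag in preceding:
            index = i + 1
    root.insert(index, policy)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", lint_authn_request(POSTED_REQUEST))
    fixed = add_name_id_policy(POSTED_REQUEST)
    print("after:", lint_authn_request(fixed))
    print(fixed)
```

Note that a request rewritten this way must be serialized before it is signed or deflated for the binding, since the prefixes ElementTree emits (samlp:/saml:) differ from the ns3:/default ones in the original.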
-
41. Re: Major security leak PicketLink and testing on ADFSv2
pipo1000 Dec 15, 2010 4:27 PM (in response to acoliver)Tomorrow I will post my working AuthRequest and AuthResponse in XML to an ADFSv2.
@Anil: I have got PicketLink working with Novell Access Manager, and I needed one change in the Java code. I will post it tomorrow in a separate thread!
-
42. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 4:20 PM (in response to pipo1000)So we got it working. As it turns out there is one more step on the ADFS side to set the transform mapping. I'm going to see if I can get a screenshot of that.
-
43. Re: Major security leak PicketLink and testing on ADFSv2
pipo1000 Dec 15, 2010 4:22 PM (in response to acoliver)I use Firefox with HttpFox to catch the requests and responses and use this website https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php to decode the encoded messages.
-
44. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 4:24 PM (in response to acoliver)Andy, can you do a service to humanity by creating a fresh cheatsheet or updating the already existing wiki article? I am glad it worked.