I have a simple web application (JSF) based on Spring Security SAML to test the BIG-IP F5 as IdP. After the login on F5, everything works fine when there are no encrypted Attributes in the SAML response, but whenever one Attribute is encrypted, there is an XML parse error. The decryption is OK.
In debug I can see that all non-encrypted Attributes are handled without any problems (class: org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(SAMLMessageContext context)), and also the first encrypted attribute (password) is correctly decrypted in class org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(EncryptedData encryptedData, Key dataEncKey). The value of the variable bytes (as a String) after decryption is:
<saml2:Attribute Name="password" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>foo</saml2:AttributeValue></saml2:Attribute>
When this Attribute is being parsed in org.opensaml.xml.parse.StaticBasicParserPool.parse(InputStream input), there is an exception: The prefix "saml2" for element "saml2:Attribute" is not bound
[org.opensaml.xml.parse.StaticBasicParserPool]: XML Parsing Error org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 103; The prefix "saml2" for element "saml2:Attribute" is not bound.
I suppose that not having the namespace in this decrypted XML fragment is causing the error? Any ideas on how to solve this problem? Could it be just a configuration problem on the F5? Thanks in advance.
Here is the SAML Assertion, the encrypted Attribute being in <saml2:EncryptedAttribute> ... <xenc:CipherData>:
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b6cf253b4cb9338aca76d98c3a0bb12ba083c7" IssueInstant="2016-03-15T10:09:51Z" Version="2.0">
  <saml2:Issuer>https://idp.foo.bar</saml2:Issuer>
  …
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mobile" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>555-123-456</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>foo@bar.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="telephoneNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>555-345-678</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:EncryptedAttribute>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_76f515ac5b705170900e61bfc2e47c365496e1" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <xenc:EncryptedKey Id="_e6bc635bd69d40954b107517e362560683e05d">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            </xenc:EncryptionMethod>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>MIIDUjCCA…</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
            <xenc:CipherData>
              <xenc:CipherValue>fdGfjQ2…</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>dEUUgk3A…</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </saml2:EncryptedAttribute>
    <saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>userid</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
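A stand-alone reproduction of the parse failure and of the namespace-context fix, added here as an example and not taken from the question, from OpenSAML or from Spring Security SAML. It assumes a constructed, trimmed copy of the assertion above (placeholder cipher text, no decryption performed) and the decrypted fragment exactly as posted: the saml2 prefix is declared on the Assertion, not inside the encrypted octets, so the fragment is only well-formed when parsed in the namespace context of the EncryptedAttribute element that contained the EncryptedData.

```python
import io
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed, trimmed copy of the assertion in the question: xmlns:saml2 is
# declared only on the root element and the cipher text is a placeholder.
ASSERTION = (
    f'<saml2:Assertion xmlns:saml2="{SAML_NS}" Version="2.0">'
    '<saml2:AttributeStatement><saml2:EncryptedAttribute>'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
    'Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:CipherData>'
    '<xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml2:EncryptedAttribute>'
    '</saml2:AttributeStatement></saml2:Assertion>'
)
# The plaintext as the decrypter returned it (from the question): it uses the
# saml2 prefix but carries no xmlns:saml2 declaration of its own.
DECRYPTED = (
    '<saml2:Attribute Name="password" '
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
    '<saml2:AttributeValue>foo</saml2:AttributeValue></saml2:Attribute>'
)

def parses_standalone(fragment):
    """True if the fragment is well-formed as a document of its own."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:  # expat reports "unbound prefix" for DECRYPTED
        return False

def inscope_namespaces(document, target_tag):
    """Prefix -> URI declarations in scope at the first element tagged target_tag."""
    # target_tag is in ElementTree '{uri}local' form; declarations made on
    # descendants (e.g. xmlns:xenc on EncryptedData) are not in scope yet.
    scope = []  # stack of (prefix, uri) pairs currently in scope
    events = ("start-ns", "end-ns", "start")
    for event, payload in ET.iterparse(io.BytesIO(document.encode()), events):
        if event == "start-ns":
            scope.append(payload)
        elif event == "end-ns":
            scope.pop()
        elif payload.tag == target_tag:
            return dict(scope)
    return {}

def parse_in_context(fragment, namespaces):
    """Parse decrypted octets with the parent's namespaces re-declared on a wrapper."""
    decls = "".join(f' xmlns:{p}="{u}"' if p else f' xmlns="{u}"'
                    for p, u in namespaces.items())
    return ET.fromstring(f"<ctx{decls}>{fragment}</ctx>")[0]
```

Either the IdP must emit the xmlns:saml2 declaration inside the encrypted octets, or the consumer must supply the parent context the way parse_in_context does; a consumer that parses the bytes in isolation sees exactly the "prefix not bound" error above.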