saml Integrating Ruby(IDP) and Java(SP)

Question

I am implementing saml SSO. In this IDP is writen in ruby and SP is written in java. for ruby we are using saml_idp & ruby-saml gems. For java i am trying to use spring-security-saml-dsl. The saml authrequest from SP is in the following format

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://localhost:9090/saml/SSO" Destination="https://localhost:3000/sso/saml" ForceAuthn="false" ID="a1g952c8gehic8503id5fbdi1cchhic" IsPassive="false" IssueInstant="2020-04-09T09:08:06.814Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:9090/saml/metadata</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#a1g952c8gehic8503id5fbdi1cchhic"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>59Sqiz0XoMFOwgquHILLLnmtzb0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>sign</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</saml2p:AuthnRequest>

But this is not getting accepted by the IDP. Upon investigating I found The IDP allows if the format is as given below

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8000/saml/acs" Destination="http://localhost:3050/saml/saml_assertion" ID="_06f89146-44ad-48e3-9110-cf068b7cd639" IssueInstant="2020-04-09T07:15:16Z" Version="2.0">
  <saml:Issuer>http://localhost:3050/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>

How do i make either spring-security-saml-dsl(java SP) to send in 'samlp' format and not 'saml2p' ? or how do i make saml_idp(ruby IDP) to accept 'saml2p' format as well?

score 0 · Answer 1 · answered Apr 11 '20 at 12:01

I was totally wrong in my setup. hence the issue. These libraries (saml_idp & ruby-saml) accepts both 'samlp' and 'saml2p' prefixes. I created saml AuthnRequest with HTTP-POST binding in my SP and passed this to IDP manually for testing.In the IDP SamlIdp::Controller.decode_request is being used to decode this request. This partially decoded the request. Hence the issue.

When i changed from HTTP-POST binding to HTTP-Redirect binding This started working. Seems this SamlIdp::Controller.decode_request expects the AuthnRequest to be compressed which happens in HTTP-Redirect binding. Now i am able to integrate both my SP and IDP successfully.

saml Integrating Ruby(IDP) and Java(SP)

1 Answers1