The SP metadata generated by 1.4.0 can not be imported into ADFS when configuring relying party trust

[ctosgh]

With the latest 1.4.0 release, the SP metadata file generated by library can not be imported into ADFS when configuring Relying Party Trust. The error message from ADFS is "Cannot resolve the '' URI in the signature to compute the digest".

Looking at the SP metadata, the "Signature" node is moved out of node "SPSSODescriptor" and becomes a sibling of node "SPSSODescriptor". Looks like the 1.4.0 version introduce this in purpose.

Looks like two additional tasks need to be done if the position change is introduced.
1 Add "ID" attribute for node "SPSSODescriptor"
2 Add the attribute "URI" for node "Reference" and value of "URI" is "pointing" to the node "SPSSODescriptor"

Correct me if I am wrong.

[pitbulk]

Here you can see the MD specification for the EntityDescriptor element.

1. ds:Signature [0..1]
2. md:Extensions [0..1]
3. Choice [1..1]
      Choice [1..*]
          md:RoleDescriptor
          md:IDPSSODescriptor
          md:SPSSODescriptor
          md:AuthnAuthorityDescriptor
          md:AttributeAuthorityDescriptor
          md:PDPDescriptor
      md:AffiliationDescriptor
4. md:Organization [0..1]
5. md:ContactPerson [0..*]
6. md:AdditionalMetadataLocation [0..*]

An example of generated md:EntityDescriptor (pretty printed):

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2018-04-22T16:20:31Z" cacheDuration="PT604800S" entityID="http://stuff.com/endpoints/metadata.php">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>10fctPNvRnCRI6BGWKTjO6Sovzc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>    <ds:SignatureValue>cbBplBlxKZLqWtkliRNKmhYHXM/8svYv4hCep9TmXABjtBKBZVCXiTzo8Lamp5lz
3hOikluArbSjZj87y76vuKbpvhh/xMlwrA5Pph0f6wZ/cduk0FzyN6QPLe0b3yNr
hcBAJg+J79rN98clH/l7Hpbqoc4Jv4hXdsAP1z2OuMw=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
Q4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://stuff.com/endpoints/endpoints/sls.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://stuff.com/endpoints/endpoints/acs.php" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

As you mentioned, the issue is that we need an ID for the EntityDescriptor so the URI will be generated on the Signature element. Otherwise ADFS seems to reject it.

[ctosgh]

Good to know we have the same understanding. Is the fix will be included in the next release?

[pitbulk]

@ctosgh can you test if the code on master fixed your issue?

[ctosgh]

OK, will try and get back to you soon. 2018-04-24 8:43 GMT-07:00 Sixto Martin <notifications@github.com>:

…

@ctosgh <https://github.com/ctosgh> can you test if the code on master fixed your issue? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#94 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AkdccA6-tM3HI8cV9S_qd7MQI7ThZ43Nks5tr0gigaJpZM4TciR-> .

[ctosgh]

Hi, Sixto I tried with the master branch and it work fine! The reference node has the URI attribute and it can be imported into adfs automatically~ Thanks very much! Thanks, Jacky 2018-04-24 9:19 GMT-07:00 Jacky Sun <ctosgh@gmail.com>:

…

OK, will try and get back to you soon. 2018-04-24 8:43 GMT-07:00 Sixto Martin ***@***.***>: > @ctosgh <https://github.com/ctosgh> can you test if the code on master > fixed your issue? > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#94 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AkdccA6-tM3HI8cV9S_qd7MQI7ThZ43Nks5tr0gigaJpZM4TciR-> > . >

[ankur11]

Hello,

Sorry to bother further but I need to know how to add ID for the EntityDescriptor. Is it to be added from settings.json file ?
And does this ID field has to be same as 'ID' in Idp metadata ?
I am new to this so please pardon any silliness.

[pitbulk]

The ID is generated randomly and is used to identify a SAML element.
The current code of java-saml will generate it.

[ankur11]

Yes, but when I generate SP metadata, that ID is not shown in EntityDescriptor nor in Reference URI. I have to integrate it with ADFS and it needs that Reference URI.
Do I have to manually add that after the metadata has been generated ?
I am using Python3-saml toolkit.
I am using below command to verify the xml generated
xmlsec1 --verify --X509-skip-strict-checks --id-attr:ID EntityDescriptor --id-attr:URI Reference --trusted-pem certificates/certificate.crt test_xml_metadata.xml