SAMLValidator - documentation?
jwoodie (New Member)
Hi,

I'm new to ComponentSpace and mostly new to SAML.  I've been evaluating the component for use in supporting a client who has very specific security requirements.  They want us to certify that our SSO solution for them conforms to these standards:

We "process" the following attributes of the SAML assertion:
InResponseTo (to ensure the Response was intended for them and is still fresh)
Destination (to ensure the Response was intended for them)
SubjectConfirmationData (to ensure the Assertion was intended for them)
NotOnOrAfter (to ensure the Assertion is still fresh)
AudienceRestrictions (to ensure the assertion was intended for them)
AuthnContext (to ensure class of Authentication)

In practical terms, I'm not sure what some of these would mean.  I think (but can't really find documentation for) that the ReceiveSSO in the high-level API likely does all or most of this automatically.  There is also this SAMLValidator class in the component which seems like it might have facilities for some of these as well, but again, no documentation that I've been able to find.  If I need to do any manual "processing" of these tags, I'm not sure how to get access to internals of the Saml assertion at the time of the ReceiveSSO call, and I'm wondering if that means I need to switch to the low-level API instead.  

Any help or guidance would be much appreciated.


ComponentSpace Development (Administrators)
The SAMLServiceProvider.ReceiveSSO will perform all the checks listed apart from the AuthnContext. However, that is something we can add.
The SAMLValidator class is used to validate the SAML message against the SAML XML schema. It doesn't perform the checks you've listed.
Please email support@componentspace.com to discuss adding support for checking the AuthnContext. This is something we could add to the next release but provide you a pre-release for your testing.

Regards
ComponentSpace Development
jwoodie (New Member)
ComponentSpace - Tuesday, March 15, 2016
The SAMLServiceProvider.ReceiveSSO will perform all the checks listed apart from the AuthnContext. However, that is something we can add.
The SAMLValidator class is used to validate the SAML message against the SAML XML schema. It doesn't perform the checks you've listed.
Please email support@componentspace.com to discuss adding support for checking the AuthnContext. This is something we could add to the next release but provide you a pre-release for your testing.

Thanks for the reply.  Is there any way to access this AuthnContext object through a manual code-check?  It is unclear from the original security requirement what the appropriate type is, so I guess the solution would be to just expose that, maybe as an additional OUT parameter on the ReceiveSSO method, something like that?  I will email support.

Thanks for your help.
jwoodie (New Member)
Also, is there documentation that details the validations that are taking place in that high-level api call?  Even in the low-level api sample code I didn't find any references to this.  While I'm very impressed with the component and all that it does to make a complicated subject much more manageable, it does seem to be doing quite a bit of magic, without the supporting documentation to demystify the process.

Thanks again.
ComponentSpace Development (Administrators)
I agree this could be better documented. I'll see this is added to our list of improvements. Thanks for the suggestion.

Regards
ComponentSpace Development
thinktime (New Member)
ComponentSpace - 3/15/2016
The SAMLServiceProvider.ReceiveSSO will perform all the checks listed apart from the AuthnContext. However, that is something we can add.
The SAMLValidator class is used to validate the SAML message against the SAML XML schema. It doesn't perform the checks you've listed.
Please email support@componentspace.com to discuss adding support for checking the AuthnContext. This is something we could add to the next release but provide you a pre-release for your testing.

In which version was "ReceiveSSO will perform all the checks listed apart" added?
I can see that it doesn't happen in v2.6.0.13. As additional info, signing/decoding was turned off for these tests.
But my goal was to check:
1. InResponseTo
2. Audience Element and Recipient Attribute
3. Issuer

And the ReceiveSSO method let the assertion be parsed and proceed, even if the parameters above were wrong.
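The checks jwoodie listed in the opening post (InResponseTo, Destination, SubjectConfirmationData, NotOnOrAfter, AudienceRestriction, AuthnContext) and the three thinktime wanted to verify (InResponseTo, Audience/Recipient, Issuer) are easiest to reason about when spelled out in code. The following is an added reference example, not ComponentSpace code and not its API; it assumes the XML signature has already been verified by the library and only shows the checks that come after that. Every URL, request ID, entity ID and timestamp is a constructed sample value, and the tampered variants in `check_sample` show which single field each check catches.

```python
"""Reference checks a service provider applies to a SAML 2.0 Response (added example,
not ComponentSpace code; the XML signature is assumed to be verified already)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2016-03-15T10:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, expected_request_id, acs_url, sp_entity_id,
                      idp_entity_id, allowed_authn_contexts, now, skew=timedelta(minutes=3)):
    """Return the list of failed checks; an empty list means the Response is accepted."""
    failures = []
    resp = ET.fromstring(xml_text)
    # InResponseTo: the caller took expected_request_id out of its store of outstanding
    # AuthnRequests (one-time use), so a replayed Response no longer matches anything.
    if resp.get("InResponseTo") != expected_request_id:
        failures.append("Response InResponseTo does not match the pending AuthnRequest")
    if resp.get("Destination") != acs_url:  # Response must be addressed to this SP's ACS URL
        failures.append("Response Destination is not this SP's ACS URL")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        failures.append("expected exactly one Assertion")
        return failures
    assertion = assertions[0]
    # Issuer: Response and Assertion must both come from the trusted IdP.
    for label, elem in (("Response", resp), ("Assertion", assertion)):
        issuer = (elem.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
        if issuer != idp_entity_id:
            failures.append(f"{label} Issuer {issuer!r} is not the trusted IdP")
    # SubjectConfirmationData: bearer confirmation naming this SP as Recipient,
    # echoing the request ID and still inside its own NotOnOrAfter.
    scd = assertion.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                         "/saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            failures.append("SubjectConfirmationData Recipient is not this SP's ACS URL")
        if scd.get("InResponseTo") != expected_request_id:
            failures.append("SubjectConfirmationData InResponseTo does not match")
        noa = scd.get("NotOnOrAfter")
        if noa is None or now >= parse_saml_time(noa) + skew:
            failures.append("SubjectConfirmationData NotOnOrAfter has passed")
    # Conditions: validity window and AudienceRestriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        failures.append("Assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is not None and now + skew < parse_saml_time(nb):
            failures.append("Assertion NotBefore is in the future")
        if noa is None or now >= parse_saml_time(noa) + skew:
            failures.append("Assertion NotOnOrAfter has passed")
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            failures.append("AudienceRestriction does not include this SP's entity ID")
    # AuthnContext: the class of authentication the IdP performed.
    ctx = (assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                              default="", namespaces=NS) or "").strip()
    if ctx not in allowed_authn_contexts:
        failures.append(f"AuthnContextClassRef {ctx!r} is not an accepted class")
    return failures


def sample_response(request_id="_req-1234", destination="https://sp.example.com/acs",
                    audience="https://sp.example.com", issuer="https://idp.example.com",
                    not_on_or_after="2016-03-15T10:10:00Z", authn_context=PPT):
    """Constructed, unsigned sample Response; each argument tampers with one field."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp-1"
    Version="2.0" IssueInstant="2016-03-15T10:05:00Z" InResponseTo="{request_id}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2016-03-15T10:05:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData InResponseTo="{request_id}"
        Recipient="{destination}" NotOnOrAfter="{not_on_or_after}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2016-03-15T10:04:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-03-15T10:05:00Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


# What this SP expects, frozen at a sample "now" so the timestamp checks are deterministic.
EXPECTED = dict(expected_request_id="_req-1234", acs_url="https://sp.example.com/acs",
                sp_entity_id="https://sp.example.com", idp_entity_id="https://idp.example.com",
                allowed_authn_contexts={PPT}, now=datetime(2016, 3, 15, 10, 6, tzinfo=timezone.utc))


def check_sample(**tamper):
    """Validate the sample Response with the given fields tampered; [] means accepted."""
    return validate_response(sample_response(**tamper), **EXPECTED)
```

`check_sample()` returns an empty list for the untouched sample, while `check_sample(audience="https://other-sp.example.com")` or `check_sample(request_id="_req-9999")` returns the specific failures, which is the behaviour thinktime was probing for in v2.6.0.13. Two design points carry most of the security value: the expected request ID must be consumed from the SP's store of outstanding requests before the comparison, otherwise InResponseTo does not stop replay; and the same ACS URL is checked twice on purpose, once as the Response `Destination` and once as the `SubjectConfirmationData` `Recipient`, because a signed Assertion can be lifted into a different Response.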
ComponentSpace Development (Administrators)
The ReceiveSSO method is part of the SAML high-level API which was introduced in v2.5.0.

There have been various updates where we've tightened up some of the checks we make. However, the checks you're referring to are included in the product version you have.

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Also include your saml.config with any passwords removed.

Thanks.

Regards
ComponentSpace Development