<ds:Signature> data not coming in saml request

[mandeep5299]

I am using java onelogin toolkit in my project. I am able to send the SAML request and is getting response
But only thing which is not working for me is that the signed SAML request is not coming. Please help.

If 'strict' is True, then the Java Toolkit will reject unsigned
or unencrypted messages if it expects them signed or encrypted
Also will reject the messages if not strictly follow the SAML
onelogin.saml2.strict = true

Enable debug mode (to print errors)
onelogin.saml2.debug = true

Identifier of the SP entity (must be a URI)
onelogin.saml2.sp.entityid = https://installs.mycompany.com/start/metadata.jsp

Specifies info about where and how the message MUST be
returned to the requester, in this case our SP.
URL Location where the from the IdP will be returned
onelogin.saml2.sp.assertion_consumer_service.url = http://installs.mycompany/start/login.jsp

SAML protocol binding to be used when returning the
message. Onelogin Toolkit supports for this endpoint the
HTTP-POST binding only
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

Specifies info about where and how the message MUST be
returned to the requester, in this case our SP.
onelogin.saml2.sp.single_logout_service.url = http://installs.mycompany/start/Logout.jsp

SAML protocol binding to be used when returning the or sending the
message. Onelogin Toolkit supports for this endpoint the
HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

Specifies constraints on the name identifier to be used to
represent the requested subject.
Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Usually x509cert and privateKey of the SP are provided by files placed at
the certs folder. But we can also provide them with the following parameters
onelogin.saml2.sp.x509cert = MIIDyzCCArKgA..................

Requires Format PKCS#8 BEGIN PRIVATE KEY
If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
onelogin.saml2.sp.privatekey = MIIEwQI................

Identity Provider Data that we want connect with our SP
Identifier of the IdP entity (must be a URI)
onelogin.saml2.idp.entityid = https://testIdp.com/

SSO endpoint info of the IdP. (Authentication Request protocol)
URL Target of the IdP where the SP will send the Authentication Request Message
onelogin.saml2.idp.single_sign_on_service.url = https://testIdp/nidp/saml2/sso

SAML protocol binding to be used when returning the
message. Onelogin Toolkit supports for this endpoint the
HTTP-Redirect binding only
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

SLO endpoint info of the IdP.
URL Location of the IdP where the SP will send the SLO Request
onelogin.saml2.idp.single_logout_service.url =

Optional SLO Response endpoint info of the IdP.
URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
onelogin.saml2.idp.single_logout_service.response.url =

SAML protocol binding to be used when returning the
message. Onelogin Toolkit supports for this endpoint the
HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

Public x509 certificate of the IdP
onelogin.saml2.idp.x509cert = MIIFJDCC..................

Instead of use the whole x509cert you can use a fingerprint
(openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
or add for example the -sha256 , -sha384 or -sha512 parameter)
If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
'sha1' is the default value.
onelogin.saml2.idp.certfingerprint = 14:F3:42:DC:0A:DF:8A:6A:F8:6E:E3:F7:06:47:11:46:A9:2B:0A:73
onelogin.saml2.idp.certfingerprint_algorithm = sha256

Security settings
Indicates that the nameID of the samlp:logoutRequest sent by this SP
will be encrypted.
onelogin.saml2.security.nameid_encrypted = true

Indicates whether the samlp:AuthnRequest messages sent by this SP
will be signed. [The Metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = true

Indicates whether the samlp:logoutRequest messages sent by this SP
will be signed.
onelogin.saml2.security.logoutrequest_signed = false

Indicates whether the samlp:logoutResponse messages sent by this SP
will be signed.
onelogin.saml2.security.logoutresponse_signed = false

Sign the Metadata
Empty means no signature, or comma separate the keyFileName and the certFileName
onelogin.saml2.security.want_messages_signed =

Indicates a requirement for the samlp:Response, samlp:LogoutRequest and
samlp:LogoutResponse elements received by this SP to be signed.
onelogin.saml2.security.want_assertions_signed = true

Indicates a requirement for the Metadata of this SP to be signed.
Right now supported null (in order to not sign) or true (sign using SP private key)
onelogin.saml2.security.sign_metadata = false

Indicates a requirement for the Assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = false

Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = false

Authentication context.
Set Empty and no AuthContext will be sent in the AuthNRequest,
Set comma separated values urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password
#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Indicates if the SP will validate all received xmls.
(In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
onelogin.saml2.security.want_xml_validation = true

Algorithm that the toolkit will use on signing process. Options:
'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha256

Generated Saml request as below:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_50826410-f003-4df5-854a-6440b185c628"
Version="2.0" IssueInstant="2018-01-18T06:50:30Z"
Destination="https://testIdp.com/nidp/saml2/sso"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="http://installs.mycompany/dpc/start/login.jsp">
saml:Issuerhttps://installs.mycompany/start/metadata.jsp</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
saml:AuthnContextClassRefurn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

[mandeep5299]

@pitbulk Could you please check the properties, If they are correct or not.

[pitbulk]

The properties are right and I don't see anything wrong on the AuthNRequest
A SAMLResponse should arrive to https://devinstalls.hughes.com/start/login.jsp

Have you configured the IdP side properly?

Try record the SAML flow with SAMLTracer or SAML Chrome Panel to verify that there is no reply.

[mandeep5299]

@pitbulk

• Idp Is not in my control. some other team is working on that.
• Idp is complaining, for missing ds:Signature info in the SAML is request. As per them, the request is not signed.
• In previous comment in the last i have added the SAML request generated by SP system, it is not having signature.

[pitbulk]

@mandeep5299
The AuthNRequest is sent using the HTTP-Redirect binding so the signature is not embed inside the AuthNRequest element, instead is sent as a Signature GET parameter.

[mandeep5299]

@pitbulk
I have tried HTTP-GET but that also not working.
Could you please specify the property name and value.

[pitbulk]

Your side is correct.

In your page, if you click on the "SSO Login" you send:

GET
SigAlg: http://www.w3.org/2000/09/xmldsig#rsa-sha1 SAMLRequest: jZJdT8IwFIb/ytL7bR0KjAZIUPwgQVgAvfDGnG1HqOna2dP58e8tQ6NeSLx9e57T90k7JKhULSaN2+kVPjdILnirlCbRHoxYY7UwQJKEhgpJuEKsJzdz0Ym4qK1xpjCK/UCOE0CE1kmjWTCbjthycTFfXs0WDwB9XuSYhgPe7YaneR/DwSBPQuD8BApM+71ByoI7tOTZEfOr/AKiBmeaHGjnI56kIU/CJN0kXHR7gnfvWTD1PlKDa6mdczWJOAYv+9SpO5GErYI8KkwVa1nW8b5/JyYyLMg+1c6kLqXeHrfKD0MkrjebLMyW6w0LJl+m50ZTU6Fdo32RBd6u5t9NSnyRewGlKNo12x1SW8Yn1sXKbKWOnqhm4+G+mWiF7fhfcIUOSnCw54fxT3x4ePGFt5hNM6Nk8R5cGluB+1syiZI2kWX42I6KRlONhXyUWHpXpczruUVwOGLONsiCeHy49ffXGn8A
RelayState: https://devinstalls.hughes.com/start/SingleSignOn.jsp
Signature: wrSmpBjK6FWMGfJSxd+Xfvvy0PC3LzsaB20LHPxQ356WAMEHAPbbm8a3u4AkJui+casgQcWqOLS/aL28BUwpkDu7SWTFYvpviPxZMxluYhsJdFANYv1sthtWnaJqutWv5JsyOzPWoqbJ4Az6xhSI8X1hfB3xviPsSateHRWCmwc= 

As you can see there is a Signature sent, so IdP is not configured properly.

[mandeep5299]

@pitbulk
I'll check with my IdP and come back to you if needed.

Thanks for your kind support.

[mandeep5299]

@pitbulk
thanks for your support. we are able to establish communication (IDP+SP) with signing enabled successfully.
Facing one issue, the validity of the metadata generated is just 1 day. Can we increase this & how?

FYR: (validUntil="2018-01-25T15:29:58Z)

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="ONELOGIN_3fe0e667-1d50-444f-bcd5-95ba6dc3ba12" cacheDuration="PT604800S" entityID="https://devinstalls.hughes.com/start/metadata.jsp" validUntil="2018-01-25T15:29:58Z">

[pitbulk]

There are 2 aprameters to control the cacheDuration and ValidUntil
See the Metadata constructor

[mandeep5299]

@pitbulk
Is Java-SAML safe from this Vulnerability ( https://www.kb.cert.org/vuls/id/475445 ), however blog has not reported about 'java-saml' but still need confirmation from your end. Please confirm. Thanks.

[pitbulk]

@mandeep5299 if you have a new issue on java-saml you should create a new one instead of reply on other not related issue thread.

java-saml is not listed on that report because was not vulnerable.