SAML response is valid using www.samltool.com but fails on php-saml

[soltmar]

Hi,

I'm using Laravel with aacotroneo/laravel-saml2 package and php-saml toolkit (2.10)

When I take base64 encoded saml response and use SAML Tool website to

1. Base64 DECODE
2. Decrypt SAML Response
3. Validate Saml Response

Resposne seems to be valid (and even without timing issues).
I've taken the same decoded and decrypted response inside of OneLogin_Saml2_Auth using Xdebug and it still passes through www.samltool.com

But when I'm trying to sign in using saml-php it fails giving "Reference validation failed".

In Xdebug it looks like xml is changed.
Script adds "default" to XML so it looks like < default:Assertion>...</default:Assertion>
Obviously as this XML is passed as a string to hash function it will give different hash result.

Any idea if this something on my end or problem with php-saml toolkit ?
Am I missing something ?

Let me know if you need more details.

[pitbulk]

www.samltool.com uses internally php-saml 2.9.1 (will be soon updated to 2.10.0).

Any modification on the SAMLResponse, even a simple extra space, will produce a "Reference validation failed". Try to use directly the demo of this php-saml toolkit and see if you experience the same issue, if not, maybe the problem is at lavarel integration or in your environment.

[soltmar]

I'll test that but I believe it will give me the same results. I have copied and tested Response in saml tool during my app debug, after Laravel handled it and it has been validated successfully but not in the app itself.

Just in case... I'm trying talk to ADFS 3
I'll get you my debug data so you can see what I mean.

Another weird behavior was that when on saml tool I entered encrypted, base64 encoded response and filled in private key I had "Reference validation failed" as well. Only when I've followed steps as in my first comment, response was validated.

[pitbulk]

Try with php-saml 2.10.0 and 2.9.1 version.

[soltmar]

I've tried both and I'm getting the same error.
I've found that when SAML response is not encrypted it is validated successfully.

So currently validation fails only when response is encrypted.
In that case response is decrypted correctly in php-saml but fails on signature/digest validation.

When I'll add code below in xmlseclibs.php on line 861:
$data = str_replace(":default", "", str_replace("default:", "", $data));
Response is validated properly (!?)

As in my first message xmlseclibs adds "default" namespace to Assertion node and its child nodes (I'm not sure why)

Any ideas ?
Thanks M

[pitbulk]

This seems a namespace issue. I think xmlseclibs adds the "default" namespace when the SAMLResponse does not contain it on the Assertion element.

If I'm not wrong, the signature is inside the Assertion, that is encrypted at the SAMLResponse.

In this case, the toolkit follow those steps:

• Base64 decode the SAMLResponse parameter to get the XML.
• Check if there is an EncryptedAssertion.
• If there is a Message signed, it validated the Signature with the original SAMLResponse.
• If there is a signature on the decrypted Assertion, it validates it.

I think that something is wrong on the original Assertion that was encrypted, something related with the namespaces that makes that the signature validation fails.

But if you think that the problem is at xmlseclibs, I recommend you to open an issue at xmlseclibs lib repository and there in order to let robrichards to debug I recommend.

• Generate a new pair of private key/certificate at https://www.samltool.com/self_signed_certs.php and use it on php-saml
• Upload the new public cert of php-saml at ADFS
• Generate a SAMLResponse encrypted that return the Reference validation failed and attach it to the issue you opened.

[pitbulk]

This user mentioned that experience a similar issue than yours and says that the signature validation pass on v2.8.0. Can you try that version?

[soltmar]

True. It is passing validation on v2.8.0.

[pitbulk]

Ok, I think that the issue is related to the namespace...on 2.9.0 I removed the EncryptedAssertion node that encapsulates the Assertion element, but it seems that if the Assertion has no namespace.. the signature process fail.

Can you provide an example of the SAMLResponse (base64encoded) and the public and private key of the SP in order to debug myself and try to fix the issue?

[pitbulk]

With that patch 5434c9d @sitecode solved the issue...but is not secure.

We must use the same decrypted document for extract data than for validate signature (in order to avoid signature wrapping attacks).

[soltmar]

Emailed you at gmail

Thanks

[pitbulk]

Got it, thanks

[seanBlommaert]

I can confirm this, just started having the same issue. I can also confirm downgrading to 2.8.0 works. Don't think I know enough to help out, but I'll be happy to test a patch if you have one.

[soltmar]

Just to let you know that patch 5434c9d doesn't work for me

Ignore this. It worked