Ruby IdP response valid, but fails

[jkamenik]

I am using the https://github.com/sportngin/saml_idp gem as a basis for a IdP I am creating. No matter what I try I always end up on fail Saml#fail.

<h1> Saml#fail </h1>

Find me in app/views/saml/fail.html.erb

true

The last true, which is caused by @response.validatate!. So @response.is_valid? returns false causing the fail view, but when re-validated it works, even though internally they call the same code.

Here is the parsed response that was placed in the log.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="http://ruby-saml-rails3-example.dev/saml/consume" ID="_89ce97f0-3e8c-0131-9bf8-482a14030d65" InResponseTo="_85d1e8b0-3e8c-0131-5e30-482a14030d65" IssueInstant="2013-12-03T21:05:18Z" Version="2.0">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://saml-idp.dev/saml</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_89ce9930-3e8c-0131-9bf8-482a14030d65" IssueInstant="2013-12-03T21:05:18Z" Version="2.0">
        <Issuer>http://saml-idp.dev/saml</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_89ce9930-3e8c-0131-9bf8-482a14030d65">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>eNTPeAX3bLyCWmWGEk+MgCGWwn0=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
ZyhVmEkLf/wTMa2zJbhff5hyZTcQ3ki7c9wAxZIfC0rxGwwwJBzrbm/sd4H465Ydx97YdRVyvHAxLQK7Pt/zQzPXpL2PbMoDaQq4pPrSOH9ATAQn48m5V7TBADTg57HzE2G4k76rhl0tiqc7OJtOftW8sSaHx2rlMtq1lZoPXrg=
            </ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIICxzCCAjACCQC0xircGnUAzzANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMC
                        VVMxETAPBgNVBAgTCE1hcnlsYW5kMRQwEgYDVQQHEwtHbGVuIEJ1cm5pZTEbMBkG
                        A1UEChMSV2F0ZXJmYWxsIFNvZnR3YXJlMQswCQYDVQQLEwJJVDEVMBMGA1UEAxMMSm9obiBLYW1lbmlrMS4wLAYJKoZIhvcNAQkBFh9qa2FtZW5pa0B3YXRlcmZhbGx3c29mdHdhcmUuY29tMB4XDTEzMTIwMzIwMjc0OVoXDTQxMDQxOTIwMjc0OVowgacxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEUMBIGA1UEBxMLR2xlbiBCdXJuaWUxGzAZBgNVBAoTEldhdGVyZmFsbCBTb2Z0d2FyZTELMAkGA1UECxMCSVQxFTATBgNVBAMTDEpvaG4gS2FtZW5pazEuMCwGCSqGSIb3DQEJARYfamthbWVuaWtAd2F0ZXJmYWxsd3NvZnR3YXJlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvm+QYwIbuihkUx7yezKCGqirz6K6S1FujJoRxWFzFLiU71auqUGdfHH+b/Z34rJnIdHUWFY2jvtFIlZknyG5kReVtMpNUdmoNBwqG5nS7TpkLzSYzpYRdaNwq97m7JXMICHSUzQz/mHIZretWblN5A1e6sRQrfDmH5qKL1WPIq0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAium4/61wL9zfXepvfLUU54dNtuEqTBmGMwt+DQ3kSNSWSihS8e4ppQSCoQWCeEVMJRC9tcoPK2r203OUrl9VA8LinNA8JF0C7hzB7Zmnda3Vg0Tl9S35XFLWzpc16ilGxYhksdhWjikmNsG9/OAyyWW0JTkzUaeU6l4f7GDG4EQ==
                  </ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">89cf2480-3e8c-0131-9bf8-482a14030d65</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_85d1e8b0-3e8c-0131-5e30-482a14030d65" NotOnOrAfter="2013-12-03T21:08:18Z" Recipient="http://ruby-saml-rails3-example.dev/saml/consume"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2013-12-03T21:05:13Z" NotOnOrAfter="2013-12-03T22:05:18Z">
            <AudienceRestriction>
                <Audience>ruby-saml-rails3-example</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <AttributeValue>test@test.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2013-12-03T21:05:18Z" SessionIndex="_89ce9930-3e8c-0131-9bf8-482a14030d65">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

[calh]

@jkamenik, can you tell where the validation is failing at all? Also, which version of the ruby-saml gem are you using? My github copy is probably very far behind the official version. My patch wasn't accepted to the official project because too much had changed by the time I did a pull request. And it was a pain in the ass to try and manually change everything to merge.

If you're still using my ruby-saml gem, you might be able to try skipping the signature validation. See line 96 in ruby-saml/lib/onelogin/saml/response.rb. In the rails saml_controller.rb, line 30, you might be able to get away with:

@response = Onelogin::Saml::Response.new(params[:SAMLResponse], :skip_validation => true)

Of course, that doesn't really solve the problem, but it might get you closer. I didn't really touch XML X.509 signature validations because I couldn't find a really good XML parser for ruby.

[jkamenik]

I actually can't explain why validate! would fail and then is_valid? would be true except that it appears that XMLSecurity is slightly destructive.

Digging deeper by creating my own SP (https://github.com/WaterfallFMS/saml_client) I think the issue was Canonix. Nokogiri now includes canonical support. But it canonicalizes the XML without moving attributes around (which I think is the correct behavior), while Canonix does.

Your project worked against the sample IdP (https://github.com/drnic/ruby-saml-idp-rails3-example) because of a coincidence. The sample IdP uses the 'ruby-saml-ip' gem, which does simple string interpolation into a handcrafted XML document. It was handcrafted to match the Canonix canonical form already.

My IdP was based on the 'saml_idp' gem which uses an XML builder to generate the XML and Nokigri to canonicalize it for the signature. So canonical form did not match and therefore the .