How To Generate SAML2Response Specified By Destination

Question

I am very new to SAML and am very confused at this point. I am using Kentor to generate a Saml2Response, but it is not looking anything like my relying party is expecting. They are specifically looking for the certificate to be embedded in the response.

I need to generate this.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_09f6a725ecf844128a5f7ef8cc1e7620"
IssueInstant="2013-12-11T03:52:21.770Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
            <ds:Reference URI="#_09f6a725ecf844128a5f7ef8cc1e7620" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:Transform
                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">DATA_REMOVED</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">DATA_REMOVED</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyName>[removed]</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cadd3488f62c6d3b9933fdb56d9e8ddc"
    IssueInstant="2013-12-11T03:52:21.770Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">[removed]</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                <ds:Reference URI="#_cadd3488f62c6d3b9933fdb56d9e8ddc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">DATA_REMOVED</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">DATA_REMOVED</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:KeyName>CN=, O=, C=US</ds:KeyName>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="com.sms">0500555</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotBefore="2013-12-11T03:47:21.770Z" NotOnOrAfter="2013-12-11T03:57:21.770Z" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2013-12-11T03:52:21.770Z" NotOnOrAfter="2013-12-11T03:57:21.770Z"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" />
        <saml2:AuthnStatement AuthnInstant="2013-12-11T03:52:21.770Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="AppData" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">A_Party_PI.Person.FirstName =John& A_Party_PI.Person.LastName =Smith</saml2:AttributeValue>
            </saml2:Attribute>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

What I am getting from Kentor is this:

<?xml version="1.0"?>
<saml2p:Response
    Destination="https://[destinationUrl]"
    ID="ide5470d1f5a9a48d1822f71ea5a5363f2"
    IssueInstant="2015-05-28T13:35:44Z"
    Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        ritterim.com
    </saml2:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#ide5470d1f5a9a48d1822f71ea5a5363f2">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>7YmTpqZR6Ba4/eDrEqQt7BGit0A=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
        </SignatureValue>
    </Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="_77b39d8e-bcc4-48c2-b6c7-fe6e87414461"
        IssueInstant="2015-05-28T13:35:44Z" Version="2.0"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>ritterim.com</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID>0500555</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
        </saml2:Subject>
        <saml2:Conditions NotOnOrAfter="2015-05-28T13:37:44Z"/>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="AppData">
                <saml2:AttributeValue>A_Party_PI.Person.FirstName =John&amp; A_Party_PI.Person.LastName =Smith</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Any help would be appreciated, as I'm not even sure I'm in the right arena.

Answer 1

I'll answer by commenting on the differences in the responses.

• There's no encoding in the xml declaration. Probably won't matter.
• Issuer, which is optional is added.
• I assume you've removed the SignatureValue from the AuthServices response.
• AuthServices currently does not include the KeyInfo in the signature (it's optional)
• AuthServices does not sign the assertion, only the response.
• XML namespaces declarations are put in one place by AuthServices and not repeated all over.
• There's no Format on the Subject NameId (it's optional)
• There's no NameQualifier on the Subject NameId (it's optional)
• There's no NameFormat on the Attribute (it's optional)
• There's no xml type (xsi:string) on the AttributeValue (it's optional)

Basically Kentor.AuthServices leaves out a bunch of optional stuff, but otherwise the messages are equivalent.

You'll have to provide more details on what things are causing problems to get help on those.