PHP Signing SAML Document

Question

I'm working on a project and have basically reached a point where I don't know what to do to get much farther.

Trying to work with a vendor to setup an SSO process using SAML. We are, at this time, doing this process by hand because we don't have a solution implemented like SimpleSAMLPHP.

In order to test this process, We've setup SimpleSAMLPHP as a Service Provider. It has been a LARGE help in our testing phase, but we are currently getting this error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /portal/server/htdocs/saml/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Neither the assertion nor the response was signed.
Backtrace:
3 /portal/server/htdocs/saml/modules/saml/lib/Message.php:554 (sspmod_saml_Message::processAssertion)
2 /portal/server/htdocs/saml/modules/saml/lib/Message.php:518 (sspmod_saml_Message::processResponse)
1 /portal/server/htdocs/saml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /portal/server/htdocs/saml/www/module.php:135 (N/A)

Here is the SAML request that we are sending to our SP to see if we can auth.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="efmlkhlddlofoifkbikjkbemicpndhjingeioamb" Version="2.0" IssueInstant="2014-04-14T15:09:50Z" Destination="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229">
<saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm" Version="2.0" IssueInstant="2014-04-14T15:09:50Z">
    <saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>

    <saml:Subject>
        <saml:NameID SPNameQualifier="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">123456789</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2014-04-14T15:19:50Z" Recipient="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-04-14T15:04:50Z" NotOnOrAfter="2014-04-14T15:19:50Z">
        <saml:AudienceRestriction>
            <saml:Audience>https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-04-14T15:09:50Z" SessionNotOnOrAfter="2014-04-14T16:09:50Z" SessionIndex="hkckflaackcdmckckpipgjpdgdlhmiieclpigaij">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="eagleID" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
            <saml:AttributeValue xsi:type="xs:string">123456789</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
            <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm"><ds:Transforms>    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>    </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>    <ds:DigestValue>p/aLBlix/UI0oNiHgg4t5fgkwJg=</ds:DigestValue></ds:Reference>    </ds:SignedInfo>    <ds:SignatureValue>AsVSwH8mVNHhOak3z2A9j8F/1Q67Yuw472K9BI649EUePdT8QOCW/+BTS+OG+CM++Yn1J7ceT+pwYvOLMr5HFcUcdr8VMZNfPuk2oefs4afK8BpP2ndskPlGhfFx7UlkdXdu41dzWMJeaULo1KfcHtKF0e1ZgObucN3GCNDs97s=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data>    <ds:X509Certificate>MIIC2DCCAkGgAwIBAgIJAMCu9vwLblc3MA0GCSqGSIb3DQEBBQUAMIGEMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHR2VvcmdpYTETMBEGA1UEBwwKU3RhdGVzYm9ybzEkMCIGA1UECgwbR2VvcmdpYSBTb3V0aGVybiBVbml2ZXJzaXR5MSgwJgYDVQQLDB9FbnRlcnByaXNlIEFwcGxpY2F0aW9uIFNlcnZpY2VzMB4XDTE0MDMyNTEyMjg1NVoXDTE0MDQyNDEyMjg1NVowgYQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdHZW9yZ2lhMRMwEQYDVQQHDApTdGF0ZXNib3JvMSQwIgYDVQQKDBtHZW9yZ2lhIFNvdXRoZXJuIFVuaXZlcnNpdHkxKDAmBgNVBAsMH0VudGVycHJpc2UgQXBwbGljYXRpb24gU2VydmljZXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANN71CK2aSfTTd63cEkhG/DlpIOMtkUTLQLRfUFZ1U5RX8TA0NcmVMwJcIKVHllsJiwNZBl2RT/GUb+1PwLUkiUxFNZ6eT1qQ6t8SaPosv40ofnD4AXEGwG5Rzx3BvBSuz+viCc8/yjNY4RqSQ/wS34tMd0Eu9Z+Q6MZsmVmBWefAgMBAAGjUDBOMB0GA1UdDgQWBBS46JUAvJGsu79wMjdba7q3iOQ3xTAfBgNVHSMEGDAWgBS46JUAvJGsu79wMjdba7q3iOQ3xTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL+iVErbdU6lCISWWE7Dr3efaDAhyAxQVU/nLIi8aHvniQCQ6uACQhkQbfZpRdB6cbBDKzzsZD2pqIwY+N/yeomyRhpGqw0Y+q3Wa5tOoyY/AheCfqfRgVSfWkNFLv8Ri4G5Gz+2PJeMuZq4aJ5II/m0OUCn+84OOXDBiPs8+K</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>

Now, I've thrown a couple extra spaces in there by mistake when formatting this for the code.

I'm signing the SAML file with this PHP library: https://code.google.com/p/xmlseclibs/ and using the following code:

$doc = new DOMDocument();
$doc->load($tempFileName);
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true,'uri_context'=>$encHash1));
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
/* load private key */
$objKey->loadKey( $privKey, TRUE);
$objDSig->sign($objKey);
/* Add associated public key */
$objDSig->add509Cert(file_get_contents('gsukeys/academicworks_pub.pem'));
$objDSig->appendSignature($doc->documentElement);
$doc->save($tempFileName.'.out');

I will say, if I don't have the last part of this line

$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true,'uri_context'=>$encHash1));

Specifically , array('force_uri' => true,'uri_context'=>$encHash1) the service provider sees the file and successfully auth's my request.

Any suggestions as to how I can create this file to send? We don't want to implement SimpleSAMLPHP as our login because that would require changing our entire login process which we are already changing over the summer to integrate with CAS.

Edit to clarify how the change I do makes it work.

When I tell it to get rid of the reference URI portion, it gets rid of this: URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm" and no longer points to a specific part of the document that is signed. So I feel either the entire document is signed, or the signature is just added to the document and SimpleSAMLPHP just ignores the signature.

Edit 2: I forgot to update this, I ended up finding this code: http://michaelseiler.net/2013/08/23/cas-and-google-sso-integration/ which really helped me and I was able to do what I wanted after 2 tries.

Answer 1

You might consider using lightsaml library. Making the signed response with assertion looks something like this

$response = new Response();
$response->setID(Helper::generateID());
$response->setInResponseTo($request->getID());
$response->setIssueInstant(time());
$response->setDestination($destination);

$assertion = new Assertion();
$response->addAssertion($assertion);

$subject = new Subject();
$assertion->setSubject($subject);    
$assertion->setNameID(NameID($username, NameIDPolicy::PERSISTENT));

$subjectConfirmation = new SubjectConfirmation();
$subject->addSubjectConfirmation($subjectConfirmation);
$subjectConfirmation->setMethod(Protocol::CM_BEARER);
$data = new SubjectConfirmationData();
$subjectConfirmation->setData($data);
$data->setInResponseTo($request->getID());
$data->setNotOnOrAfter(time()+$this->expirationTime);
$data->setRecipient($recipient);

$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time()+$this->expirationTime);
$assertion->setValidAudience(array($request->getIssuer()));

$authnStatement = new AuthnStatement();
$authnStatement->setAuthnContext($this->authnContextClassRef);
$assertion->setAuthnStatement($authnStatement);

$assertion->addAttribute(new Attribute(ClaimTypes::COMMON_NAME, array('username'), 'Common Name'));


$signatureCreator = new SignatureCreator();
$signatureCreator->setXmlSecurityKey($xmlSecKey);
$signatureCreator->setCertificate($certificate);
$response->setSignature($signatureCreator);

$bindingManager = new BindingManager();
$r = $bindingManager->send($response);
$r->render();