Assertion &#13; ending characters

Article ID: 194286

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

We're running SiteMinder as IdP, and when the Assertion arrives at Federation
Services on the foreign SP side, the SAML Response signature fails validation.

The SiteMinder IdP uses the following certificate to sign:

     We are using the SP certificate below for encrypting the assertion and
     the IdP certificate saml.mycompany.com.

     Issued To:
      CN=saml.mycompany.com 
     Issued By:
      CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

     Valid From:
      Oct 26, 2018 02:00 AM CEST  

     Fingerprint: 99:DE:AF:37:FA:23:B7:51:57:D1:EE:AC:99:3B:5F:74:56:0W:B8:CDy

After investigation, we've found that there might be an issue with
the base64 encoding of the SAML Responses before they are sent
to the foreign application.

The certificate from the Assertion looks like this:

  <ds:X509Certificate>
  MIIGr [...] QG&#13;

How can we solve this?

Cause

Looking at the SAMLResponse sent to the browser and then on to the
SP side in the Fiddler traces, decoding and decrypting the
SAMLResponse value does not show any &#13; end characters.

On line 32 we see the SAMLResponse, and using
https://www.samltool.com/decode.php we can see the assertion rendering
correctly, without the "&#13;":

When it leaves the IdP side:

Line 32:

GET https://myidp.mydomainidp.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=https://saml.mycompany.com&SAMLTRANSACTIONID=411f5f1w-97446195-5578f301-5f2d916c-9f53846c-be5
SMSESSION=qMw21FiusaZbYqgiwtVtZh8PBX [...]

  HTTP/1.1 200 OK
  Date: Fri, 26 Jun 2020 09:35:26 GMT
  Server: Apache/2.4.4 (Unix) mod_jk/1.2.37
  
  <form action="https://mysp.mydomainsp.com/loginaccount/saml" method="POST">
  <input type="hidden" name="SAMLResponse" value="PFJlc3Bv [...] c2U+

decoded:

  <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://mysp.mydomainsp.com/loginaccount/saml" ID="_5s22ff5411eb4 [...]" IssueInstant="2020-06-26T09:35:26Z" Version="2.0">
      <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://myhost.mydomain.com</ns1:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_2c33ss5122eb4f6eb6d4dccc67bd126c90bc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>sdfdsaqawssdDSK53IvL9ZUGK [...] </ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ASDsdweasdsadsADsASDsadvrL [...] </ds:SignatureValue><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGrDC [...] </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
      <Status>
   <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </Status>

  <ns2:EncryptedAssertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>aDSADwewadsas [...] </xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey><ds:X509Data><ds:X509Certificate>MIIDSADSEedsad [...] </ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>8i07RtfHK [...] </xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></ns2:EncryptedAssertion></Response>

Then the browser sends the same value on to the SP side, again with no "&#13;":

Line 35:

POST https://mysp.mydomainsp.com/loginaccount/saml
SAMLResponse=PFJlc3Bv [...]

decoded:

  <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://mysp.mydomainsp.com/loginaccount/saml" ID="_2c33ss5122eb4f6 [...] " IssueInstant="2020-06-26T09:35:26Z" Version="2.0">
      <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://myhost.mydomain.com</ns1:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_2c33ss51 [...] "><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>sdfdsa [...] </ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ASDsdweasdsadsADsASDsadvrLAY [...] </ds:SignatureValue><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGrDCCBZSgAwIBA [...] </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
      <Status>
   <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </Status>

  <ns2:EncryptedAssertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>aDSADwewadsasdaDSDS [...] </xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey><ds:X509Data><ds:X509Certificate>MIIDSADSEedsad/DSddc [...] </ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>8i07RtfHKva [...]

and the embedded certificate is readable:

openssl x509 -in cert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:54:e8:1b:df:c3:ec:4a:e3:3d:d5:2f:2f:d4:aa:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
        Validity
            Not Before: May  6 00:00:00 2020 GMT
            Not After : May  7 12:00:00 2022 GMT
        Subject: C = ES, ST = Barcelona, L = Barcelona, O = Support, CN = myhost.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bd:f7:4c:a4:43:ab:d1:b8:c0:e1:47:cb:a6:03:
      [...]

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:24:6E:2B:2D:D0:6A:92: [...]

            X509v3 Subject Key Identifier: 
                FA:41:54:85:DB:42:74:81:4A: [...]
            X509v3 Subject Alternative Name: 
                DNS:fss9.ericsson.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl3.digicert.com/DigiCertGlobalCAG2.crl

                Full Name:
                  URI:http://crl4.digicert.com/DigiCertGlobalCAG2.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.2.2

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalCAG2.crt

            X509v3 Basic Constraints: 
                CA:FALSE
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                                [...]
                    Timestamp : May  6 03:02:09.935 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:76:CC:9D:82:F6:59:30:AC:DB:FD:F4:71:
    [...]

                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 22:45:45:07:59:55:24:56:96:3F:A1:2F:F1:F7:6D:86:
                  [...] 
                    Timestamp : May  6 03:02:09.957 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:BF:C0:82:9A:B8:F9:3B:BF:33:E5:8C:
    [...]
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 51:A3:B0:F5:FD:01:79:9C:56:6D:B8:37:78:8F:0C:A4:
                  [...]
                    Timestamp : May  6 03:02:10.031 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:7C:E3:90:AF:44:68:0E:D9:8B:72:E5:C8:
    [...]

    Signature Algorithm: sha256WithRSAEncryption
         46:cd:00:e4:df:5c:71:44:b0:3b:55:c9:1c:5e:c1:6c:9a:21:
  [...]
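The following script is an added diagnostic example; it is not part of this article and not SiteMinder or partner code. It reproduces, offline, the check done above with Fiddler and samltool.com: it reverses the SAMLResponse form encoding (base64, plus URL-encoding in the POST body), parses the Response, and reports whether the text of any ds:X509Certificate element contains a carriage return (the character that an XML serializer writes as &#13;), so the first hop at which the CR appears can be named. It also shows the normalisation (stripping CR/LF before re-wrapping as PEM) that makes such a certificate loadable with openssl. The Response XML, the certificate value and the function names are all constructed for the example.

```python
import base64
import binascii
import textwrap
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Optional

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the base64 below is a placeholder string, not a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode("ascii")


def build_response(cert_b64: str) -> str:
    """Constructed minimal SAML Response carrying a signing certificate in ds:KeyInfo."""
    return (
        '<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">'
        f'<ds:Signature xmlns:ds="{DS_NS}"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></Response>"
    )


CLEAN_XML = build_response(FAKE_CERT_B64)
# Same document with a carriage-return character reference after the certificate text,
# which is how the &#13; appeared in the trace once the partner had received it.
BROKEN_XML = build_response(FAKE_CERT_B64 + "&#13;")


def encode_form_value(xml_text: str, url_encoded: bool) -> str:
    """Encode a Response the way it travels: base64 in the hidden form field,
    additionally URL-encoded inside the POST body."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(b64, safe="") if url_encoded else b64


def decode_saml_response(value: str) -> str:
    """Reverse that encoding. unquote() is a no-op on plain base64 (no '%' in it),
    and unlike unquote_plus() it never turns a base64 '+' into a space."""
    return base64.b64decode(urllib.parse.unquote(value)).decode("utf-8")


def is_strict_base64(text: str) -> bool:
    """True only if every character is in the base64 alphabet; a CR fails this."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False


def find_cr_in_certificates(xml_text: str) -> list:
    """Parse the Response and report each ds:X509Certificate whose text contains a CR.
    The XML parser keeps &#13; as a literal '\\r', which breaks the certificate's base64."""
    root = ET.fromstring(xml_text)
    findings = []
    for cert in root.iter(f"{{{DS_NS}}}X509Certificate"):
        text = cert.text or ""
        findings.append({
            "has_cr": "\r" in text,
            "cr_count": text.count("\r"),
            "base64_valid": is_strict_base64(text),
        })
    return findings


def first_hop_with_cr(hops: list) -> Optional[str]:
    """Given (hop_name, decoded_xml) pairs in transit order, return the name of the
    first hop at which a CR shows up in a certificate, or None if every hop is clean."""
    for name, xml_text in hops:
        if any(f["has_cr"] for f in find_cr_in_certificates(xml_text)):
            return name
    return None


def to_pem(cert_b64: str) -> str:
    """Drop all whitespace (CR, LF, spaces) from the certificate text and wrap it
    as PEM at 64 columns, ready for `openssl x509 -in cert.crt -text -noout`."""
    body = "".join(cert_b64.split())
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Hops as captured in the traces: hidden form field at the IdP, POST body at the SP,
    # and what the partner's stack holds after receiving it (constructed to carry the CR).
    hops = [
        ("idp-form", decode_saml_response(encode_form_value(CLEAN_XML, url_encoded=False))),
        ("sp-post", decode_saml_response(encode_form_value(CLEAN_XML, url_encoded=True))),
        ("sp-internal", BROKEN_XML),
    ]
    print("first hop with CR:", first_hop_with_cr(hops))
    print(to_pem(FAKE_CERT_B64 + "\r"))
```

Run the script as-is to see the sample hops evaluated; to apply it to a real trace, pass each captured SAMLResponse value through decode_saml_response and feed the decoded XML, in transit order, to first_hop_with_cr. A CR that is absent in the IdP form field and the SP POST body but present in what the partner's stack processes points at the receiving side, which is the situation this article describes.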

Environment

  Policy Server 12.8SP2 on RedHat 7
  JDK 1.8.0_181
  Policy Store on CA Directory 14

Resolution

Investigate on the partner (SP) side why the &#13; characters are
added to the assertion after it is received: the traces above show the
Response leaving the IdP and arriving at the SP without them.