SAML IDP issue
852300 Apr 5 2011 — edited Apr 6 2011
I currently have a working Service Provider–IDP SAML solution inside Enterprise Manager (both set up by an Oracle engineer).
I'm trying to use my own IDP (created using OpenSAML, which does work successfully with other products) to interact in the same way. I've overcome a few issues (made difficult by the not very helpful error messages) but I'm now stuck on what appear to be incorrect assertion timings:
From the browser:
Federation SSO Operation Result
SSO Authentication Result Authentication Failed
User Identifier
Authentication Instant
Session Expiration Instant
Authentication Mechanism
SSO Primary Status Code RESPONDER
SSO Secondary Status Code
SSO Status Message The assertion could not be validated
IdP Provider ID http://192.168.0.180:8080/SAMLOracle
Relay State
From log messages:
FED-18018 Assertion has expired or is not yet valid: {0}
FED-18012 Assertion cannot be validated.
However, as previous error messages were misleading (some turned out to be omissions in the IDP metadata I provided), I'm doubtful it's that. I've also removed all timings except the mandatory authentication and issue instants.
This is my assertion (which I validate automatically, so as far as I can tell it is valid):
<?xml version="1.0" encoding="UTF-8"?>
<!-- NOTE(review): the comments in this listing are review annotations, not part of
     the message the IdP emitted. The signed Reference below is canonicalised with
     exclusive c14n without comments (see its Transforms), so comments placed inside
     the Assertion do not enter the digest; still, strip them before reusing this
     document as a test vector. -->
<!-- NOTE(review): the Response carries no Destination and no InResponseTo, so the SP
     has to treat it as an unsolicited (IdP-initiated) response. Only the Assertion is
     signed; the Response element itself is not. Whether this SP accepts an unsigned
     Response and an unsolicited flow depends on its configuration: confirm. -->
<saml2p:Response ID="gkpakaanklepldgdcbkldcjmdhjldodkemhollpj"
IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.0.180:8080/SAMLOracle</saml2:Issuer>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<!-- NOTE(review): the Assertion IssueInstant equals the Response IssueInstant
     (13:33:06.484Z); compare both with the AuthnInstant further down. -->
<saml2:Assertion ID="lomhembcokbdhnnlhjkiejmchkmjgacbcbaalioe"
IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.0.180:8080/SAMLOracle</saml2:Issuer>
<!-- NOTE(review): enveloped signature over the Assertion (Reference URI is the
     Assertion ID). It uses DSA with SHA-1 and a SHA-1 digest, both deprecated for
     new deployments; the failure reported in the logs (FED-18018) is about validity
     timing rather than the signature, but the algorithm choice is worth revisiting
     once the flow works. No comments are placed inside SignedInfo because its own
     canonicalisation method includes comments. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:Reference URI="#lomhembcokbdhnnlhjkiejmchkmjgacbcbaalioe"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ec:InclusiveNamespaces PrefixList="ds saml2"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">A6CyjTZQ6dcAG7LyhxewOLomLG8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">sPbNCQ7QdosRpcOJgfeLw+llUoIOTt204/mvs0aRvKKr1E3+2XfABg==</ds:SignatureValue>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@abc.com</saml2:NameID>
<!-- NOTE(review): bearer confirmation with a Recipient but no NotOnOrAfter. The
     attribute is optional at the schema level (which is why a schema validator
     accepts this), but the SAML 2.0 Web Browser SSO profile requires NotOnOrAfter on
     bearer SubjectConfirmationData, and an assertion that never expires can be
     replayed indefinitely. Presumably the SP enforces the profile; confirm. -->
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
Recipient="http://fed.demo.oracle.com:7779/fed/sp/authnResponse20" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<!-- NOTE(review): Conditions carries neither NotBefore nor NotOnOrAfter (the poster
     says all timings were removed except the mandatory instants). Together with the
     missing NotOnOrAfter above, this leaves the SP with no validity window at all,
     which is a plausible reason for it to report the assertion as not validatable
     rather than a sign that the timings were wrong. -->
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction>
<saml2:Audience>http://fed.demo.oracle.com:7779/fed/sp</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<!-- NOTE(review): AuthnInstant is 13:38:06.535Z, five minutes AFTER both IssueInstant
     values (13:33:06.484Z). An authentication cannot postdate the assertion that
     reports it; if the SP checks AuthnInstant against its own clock (plus any skew
     allowance) this reads as a future timestamp and is a plausible trigger for the
     "not yet valid" half of FED-18018. Check whether a +5 minute offset intended for
     a NotOnOrAfter value was applied to AuthnInstant instead, and that the IdP and SP
     clocks agree. -->
<saml2:AuthnStatement AuthnInstant="2011-04-05T13:38:06.535Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Could anyone give me some pointers on what I'm missing please?
Thanks,
Andy