alex842007

Dear all,

Thanks for your help, the STS finally works properly...

After the decryption of the response, I can view the claims along with the value provided by STS, that's good..

However, I'm still wondering about some encrypted values. I'll give you examples:

<Reference URI="#uuid-c0e4dda8-1afa-4a98-8d74-8313218d7e4d">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>ZFBWUPGGUMlW+LzpZ4ZQHpLFhtM=</DigestValue>
</Reference>
and
<SignatureValue>Lg17uOcVq5Y2jQcyGQNp1xsyCzLkBFkQbOi2OC9RCRecZlVAV8VXR7AU/bCWrB/hSzb3zeULC3WZAgT+1LDNnHWl/beZfSmITFPoZiI56PHeSQaK15mjjYlhQDGhLThiXiMCtGi0XzKXRTyZd4Uulbw7
HwQ5pE/98hI4hZ2CHqt8r4KkqRdf3UdUHzVqYUqVjOdETwkHH3DHRRPKJhIlAy5iyRXC9SqEqMlUfjSQ6jHN9FcQO4G93CoGkt/joQId5YRUcXZ90zqfG5dGvOQJOs+QVGLCglYzaapjJ4iOubuBaY5BkgzAahha9XHCSbXNmMui32tW9rt0/McFiZmxDw==</SignatureValue>
and
<X509Certificate>[base64-encoded certificate omitted]</X509Certificate>
They look quite messy....
My question is: where did they come from? Since I read the STS source code, I tried to print out the value of the SAML token, but it is impossible.
If you guys can show me, that would help me a lot.
Thank you!!!!


Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

Toland Hon - MSFT

Are you asking what the DigestValue is, or what a signature is in general?

from: http://www-128.ibm.com/developerworks/webservices/library/ws-security.html

while lines 11 and 12 specify the digest algorithm and the computed digest value, <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>FLuQTa/LqDIZ5F2JSaMRHSRuaiQ=</DigestValue>.

In our application, the Transform algorithm is once again the W3C Exclusive XML Canonicalization algorithm discussed above. The method used to compute the digest, the Secure Hash Algorithm, is part of the U.S. Department of Commerce/National Institute of Standards and Technology's Secure Hash standard.

I personally don't really know what the DigestValue is, but it appears to be used with signatures.

//Toland





Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

Colin Dellow

To prove that the SAML token was issued by the person you trust, it gets signed. This means that someone uses their private key to produce a ciphertext that you can decrypt using their public key to verify the thing presented actually came from them.

The Reference element indicates what is being signed (the whole thing), what canonicalization method is used (to standardize <a/> vs. <a></a>, for example), and what digest method is being used. The digest is used to minimize the amount of data that has to be encrypted/decrypted to speed things up. I'm not sure why the DigestValue tag itself is included -- it seems to me that the recipient always has to digest the whole thing anyway so that they can trust the digest.

The signature value is the encrypted digest value. This is what you will decrypt to verify the digest.

The X509Certificate isn't actually encrypted -- it's just encoded in base64. You can run this through a base64 decoder to produce a .cer file that you can import into the Certificates console snap-in to learn more about the certificate. This is where you get the identity information about who signed the token, including their public key, common name, and who issued them the certificate.

Hope this helps!





Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

alex842007

Thanks all..

Actually your quote is very useful for me..

I'm still wondering about the tag <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

Does anyone know exactly the structure of the XML file after canonicalization? I can't find any example of this...

Thanks again.





Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

Colin Dellow

If you're really hardcore, the spec is available at http://www.w3.org/TR/xml-exc-c14n/



Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

alex842007

Colin Dellow wrote:
If you're really hardcore, the spec is available at http://www.w3.org/TR/xml-exc-c14n/

Thanks Colin, I read it, of course....

But, you know, that is a brief documentation. I don't know exactly how XML-EXC-C14N works with the SAML response.

Let's say, if I want to verify the response from the server, I need to do the SHA1withRSA algo to get the signature value, do hashing to get the digest value... etc...


This is my SAML response:

<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="uuid-c0e4dda8-1afa-4a98-8d74-8313218d7e4d" Issuer="10.65.8.165" IssueInstant="2007-03-27T07:39:11.628Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2007-03-27T07:39:11.628Z" NotOnOrAfter="2007-03-27T15:39:11.628Z" />
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:namespace:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2007-03-27T07:39:11.628Z">
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="Account" AttributeNamespace="https://schemas.mycompany.com">
      <saml:AttributeValue>987654321</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>123456</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>myemail@yahoo.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#uuid-c0e4dda8-1afa-4a98-8d74-8313218d7e4d">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>ZFBWUPGGUMlW+LzpZ4ZQHpLFhtM=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>Lg17uOcVq5Y2jQcyGQNp1xsyCzLkBFkQbOi2OC9RCRecZlVAV8VXR7AU/bCWrB/hSzb3zeULC3WZAgT+1LDNnHWl/beZfSmITFPoZiI56PHeSQaK15mjjYlhQDGhLThiXiMCtGi0XzKXRTyZd4Uulbw7HwQ5pE/98hI4hZ2CHqt8r4KkqRdf3UdUHzVqYUqVjOdETwkHH3DHRRPKJhIlAy5iyRXC9SqEqMlUfjSQ6jHN9FcQO4G93CoGkt/joQId5YRUcXZ90zqfG5dGvOQJOs+QVGLCglYzaapjJ4iOubuBaY5BkgzAahha9XHCSbXNmMui32tW9rt0/McFiZmxDw==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>[base64-encoded certificate omitted]</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</saml:Assertion>
I noticed that the saml namespace and the signature part must be removed from the encryption algo (to get the signature, for example). I tried to do something like that; however, the results are not the same as they are in the XML file... that's why I wonder.
Can anyone give me a hint about the XML after canonicalization with XML-EXC-C14N?
Thanks a lot..




Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

Colin Dellow

If you're going to dig in, I'd recommend getting a tool that'll do the transformations for you, e.g. http://xmlstar.sourceforge.net/ ( see chapter 6 of the user manual for more info - http://xmlstar.sourceforge.net/doc/UG/ch04s06.html )





Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

alex842007

Colin Dellow wrote:

If you're going to dig in, I'd recommend getting a tool that'll do the transformations for you, e.g. http://xmlstar.sourceforge.net/ ( see chapter 6 of the user manual for more info - http://xmlstar.sourceforge.net/doc/UG/ch04s06.html )

Thanks Colin,

Although the final results are not my expected results, the tool is really useful....

Thanks a lot, a lot, a lot!!!!

Regards,
Alex





Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

alex842007

Any suggestions? If I use SHA1 with RSA on the SignedInfo (after canonicalization) to verify the SignatureValue, is that correct?
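An added example (not code from this thread or from CardSpace) that walks through the two checks the question above and the earlier post about canonicalization are asking about: the DigestValue is SHA-1 over the referenced assertion after the enveloped-signature transform and canonicalization, while the SignatureValue is RSA-SHA1 over the canonicalized SignedInfo, not over the assertion itself. It assumes a constructed toy assertion, a throwaway RSA key built from two Mersenne primes, and Python's stdlib canonicalize() (C14N 2.0) standing in for exc-c14n, so its canonical bytes will not match a real xml-exc-c14n implementation exactly.

```python
# Added example, not code from the thread. Assumptions: a constructed toy assertion, a throwaway
# RSA key, and Python's stdlib canonicalize() (C14N 2.0) standing in for the xml-exc-c14n# transform.
import base64, copy, hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", DS)  # serialize ds:* in the default namespace, as in the thread's XML
ET.register_namespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion")
TEMPLATE = (  # constructed SAML 1.1 assertion; {digest} and {sig} are filled in by sign_assertion()
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-demo">'
    '<saml:AttributeStatement><saml:Attribute AttributeName="Account"><saml:AttributeValue>987654321'
    '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#uuid-demo">'
    '<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>'
    '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>{digest}</DigestValue>'
    '</Reference></SignedInfo><SignatureValue>{sig}</SignatureValue></Signature></saml:Assertion>')
# Throwaway key from two well-known Mersenne primes (~650-bit modulus); never use such a key for real.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def c14n(elem):  # canonical bytes of one element (C14N 2.0 standing in for exc-c14n)
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()
def reference_digest(assertion):
    """Reference check: enveloped-signature transform (drop ds:Signature), canonicalize, SHA-1, base64."""
    work = copy.deepcopy(assertion)
    for sig in work.findall(f"{{{DS}}}Signature"):
        work.remove(sig)
    return base64.b64encode(hashlib.sha1(c14n(work)).digest()).decode()
def signed_info_bytes(assertion):  # what RSA-SHA1 covers: the canonical SignedInfo, not the assertion
    return c14n(assertion.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo"))
def pkcs1_em(msg, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-1) || SHA-1(msg), k bytes
    t = bytes.fromhex("3021300906052b0e03021a05000414") + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sha1_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_em(msg, k), "big"), d, n).to_bytes(k, "big")
def rsa_sha1_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == pkcs1_em(msg, k)
def sign_assertion(n, d):  # issuer side: digest first, then sign the SignedInfo that carries that digest
    digest = reference_digest(ET.fromstring(TEMPLATE.format(digest="", sig="")))
    sig = rsa_sha1_sign(signed_info_bytes(ET.fromstring(TEMPLATE.format(digest=digest, sig=""))), n, d)
    return TEMPLATE.format(digest=digest, sig=base64.b64encode(sig).decode()).encode()
def verify_assertion(xml_bytes, n, e):  # relying-party side: (DigestValue matches?, SignatureValue verifies?)
    a = ET.fromstring(xml_bytes)
    digest = a.findtext(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference/{{{DS}}}DigestValue")
    sig = base64.b64decode(a.findtext(f"{{{DS}}}Signature/{{{DS}}}SignatureValue"))
    return digest == reference_digest(a), rsa_sha1_verify(signed_info_bytes(a), sig, n, e)
```

Changing an attribute value in a signed assertion leaves the signature over SignedInfo valid but breaks the DigestValue check, which is why a relying party must perform both checks rather than only verifying SignatureValue.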



Re: Windows CardSpace (InfoCard) Question about encrypted values of the SAML response.

hoangoanh

How about SSO with SAML? Do you have a demo of SSO with SAML?

How does SAML work at the second site?