Comments on: SAML, SSO and ColdFusion http://blog.tagworldwide.com/?p=19 Tue, 07 Sep 2010 17:36:25 +0000 http://wordpress.org/?v=2.3.1 By: CFFusionDev http://blog.tagworldwide.com/?p=19#comment-436 CFFusionDev Wed, 15 Apr 2009 16:10:08 +0000 http://blog.tagworldwide.com/?p=19#comment-436 Hi there, I have my code running thanks to your blog. :-) One question about line isValid = xmlSignature.checkSignatureValue(x509cert); isValid returns *NO* in my case. Only thing different from your case is that assertion sent to me is not Base64 Encoded which means I dont use this line from your code on SP side xmlResponse=CharsetEncode(BinaryDecode(form.SAMLRequest,”Base64″) ,”utf-8″); Does that make any difference or you think it has to do with certificate in ds:X509Certificate element meaning this public key/certificate is different than what was used for signing? Thanks, Hi there,

I have my code running thanks to your blog. :-)

One question about line
isValid = xmlSignature.checkSignatureValue(x509cert);

isValid returns *NO* in my case. Only thing different from your case is that assertion sent to me is not Base64 Encoded which means I dont
use this line from your code on SP side
xmlResponse=CharsetEncode(BinaryDecode(form.SAMLRequest,”Base64″)
,”utf-8″);

Does that make any difference or you think it has to do with certificate in ds:X509Certificate element meaning this public key/certificate is different than what was used for signing?

Thanks,

]]> By: CFFusionDev http://blog.tagworldwide.com/?p=19#comment-435 CFFusionDev Mon, 13 Apr 2009 17:10:27 +0000 http://blog.tagworldwide.com/?p=19#comment-435 Update... I still need code as mentioned in my earlier post and I am getting error when using current code below xmlResponse= tokenXML; docElement= XmlParse(variables.xmlResponse).getDocumentElement(); SignatureConstants=CreateObject("Java", "org.apache.xml.security.utils.Constants"); SignatureSpecNS=SignatureConstants.SignatureSpecNS; xmlSignatureClass = CreateObject("Java","org.apache.xml.security.signature.XMLSignature"); xmlSignature = xmlSignatureClass.init(docElement.getElementsByTagNameNS(SignatureSpecNS,"Signature").item(0),""); // this lines gives error. see details below //Exceptions 13:00:53.053 - Object Exception - in **** Object Instantiation //Exception. keyInfo=xmlSignature.getKeyInfo(); X509CertificateResolverCN = CreateObject("Java","org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolverClass"); keyResolver=CreateObject("Java",X509CertificateResolverCN).init(); keyInfo.registerInternalKeyResolver(keyResolver); x509cert = keyInfo.getX509Certificate(); For clarification purpose, its this line that throws error. xmlSignature = xmlSignatureClass.init(docElement.getElementsByTagNameNS(SignatureSpecNS,"Signature").item(0),""); I am trying to find solution but if you have suggestions please email me at CFFusionDev AT Gmail Dot Com. Thanks, Update… I still need code as mentioned in my earlier post and I am getting error when using current code below

xmlResponse= tokenXML;

docElement= XmlParse(variables.xmlResponse).getDocumentElement();

SignatureConstants=CreateObject(”Java”, “org.apache.xml.security.utils.Constants”);

SignatureSpecNS=SignatureConstants.SignatureSpecNS;

xmlSignatureClass = CreateObject(”Java”,”org.apache.xml.security.signature.XMLSignature”);

xmlSignature = xmlSignatureClass.init(docElement.getElementsByTagNameNS(SignatureSpecNS,”Signature”).item(0),”"); // this lines gives error. see details below
//Exceptions 13:00:53.053 - Object Exception - in **** Object Instantiation //Exception.

keyInfo=xmlSignature.getKeyInfo();

X509CertificateResolverCN = CreateObject(”Java”,”org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolverClass”);

keyResolver=CreateObject(”Java”,X509CertificateResolverCN).init();

keyInfo.registerInternalKeyResolver(keyResolver);

x509cert = keyInfo.getX509Certificate();

For clarification purpose, its this line that throws error.

xmlSignature = xmlSignatureClass.init(docElement.getElementsByTagNameNS(SignatureSpecNS,”Signature”).item(0),”");

I am trying to find solution but if you have suggestions please email me at CFFusionDev AT Gmail Dot Com.

Thanks,

]]> By: Howie http://blog.tagworldwide.com/?p=19#comment-403 Howie Tue, 05 Aug 2008 18:48:00 +0000 http://blog.tagworldwide.com/?p=19#comment-403 is this portion of code correct? transforms = TransformsClass .init(samlAssertionDocument transforms.addTransform(transformOmitCommentsStr); I changed it to transforms = TransformsClass.init(samlAssertionDocument); transforms.addTransform(transformOmitCommentsStr); transforms.addTransform(transformEnvStr); and got past that error but now i am getting Cannot resolve element with ID 940A010B-188B-73FA-E68F75D98735111E on the signature.sign(key); which is probably unrelated is this portion of code correct?
transforms = TransformsClass
.init(samlAssertionDocument
transforms.addTransform(transformOmitCommentsStr);

I changed it to

transforms = TransformsClass.init(samlAssertionDocument);
transforms.addTransform(transformOmitCommentsStr);
transforms.addTransform(transformEnvStr);

and got past that error but now i am getting
Cannot resolve element with ID 940A010B-188B-73FA-E68F75D98735111E
on the signature.sign(key);
which is probably unrelated

]]> By: Justin http://blog.tagworldwide.com/?p=19#comment-361 Justin Mon, 02 Jun 2008 20:36:37 +0000 http://blog.tagworldwide.com/?p=19#comment-361 Well, in one of those "is it plugged in?" kinda moments, I just realized I'm trying to process a SAML 2.0 packet with your SAML 1.0 processing code, so that's probably the source of my consistent failures :) I must not be getting the correct XML elements passed into the certificate validation functions because of the differences in protocols. Back to the docs I go! Well, in one of those “is it plugged in?” kinda moments, I just realized I’m trying to process a SAML 2.0 packet with your SAML 1.0 processing code, so that’s probably the source of my consistent failures :)

I must not be getting the correct XML elements passed into the certificate validation functions because of the differences in protocols.

Back to the docs I go!

]]> By: Jon Clausen http://blog.tagworldwide.com/?p=19#comment-360 Jon Clausen Mon, 02 Jun 2008 18:48:22 +0000 http://blog.tagworldwide.com/?p=19#comment-360 @all - sorry about the formatting, looks like the comment system stripped out the tags the above is inside a cfscript block. The cffunction tag has one argument, document whichi is the SAM assertion XML object. @all - sorry about the formatting, looks like the comment system stripped out the tags the above is inside a cfscript block. The cffunction tag has one argument, document whichi is the SAM assertion XML object.

]]> By: Jon Clausen http://blog.tagworldwide.com/?p=19#comment-359 Jon Clausen Mon, 02 Jun 2008 18:40:01 +0000 http://blog.tagworldwide.com/?p=19#comment-359 @David,@Justin - Guys actually, my suggestion works on CF8 and CF7. My dev server is CF8 and the production server is still CF7. Here's the full content of my signing function: var samlAssertionXML=arguments.document; var xmlout = ""; //Create our Signing Objects from XMLSEC var samlAssertionElement = samlAssertionXML.getDocumentElement(); var samlAssertionDocument = samlAssertionElement.GetOwnerDocument(); var samlAssertion = samlAssertionDocument.getFirstChild(); var SignatureSpecNS = CreateObject("Java", "org.apache.xml.security.utils.Constants").SignatureSpecNS; var TransformsClass = CreateObject("Java","org.apache.xml.security.transforms.Transforms"); var SecInit = CreateObject("Java", "org.apache.xml.security.Init").Init().init(); var XMLSignatureClass = CreateObject("Java", "org.apache.xml.security.signature.XMLSignature"); var sigType = XMLSignatureClass.ALGO_ID_SIGNATURE_DSA; var signature = XMLSignatureClass.init(samlAssertionDocument, toString(""), sigType); //transform class vars var transformEnvStr = ""; var transformOmitCommentsStr =""; var transforms =""; //Insert signature samlAssertionElement .insertBefore(signature .getElement(),samlAssertion.getFirstChild()); //transform document for XMLSEC into enveloped signature transformEnvStr = TransformsClass.TRANSFORM_ENVELOPED_SIGNATURE; transformOmitCommentsStr = TransformsClass.TRANSFORM_C14N_EXCL_WITH_COMMENTS; transforms = TransformsClass.init(samlAssertionDocument); transforms.addTransform(transformOmitCommentsStr); transforms.addTransform(transformEnvStr); //Scope our Cert and key variables getAuthCert(); //Now add our signature signature.addDocument("#chr(35)##controller.getBean("AssertionID")#" , transforms); signature.addKeyInfo(variables.cert); signature.addKeyInfo(variables.publickey); signature.sign(variables.key); xmlout = samlAssertionXML; return xmlout; HTH, Jon @David,@Justin

- Guys actually, my suggestion works on CF8 and CF7. My dev server is CF8 and the production server is still CF7.

Here’s the full content of my signing function:

var samlAssertionXML=arguments.document;
var xmlout = “”;
//Create our Signing Objects from XMLSEC
var samlAssertionElement = samlAssertionXML.getDocumentElement();
var samlAssertionDocument = samlAssertionElement.GetOwnerDocument();
var samlAssertion = samlAssertionDocument.getFirstChild();
var SignatureSpecNS = CreateObject(”Java”, “org.apache.xml.security.utils.Constants”).SignatureSpecNS;
var TransformsClass = CreateObject(”Java”,”org.apache.xml.security.transforms.Transforms”);
var SecInit = CreateObject(”Java”, “org.apache.xml.security.Init”).Init().init();
var XMLSignatureClass = CreateObject(”Java”, “org.apache.xml.security.signature.XMLSignature”);
var sigType = XMLSignatureClass.ALGO_ID_SIGNATURE_DSA;
var signature = XMLSignatureClass.init(samlAssertionDocument, toString(”"), sigType);
//transform class vars
var transformEnvStr = “”;
var transformOmitCommentsStr =”";
var transforms =”";
//Insert signature
samlAssertionElement
.insertBefore(signature
.getElement(),samlAssertion.getFirstChild());
//transform document for XMLSEC into enveloped signature
transformEnvStr =
TransformsClass.TRANSFORM_ENVELOPED_SIGNATURE;
transformOmitCommentsStr =
TransformsClass.TRANSFORM_C14N_EXCL_WITH_COMMENTS;
transforms = TransformsClass.init(samlAssertionDocument);
transforms.addTransform(transformOmitCommentsStr);
transforms.addTransform(transformEnvStr);
//Scope our Cert and key variables
getAuthCert();
//Now add our signature
signature.addDocument(”#chr(35)##controller.getBean(”AssertionID”)#”
, transforms);
signature.addKeyInfo(variables.cert);
signature.addKeyInfo(variables.publickey);
signature.sign(variables.key);
xmlout = samlAssertionXML;
return xmlout;

HTH,
Jon

]]> By: David Rutter http://blog.tagworldwide.com/?p=19#comment-358 David Rutter Mon, 02 Jun 2008 17:23:07 +0000 http://blog.tagworldwide.com/?p=19#comment-358 Hi Justin, You can use this in CF7 - our original implementation was on CF7. We had to use some introspection code as follows Init = CreateObject("Java", "org.apache.xml.security.Init"); emptyArray = ArrayNew(1); initMethod=Init.GetClass().GetMethod("init",emptyArray); initMethod.invoke(Init,emptyArray); Jon's suggestion is obviously the better way but I think this is CF8 only. var Init = CreateObject(”Java”, “org.apache.xml.security.Init”).Init().init() Hi Justin,

You can use this in CF7 - our original implementation was on CF7.
We had to use some introspection code as follows

Init = CreateObject(”Java”, “org.apache.xml.security.Init”);
emptyArray = ArrayNew(1);
initMethod=Init.GetClass().GetMethod(”init”,emptyArray);
initMethod.invoke(Init,emptyArray);

Jon’s suggestion is obviously the better way but I think this is CF8 only.

var Init = CreateObject(”Java”, “org.apache.xml.security.Init”).Init().init()

]]> By: Justin http://blog.tagworldwide.com/?p=19#comment-357 Justin Fri, 30 May 2008 18:18:24 +0000 http://blog.tagworldwide.com/?p=19#comment-357 Hi David, I recently found your article while researching Coldfusion & SAML examples online. I'm in the middle of trying to put together a SAML Consumer-only SSO scenerio for a site that runs on CF MX 7. I noticed your steps assume CF 8, but nothing I've seen in there so far looks implicit to 8, except possibly some of the really lower-level Java stuff that I'm not quite as familliar with. As far as you know, will your example run on MX as well, or are there known road-blocks there? While implementing your SAML Consumer/decryption code as a test, I keep getting tripped up on the "keyInfo" field, which CF MX claims is never defined, thus the getX509Certificate() and final isValid() calls against that object fail. The one part that's a little unclear to me is where in the flow of the process the init override code snippit has to fall? I've written a saml.cfc file that has a comsume() method in it that handles the POST, and within there, have implemented your code. I just pasted the init block right at the top of that function, and it doesn't seem to be complaining... Anyhow... any insight into the CF MX vs. 8 issue would be appreciated. It'd be nice to know I'm not beating my head against a wall I cannot overcome :) -Justin Hi David,

I recently found your article while researching Coldfusion & SAML examples online. I’m in the middle of trying to put together a SAML Consumer-only SSO scenerio for a site that runs on CF MX 7. I noticed your steps assume CF 8, but nothing I’ve seen in there so far looks implicit to 8, except possibly some of the really lower-level Java stuff that I’m not quite as familliar with. As far as you know, will your example run on MX as well, or are there known road-blocks there?

While implementing your SAML Consumer/decryption code as a test, I keep getting tripped up on the “keyInfo” field, which CF MX claims is never defined, thus the getX509Certificate() and final isValid() calls against that object fail.

The one part that’s a little unclear to me is where in the flow of the process the init override code snippit has to fall? I’ve written a saml.cfc file that has a comsume() method in it that handles the POST, and within there, have implemented your code. I just pasted the init block right at the top of that function, and it doesn’t seem to be complaining…

Anyhow… any insight into the CF MX vs. 8 issue would be appreciated. It’d be nice to know I’m not beating my head against a wall I cannot overcome :)

-Justin

]]> By: Jon Clausen http://blog.tagworldwide.com/?p=19#comment-349 Jon Clausen Thu, 22 May 2008 21:39:43 +0000 http://blog.tagworldwide.com/?p=19#comment-349 Update: My problem was related to instantiating the org.apache.xml.security.Init object with createObject(). There's a known issue in the way that CF handles Init(). I simply changed: var Init = CreateObject("Java", "org.apache.xml.security.Init").Init() to var Init = CreateObject("Java", "org.apache.xml.security.Init").Init().init() and the problem was solved. Thanks again for you work on this. It was a lifesaver. Update: My problem was related to instantiating the org.apache.xml.security.Init object with createObject(). There’s a known issue in the way that CF handles Init().

I simply changed:

var Init = CreateObject(”Java”, “org.apache.xml.security.Init”).Init()

to

var Init = CreateObject(”Java”, “org.apache.xml.security.Init”).Init().init()

and the problem was solved.

Thanks again for you work on this. It was a lifesaver.

]]> By: Jon Clausen http://blog.tagworldwide.com/?p=19#comment-344 Jon Clausen Thu, 22 May 2008 04:26:38 +0000 http://blog.tagworldwide.com/?p=19#comment-344 David, Great post. Your walkthrough and Phil Duba's SAML and Coldfusion series have been lifesavers in trying to implement an SSO. Not to make you debug my code or anything, but I've tried both Phil's and your method and in both cases seem to be throwing an instantiation error when attempting to pass the samlAssertionDocument into the constructor of the XMLSignatureClass. Looking at the javadocs, the constructor for the XMLSignature class seems to be getting the correct types passed in but throws "The class must not be an interface or an abstract class" Any thoughts or lessons learned in your work on this which might provide me a clue? Thanks. David,

Great post. Your walkthrough and Phil Duba’s SAML and Coldfusion series have been lifesavers in trying to implement an SSO. Not to make you debug my code or anything, but I’ve tried both Phil’s and your method and in both cases seem to be throwing an instantiation error when attempting to pass the samlAssertionDocument into the constructor of the XMLSignatureClass.

Looking at the javadocs, the constructor for the XMLSignature class seems to be getting the correct types passed in but throws “The class must not be an interface or an abstract class”

Any thoughts or lessons learned in your work on this which might provide me a clue?

Thanks.

]]>