The problem *might* be because what the Build SAML Protocol Request assertion generates is wrapped in SOAP. This is a holdover from the early days when everything was SOAP from the Layer 7 perspective. You can generate the signature as part of the Build SAML Protocol Request, use XPath to extract the AuthnRequest (which envelopes the signature so it should not break it), then just GZIP, Base64 and URL encode it. Import the attached policy into a test endpoint to see what I mean. Hopefully the GZIP algorithm is the correct DEFLATE needed.
Cheers!
JayMac
------------------------------
Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
------------------------------
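For anyone checking what their gateway policy actually emits, here is the byte-level encoding the HTTP-Redirect binding requires, written as an added Python example (not Jay's attached policy and not Layer 7 code): raw DEFLATE rather than GZIP, then Base64, then URL-encoding, with the SigAlg/Signature parameters laid out in the order the binding fixes for the signed string. The IdP URL, the sample AuthnRequest and the `signer` hook standing in for the gateway's private key are constructed assumptions.

```python
import base64
import gzip
import zlib
from urllib.parse import parse_qs, quote, urlparse
# Constructed sample: a minimal AuthnRequest already extracted from the SOAP envelope.
SAMPLE_AUTHN_REQUEST = (
    '<samlp2:AuthnRequest xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id" '
    'Version="2.0" IssueInstant="2020-08-25T14:46:09Z">'
    '<saml2:Issuer>https://sp.example.test</saml2:Issuer></samlp2:AuthnRequest>'
)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (wbits=-15: no zlib or gzip header), then Base64: the SAMLRequest value."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")

def inflate_b64(value: str) -> str:
    """Reverse of deflate_b64: what the IdP (or a SAML decoder tool) does on receipt."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def is_raw_deflate_not_gzip(xml: str) -> bool:
    """GZIP wraps the same DEFLATE stream in a header (magic 1f 8b) and CRC trailer that a
    SAML receiver does not expect; the raw DEFLATE stream carries no such header."""
    raw = base64.b64decode(deflate_b64(xml))
    return not raw.startswith(b"\x1f\x8b") and gzip.compress(xml.encode("utf-8")).startswith(b"\x1f\x8b")

def query_string(saml_request_b64, relay_state=None, sig_alg=None) -> str:
    """Parameters in the order the HTTP-Redirect binding fixes for the signed string:
    SAMLRequest, then RelayState (if any), then SigAlg, each value URL-encoded."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    if sig_alg is not None:
        parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)

def build_redirect_url(idp_sso_url, xml, signer=None, relay_state=None, sig_alg=RSA_SHA256):
    """signer is a hypothetical hook, callable(bytes) -> raw signature bytes, standing in for
    the gateway's private key (RSA-SHA256 over the query string). None gives an unsigned URL."""
    query = query_string(deflate_b64(xml), relay_state, sig_alg if signer else None)
    if signer is not None:
        sig_b64 = base64.b64encode(signer(query.encode("ascii"))).decode("ascii")
        query += "&Signature=" + quote(sig_b64, safe="")
    return f"{idp_sso_url}?{query}"

def decode_redirect_url(url: str) -> str:
    """Receiving side: pull SAMLRequest out of the query string and inflate it back to XML."""
    return inflate_b64(parse_qs(urlparse(url).query)["SAMLRequest"][0])
```

Run decode_redirect_url against the URL your policy produces: if inflate fails with a header error, the policy is emitting GZIP (or zlib-wrapped) data instead of a raw DEFLATE stream.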
Original Message:
Sent: 08-28-2020 07:28 AM
From: Oleksij Donets
Subject: How to convert the XML Saml Request into a deflated, encoded SAML Request URL Parameter?
We generated the XML SAML Request using the assertion "Build SAML Protocol Request", and this XML resulted.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header/>
  <soapenv:Body>
    <samlp2:AuthnRequest Destination="" ID="samlp2-e21c606283917c3433185e981d41aca7" IssueInstant="2020-08-25T16:46:09.000+02:00" Version="2.0" xmlns:ac="urn:oasis:names:tc:SAML:2.0:ac" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <saml2:Issuer>https://OurSPUrl.com</saml2:Issuer>
      <saml2:Subject>
        <saml2:NameID xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml2:SubjectConfirmationData NotBefore="2020-08-25T16:46:08.000+02:00" NotOnOrAfter="2020-08-25T17:46:09.000+02:00" Recipient="https://OurSPUrl.com/samlConsumer"/>
        </saml2:SubjectConfirmation>
      </saml2:Subject>
    </samlp2:AuthnRequest>
  </soapenv:Body>
</soapenv:Envelope>
Now we have a question: how is this XML converted into a deflated and encoded SAML Request URL parameter (&SAMLRequest=), and how is the Signature generated, so that we can construct the following URL:
https://oneIdp.com/samlsso?SAMLRequest=nZNNj9MwEIb/ijX3f...2z2Bw==
&Signature=FVwART...EuaMZzI=
According to the SAML protocol (e.g. https://developer.pingidentity.com/en/tools-for-devs/saml-decoder.html) the SAML Request has to be:
Step 1: Encode UTF-16 to UTF-8, Step 2: Deflate, Step 3: Base64 encode, Step 4: URI encode. We tried different options, but unfortunately it didn't work. Which assertion can be used to deflate and to sign it?
regards,
Oleks
------------------------------
--
Oleksij Donets
APIIDA AG
------------------------------