Layer7 API Management

  • 1.  How to convert the XML Saml Request into a deflated, encoded SAML Request URL Parameter?

    Posted Aug 28, 2020 07:28 AM
    We generated the XML SAML Request using the assertion "Build SAML Protocol Request", and this XML resulted.

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Header/>
      <soapenv:Body>
        <samlp2:AuthnRequest Destination=""
                             ID="samlp2-e21c606283917c3433185e981d41aca7"
                             IssueInstant="2020-08-25T16:46:09.000+02:00"
                             Version="2.0"
                             xmlns:ac="urn:oasis:names:tc:SAML:2.0:ac"
                             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                             xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                             xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"
                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <saml2:Issuer>https://OurSPUrl.com</saml2:Issuer>
          <saml2:Subject>
            <saml2:NameID xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <saml2:SubjectConfirmationData NotBefore="2020-08-25T16:46:08.000+02:00"
                                             NotOnOrAfter="2020-08-25T17:46:09.000+02:00"
                                             Recipient="https://OurSPUrl.com/samlConsumer"/>
            </saml2:SubjectConfirmation>
          </saml2:Subject>
        </samlp2:AuthnRequest>
      </soapenv:Body>
    </soapenv:Envelope>


    Now we have a question: how is this XML converted into a deflated and encoded SAML Request URL parameter (&SAMLRequest=), and how is the Signature generated, so we can construct the following URL:

    https://oneIdp.com/samlsso?SAMLRequest=nZNNj9MwEIb/ijX3f...2z2Bw==
    &Signature=FVwART...EuaMZzI=

    According to the SAML protocol (e.g.: https://developer.pingidentity.com/en/tools-for-devs/saml-decoder.html), the SAML Request has to be:
    Step 1: Encode UTF-16 to UTF-8, Step 2: Deflate, Step 3: Base64 encode, Step 4: URI encode. We tried different options and unfortunately it didn't work. Which assertion can be used to deflate and to sign it?

    regards,
    Oleks



    ------------------------------
    --
    Oleksij Donets
    APIIDA AG
    ------------------------------


  • 2.  RE: How to convert the XML Saml Request into a deflated, encoded SAML Request URL Parameter?
    Best Answer

    Broadcom Employee
    Posted Sep 03, 2020 01:17 PM
    The problem *might* be because what the Build SAML Protocol Request assertion generates is wrapped in SOAP. This is a holdover from the early days when everything was SOAP from the Layer 7 perspective. You can generate the signature as part of the Build SAML Protocol Request, use XPath to extract the AuthnRequest (which envelops the signature so it should not break it), then just GZIP, Base64 and URL encode it. Import the attached policy into a test endpoint to see what I mean. Hopefully the GZIP algorithm is the correct DEFLATE needed.

    Cheers!

    JayMac

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------


  • 3.  RE: How to convert the XML Saml Request into a deflated, encoded SAML Request URL Parameter?

    Posted Sep 23, 2020 09:56 AM
    I have just read that "deflate" (based on zlib compression) is not supported by the Gateway. It would be great to know when it will be, though, since I just got another customer who would like to use accept-encoding=deflate, and it does not work.

    ------------------------------
    Maurizio Garzelli
    APIIDA
    APIIDA Chief Technology Advisor APIM
    maurizio.garzelli@apiida.com
    https://apiida.com
    ------------------------------
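
The encoding steps listed in the question, and the GZIP-versus-DEFLATE doubt raised in the answer, as an added example that is not part of the original posts and is not Layer7 policy code. The SAML HTTP-Redirect binding specifies raw DEFLATE (RFC 1951), so a gzip (RFC 1952) or zlib (RFC 1950) wrapper does not decode as one; the function names and the sample AuthnRequest are constructed for illustration, and signing is not shown.

```python
import base64
import zlib
from urllib.parse import quote, unquote

# Constructed sample: a bare AuthnRequest with the SOAP envelope already removed.
AUTHN_REQUEST = (
    '<samlp2:AuthnRequest xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="samlp2-example" Version="2.0" IssueInstant="2020-08-25T14:46:09Z">'
    '<saml2:Issuer>https://sp.example.com</saml2:Issuer>'
    '</samlp2:AuthnRequest>'
)

def raw_deflate(data: bytes) -> bytes:
    """RFC 1951 stream with no zlib or gzip header/trailer (wbits=-15)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()

def encode_saml_request(xml: str) -> str:
    """UTF-8 -> raw DEFLATE -> Base64 -> URL-encode ('+', '/', '=' escaped)."""
    return quote(base64.b64encode(raw_deflate(xml.encode("utf-8"))), safe="")

def decode_saml_request(param: str) -> str:
    """Reverse the steps as a receiver would, accepting only raw DEFLATE."""
    blob = base64.b64decode(unquote(param))
    return zlib.decompress(blob, -15).decode("utf-8")

def classify_compression(blob: bytes) -> str:
    """Identify the container of a compressed blob when debugging a rejected request."""
    try:
        zlib.decompress(blob, -15)      # headerless stream inflates cleanly
        return "raw-deflate"
    except zlib.error:
        pass
    if blob[:2] == b"\x1f\x8b":         # RFC 1952 magic bytes
        return "gzip"
    if len(blob) >= 2 and blob[0] & 0x0F == 8 and int.from_bytes(blob[:2], "big") % 31 == 0:
        return "zlib"                   # RFC 1950 CMF/FLG header check
    return "unknown"

if __name__ == "__main__":
    param = encode_saml_request(AUTHN_REQUEST)
    print("SAMLRequest=" + param)
    print(decode_saml_request(param) == AUTHN_REQUEST)
```

Running `classify_compression` on the Base64-decoded value of a `SAMLRequest` parameter shows whether a gateway step produced gzip or zlib output instead of the raw stream.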