ElasticSearch SAML AuthNRequest with embedded signature

Hi guys,
is there a way to add the SAML signature inside the SAML AuthnRequest XML?
Here is my SAML token example:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://elk.example.com/elk/api/security/v1/saml"
                     Destination="https://IDP.example.com"
                     ID="_0754a7df1b6afe6c266305bca8514dc0b72c4f23"
                     IssueInstant="2019-06-03T11:57:45.994Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://elk.example.com/</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="false"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         />
</saml2p:AuthnRequest>

What I need in order to be trusted by the IdP is a SAML AuthnRequest like in the example below:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcwMDI5MjdaFw0xNTA3MTcwMDI5MjdaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7vU/6R/OBA6BKsZH4L2bIQ2cqBO7/aMfPjUPJPSn59d/f0aRqSC58YYrPuQODydUABiCknOn9yV0fEYm4bNvfjroTEd8bDlqo5oAXAUAI8XHPppJNz7pxbhZW0u35q45PJzGM9nCv9bglDQYJLby1ZUdHsSiDIpMbGgf/ZrxqawIDAQABo1AwTjAdBgNVHQ4EFgQU3s2NEpYx7wH6bq7xJFKa46jBDf4wHwYDVR0jBBgwFoAU3s2NEpYx7wH6bq7xJFKa46jBDf4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQCPsNO2FG+zmk5miXEswAs30E14rBJpe/64FBpM1rPzOleexvMgZlr0/smF3P5TWb7H8Fy5kEiByxMjaQmml/nQx6qgVVzdhaTANpIE1ywEzVJlhdvw4hmRuEKYqTaFMLez0sRL79LUeDxPWw7Mj9FkpRYT+kAGiFomHop1nErV6Q==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Is there a way to embed this information in the SAML token?

Hi there

Yes, you can configure Elasticsearch to sign SAML authentication requests. Please read through our documentation, and in particular the "Configuring Elasticsearch for signing" section, which has the details you need.

Hi,
Thank you for the answer.
Indeed, I read that documentation.
But if there is only signing, the XML does NOT contain the embedded part.
If encryption is added, the XML contains the embedded part.

Thank you,
Victor

Hi,
So this is what I tested:

  1. Without signing
GET
SAMLRequest: fZLLbtswEEV/heBeJPWMSlgO3BhBDaStEStZZFPQ1DghKpEqh1KTv4/iF9xFs525vHfmDGfXr11LRvBonK1ozAQlYLVrjH2u6EN9G5X0ej5D1bVJLxdDeLH38GcADGR6aFEeOh0RSMyIbK0LJtsu80Kkad5s8u1LlRTKLHVkxxxgJXFoGyoaCLiL5EoIpHWcSbjWOYluyrzJ0rWx6Wp1P/2OyXi3XrjX6jSza1v298aACVHSnWgRKbp3vVPj/NDGL9xXTRLu9VA4We9BmZ6ChfH7M/feTzd8B

SAML Token:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://elk.example.com/elk/api/security/v1/saml"
                     Destination="https://idp.example.com/login"
                     ID="_65e266d6d04004388d4bb460535df5cc6ad6a0bc"
                     IssueInstant="2019-06-03T14:11:58.785Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://elk.example.com3/elk/</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="false"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         />
</saml2p:AuthnRequest>
  2. With signing
    Parameters:
GET
SAMLRequest: fZLLbtswEEV/heBeJPWMSlgO3BhBDaStEStZZFPQ1DghKpEqh1KTv4/iF9xFs525vHfmDGfXr11LRvBonK1ozAQlYLVrjH2u6EN9G5X0ej5D1bVJLxdDeLH38GcADGR6aFEeOhp1P/2OyXi3XrjX6jSza1v298aACVHSnWgRKbp3vVPj/NDGL9xXTRLu9VA4We9BmZ6ChfH7M/feTzd8B
SigAlg: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Signature: scfBb0MSpgOd4ftZiqMdPrXAXqz7Ka55Bx1X5oQ8cbAO0vjlZ/hMyHLnM6ioi7e+2VBJf0bVgCuhLycXq/qP8r16jEtse9feY4z9nZbJx0QvHIQR/Y99jfgeQ==

SAML Token is the same:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://elk.example.com/elk/api/security/v1/saml"
                     Destination="https://idp.example.com/login"
                     ID="_65e266d6d04004388d4bb460535df5cc6ad6a0bc"
                     IssueInstant="2019-06-03T14:11:58.785Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://elk.example.com3/elk/</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="false"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         />
</saml2p:AuthnRequest>

  3. Expected SAML token with enabled signature:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcwMDI5MjdaFw0xNTA3MTcwMDI5MjdaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7vU/6R/OBA6BKsZH4L2bIQ2cqBO7/aMfPjUPJPSn59d/f0aRqSC58YYrPuQODydUABiCknOn9yV0fEYm4bNvfjroTEd8bDlqo5oAXAUAI8XHPppJNz7pxbhZW0u35q45PJzGM9nCv9bglDQYJLby1ZUdHsSiDIpMbGgf/ZrxqawIDAQABo1AwTjAdBgNVHQ4EFgQU3s2NEpYx7wH6bq7xJFKa46jBDf4wHwYDVR0jBBgwFoAU3s2NEpYx7wH6bq7xJFKa46jBDf4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQCPsNO2FG+zmk5miXEswAs30E14rBJpe/64FBpM1rPzOleexvMgZlr0/smF3P5TWb7H8Fy5kEiByxMjaQmml/nQx6qgVVzdhaTANpIE1ywEzVJlhdvw4hmRuEKYqTaFMLez0sRL79LUeDxPWw7Mj9FkpRYT+kAGiFomHop1nErV6Q==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

So, has someone tested this?
What if the IdP searches for an embedded SAML request with a signature?
I have enabled TRACE logging, but there is no additional info.
Thank you for the help.

We support the HTTP-Redirect Binding for Authentication Requests. The HTTP-Redirect binding dictates how the signatures are generated and passed to the Identity Provider as request parameters, in the way you see in item 2 of your example. You can read the relevant SAML Specification for more details.

What you have shared as "3. Expected SAML token with enabled signature:" is an example of an Authentication Request using the HTTP-POST Binding, which would contain an embedded signature, but we do not support the HTTP-POST Binding for authentication requests.

All available interoperability profiles I'm aware of recommend the use of the HTTP-Redirect binding. As such, I would be very surprised if your IdP does not support it. If it only supports the HTTP-POST binding for authentication requests, then it won't be able to work with the Elastic Stack in general, not only because it won't be able to find an embedded signature in the authentication request.
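To make the difference between the two bindings concrete, here is an added example (not code from Elasticsearch or from anyone in this thread) of what the HTTP-Redirect binding signature looks like on both sides of the exchange. The SP side DEFLATEs and base64-encodes the AuthnRequest, builds the query string `SAMLRequest=...&RelayState=...&SigAlg=...` in that fixed order, signs those URL-encoded octets with RSA-SHA256 (the `SigAlg` value from item 2 above) and appends `Signature`. The IdP side rebuilds the signed octets from the raw parameter values exactly as received, checks that `SigAlg` is one it allows, verifies the signature, and only then inflates the request. The AuthnRequest XML, request ID and RSA key are all constructed or generated for this example; note that the decoded XML contains no `ds:Signature` element, which is exactly what the thread observes.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// SigAlgRSASHA256 is the SigAlg identifier shown in the signed request in this thread.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample in the shape Elasticsearch emits (ID is a placeholder, no ds:Signature inside).
const sampleAuthnRequest = `<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://elk.example.com/elk/api/security/v1/saml" Destination="https://idp.example.com/login" ID="_example-request-id" IssueInstant="2019-06-03T14:11:58.785Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://elk.example.com/elk/</saml2:Issuer><saml2p:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></saml2p:AuthnRequest>`

// EncodeSAMLRequest applies the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
func EncodeSAMLRequest(xml string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// DecodeSAMLRequest reverses EncodeSAMLRequest; the inflated size is capped to 1 MiB.
func DecodeSAMLRequest(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, 1<<20))
	return string(out), err
}

// signedPortion is the exact octet string that gets signed: the URL-encoded
// SAMLRequest, the optional RelayState and the SigAlg parameters, in that order.
func signedPortion(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlg)
}

// BuildSignedRedirectQuery produces the query string the SP redirects the browser with.
func BuildSignedRedirectQuery(xml, relayState string, key *rsa.PrivateKey) (string, error) {
	encoded, err := EncodeSAMLRequest(xml)
	if err != nil {
		return "", err
	}
	toSign := signedPortion(encoded, relayState, SigAlgRSASHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams keeps the still-URL-encoded parameter values so the IdP can
// reconstruct the signed octets exactly as they were sent, not as re-encoded.
func rawParams(query string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if i := strings.IndexByte(kv, '='); i > 0 {
			out[kv[:i]] = kv[i+1:]
		}
	}
	return out
}

// VerifyRedirectQuery is the IdP-side check; it returns the AuthnRequest XML only
// if the detached signature over the raw query parameters verifies.
func VerifyRedirectQuery(query string, pub *rsa.PublicKey) (string, error) {
	p := rawParams(query)
	if p["SAMLRequest"] == "" || p["SigAlg"] == "" || p["Signature"] == "" {
		return "", errors.New("missing SAMLRequest, SigAlg or Signature")
	}
	if alg, err := url.QueryUnescape(p["SigAlg"]); err != nil || alg != SigAlgRSASHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", p["SigAlg"]) // allowlist, never trust the sender's choice
	}
	toVerify := "SAMLRequest=" + p["SAMLRequest"]
	if rs, ok := p["RelayState"]; ok {
		toVerify += "&RelayState=" + rs
	}
	toVerify += "&SigAlg=" + p["SigAlg"]
	sigB64, err := url.QueryUnescape(p["Signature"])
	if err != nil {
		return "", err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(toVerify))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	encoded, err := url.QueryUnescape(p["SAMLRequest"])
	if err != nil {
		return "", err
	}
	return DecodeSAMLRequest(encoded)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // generated for the example
	if err != nil {
		panic(err)
	}
	q, err := BuildSignedRedirectQuery(sampleAuthnRequest, "", key)
	if err != nil {
		panic(err)
	}
	xml, err := VerifyRedirectQuery(q, &key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("embedded ds:Signature present:", strings.Contains(xml, "<ds:Signature"))
}
```

The verification side is where an IdP implementation most often goes wrong: it must sign-check the raw, as-received encoding of the three parameters (a re-encoded value can differ in case or in `+` versus `%20` and break a valid signature), it must refuse any `SigAlg` outside its allowlist rather than dispatching on whatever the sender supplied, and it must check the signature before inflating the request, with the inflated size capped. The decoded XML has no `ds:Signature` child because, under this binding, the signature is a separate query parameter rather than part of the document.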

Thank you for the very detailed explanation.
I will check.
What I can tell you is that without signature enabled, the IdP is working.
Thank you,

One more thing,
I can see that my IdP supports SAML1 HTTP/POST and SAML2 Web Browser SSO.
Is it the case that for the second type, it should still be able to sign the SAML token? Or is the Redirect binding still used?
Thank you,
Victor

SAML2 Web Browser SSO is a SAML SSO profile. The HTTP-Redirect and HTTP-POST are bindings.

Please clarify your question as I'm not really sure what you mean.

Hi,
So in fact, in SAML 2.0 they also use the same POST binding.
This answers my question.
Thank you,
Victor
