Wednesday, October 28, 2015

SAML Chrome Extension Published!

I have been working with SAML for a while now, and I have always used Firefox for debugging instead of my favorite browser, Chrome. Why, you ask? Because there is a plugin for Firefox called SAML tracer that is excellent for viewing the SAML messages passing through the browser. There has been no such plugin for Chrome.

Finally I have decided to take things into my own hands and build one.

And now it's done! SAML DevTools extension

Feature summary

  • The extension adds a panel to the Developer Tools
  • Shows all network requests for the current window
  • SAML requests are highlighted in green for usability
  • Can filter out SAML requests
  • Shows request and response details
  • Displays syntax highlighted SAML message
  • Custom syntax highlighting for SAML to allow for easier reading

Wednesday, July 15, 2015

Adding KeyInfo to a SAML message

When a message is signed with a private key, the receiving end will need to verify the message using the corresponding public key/certificate. But in order to do this, the receiving end must have the certificate.

The certificate is transported in encoded form in a KeyInfo element. Below is an example.


There are many ways to give the receiving end the certificate. Two common methods are via SAML metadata and inline in the message itself.

When using the metadata method, the KeyInfo element is embedded in the metadata inside the KeyDescriptor element. When attaching KeyInfo to the SAML message, the element is embedded in the Signature element.

To create a KeyInfo object and add it to a SAML message signature, make this call to SecurityHelper before generating the signature:

// Fills in KeyInfo (from the default generator) plus the signature and
// canonicalization algorithms on the Signature object before it is signed.
SecurityHelper.prepareSignatureParams(signature, IDPCredentials.getCredential(),
        Configuration.getGlobalSecurityConfiguration(), null);

This helper method not only adds the KeyInfo but also sets the

  • signature algorithm URI
  • canonicalization algorithm URI
  • and HMAC output length (if applicable and a value is configured)

Customising the KeyInfo

The statement above uses only the default configuration for generating KeyInfo. To customise the KeyInfo, create your own instance of a KeyInfoGeneratorFactory, register it under a name, and refer to that name in the statement.
The example below shows how to use an X509KeyInfoGeneratorFactory to create a KeyInfo with properties taken from the X.509 certificate used as the credential.

X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
x509Factory.setEmitEntityCertificate(true); // emit <ds:X509Certificate>; off by default

// Register the factory under a name in the global KeyInfo generator manager
Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager()
        .registerFactory("x509emitingKeyInfoGenerator", x509Factory);

// Refer to that name when preparing the signature (null = use the global security configuration)
SecurityHelper.prepareSignatureParams(signature, SPCredentials.getCredential(), null,
        "x509emitingKeyInfoGenerator");
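As an added example (not code from the original post or its sample project), here is the whole signing flow around that call in OpenSAML 2.x: register the X.509 generator, prepare the signature parameters, marshal the assertion and compute the signature, so the resulting ds:Signature carries the signing certificate in its KeyInfo. It assumes DefaultBootstrap.bootstrap() has already run and that the certificate and private key have been loaded from the SP keystore elsewhere; the class name AssertionSigner is hypothetical.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;

// Added example (hypothetical class); assumes DefaultBootstrap.bootstrap() has run.
public class AssertionSigner {
    private static final String KEYINFO_GEN_NAME = "x509emitingKeyInfoGenerator";

    /** Register a named KeyInfo generator that emits the whole X.509 certificate. */
    public static void registerX509KeyInfoGenerator() {
        X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
        x509Factory.setEmitEntityCertificate(true); // <ds:X509Certificate>
        Configuration.getGlobalSecurityConfiguration()
                .getKeyInfoGeneratorManager()
                .registerFactory(KEYINFO_GEN_NAME, x509Factory);
    }

    /** Signs the assertion in place; the returned Signature carries the KeyInfo. */
    public static Signature sign(Assertion assertion, X509Certificate cert, PrivateKey privateKey)
            throws SecurityException, MarshallingException, SignatureException {
        Credential cred = SecurityHelper.getSimpleCredential(cert, privateKey);
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(cred);
        // KeyInfo, signature algorithm and C14N algorithm come from the global
        // security configuration (null) and the named generator registered above.
        SecurityHelper.prepareSignatureParams(signature, cred, null, KEYINFO_GEN_NAME);
        assertion.setSignature(signature);
        // The DOM must exist before signing: marshal first, then compute the signature.
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion);
        marshaller.marshall(assertion);
        Signer.signObject(signature);
        return signature;
    }
}
```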

Thursday, July 2, 2015

What is a SAML Assertion?

If you are just starting out trying to understand SAML, you will come across the term SAML Assertion quite quickly. In this post, or tutorial, I will try to explain what a SAML Assertion is and give you some examples of how one can look. This post mainly looks at the SAML Assertion from the perspective of the SAML Web Browser Profile. If you don't know what that is, have a look at my post about exactly that.

What is a SAML Assertion?

The SAML Assertion is the main piece in the SAML puzzle. It is the object that the rest of SAML is built to safely create, transport and use.

A SAML Assertion is basically a package of security information about an entity (e.g. a user), issued by the Identity Provider (IdP) to the Service Provider (SP). When the user has authenticated with the IdP, a SAML Assertion is sent to the SP carrying the IdP's information about that user.

What does a SAML Assertion contain?

The SAML Assertion contains some general information, such as who issued it, when it was issued and the validity period of the assertion. The assertion also contains statements about a user. These come in three types.


The authentication statement contains, not surprisingly, information about the authentication of the user: mainly when and by what means the user was authenticated.



The attribute statement can contain application-specific attributes connected to the user, for example address, telephone number or social security number.



The authorization statement contains information about the user's access rights to different resources. This statement can be used for basic authorization. For more advanced authorization cases, I recommend taking a look at the XACML standard.


What does a SAML Assertion look like?

Here is an example of what a whole assertion can look like.



If you have any questions please drop a comment in on this post and I will answer it as soon as possible.

Further reading

In my book, A Guide to OpenSAML, I describe the SAML Assertion and the rest of SAML in detail.

A Guide to OpenSAML

Tuesday, September 9, 2014

OpenSAML book release!

After many late nights and tedious editing, I have finished my book on OpenSAML, based on my experiences working with the OpenSAML library. A Guide to OpenSAML is a short book that introduces SAML, the SAML Web Browser Profile and the use of OpenSAML.

The book has three parts, the first of which introduces SAML, the SAML Web Browser Profile and OpenSAML. The next part explains the Web Browser Profile in more detail and shows an example of how to implement it using OpenSAML. The last part explains and shows examples of how to use some of the security functions in OpenSAML, such as signatures and encryption.

The SAML Web Browser Profile is flexible and can be used in many different ways. The book shows the SAML Web Browser Profile with the following configurations:

  • SP initiated Single Sign-On
  • Authentication request using HTTP Redirect Binding
  • Assertion transported using HTTP Artifact Binding
  • SAML Artifact transported using HTTP Redirect Binding
  • Artifact resolution using SOAP Binding

The book explains the interaction from the Service Provider’s point of view. The implementation of the Identity Provider is not covered in this book.

The package contains the book in PDF format, three different e-reader formats (EPUB, MOBI, AZW3) and a sample project showing OpenSAML in action.

Wednesday, May 14, 2014

Exception: "Apache xmlsec IdResolver could not resolve the Element for id reference" while decrypting

org.opensaml.xml.validation.ValidationException: Apache xmlsec IdResolver could not resolve the Element for id reference:

This is an example of a common exception that can be thrown when verifying a signature after decrypting an object.

To avoid this, it is often enough to configure your Decryptor with the following setting before decrypting.


Monday, May 5, 2014

Nullpointer exception in OpenSAML

This is a common exception for beginners using OpenSAML. A common mistake when starting to use the OpenSAML library is not initialising the library.
OpenSAML needs a couple of configuration files in order to work. The library ships with a default set of these files that is sufficient for most uses. Before using the library, the configuration must be loaded. This is done using the bootstrap function.

try {
    // Loads the default OpenSAML configuration (builders, marshallers, security config)
    DefaultBootstrap.bootstrap();
} catch (ConfigurationException e) {
    throw new RuntimeException("Bootstrapping failed", e);
}

If you do not do this before you start using the library, you might run into exceptions like:

Exception in thread "main" java.lang.NullPointerException
 at no.steras.opensaml.Main.main(
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(
 at java.lang.reflect.Method.invoke(
 at com.intellij.rt.execution.application.AppMain.main(

Monday, November 12, 2012

Verifying signatures with OpenSAML

As the post about signing SAML messages discussed, it is very important to properly sign and verify messages in a SAML federation.

When verifying the signature of a message, it is recommended to first validate the message with a SAML profile validator. This is to ensure that the signature follows the SAML profile of the XML Signature standard. Afterwards, the cryptographic validation of the signature is done by a SignatureValidator.

PS. This validation only performs a cryptographic validation of the signature. This means that it validates that the message has not been changed since it was signed. It does not, however, check that the certificate used for signing is trusted. To confirm the trust of the certificate in OpenSAML, a trust engine must be used in the validation.

The most common method to confirm the trust of a key is to compare it to the key received in SAML Metadata. This is generally done as a configuration step when setting up a SAML federation. This post gives more information on SAML Metadata.

Here is a full example of the cryptographic validation.

// Step 1: check that the ds:Signature conforms to the SAML signature profile
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(signature);

// Step 2: cryptographic check against the credential holding the signer's public key
SignatureValidator sigValidator = new SignatureValidator(cred);
sigValidator.validate(signature);

SignatureValidator is instantiated with a credential. In this case the credential basically contains the public key matching the private key that was used to sign the message.
The credential object can be obtained in a number of different ways. This post shows some methods in OpenSAML.
If the public key was sent in the message, it is very important to validate that you trust the key.
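As an added example (not code from the original post), here is how the trust check described in the PS above can be done in OpenSAML 2.x: an ExplicitKeySignatureTrustEngine resolves the candidate keys from the IdP's metadata, so a key merely embedded in the message's KeyInfo is never trusted on its own. It assumes DefaultBootstrap.bootstrap() has run; the metadata file, the IdP entityID and the class name TrustedSignatureVerifier are hypothetical.

```java
import java.io.File;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

// Added example (hypothetical class): trust is anchored in the IdP metadata file,
// not in any KeyInfo carried by the message. Assumes DefaultBootstrap has run.
public class TrustedSignatureVerifier {
    private final ExplicitKeySignatureTrustEngine trustEngine;

    public TrustedSignatureVerifier(File idpMetadata) throws MetadataProviderException {
        FilesystemMetadataProvider mdProvider = new FilesystemMetadataProvider(idpMetadata);
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        mdProvider.setParserPool(pool);
        mdProvider.initialize();
        // Candidate trusted keys are the KeyDescriptors published in metadata.
        MetadataCredentialResolver mdResolver = new MetadataCredentialResolver(mdProvider);
        trustEngine = new ExplicitKeySignatureTrustEngine(
                mdResolver, SecurityHelper.buildBasicInlineKeyInfoResolver());
    }

    /** True only if the signature is profile-conformant, cryptographically valid
     *  and made with a signing key listed for this IdP in metadata. */
    public boolean verify(Signature signature, String idpEntityId)
            throws ValidationException, SecurityException {
        new SAMLSignatureProfileValidator().validate(signature); // SAML signature profile check
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(idpEntityId));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
                SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return trustEngine.validate(signature, criteria); // crypto check plus trust check
    }
}
```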

Further reading

My book, A Guide to OpenSAML, explains in detail how to use the security features of SAML.

A Guide to OpenSAML

This is not a book specifically on OpenSAML, but I do recommend it as it does have some chapters on how XML signatures work. This is the same standard as the one used by SAML and OpenSAML.

This is a very good book for those who want to get an introduction to cryptography. It helped me a lot in understanding public key cryptography.