Forums

Hi,

I'm new to ComponentSpace and the mostly to Saml.  I've evaluating the component for use to support a client who has very specific security requirements.  They want us to certify that our SSO solution for them conforms to these standards:

We "process" the following attributes of the Saml assertion:  
InResponseTo (to ensure the Response was intended for them and is still fresh)
Destination (to ensure the Response was intended for them)
SubjectConfirmationData (to ensure the Assertions was intended for them)
NotOnOrAfter (to ensure the Assertion is still fresh)
AudienceRestrictions (to ensure the assertion was intended for them)
AuthnContext (to ensure class of Authentication)

In practical terms, I'm not sure what some of these would mean.  I think (but can't really find documentation for) that the ReceiveSSO in the high-level API likely does all or most of this automatically.  There is also this SAMLValidator class in the component which seems like it might have facilities for some of these as well, but again, no documentation that I've been able to find.  If I need to do any manual "processing" of these tags, I'm not sure how to get access to internals of the Saml assertion at the time of the ReceiveSSO call, and I'm wondering if that means I need to switch to the low-level API instead.  

Any help or guidance would be much appreciated.

The SAMLServiceProvider.ReceiveSSO will perform all the checks listed apart from the AuthnContext. However, that is something we can add.
The SAMLValidator class is used to validate the SAML message against the SAML XML schema. It doesn't perform the checks you've listed.
Please email [email protected] to discuss adding support for checking the AuthnContext. This is something we could add to the next release but provide you a pre-release for your testing.

Regards
ComponentSpace Development

Thanks for the reply.  Is there any way to access this AuthnContext object through a manual code-check?  It is unclear from the original security requirement what the appropriate type, so I guess the solution would be to just expose that, maybe as an additional OUT parameter on the ReceiveSSO method, something like that?  I will email support.

Thanks for your help.

Also, is there documentation that details the validations that are taking place in that high-level api call?  Even in the low-level api sample code I didn't find any references to this.  While I'm very impressed with the component and all that it does to make a complicated subject much more manageable, it does seem to be doing quite a bit of magic, without the supporting documentation to demystify the process.

Thanks again.

I agree this could be better documented. I'll see this is added to out list of improvements. Thanks for the suggestion.

Regards
ComponentSpace Development

in which version "ReceiveSSO will perform all the checks listed apart" was added?
i can see, that it doesn't happen in v 2.6.0.13. As Additional info. Signing/decoding was turned off for these tests.
But my goal was to check:
1. InResponseTo
2. Audience Element and Recipient Attribute
3. Issuer

And ReceiveSSO method let assertion be parsed and proceed. Even if parameters above were wrong.

The ReceiveSSO method is part of the SAML high-level API which was introduced in v2.5.0.

There have been various updates where we've tightened up some of the checks we make. However, the checks you're referring to are included in the product version you have.

Please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Also include your saml.config with any passwords removed.

Thanks.

Regards
ComponentSpace Development