Topher

Reputation: 11

How can I decrypt SAML with PHP?

I have an application that I'm trying to integrate with Federated Security -- specifically, Siteminder. I'm using the PHP-SAML toolkit found here: https://github.com/onelogin/php-saml

I have the x509 cert included in the application, and all works well, until encryption is turned on in the Siteminder environment. Once that was turned on, I was no longer able to log in -- I received this message: Invalid SAML response: Cannot locate Signature Node

I've been able to determine that the SAML assertion being sent to the application, from Siteminder, is encrypted. I'm able to see the assertion (sample included below). Unfortunately, I can't figure out how to decrypt that message so that I can then parse and use it in my application.

<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
      Destination="{VALUE HERE}"
      ID="_076e8f69ec4adb3b72f0cc76570527222e37"
      IssueInstant="2013-01-15T18:18:48Z"
      Version="2.0"
      >
<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
            >{VALUE HERE}</ns1:Issuer>
<Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</Status>
<ns2:EncryptedAssertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Type="http://www.w3.org/2001/04/xmlenc#Element"
                        >
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                <xenc:CipherData>
                    <xenc:CipherValue>{VALUE HERE}</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedKey>
            <ds:X509Data>
                <ds:X509Certificate>
{CERTIFICATE HERE}
</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <xenc:CipherData>
            <xenc:CipherValue>{VALUE HERE}</xenc:CipherValue>
        </xenc:CipherData>
    </xenc:EncryptedData>
</ns2:EncryptedAssertion>
</Response>

If anyone can help, that would be amazing.

Upvotes: 1

Views: 6231

Answers (3)

Milos Tomic

Reputation: 361

I would suggest using the lightsaml/lightsaml library. In its cookbook there's an entry on decrypting a SAML Assertion: http://www.lightsaml.com/LightSAML-Core/Cookbook/How-to-decrypt-Assertion/

It's done by deserializing XML into a Response data model object, loading your key pair credential, and calling a decrypt method on the EncryptedAssertion which returns the plain Assertion.

Upvotes: 1

smartin

Reputation: 3037

To decrypt a SAML message you can extract some code from the simplesamlphp libraries.

The function _decryptElement of lib/SAML2/Utils.php decrypts a message element.

The header of the function:

function _decryptElement(DOMElement $encryptedData, XMLSecurityKey $inputKey, array &$blacklist)

(Use an empty array for the $blacklist)

Check at:

http://code.google.com/p/simplesamlphp/source/browse/trunk/lib/SAML2/Utils.php#356

To build the DOMElement you can use these functions from lib/SimpleSAML/Utilities.php:

formatXMLString and formatDOMElement

http://code.google.com/p/simplesamlphp/source/browse/trunk/lib/SimpleSAML/Utilities.php#1577

Upvotes: 1

rbrayb

Reputation: 46700

I suspect this is an issue with the Onelogin PHP code - a similar issue has been logged and there is an identical one for the Ruby implementation.

Update:

If you are trying to get around this, you need to decrypt this with your certificate i.e. the one that's in the sp.xml metadata that you sent to the IP.

Never used Onelogin but there would be examples in the SimpleSAMLphp code.

Upvotes: 0
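The following is an added worked example, not code from the question, from any of the answers, or from php-saml, SimpleSAMLphp or LightSAML. It decrypts the Response structure shown in the question directly with PHP's openssl and DOM extensions, so the steps the answers describe (load the SP's key pair, unwrap the session key, decrypt the EncryptedAssertion) are visible rather than hidden inside a library call. It goes slightly beyond the sample: besides rsa-1_5 and aes256-cbc it also accepts rsa-oaep-mgf1p and aes128-cbc, and it finds the EncryptedKey whether it sits inside ds:KeyInfo (as in the question) or as a sibling of EncryptedData. Assumptions: PHP 8 with the openssl and dom extensions; `$privateKeyPem` is the SP's own RSA private key, the one matching the certificate in the sp.xml metadata rbrayb mentions; the function names and the file names `response.xml` and `sp-key.pem` are placeholders of mine.

```php
<?php
// Added example (not from the question, the answers, or any SAML toolkit). Assumes PHP 8 and that
// $privateKeyPem is the SP private key matching the certificate in the SP metadata sent to the IdP.
declare(strict_types=1);

const XENC = 'http://www.w3.org/2001/04/xmlenc#';
const SAML = 'urn:oasis:names:tc:SAML:2.0:assertion';

/** Decrypt the EncryptedAssertion in a SAML 2.0 Response and return the plaintext <Assertion>
 *  XML. Handles EncryptedKey inside ds:KeyInfo (as in the question) or beside EncryptedData.
 *  The caller must still verify the Assertion's own signature before trusting it. */
function decryptEncryptedAssertion(string $responseXml, string $privateKeyPem): string
{
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches; a DOCTYPE is rejected outright (no XXE surface).
    if (!$doc->loadXML($responseXml, LIBXML_NONET) || $doc->doctype !== null) {
        throw new RuntimeException('Malformed Response or DOCTYPE present');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('saml', SAML);
    $xp->registerNamespace('xenc', XENC);

    $encData = $xp->query('//saml:EncryptedAssertion/xenc:EncryptedData')->item(0);
    if ($encData === null) {
        throw new RuntimeException('No EncryptedAssertion in Response');
    }
    $encKey = $xp->query('.//xenc:EncryptedKey | ../xenc:EncryptedKey', $encData)->item(0);
    if ($encKey === null) {
        throw new RuntimeException('No EncryptedKey found');
    }

    // Step 1: unwrap the symmetric session key with the SP private key.
    $keyAlg = $xp->evaluate('string(./xenc:EncryptionMethod/@Algorithm)', $encKey);
    $padding = match ($keyAlg) {
        XENC . 'rsa-1_5'        => OPENSSL_PKCS1_PADDING,      // what the sample uses
        XENC . 'rsa-oaep-mgf1p' => OPENSSL_PKCS1_OAEP_PADDING, // preferable where the IdP offers it
        default => throw new RuntimeException("Unsupported key transport: $keyAlg"),
    };
    $wrapped    = decodeCipherValue($xp, $encKey);
    $privateKey = openssl_pkey_get_private($privateKeyPem);
    if ($privateKey === false) {
        throw new RuntimeException('Cannot load SP private key');
    }
    if (!openssl_private_decrypt($wrapped, $sessionKey, $privateKey, $padding)) {
        throw new RuntimeException('Key unwrap failed');
    }

    // Step 2: decrypt the assertion with the session key (AES-CBC in the sample).
    $dataAlg = $xp->evaluate('string(./xenc:EncryptionMethod/@Algorithm)', $encData);
    [$cipher, $keyLen] = match ($dataAlg) {
        XENC . 'aes128-cbc' => ['aes-128-cbc', 16],
        XENC . 'aes256-cbc' => ['aes-256-cbc', 32],
        default => throw new RuntimeException("Unsupported data cipher: $dataAlg"),
    };
    if (strlen($sessionKey) !== $keyLen) {
        throw new RuntimeException('Unwrapped key length does not match cipher');
    }
    $blob  = decodeCipherValue($xp, $encData);
    $ivLen = openssl_cipher_iv_length($cipher);
    // XML Encryption prepends the IV to the ciphertext (xmlenc-core section 5.2).
    if (strlen($blob) <= $ivLen || (strlen($blob) - $ivLen) % $ivLen !== 0) {
        throw new RuntimeException('Ciphertext length is not a whole number of blocks');
    }
    $iv = substr($blob, 0, $ivLen);
    $ct = substr($blob, $ivLen);
    // XML Encryption uses ISO 10126 padding (random bytes, last byte = pad length), not PKCS#7,
    // so decrypt with OPENSSL_ZERO_PADDING and strip the padding ourselves.
    $padded = openssl_decrypt($ct, $cipher, $sessionKey, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    if ($padded === false) {
        throw new RuntimeException('AES decryption failed');
    }
    $padLen = ord($padded[strlen($padded) - 1]);
    if ($padLen < 1 || $padLen > $ivLen) {
        throw new RuntimeException('Invalid padding');
    }
    $plain = substr($padded, 0, -$padLen);

    // Step 3: Type="...#Element" means the plaintext is a bare <Assertion>; check exactly that.
    $assertion = new DOMDocument();
    if (!$assertion->loadXML($plain, LIBXML_NONET) || $assertion->documentElement->localName !== 'Assertion'
        || $assertion->documentElement->namespaceURI !== SAML) {
        throw new RuntimeException('Decrypted content is not a SAML Assertion');
    }
    return $plain;
}

/** Base64-decode the xenc:CipherData/xenc:CipherValue directly under $node. */
function decodeCipherValue(DOMXPath $xp, DOMNode $node): string
{
    $b64 = $xp->evaluate('string(./xenc:CipherData/xenc:CipherValue)', $node);
    $raw = base64_decode(preg_replace('/\s+/', '', $b64), true);
    if ($raw === false || $raw === '') {
        throw new RuntimeException('Missing or malformed CipherValue');
    }
    return $raw;
}

// Usage (file names are placeholders):
// echo decryptEncryptedAssertion(file_get_contents('response.xml'), file_get_contents('sp-key.pem'));
```

The decrypted Assertion carries its own ds:Signature, which is the node the toolkit in the question reports it cannot locate because it travels inside the ciphertext; verify that signature, and the Conditions, Audience and InResponseTo values, before reading any attribute, since CBC ciphertext has no integrity protection of its own and can be altered without decryption failing. If the IdP can be configured for it, rsa-oaep-mgf1p is the better key transport than rsa-1_5, whose PKCS#1 v1.5 padding is the classic padding-oracle target; either way, surface every decryption failure to the client as the same generic error. One caveat for step 3: if the IdP's plaintext Assertion relies on namespace declarations inherited from the enclosing Response, the stand-alone re-parse fails; a toolkit that replaces the encrypted node in the original document handles that case for you.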
