
Our system supports SAML2 and acts as service provider. Our customer uses ADFS as identity provider. Metadata has been exchanged and the connection works. Unfortunately our system complains about the SAML responses:

```
org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
```

We confirmed that our customer has configured NameID as outgoing claim in their ADFS:

[Screenshot: Customer ADFS config]

To provide further assistance to our customer we want to look at the Assertion in the SAML response to take a look at the problem's cause. Unfortunately the application logs the SAML response containing the EncryptedAssertion and I am unable to decrypt it locally.

I was able to decrypt a SAML response from a development stack I ran locally via samltool.com but the page recommends not to upload production keys. I checked with IT and they told me to figure out how to decrypt the EncryptedAssertion using the private key via openssl or a custom Python script.

So far I tried openssl rsautl:

```
$ cat encrypted_assertion.txt
6MFicPXJ3ycJtj3grCsaY4zxk2eEXQ3s2eCXGDCtJMMKN4PcgCCihA/jljs2jbfo/bC+xegsU74u
-- snip --
gX+ZooI5tUSkJLrpiQ==

$ cat key.pem
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCoLiGwr/Y1vKPq
-- snip --
ldEZugZ5D51b1d63LkM9UvCyGLFrQA==
-----END PRIVATE KEY-----

$ cat encrypted_assertion.txt | base64 -d > encrypted_assertion.bin
$ openssl rsautl -decrypt -in encrypted_assertion.bin -out plaintext -inkey key.pem
RSA operation error
4499476076:error:04FFF06C:rsa routines:CRYPTO_internal:data greater than mod len:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/crypto/rsa/rsa_eay.c:503:
```

and openssl enc to no avail (the content of cdata.bin is binary):

```
$ dd if=encrypted_assertion.bin of=iv.bin bs=16 count=1
1+0 records in
1+0 records out
16 bytes transferred in 0.000436 secs (36692 bytes/sec)
$ ivhex=$(od -t x1 iv.bin | sed 's/^[0-9A-Fa-f]*//' | sed 's/ //g')
$ dd if=encrypted_assertion.bin of=edata.bin bs=16 skip=1
324+0 records in
324+0 records out
5184 bytes transferred in 0.002784 secs (1862219 bytes/sec)
$ openssl enc -aes-128-cbc -iv $ivhex -kfile key.pem -nosalt -in edata.bin -out cdata.bin
```

My efforts in Python were also unfruitful and led to

```
ValueError: Ciphertext length must be equal to key size.
```

I'm going to skip over my efforts in Python unless someone explicitly asks for them but instead hope for a solution using openssl. I know the key is correct because of the successful decryption using samltool.com. How do I decrypt the SAML assertion locally?

oschlueter
  • SAML uses XML and in particular the [standard for XML encryption](https://www.w3.org/TR/xmlenc-core1/). EncryptedAssertion should not be a simple value, but a complex structure with a good deal of metadata and _two_ values: the data encrypted by one of several symmetric algorithms and a nonce key (and IV), and either (1) the nonce key encrypted using one of several RSA schemes or (2) data to derive the nonce key from one of several DH(E-S) schemes and one of several key derivation methods. The correct answer, if it even exists, depends on all of these. ... – dave_thompson_085 Aug 18 '20 at 09:09
  • ... Compare to https://stackoverflow.com/questions/28452780/decrypting-saml-2-assertion-using-net-4-5-system-identitymodel-wif, https://stackoverflow.com/questions/9422545/decrypting-encrypted-assertion-using-saml-2-0-in-java-using-opensaml, https://stackoverflow.com/questions/48674646/how-to-decrypt-encryptedassertion-manually although those are Java and C# so not directly applicable. SOAP is also XML, but #34589 which you didn't actually follow anyway is one of The Bear's few errors, as per my comment and the OP's own answer: for the particular schemes there ... – dave_thompson_085 Aug 18 '20 at 09:12
  • ... you (would) need to RSA-decrypt the wrapped key (DEK) and then `openssl enc` with `-d -K hexdecryptedkey -iv hexIV` -- or use my cheat and leave the IV prefixed to the data, specify a fake extra `-iv 00`, and then discard the first block of the result. See the updated version https://security.stackexchange.com/questions/76567/decrypt-a-soap-message-using-openssl . – dave_thompson_085 Aug 18 '20 at 09:20
  • Thank you for the comments. Based on the links you provided I was able to build a Java-based solution. – oschlueter Aug 18 '20 at 18:17
  • [OpenSAML](https://wiki.shibboleth.net/confluence/display/OS30/Home) is your friend. It does all of this "out of the box" in a sense of orchestrating relevant crypto calls via well-designed abstraction when decrypting assertion or response – identigral Aug 25 '20 at 23:09
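
The two-step procedure described in the comments above (RSA-decrypt the wrapped key, then `openssl enc -d` with `-K` and `-iv`), written out as an added example that is not part of the original thread. It assumes the response uses `rsa-oaep-mgf1p` key transport and `aes256-cbc` data encryption, and that the two `CipherValue` elements have been saved to separate files; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed algorithms (read the Algorithm attributes in your own
# EncryptedAssertion): key transport rsa-oaep-mgf1p, data encryption aes256-cbc.

hex() { od -An -v -tx1 | tr -d ' \n'; }

# decrypt_assertion KEY.pem WRAPPED_KEY.b64 DATA.b64 -> plaintext on stdout
#   WRAPPED_KEY.b64: CipherValue inside <EncryptedKey>
#   DATA.b64:        CipherValue directly under <EncryptedData>
# Runs in a subshell so the unwrapped key is removed on every exit path.
decrypt_assertion() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    # 1. RSA-OAEP-decrypt the wrapped AES key (the DEK). Only this small blob
    #    fits the RSA modulus; feeding RSA the data blob gives
    #    "data greater than mod len".
    base64 -d < "$2" |
        openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
            -out "$tmp/dek" || exit 1
    # 2. The data blob is the IV (16 bytes) followed by the AES-CBC ciphertext.
    base64 -d < "$3" > "$tmp/blob" || exit 1
    tail -c +17 "$tmp/blob" |
        openssl enc -d -aes-256-cbc -nopad -K "$(hex < "$tmp/dek")" \
            -iv "$(head -c 16 "$tmp/blob" | hex)" > "$tmp/padded" || exit 1
    # 3. XML Encryption padding defines only the last byte (the pad length),
    #    so decrypt with -nopad and strip the padding by hand.
    pad=$(( 0x$(tail -c 1 "$tmp/padded" | hex) ))
    head -c $(( $(wc -c < "$tmp/padded") - pad )) "$tmp/padded"
)

# make_sample DIR: constructed test vector (throwaway key, dummy assertion)
# laid out the same way, for checking the procedure offline.
make_sample() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null
    openssl rand 32 > "$1/dek"
    openssl rand 16 > "$1/iv"
    openssl pkeyutl -encrypt -inkey "$1/key.pem" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/dek" | base64 > "$1/wrapped.b64"
    printf '%s' '<Assertion><Subject><NameID>constructed@example.test</NameID></Subject></Assertion>' > "$1/plain.xml"
    { cat "$1/iv"
      openssl enc -aes-256-cbc -K "$(hex < "$1/dek")" -iv "$(hex < "$1/iv")" \
          -in "$1/plain.xml"; } | base64 > "$1/data.b64"
}
```

If `EncryptionMethod` names `aes128-cbc`, change the cipher to `-aes-128-cbc`. GCM variants need a different tool, because `openssl enc` does not support AEAD modes.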

0 Answers