APEX 21.2 SAML Authentication with Shibboleth IdP

Hi
Has anybody successfully configured SAML authN with a Shibboleth IdP (or any IdP for that matter; no luck with WSO2 Identity Server because of bug #33670264)?
The AuthnRequest POST request from APEX to the Shibboleth IdP does not contain a "Destination" attribute in the <samlp:AuthnRequest .../> element and so fails with the message:
Looking at the logs for the Shibboleth IdP I see the messages:
shib-idp;idp-process.log;dev;nothing;2022-01-19 10:41:43,377 - 172.19.0.1 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:170] - Message Handler: SAML message intended destination endpoint URI required by binding was empty
shib-idp;idp-warn.log;dev;nothing;2022-01-19 10:41:43,377 - 172.19.0.1 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:170] - Message Handler: SAML message intended destination endpoint URI required by binding was empty
shib-idp;idp-warn.log;dev;nothing;2022-01-19 10:41:43,378 - 172.19.0.1 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
shib-idp;idp-warn.log;dev;nothing;org.opensaml.messaging.handler.MessageHandlerException: SAML message intended destination (required by binding) was not present
As you can see, the "Destination" attribute is missing and is required by the Shibboleth IdP.
I checked using a POST from a Shibboleth SP to a Shibboleth IdP and sure enough a Destination attribute is present in the AuthnRequest.
Checking the request from APEX to the Shibboleth IdP, no Destination attribute exists.
Thanks
Stephen
Best Answer
-
Patch 21.2.5 contains the fix for this issue.
I've applied the patch and can confirm that I have successfully authenticated my user.
Answers
-
Hi
An update, it seems that Oracle's implementation of the SAML2 Specification is incorrect.
The "Message Handler: SAML message intended destination endpoint URI required by binding was empty" exception is raised in ReceivedEndpointSecurityHandler.java at line 170:
if the authentication request does not contain a destination and the call to SAMLBindingSupport.isIntendedDestinationEndpointURIRequired returns true.
That function can be found at line 267 of SAMLBindingSupport.java:
It in turn calls a function of the same name at line 133 of SAMLBindingContext.java
which simply returns the state of the object variable isIntendedDestinationEndpointURIRequired defined at line 47.
This variable is set in the implementation of the various supported SAML2 bindings (we are disregarding the deprecated SAML1 bindings).
For the SOAP bindings, you can see at line 103 and 104 respectively it is set to false:
whereas for the POST binding, the Redirect binding, and the Post simple sign binding at lines 151, 155, and 50 it is set to true if the authentication request is signed:
Basically, the only way to get the IdP to accept an authentication request without the destination is either to use a SOAP binding (likely not practical) or to not have the SP sign the assertion.
If you do not care about having the authentication request signed and you can disable it on the SP, that should avoid this failure.
On the other hand, if you do want it signed, or it is not feasible to disable signatures, referring to the SAML specification:
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
while line 1477 does indicate that the Destination is optional in general, it also specifies "Some protocol bindings may require the use of this attribute".
In particular, if we look at the specification definition of the bindings:
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
we can see that the redirect binding (line 661) and the post binding (line 843) specify:
"If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message."
Referring to line 176 in the document:
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119].
Then looking at: https://www.ietf.org/rfc/rfc2119.txt
"MUST This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification."
It is clear that Oracle's implementation is broken.
I logged a technical SR with Oracle but so far I'm hitting a brick wall. I'll continue to agitate.
Stephen
-
I see there is a mention of bug #33670264 in the latest patch_v2 release notes (as of yet unclear if this corrects the issue you identified).
https://updates.oracle.com/Orion/Services/download?type=readme&aru=24608754
# ----- NEW IN LATEST PATCH_VERSION: 2 -----
# 33670264 - SAML AUTH ERROR ON AZURE: ORA-30625: METHOD DISPATCH ON NULL SELF ARGUMENT IS DISALLOWED
-
@user4387372 Unfortunately not! The issue is in the AuthnRequest from APEX to the Shibboleth IdP.
Currently the top of the AuthnRequest looks like this:
<samlp:AuthnRequest AssertionConsumerServiceIndex="0"
ID="X49YUXJAaED09p5J8Sof8mX9CTqOlm_JflMdVpzVPV3N7nfij8Qu_rcGFlB-7xSREL5cJMHqcYPKHXl2iD10wBA.8233112406605523"
IssueInstant="2022-01-27T13:20:42Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> .......
When it should look like this:
<samlp:AuthnRequest AssertionConsumerServiceIndex="0"
Destination="https://xxxxxxxxx/idp/profile/SAML2/POST/SSO"
ID="X49YUXJAaED09p5J8Sof8mX9CTqOlm_JflMdVpzVPV3N7nfij8Qu_rcGFlB-7xSREL5cJMHqcYPKHXl2iD10wBA.8233112406605523"
IssueInstant="2022-01-27T13:20:42Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> .........
Note the Destination attribute. The SAML bindings v2.0 standard requires the Destination attribute if the request is signed. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf line 843
'If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.'
The IdP is behaving according to the standard but Apex is signing the request and not including the attribute.
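To make the binding rule from the two posts above concrete, here is an added Python check (not code from the thread, APEX or Shibboleth) that reproduces the IdP's decision on a constructed request shaped like the APEX one; the IdP URL, request ID, issuer and the empty ds:Signature are placeholders, and real XML-signature verification is out of scope.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: an AuthnRequest in the shape APEX 21.2 sends (signed,
# no Destination). The ID, issuer and the empty ds:Signature are placeholders.
APEX_STYLE_REQUEST = """<samlp:AuthnRequest AssertionConsumerServiceIndex="0"
    ID="_constructed-example-id" IssueInstant="2022-01-27T13:20:42Z" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://sp.example.org/apex</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
</samlp:AuthnRequest>"""

# Placeholder IdP endpoint standing in for the xxxxxxxxx host in the thread.
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/POST/SSO"

# The same request with the Destination attribute the binding requires.
CORRECTED_REQUEST = APEX_STYLE_REQUEST.replace(
    'AssertionConsumerServiceIndex="0"',
    f'AssertionConsumerServiceIndex="0" Destination="{IDP_SSO_URL}"', 1)


def check_destination(authn_request_xml: str, received_at: str) -> tuple[bool, str]:
    """Apply the HTTP-POST/Redirect binding rule for Destination.

    Returns (accepted, reason). Mirrors the IdP's decision: when the message
    is signed, Destination must be present and must equal the URL at which
    the message was actually received. Here 'signed' simply means a
    ds:Signature child element is present; the signature is not verified.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, "not a samlp:AuthnRequest"
    signed = root.find(f"{{{DS_NS}}}Signature") is not None
    destination = root.get("Destination")
    if destination is None:
        if signed:
            return False, "signed message but Destination attribute is empty"
        return True, "unsigned request; Destination is optional"
    if destination != received_at:
        return False, f"Destination {destination} does not match {received_at}"
    return True, "Destination present and matches receiving endpoint"
```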
-
That is a bummer. I hope Oracle doesn't consider bug #33670264 actually resolved. :/
-
Well, in fairness to Oracle, this bug#33670264 is supposed to resolve the issue for Azure mentioned in this https://community.oracle.com/tech/developers/discussion/4491604/problems-with-saml-authentication-in-apex-21-2/p2 discussion. I'm hoping that it fixes my issue too because I need Apex to communicate with the various IdP's as our customers won't all be using the same IdP supplier!
-
An update
Oracle have "raised Bug:33845275 - SAML AUTH: AUTHNREQUEST SHOULD CONTAIN DESTINATION and Development is currently working on the case."
Hopefully it's in the next patch release and it resolves the issue.
Stephen