In /etc/shibboleth/shibboleth2.xml I've got:
<ApplicationDefaults id="default" policyId="default"
entityID="https://cilogon.org/shibboleth"
REMOTE_USER="persistent-id targeted-id eppn"
signing="true" encryption="false"
homeURL="https://test.cilogon.org/"
metadataAttributePrefix="Meta-">
and I'm seeing signed AuthnRequests for Web Browser SSO but not for ECP. I'll include examples below.
Here's what we think is causing this issue:
In shibsp/handler/impl/AbstractHandler.cpp, in sendMessage(), near line 520, is the code that uses the signing credential:
pair<bool,const char*> flag = signIfPossible ? make_pair(true,(const char*)"true") :
relyingParty->getString("signing");
if (role && flag.first &&
(!strcmp(flag.second, "true") ||
(encoder.isUserAgentPresent() && !strcmp(flag.second, "front")) ||
(!encoder.isUserAgentPresent() && !strcmp(flag.second, "back")))) {
....
}
"role" needs to be non-null for this code block to work. "role" is passed in to sendMessage() by handler/impl/SAML2SessionInitiator.cpp in doRequest(), near line 720.
long ret = sendMessage(
*encoder, req.get(), relayState.c_str(), dest.get(), role, app, httpResponse,
role ? role->WantAuthnRequestsSigned() : false
);
"role" is set near line 596:
role = dynamic_cast<const IDPSSODescriptor*>(entity.second);
"entity" is set near line 574:
pair<const EntityDescriptor*,const RoleDescriptor*> entity =
pair<const EntityDescriptor*,const RoleDescriptor*>(nullptr,nullptr);
...
// Use metadata to locate the IdP's SSO service.
MetadataProviderCriteria mc(app, entityID, &IDPSSODescriptor::ELEMENT_QNAME,
samlconstants::SAML20P_NS);
entity=m->getEntityDescriptor(mc);
In the case of ECP, "entityID" is empty, so "entity" is also empty. Thus, the first set of code above ("if (role && flag.first...)") never gets executed because "role" is empty.
==== BEGIN Web Browser SSO AuthnRequest ====
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://test.cilogon.org/Shibboleth.sso/SAML2/POST"
Destination="https://idp.protectnetwork.org/protectnetwork-idp/profile/SAML2/POST/SSO"
ID="_299f3f63c1b23ebf7ccedb2e69052c16"
IssueInstant="2012-04-23T12:57:10Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cilogon.org/shibboleth</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_299f3f63c1b23ebf7ccedb2e69052c16">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>hjuxf14EdV3N69oH4cxKjaxhxW4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>RRMfRtisWq0MjxHPCH4DcGWoSDV20x/AgOhLdq0gMr9oBI11w9jU5oP+rb1XX747
gKzTPpx02comEekFX51zP/QjqdlPbbZvMsf3XbI7zTTC4q1B/3OAxEWk9FweSFtL
GjXauvRNbvyTADHP5ecjyDerSNoWocGThDD+8aSSmfH9Qzfn/ayf/eocUzFarWnZ
bPfhGuUCW8MaNUOjL6XkKPA7euWupPyJ7Az/day6iCOjSHOOY9tsDteMk3w6VuAr
wjjDs7rd8uRa0vleJ4qIJ0DTTz5LTBtdXAC3ckk5EW4fiG6y08mdE/f7EteLuhbB
0sNLZucOxpjeJ5deck5L6w==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>cilogon.org</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>CN=cilogon.org</ds:X509SubjectName>
<ds:X509Certificate>MIIDVDCCAjygAwIBAgIJAI4ktgTnvdBvMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV
BAMTC2NpbG9nb24ub3JnMB4XDTEwMDEyODE3MzYwNFoXDTEzMDEyNzE3MzYwNFow
FjEUMBIGA1UEAxMLY2lsb2dvbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCU2+Mqs1OhxQRdrJ+W19BUgquVG/3rxd9EDzwGOWBkO+awCXtRe50p
LGVXYF/ylNXeAdF2LHICKHB35i/ZNnXj9Y+llarHiTyrrSmYa3OA0Q2YEzSsv6o6
rk4+SysmnFPLggVbFnqmtCRn7bwAodonhWWfVqwBj+GkO3RoedfCYhfsiKJOTioN
Bc1VXlNlxBeAVYuJuhDzCQnSn+IhLnqKWXpnq2exZfeOG+yfUQB31BONSnCWadFW
ODgybq5q+D4IDFeW+2LmQGNVCjUnB7RTGwRWgj2AHusySohpwDCha1eIqXb+FNGA
ifI2PEgCS69NgBJNMaAvAAjcEUugK0bfAgMBAAGjgaQwgaEwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAJBgNVHRMEAjAAMB0G
A1UdDgQWBBS6KexHniS9+CMFdNlM/DILrMQ3AjBGBgNVHSMEPzA9gBS6KexHniS9
+CMFdNlM/DILrMQ3AqEapBgwFjEUMBIGA1UEAxMLY2lsb2dvbi5vcmeCCQCOJLYE
573QbzANBgkqhkiG9w0BAQUFAAOCAQEAS4U3vwFFyjsezayUJcVm6PW40HIJW3iV
qaNv/8dwPFKtX03C3XEMnexFegnZ4cYSTAc5fdpAxaEZjnhTsKsA5aFKHlF1uUYn
5beFDAbLDn5AlJamBoYn3s8ZOa0x9A1FdrDLSLTUqc1BH1Hz8MRFR/NsD/LdI1I5
5tIY6A/0lAlOgq/+iRyAzc/NZloHRJriiysJzRLWq1oF2VlW0fgkF7v1tf7oBZjq
SPTVAuw69SbXBXnaHQXN2DnsdUhepjQTumKi+S1sZhAMW9nVNFXVBkehfr5NUFR+
8QVxZNy6yZE12GjQMJc6YbNQ8kiC2gzqTimid0/2DzSakuhgAMacNg==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>
==== END Web Browser SSO AuthnRequest ====
==== BEGIN ECP AuthnRequest ====
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
      S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      S:mustUnderstand="1"
      responseConsumerURL="https://test.cilogon.org/Shibboleth.sso/SAML2/ECP"
      service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
      IsPassive="0"
      S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      S:mustUnderstand="1">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cilogon.org/shibboleth</saml:Issuer>
    </ecp:Request>
    <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
      S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      S:mustUnderstand="1">cookie:daa0c2d2</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      AssertionConsumerServiceURL="https://test.cilogon.org/Shibboleth.sso/SAML2/ECP"
      ID="_3a6a60e741eea911fc84511958e4eb80"
      IssueInstant="2012-04-23T12:49:18Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
      Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cilogon.org/shibboleth</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="1"/>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>
==== END ECP AuthnRequest ====
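As an added diagnostic (not code from this post or from the Shibboleth SP), here is a small script that reads captured AuthnRequests like the two above, either bare (Web Browser SSO) or wrapped in a PAOS/SOAP envelope (ECP), and reports whether each carries an enveloped ds:Signature whose Reference points at the request's own ID. It uses only the Python standard library; the sample inputs are constructed minimal stand-ins with placeholder signature values, not the real captures.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_authn_request(xml_text):
    """Return (ProtocolBinding, signed, ID) for the AuthnRequest in xml_text."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}AuthnRequest" % NS["samlp"]:
        req = root                                   # bare request (HTTP-POST/Redirect)
    else:
        req = root.find(".//samlp:AuthnRequest", NS) # request inside a SOAP Body (ECP)
    if req is None:
        raise ValueError("no samlp:AuthnRequest in document")
    # An enveloped signature is a ds:Signature child of the request whose
    # Reference URI points back at the request's own ID attribute.
    sig = req.find("ds:Signature", NS)
    signed = False
    if sig is not None:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        signed = ref is not None and ref.get("URI") == "#" + req.get("ID", "")
    return req.get("ProtocolBinding"), signed, req.get("ID")

def unsigned_requests(captures):
    """IDs of captured requests that lack an enveloped signature (what signing="true" should rule out)."""
    out = []
    for cap in captures:
        _, signed, rid = inspect_authn_request(cap)
        if not signed:
            out.append(rid)
    return out

# Constructed samples: signature content is a placeholder, not a real signature.
SIGNED_POST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_post1" Version="2.0" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_post1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""
UNSIGNED_ECP = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body>
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_ecp1" Version="2.0" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
</S:Body></S:Envelope>"""

if __name__ == "__main__":
    for cap in (SIGNED_POST, UNSIGNED_ECP):
        print(inspect_authn_request(cap))
    print("unsigned:", unsigned_requests([SIGNED_POST, UNSIGNED_ECP]))
```

Run against real captures, a PAOS-bound request showing up in the unsigned list while the HTTP-POST one does not is exactly the symptom described in the post.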