Deployment Task


In a SAML authentication transaction, the Service Provider ("SP", or Aqua in this case) must always validate the response for integrity and validity. This ensures that the document was not tampered with in transit and that the document, in its entirety, was produced by the trusted identity provider. The response is always protected in one of three ways: the response is digitally signed, the assertion is encrypted, or both. Aqua only supports digitally signed XML responses, and the location of this signature matters.


Deployment Steps

The entire XML response received from the IdP is known as the SAML Response. Here is a simplified example of such a document.

Refer to the block of XML below for the following notes:

  1. On line 1, the document opens with the saml2p:Response element.
  2. At the first level within the document, we find saml2:Issuer, followed by ds:Signature. Because these are nested only one level deep, they are children of saml2p:Response. Since the ds:Signature element sits at this level, the signature covers the whole message, and we can definitively say that the "Response (message) is signed."
  3. Some applications only require that the saml2:Assertion (line 41) be signed. In that case the ds:Signature element is nested inside the saml2:Assertion element, and we say "the assertion is signed." Only the content inside saml2:Assertion is then covered by the digital signature; everything outside that element could be tampered with, and there would be no way to detect it. This is why Aqua requires the entire response to be signed (see note 2 above).
<saml2p:Response Destination="https://aquarium.aquasec.com/api/v1/saml_auth"
    ID="_bdb404f3397c49d79f51c78c48f080a9" InResponseTo="_723b49c5-ff87-43d0-7090-2f034ad52958"
    IssueInstant="2018-06-29T22:42:37.100Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C00p5nzlt</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_bdb404f3397c49d79f51c78c48f080a9">
                <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>HGlsCKkHwHJsFPTBFKEa9YmLHNhV+6GRIY2BfehTQ50=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>QUXuRgGF6LDplNGdgXuuuBjklZ2eAVcOC6jhd/KhojisHzkKKb3Q5S5Qjxxi1nicOZZNthXeT9Js
            J0Fs5i6KFiD74fjCW9M93XqntWp6RHDUpnhFkuKZl0KnAipEF+X7Vcr1AA9VuDcmJu6fy1Xgk+KY
            jRfXLaRss2oaCz2oka2kJlaftI2LViKM7JpOkTImgVcoGwSqWFF299n/z/yP6bh/nbCBJgGjdUxn
            dYFWqza/ncj/WLcQbTXmRPss8bqUWVq53J7YQNJ8mGe5mlHbhWIdEc12vNMiMFsRfEtvgnWrWEIJ
            UTbkvUAuoYHIoH6kmWZ/kXnXCGJ24aBPW6ASjA==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
                <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAWRDE+jkMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
                    bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
                    b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTgwNjI3
                    MjEwODUzWhcNMjMwNjI2MjEwODUzWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
                    TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
                    CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
                    MIIBCgKCAQEAlr3BmMD2I2drQfkntzk2cpp9nECVmP+py3PvmEmodY7j+LgO4FIjTpxUDFdx6LYe
                    dMs/fO7bVokVQc5Z0caahD3BGPpq74dXj60l3yP2o5U1qcnFbcOUhPioIR4kdODHEvOfp3VcJH1y
                    MqCR07v7ArRT66CvSS3A6TSfpNR+8WyJpwWUl6igdsswFsFRM8oZewG7uq+hZTXQVU7VX9eYUIi3
                    MK/FUfPk1igPZU/z/slV9HNkmIeJRFGuYsPdktPWyYgRmKrVTUGg8lDAVOmj20hpATp0LGAN7AIK
                    eh8QpU/vFK6S4XXIfmMdOlmLgfmj9OjGMh6SpkcSFZuutLjeBwIDAQABMA0GCSqGSIb3DQEBCwUA
                    A4IBAQATaqh9BRFm9CYrWYy5tnnY+SdwwVKdlvF+cSHTSD2z48H+dFoojppcJefscDzpNJUg//gG
                    gE8BHCJimfnsV7ahr/C3Baoz6kHifE0VW0Pv3e5chrf6hFpfly/Y7BqTRiUmGn7MGynuxiciuk+Q
                    +GsVhDzUnQq+7/jj72hXus7xRyhzByBs+JHDGZCJJ/mcGTEyxpfWpG27C+9oIF0KrzAwP68pPOs1
                    KmvWLAeEh4btAxCsjc7u4Y5MXbBALP+LIANCYlDztPT10ZCcEuXir0apvulLxGYjiJWo3cEBkVuI
                    cw/t2nRdvzKT4wO2i+faObwizgS6R9hiuk8E2IoSnjVz</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
    <saml2:Assertion ID="_6946531aa5f25e1702225f42b4cf7c23" IssueInstant="2018-06-29T22:42:37.100Z"
        Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C00p5nzlt</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ken@kenmac.io</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_723b49c5-ff87-43d0-7090-2f034ad52958"
                NotOnOrAfter="2018-06-29T22:47:37.100Z"
                Recipient="https://aquarium.aquasec.com/api/v1/saml_auth"/></saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2018-06-29T22:37:37.100Z" NotOnOrAfter="2018-06-29T22:47:37.100Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>aquasec.com</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">administrator</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="userPrincipalName">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">ken@kenmac.io</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
        <saml2:AuthnStatement AuthnInstant="2018-06-29T20:14:41.000Z"
            SessionIndex="_6946531aa5f25e1702225f42b4cf7c23">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>
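As an added illustration (not from the original page and not Aqua's own code), the Python check below reports which element a ds:Signature belongs to, Response or Assertion, and whether its ds:Reference URI points at that element's ID. The two sample responses are constructed, and the check is structural only; it does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_placement(xml_text):
    """Locate the ds:Signature and check that its Reference URI names the
    ID of the element that encloses it (Response or Assertion)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("not a saml2p:Response")
    result = {"response_signed": False, "assertion_signed": False, "reference_ok": False}
    signed_elem = root
    sig = root.find("ds:Signature", NS)  # direct child => whole message is signed
    if sig is not None:
        result["response_signed"] = True
    else:
        assertion = root.find("saml2:Assertion", NS)
        sig = assertion.find("ds:Signature", NS) if assertion is not None else None
        if sig is not None:  # nested in the Assertion => only the assertion is signed
            result["assertion_signed"] = True
            signed_elem = assertion
    if sig is None:
        return result
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    result["reference_ok"] = uri == "#" + signed_elem.get("ID", "")
    return result


def response_signature_required(xml_text):
    """Mirror the page's requirement: accept only a signed Response whose
    Reference covers the Response element itself."""
    r = signature_placement(xml_text)
    return r["response_signed"] and r["reference_ok"]


def _sample(sign_response):
    # Constructed minimal responses; SignatureValue is a placeholder.
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
           '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')
    resp_sig = sig % "_resp1" if sign_response else ""
    asrt_sig = "" if sign_response else sig % "_asrt1"
    return ('<saml2p:Response ID="_resp1" Version="2.0" '
            'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml2:Issuer>'
            + resp_sig +
            '<saml2:Assertion ID="_asrt1" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
            + asrt_sig + '</saml2:Assertion></saml2p:Response>')


RESPONSE_SIGNED = _sample(True)    # signature directly under saml2p:Response
ASSERTION_SIGNED = _sample(False)  # signature nested inside saml2:Assertion
```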