SteelApp TrafficManager SAML 2.0 Protocol Validation with TrafficScript

by jluksch_1 on ‎09-04-2014 11:57 AM - edited on ‎06-01-2015 07:12 AM by PaulWallace (1,224 Views)

SAML is the Security Assertion Markup Language, used for example in Web Single Sign-On scenarios. The current version, 2.0, is specified by OASIS Open (SAML Specifications | SAML XML.org).

SAML uses XML documents to transfer information. The specification defines assertions, the protocol messages and the bindings that describe how the protocol is transported. The assertions and the protocol are defined as XML Schema.

The protocol can be validated in SteelApp TrafficManager with XML Schema validation as an additional security measure, for example to protect SAML Identity Providers (IdP).

This article explains a use case of validating SAML 2.0 for the HTTP POST binding, where the protocol message is transferred Base64-encoded in the HTTP body. The rule checks that the request is for an endpoint URL where SAML validation should be performed and that the HTTP method is "POST".

A Base64-encoded SAML request can be encoded and decoded for example with the online tool at https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php or offline with the "base64" tool on Linux systems.

To test the SAML validation, "curl" can be used to post the encoded data (the file must contain only the Base64 string, because the rule decodes the whole request body):

curl -X POST -H "Content-Type: text/plain" --data-binary "@SAML-example.txt" http://192.168.42.21/auth/test.php

The result of the validation can be observed in the STM event log.

xml.validate.xsd() returns one of the following results:

  • 1: validation successful, the transferred document is a well-formed and valid SAML protocol document
  • 0: the document is well-formed XML but not valid against the schema (for example it contains illegal elements or attributes)
  • -1: the document is not well-formed (XML document errors)

# Validate HTTP POST body against the SAML Protocol schema
# (c) Riverbed Technology GmbH, Juergen Luksch

# only run the rule if the path is the SAML endpoint
$path = http.getPath();
if( !string.startsWithI( $path, "/auth/" ) ) {
   break;
}

# only the HTTP POST binding is supported in this example
if( http.getMethod() != "POST" ) {
   break;
}

# the body is the standard Base64-encoded SAML message; decode it
# (http.getBody( 0 ) reads the whole request body)
$samlAuth = string.base64decode( http.getBody( 0 ) );
$samlProtocolSchema = resource.get( "saml-schema-protocol-2.0.xsd" );

# 1 = valid, 0 = well-formed but not schema-valid, -1 = not well-formed XML
$result = xml.validate.xsd( $samlAuth, $samlProtocolSchema );

#log.info( "XML Validation: " . $result );
if( $result != 1 ) {
   log.warn( "XML Validation failed!" );
   # alternatively drop the connection: connection.discard();
   # respond with an HTTP error
   http.sendResponse( "500 Server error", "text/plain", "XML Validation failed", "" );
}

To be able to validate a SAML document, the XML Schema definition (XSD) needs to be present on the STM in the Extra Files catalog. For the SAML protocol, two schemas are needed: saml-schema-protocol and saml-schema-assertion. These additionally import the XML Signature schema and the XML Encryption schema.

The schema documents can be downloaded from OASIS Open (Index of /security/saml/v2.0/) and the W3C (http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd, http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd). As the imports in the original documents refer to external resources, the "schemaLocation=" attributes need to be changed to the local file names before uploading to the STM.
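As an added example (not part of the original article), the two preparation steps on a Linux shell: rewriting the remote schemaLocation imports to local file names before the XSDs are uploaded to the STM, and Base64-encoding a sample AuthnRequest into the SAML-example.txt file that the curl command above posts. The XSD fragment and the AuthnRequest are constructed stand-ins, and the function and file names are this example's own.

```shell
#!/bin/sh
# Rewrite remote schemaLocation imports in an XSD to local file names.
# Usage: rewrite_schema_locations <in.xsd> <out.xsd>
rewrite_schema_locations() {
    # Replace http(s)://.../name.xsd inside schemaLocation="..." with name.xsd
    sed -E 's#schemaLocation="https?://[^"]*/([^/"]+\.xsd)"#schemaLocation="\1"#g' "$1" > "$2"
}

# Count imports that still point at a remote URL (expected 0 after rewriting).
remote_import_count() {
    grep -c 'schemaLocation="http' "$1" || true
}

# Base64-encode a SAML document as a single line, the raw body format the rule
# expects in string.base64decode(http.getBody(0)).
encode_saml() {
    base64 < "$1" | tr -d '\n' > "$2"
}

# Decode again to confirm the round trip (what the TrafficScript rule sees).
decode_saml() {
    base64 -d < "$1"
}

WORK=$(mktemp -d)

# Constructed stand-in for the import section of saml-schema-protocol-2.0.xsd:
# the real file imports the assertion and xmldsig schemas by URL.
cat > "$WORK/saml-schema-protocol-2.0.xsd" <<'EOF'
<schema xmlns="http://www.w3.org/2001/XMLSchema">
  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
          schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/>
  <import namespace="http://www.w3.org/2000/09/xmldsig#"
          schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
</schema>
EOF
rewrite_schema_locations "$WORK/saml-schema-protocol-2.0.xsd" "$WORK/local-protocol.xsd"

# Constructed minimal AuthnRequest (placeholder ID) used as the test input.
cat > "$WORK/request.xml" <<'EOF'
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example-id" Version="2.0" IssueInstant="2014-09-04T11:57:00Z"/>
EOF
encode_saml "$WORK/request.xml" "$WORK/SAML-example.txt"
```

The rewritten local-protocol.xsd is the file to upload to the Extra Files catalog, and SAML-example.txt is the file to pass to curl.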

When the document is checked and recognized as invalid, an HTTP error code can be returned or the connection discarded.

So, by downloading the schemas, creating an XML validation rule and adding this rule to the virtual server, SAML protocol requests can be validated and acted upon.