Add SAML AuthN request signing tests (#61582)

- Add a unit test for our signing code
- Change SAML IT to use signed authentication requests for Shibboleth to consume

Backport of #48444
This commit is contained in:
Ioannis Kakavas 2020-08-27 10:41:56 +03:00 committed by GitHub
parent 5df74cc888
commit 3640ff1ff2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 305 additions and 33 deletions

View File

@ -16,8 +16,6 @@ import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.greaterThan;
@ -38,17 +36,7 @@ public class SamlAuthnRequestBuilderTests extends SamlTestCase {
@Before
public void init() throws Exception {
SamlUtils.initialize(logger);
final SingleSignOnService sso = SamlUtils.buildObject(SingleSignOnService.class, SingleSignOnService.DEFAULT_ELEMENT_NAME);
sso.setLocation(IDP_URL);
sso.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
final IDPSSODescriptor idpRole = SamlUtils.buildObject(IDPSSODescriptor.class, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
idpRole.getSingleSignOnServices().add(sso);
idpDescriptor = SamlUtils.buildObject(EntityDescriptor.class, EntityDescriptor.DEFAULT_ELEMENT_NAME);
idpDescriptor.setEntityID(IDP_ENTITY_ID);
idpDescriptor.getRoleDescriptors().add(idpRole);
idpDescriptor = buildIdPDescriptor(IDP_URL, IDP_ENTITY_ID);
}
public void testBuildRequestWithPersistentNameAndNoForceAuth() throws Exception {

View File

@ -7,9 +7,11 @@ package org.elasticsearch.xpack.security.authc.saml;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.x509.X509Credential;
import java.io.UnsupportedEncodingException;
@ -19,7 +21,9 @@ import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.time.Clock;
import java.util.Base64;
import java.util.Collections;
import static java.util.Collections.emptySet;
import static java.util.Collections.singleton;
@ -29,6 +33,9 @@ import static org.hamcrest.Matchers.startsWith;
public class SamlRedirectTests extends SamlTestCase {
private static final String IDP_ENTITY_ID = "https://idp.test/";
private static final String SP_ENTITY_ID = "https://sp.example.com/";
private static final String ACS_URL = "https://sp.example.com/saml/acs";
private static final String IDP_URL = "https://idp.test/saml/sso/redirect";
private static final String LOGOUT_URL = "https://idp.test/saml/logout";
private static final SigningConfiguration NO_SIGNING = new SigningConfiguration(emptySet(), null);
@ -87,16 +94,32 @@ public class SamlRedirectTests extends SamlTestCase {
final SamlRedirect redirect = new SamlRedirect(buildLogoutRequest(LOGOUT_URL + "?"), spConfig);
final String url = redirect.getRedirectUrl();
final String queryParam = url.split("\\?")[1].split("&Signature")[0];
final String params[] = url.split("\\?")[1].split("&");
assert (params.length == 3);
String sigAlg = parseAndUrlDecodeParameter(params[1]);
// We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
assertThat(sigAlg, equalTo("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
sigAlg = "SHA256withRSA";
final String signature = parseAndUrlDecodeParameter(params[2]);
assertThat(validateSignature(queryParam, sigAlg, signature, credential), equalTo(true));
assertThat(validateSignature(queryParam, sigAlg, signature, invalidCredential), equalTo(false));
assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), sigAlg, signature, credential), equalTo(false));
final String signature = validateUrlAndGetSignature(redirect.getRedirectUrl());
assertThat(validateSignature(queryParam, signature, credential), equalTo(true));
assertThat(validateSignature(queryParam, signature, invalidCredential), equalTo(false));
assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), signature, credential), equalTo(false));
}
public void testAuthnRequestSigning() throws Exception {
final X509Credential credential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
X509Credential invalidCredential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
while (invalidCredential.getEntityCertificate().getSerialNumber().equals(credential.getEntityCertificate().getSerialNumber())) {
invalidCredential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
}
final SigningConfiguration signingConfig = new SigningConfiguration(singleton("*"), credential);
SpConfiguration sp = new SpConfiguration(SP_ENTITY_ID, ACS_URL, LOGOUT_URL, signingConfig, null, Collections.emptyList());
EntityDescriptor idpDescriptor = buildIdPDescriptor(IDP_URL, IDP_ENTITY_ID);
final SamlRedirect redirect = new SamlRedirect(new SamlAuthnRequestBuilder(sp, SAMLConstants.SAML2_POST_BINDING_URI,
idpDescriptor, SAMLConstants.SAML2_REDIRECT_BINDING_URI, Clock.systemUTC()).build(), signingConfig);
final String url = redirect.getRedirectUrl();
final String queryParam = url.split("\\?")[1].split("&Signature")[0];
final String signature = validateUrlAndGetSignature(redirect.getRedirectUrl());
assertThat(validateSignature(queryParam, signature, credential), equalTo(true));
assertThat(validateSignature(queryParam, signature, invalidCredential), equalTo(false));
assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), signature, credential),
equalTo(false));
}
private String parseAndUrlDecodeParameter(String parameter) throws UnsupportedEncodingException {
@ -104,16 +127,25 @@ public class SamlRedirectTests extends SamlTestCase {
return URLDecoder.decode(value, "UTF-8");
}
private boolean validateSignature(String queryParam, String sigAlg, String signature, X509Credential credential) {
private String validateUrlAndGetSignature(String url) throws UnsupportedEncodingException {
final String params[] = url.split("\\?")[1].split("&");
assert (params.length == 3);
String sigAlg = parseAndUrlDecodeParameter(params[1]);
// We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
assertThat(sigAlg, equalTo("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
return parseAndUrlDecodeParameter(params[2]);
}
private boolean validateSignature(String queryParam, String signature, X509Credential credential) {
try {
Signature sig = Signature.getInstance(sigAlg);
// We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
Signature sig = Signature.getInstance("SHA256withRSA");
sig.initVerify(credential.getPublicKey());
sig.update(queryParam.getBytes(StandardCharsets.UTF_8));
return sig.verify(Base64.getDecoder().decode(signature));
} catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
return false;
}
}
private LogoutRequest buildLogoutRequest(String logoutUrl) {

View File

@ -16,6 +16,10 @@ import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
import org.elasticsearch.xpack.core.ssl.PemUtils;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.impl.X509KeyManagerX509CredentialAdapter;
@ -135,4 +139,18 @@ public abstract class SamlTestCase extends ESTestCase {
assertThat("Exception " + exception + " should be a SAML exception", SamlUtils.isSamlException(exception), is(true));
return exception;
}
protected EntityDescriptor buildIdPDescriptor(String idpUrl, String idpEntityId) {
final SingleSignOnService sso = SamlUtils.buildObject(SingleSignOnService.class, SingleSignOnService.DEFAULT_ELEMENT_NAME);
sso.setLocation(idpUrl);
sso.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
final IDPSSODescriptor idpRole = SamlUtils.buildObject(IDPSSODescriptor.class, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
idpRole.getSingleSignOnServices().add(sso);
EntityDescriptor idpDescriptor = SamlUtils.buildObject(EntityDescriptor.class, EntityDescriptor.DEFAULT_ELEMENT_NAME);
idpDescriptor.setEntityID(idpEntityId);
idpDescriptor.getRoleDescriptors().add(idpRole);
return idpDescriptor;
}
}

View File

@ -14,7 +14,8 @@ testFixtures.useFixture ":x-pack:test:idp-fixture"
String outputDir = "${project.buildDir}/generated-resources/${project.name}"
def copyIdpFiles = tasks.register("copyIdpFiles", Copy) {
from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml');
from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml',
'idp/shibboleth-idp/credentials/sp-signing.key', 'idp/shibboleth-idp/credentials/sp-signing.crt');
into outputDir
}
project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpFiles)
@ -58,6 +59,8 @@ testClusters.integTest {
setting 'xpack.security.authc.realms.saml.shibboleth.sp.acs', 'http://localhost:54321/saml/acs1'
setting 'xpack.security.authc.realms.saml.shibboleth.attributes.principal', 'uid'
setting 'xpack.security.authc.realms.saml.shibboleth.attributes.name', 'urn:oid:2.5.4.3'
setting 'xpack.security.authc.realms.saml.shibboleth.signing.key', 'sp-signing.key'
setting 'xpack.security.authc.realms.saml.shibboleth.signing.certificate', 'sp-signing.crt'
// SAML realm 2 (uses authorization_realms)
setting 'xpack.security.authc.realms.saml.shibboleth_native.order', '2'
setting 'xpack.security.authc.realms.saml.shibboleth_native.idp.entity_id', 'https://test.shibboleth.elastic.local/'
@ -66,6 +69,8 @@ testClusters.integTest {
setting 'xpack.security.authc.realms.saml.shibboleth_native.sp.acs', 'http://localhost:54321/saml/acs2'
setting 'xpack.security.authc.realms.saml.shibboleth_native.attributes.principal', 'uid'
setting 'xpack.security.authc.realms.saml.shibboleth_native.authorization_realms', 'native'
setting 'xpack.security.authc.realms.saml.shibboleth_native.signing.key', 'sp-signing.key'
setting 'xpack.security.authc.realms.saml.shibboleth_native.signing.certificate', 'sp-signing.crt'
// SAML realm 3 (used for negative tests with multiple realms)
setting 'xpack.security.authc.realms.saml.shibboleth_negative.order', '3'
setting 'xpack.security.authc.realms.saml.shibboleth_negative.idp.entity_id', 'https://test.shibboleth.elastic.local/'
@ -74,12 +79,16 @@ testClusters.integTest {
setting 'xpack.security.authc.realms.saml.shibboleth_negative.sp.acs', 'http://localhost:54321/saml/acs3'
setting 'xpack.security.authc.realms.saml.shibboleth_negative.attributes.principal', 'uid'
setting 'xpack.security.authc.realms.saml.shibboleth_negative.authorization_realms', 'native'
setting 'xpack.security.authc.realms.saml.shibboleth_negative.signing.key', 'sp-signing.key'
setting 'xpack.security.authc.realms.saml.shibboleth_negative.signing.certificate', 'sp-signing.crt'
setting 'xpack.security.authc.realms.native.native.order', '4'
setting 'xpack.ml.enabled', 'false'
setting 'logger.org.elasticsearch.xpack.security', 'TRACE'
extraConfigFile 'idp-metadata.xml', file(outputDir + "/idp-metadata.xml")
extraConfigFile 'sp-signing.key', file(outputDir + "/sp-signing.key")
extraConfigFile 'sp-signing.crt', file(outputDir + "/sp-signing.crt")
user username: "test_admin", password: 'x-pack-test-password'
}

View File

@ -156,7 +156,6 @@ public class SamlAuthenticationIT extends ESRestTestCase {
* <li>Uses that token to verify the user details</li>
* </ol>
*/
public void testLoginUserWithSamlRoleMapping() throws Exception {
// this realm name comes from the config in build.gradle
final Tuple<String, String> authTokens = loginViaSaml("shibboleth");

View File

@ -37,6 +37,7 @@ services:
volumes:
- ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf
- ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials
- ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata
- ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini
oidc-provider:

View File

@ -57,6 +57,7 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
# Sets the bean ID to use as a default security configuration set
#idp.security.config = shibboleth.DefaultSecurityConfiguration
@ -72,13 +73,13 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
# To pick only one set to one of:
# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
#idp.trust.certificates = shibboleth.ExplicitKeyX509TrustEngine
# To pick only one set to one of:
# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
# If true, encryption will happen whenever a key to use can be located, but
# failure to encrypt won't result in request failure.
#idp.encryption.optional = false
idp.encryption.optional = true
# Configuration of client- and server-side storage plugins
#idp.storage.cleanupInterval = PT10M

View File

@ -59,9 +59,11 @@
responsibility to ensure that the contents on disk are trustworthy.
-->
<!--
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-->
<!-- One metadada file per realm that we use in our elasticsearch/x-pack/qa/saml-idp-tests/build.gradle -->
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata.xml"/>
<MetadataProvider id="LocalMetadata2" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata2.xml"/>
<MetadataProvider id="LocalMetadata3" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata3.xml"/>
<!--

View File

@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTEx
MTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym42c5
E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+
uyVbpKDGjtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FU
vaxxd36mjwbsZCXIjkOsi+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOU
HSH/pnBFiXciU6bVHcZA3IRYnxzaTT2EQZEXyryfQuk3TWe9YvVusXs6kd9uW4x+
Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yOkGXqReesodPZYBC4OOaG
rZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1gewF6jlhBw
HEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a
9CTjq+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ
18iOCpmd0n/E6ZPyugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUN
KYyRhoxwkPRa9dzuogdDo41lz95xwikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbS
PQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl5KW1vL44+m0LnMAwHwYDVR0j
BBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99l
QJpPuJ8eFM/B2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVx
CHBC66K+oYydbuUgzR+WGrEhIkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmM
zSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8bQRaYnm6aV3kCb1Qv/Wadqk/7oeie
J16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28bM+uH/UOp6CTgODp
OYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik3z7T
M4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVu
C9pRcZXpVgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz
4wgyJjVe88Cld/4VhPj2JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnK
BOe4cVwR3qN0Hi7WqK8loakPVNnnpu7kGUvBKOeiKrXCBMgslffMbTw2ViTtEJo=
-----END CERTIFICATE-----

View File

@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCeNmv5oV+QsORg
lGd62oSAklrevH8sbiMW6wym42c5E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtL
Usjx6x4QcMEq/ODqBGvoJNZwomt+uyVbpKDGjtrXZowGnUXPz7hsM2yofRiDUIjT
sujrvFp/HqCRw/9K4Uw2x8EYL5FUvaxxd36mjwbsZCXIjkOsi+jW/bM9RWQd3KF3
8Ar0vIP/wYK/5s9U+KSuOP3KsSOUHSH/pnBFiXciU6bVHcZA3IRYnxzaTT2EQZEX
yryfQuk3TWe9YvVusXs6kd9uW4x+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94m
rLDtG+yOkGXqReesodPZYBC4OOaGrZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/U
cAVsANJqQUfFqe7pr1gewF6jlhBwHEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+M
QpckffdmvF4WHwGAJvRf4AXW+G3a9CTjq+E5I29+dWSvuMIIY/howKxQ9Q+IQhZY
GhTH/Y9vpdfOdwVZYBB18zAI2VqJ18iOCpmd0n/E6ZPyugCSlVZzSjSP+i/xz3c9
rJnLkZ5dsOVwloNlw9jaVc/InCUNKYyRhoxwkPRa9dzuogdDo41lz95xwikxDunT
SUEU9yNjfofmWpuQMz5kYHWPsFbSPQIDAQABAoICADdxLsldyZV0x7MojlK4/LHp
l7pyJ8a0GcvQNrDNA8E2pddNlblwShsuoNGA5UNkNxfeSYx+GNR6SdKNgil0kSaF
vMuJrm+TeRTyw8rYv/67Kk5BFK5AJWRSZUN0HaDDVAdmxe8NV2e88xXsnj7t1HCz
lOU/39intwODYKFPGgiuJx3kGBfaCz0Po0XyxLhUlxWv9f3EsV7dkB/tmIlG/qLD
d0Q0Z/eI4nzDL/y1spgW1XE3LCTSFVOMKOyJ8I2OOTqtF3lQk/wi1euWeh79Xaip
kW8GnKdbvqk5sSiFIGifrvuuwfa782vssOUrEvYNiKsoSaSJ9N82XSUEY0PUA0Mt
HzMbJHS1kGHBsDJ2u4s6CUYXkztaiLg1TCsXn13KVdhWF8flAddVWp7KPgWQqWkf
ymivfAMNtDmSUTjMbsAYyRm228JVMemNLsxh98lUnyxK9pjbzylygSTArm0yGA8S
RtPT4bAlmPHiNUeSL7GSXAXS71q9sfza3NRAwgUY2t9Y3dpwHn76ptxijBary/vj
CCjn8YBBCgdZ4TNUkzpHHzSmyXOGCdImsYpvHvOR0rlgnEPCti+JZhOjWJgOVD33
U8r6CMM+YoO5W5ukUr4g3sBasyoPFj3GV0Cp9J9i9QVK3Ruk2kbSa0yhTZzjprBx
GElDj1Qj74TycxwIQEupAoIBAQDRuIOt4Th3Ni0r8QdsT0h4Yj2MTq9cOIwYHiGT
ivFz6zaupxUbQSTPNeF97UtO+Jv0VHgjnfPQ8B52bruGnvHd5uEi5GPNTfEhPSCr
WCHM8YzIXoIF/tC6QscLwLcfwJsD6Di1wdaIXAnjt/hP4NxwxQgx7jJte9y9lCEq
eV30kASJgyZ+pk0ehLy1fyzVUiF31rfHVnhpKMeIjlubWv6IXjVOqEjJXaqVH2jr
A4hhyuXmkTgYxVwTd/IjLNwLZdrWZtgDZIWYHwplp1byAtqH+vdMFafEhIQ9puQ+
MWu4ByKc1smvlWILJ5NrG/MUajNWji7oCG13dx3m/uxSvFcTAoIBAQDBIB9LXJOU
B//fHjH7RiN1v3PqU9NBZt4hIPg72+kZrdfKHaTcVidaII65rovagP1ZdmKdpm3Q
DpxoDBiCN4urco22tb7wGGraPk3iQMHFoJrusqzqWDSYxFW5iH1HruyZpsbAsMJD
HH/c4RQO3YWuGAv/1TkVRZ9NAiukh7EofdBGzDVXnOVW6coxuhZmE0NERne66ifl
vFDC3Ubky137pBcUM+udJjPq4AbNerPTkSJ5toMHzpHnipj98+i8l5GYMgNom/O7
Y9Lh4AXDY2FAeCbMDEz0HdUboU6pmcTXWBEg8fV/3NMWMcYXl/GEKF3LRQVpKP+E
eKKXyEuI+8tvAoIBAQCn3hO42LAD7B+YLqQMdCHECo7NgiYnoTOyElw551uBt+Lb
Re5FFI3MNoq563j+S00582r+x23j7m/TyKreBNgBEM9gyIOCUEMUogNGY5MaorZX
pB5bgi29Cbqdk7KA/gCWzgimo/N+zn00A4wFFC4fLfdzUACZVi3IqYsqnl8wZR7c
m1fyxFayePk8JgHS9pzHed089+AF/JhKm/iDkABxU0dEILuyQwFJwAyRIRDHhksj
lVXbrg4Xn0j4Eu5HSU4zk7qQbKPqsd32pE2aBeK6OY49HpBdYt0fJDlJ9vEMKtnv
xJVHsED8QL9lWsflrWROghzVqflFSNlsjtzHFO51AoIBAQCubAqXj9ch3U+0/Zp6
rNAd6noQawDjkrqQBSztMyKGNMIuIzPgZFdKSRlejkx1XgZzJD7Qz51iSa/tMO95
vB0DDYT8PY1jX0oyLg89hur7SKBlcS5GwL9QMhKSbLlpYo0CAOSE55+r6TN6FDZ/
bobrw4Ai4TqbAbRsYsdz47GXNnpDVu/eXy+qnaAl5UGRk1gvc81zHURHcxslw5/h
x+LsATlu362u0vAU85xxPJ7pN62Ba9tP07tm+YBP7FiI7ANtB86YTjGFTxUJN8E8
xKbzCRFRPNLLr53nRHq9JsnnC/z8Wks13gUviGi2ql5Q0/xSN9Y5MfQEeseuehHu
eCs1AoIBAB7xSu5160Nf2Bc7bgPZC9HuJC6kzjmfb9MDLJkAHCyWxyu6s9T2Bgfg
k1CYpUxbDeegGHVuLE3uPgPhrJSQcwNxRGYepzHU+S785ROoSheaaQutvmUifmNB
30uNtw+cBHxCfpX86XC4tdBgRbgzdhfvdyX9wWxkO8drl11jI/aKmsrwg2+Zcf3t
ydwALh51eOyiCGDl957I0oHEMDxc/dmBQk2KhZkbxYCwSb0N2Q42eQi44o5FZRWA
bdl9qzMWmbWx6DwnznFjeOBJp7flh9c1xFn8q6ryzBDilUP0R+l1g7BiXrCfmaGB
RrUiXgUEGJ6fmJUv9GjuMOY0CRq07GA=
-----END PRIVATE KEY-----

View File

@ -0,0 +1,14 @@
Metadata for the SPs can be generated by using the saml realm configurations in
`elasticsearch/x-pack/qa/saml-idp-tests/build.gradle` in a
local elasticsearch installation and running:
[source, sh]
--------------------
bin/elasticsearch-saml-metadata -realm <thenameoftherealm>
--------------------
The XML file then needs to be copied to /idp/shibboleth-idp/metadata and referenced in the configuration ( `metadata-providers.xml`) as
```
<MetadataProvider id="someidhere" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/<thefilename>.xml"/>
```

View File

@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://mock1.http.elastic.local/">
<md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQELBQAwRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
UHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTExMTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMw
EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym
42c5E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+uyVbpKDG
jtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FUvaxxd36mjwbsZCXIjkOs
i+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOUHSH/pnBFiXciU6bVHcZA3IRYnxzaTT2E
QZEXyryfQuk3TWe9YvVusXs6kd9uW4x+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yO
kGXqReesodPZYBC4OOaGrZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1ge
wF6jlhBwHEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a9CTj
q+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ18iOCpmd0n/E6ZPy
ugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUNKYyRhoxwkPRa9dzuogdDo41lz95x
wikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbSPQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl
5KW1vL44+m0LnMAwHwYDVR0jBBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUw
AwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99lQJpPuJ8eFM/B
2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVxCHBC66K+oYydbuUgzR+WGrEh
IkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmMzSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8b
QRaYnm6aV3kCb1Qv/Wadqk/7oeieJ16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28
bM+uH/UOp6CTgODpOYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik
3z7TM4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVuC9pRcZXp
VgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz4wgyJjVe88Cld/4VhPj2
JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnKBOe4cVwR3qN0Hi7WqK8loakPVNnnpu7k
GUvBKOeiKrXCBMgslffMbTw2ViTtEJo=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:54321/saml/acs1" index="1" isDefault="true"/>
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en-US">elasticsearch</md:ServiceName>
<md:RequestedAttribute FriendlyName="name" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<md:RequestedAttribute FriendlyName="uid" Name="0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>

View File

@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="somethingwronghere">
<md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQELBQAwRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
UHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTExMTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMw
EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym
42c5E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+uyVbpKDG
jtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FUvaxxd36mjwbsZCXIjkOs
i+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOUHSH/pnBFiXciU6bVHcZA3IRYnxzaTT2E
QZEXyryfQuk3TWe9YvVusXs6kd9uW4x+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yO
kGXqReesodPZYBC4OOaGrZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1ge
wF6jlhBwHEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a9CTj
q+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ18iOCpmd0n/E6ZPy
ugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUNKYyRhoxwkPRa9dzuogdDo41lz95x
wikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbSPQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl
5KW1vL44+m0LnMAwHwYDVR0jBBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUw
AwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99lQJpPuJ8eFM/B
2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVxCHBC66K+oYydbuUgzR+WGrEh
IkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmMzSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8b
QRaYnm6aV3kCb1Qv/Wadqk/7oeieJ16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28
bM+uH/UOp6CTgODpOYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik
3z7TM4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVuC9pRcZXp
VgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz4wgyJjVe88Cld/4VhPj2
JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnKBOe4cVwR3qN0Hi7WqK8loakPVNnnpu7k
GUvBKOeiKrXCBMgslffMbTw2ViTtEJo=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:54321/saml/acs3" index="1" isDefault="true"/>
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en-US">elasticsearch</md:ServiceName>
<md:RequestedAttribute FriendlyName="uid" Name="0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>

View File

@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://mock2.http.elastic.local/">
<md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQELBQAwRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
UHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTExMTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMw
EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym
42c5E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+uyVbpKDG
jtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FUvaxxd36mjwbsZCXIjkOs
i+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOUHSH/pnBFiXciU6bVHcZA3IRYnxzaTT2E
QZEXyryfQuk3TWe9YvVusXs6kd9uW4x+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yO
kGXqReesodPZYBC4OOaGrZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1ge
wF6jlhBwHEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a9CTj
q+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ18iOCpmd0n/E6ZPy
ugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUNKYyRhoxwkPRa9dzuogdDo41lz95x
wikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbSPQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl
5KW1vL44+m0LnMAwHwYDVR0jBBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUw
AwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99lQJpPuJ8eFM/B
2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVxCHBC66K+oYydbuUgzR+WGrEh
IkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmMzSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8b
QRaYnm6aV3kCb1Qv/Wadqk/7oeieJ16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28
bM+uH/UOp6CTgODpOYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik
3z7TM4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVuC9pRcZXp
VgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz4wgyJjVe88Cld/4VhPj2
JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnKBOe4cVwR3qN0Hi7WqK8loakPVNnnpu7k
GUvBKOeiKrXCBMgslffMbTw2ViTtEJo=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:54321/saml/acs2" index="1" isDefault="true"/>
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en-US">elasticsearch</md:ServiceName>
<md:RequestedAttribute FriendlyName="uid" Name="0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>