Monday, 26 February 2024

SAML IdP sends the response to the SP's ACS; base64-encoded response; Python base64 and UTF-8 (each character is 1-4 bytes); Python IdP

SAML IdP sends the response to the SP's ACS

The IdP responds with HTTP status 200 after the user logs in on the IdP page, returning an HTML page whose JavaScript posts the base64-encoded SAML response from the browser to the SP's ACS.

https://security.stackexchange.com/questions/264406/can-someone-please-clarify-about-how-the-saml-response-is-sent-back-from-idp-to

"

  1. The IdP returns a 200 HTTP response to the browser. The content is an HTML form with the SAML response encoded as a hidden form variable. Typically there's also some JavaScript to automatically submit the form so the user doesn't have to click a button etc. The result is an HTTP Post of the SAML response and other post data to the SP. In other words, the IdP doesn't send the SAML response directly to the SP. It's sent via the browser.

  2. HTTP-Redirect and HTTP-Post are the most commonly used SAML bindings (ie transports). Both see messages between the IdP and SP being sent via the browser. There is no direct IdP - SP communication with these bindings.

  3. The SAML authn request sent to the IdP can be sent using the HTTP-Redirect or HTTP-Post binding. If the HTTP-Post binding is used, it's exactly the same mechanism used by the IdP when it sends the SAML response.

For a more detailed explanation, refer to the "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0" specification."



sample HTML 

"<html>

  <body Onload="document.forms[0].submit()">
    <form method="POST" action="<%= request.getAttribute("wbsso_endpoint") %>">
      <input type="hidden" name="SAMLRequest" value="<%= request.getAttribute("SAMLRequest") %>">
      <% if (request.getAttribute("RelayState") != null) { %>
        <input type="hidden" name="RelayState" value="<%= request.getAttribute("RelayState") %>">
      <% } %>
    </form>
  </body>
</html>"

https://stackoverflow.com/questions/48700273/saml2-submitting-xml-samlrequest-value-in-a-form


# Django view: return the auto-submitting form page with status 200 (the form body is elided here)
return HttpResponse(content='<html><body onload="document.forms[0].submit()"><form method="POST">...</form></body></html>', content_type="text/html")


Base64

The SAML protocol uses base64 encoding when exchanging SAML messages. If you intercept a SAML message, base64 decoding turns it back into plain text (encoding is not encryption; confidentiality and integrity come from XML signatures and encryption, not from base64).

https://developers.onelogin.com/saml/online-tools/code-decode/base64#:~:text=SAML%20protocol%20uses%20the%20base64,plain%2Dtext%20through%20base64%20decoding.


Python's base64 encode takes bytes only, not str.


A string must first be converted to bytes (UTF-8: the encoding maps each character to a number and stores it in one or more 8-bit units).


https://www.ibm.com/docs/en/db2-for-zos/12?topic=unicode-utfs


UTF-8 is based on 8-bit code units. Each character is encoded as 1 to 4 bytes. The first 128 Unicode code points are encoded as 1 byte in UTF-8.


import base64

string_data = 'Hello, World!'

# base64 works on bytes, so encode the str to UTF-8 bytes first
byte_data = string_data.encode('utf-8')

# b64encode returns bytes containing only ASCII base64 characters
encoded_data = base64.b64encode(byte_data)

print(encoded_data)

# Output:
# b'SGVsbG8sIFdvcmxkIQ=='
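To tie the two halves of these notes together (the IdP's auto-submitting HTML-POST form and the base64/UTF-8 step), here is an added example in Python that is not from the original post or from the linked projects. It builds a constructed, unsigned stand-in for a SAML Response, base64-encodes it the way the snippet above does, renders the IdP's POST-binding form with every value HTML-escaped, and shows the SP-side ACS decoding with a strict base64 check and a Destination check. The XML, URLs, IDs and function names are all assumptions made for the example.

```python
import base64
import html
import xml.etree.ElementTree as ET

# Constructed, unsigned stand-in for a SAML Response (example data only;
# a real IdP emits a signed assertion).
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example_response_id" Version="2.0" '
    'Destination="https://sp.example.test/acs">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_example_assertion_id"><saml:Subject>'
    '<saml:NameID>alice@example.test</saml:NameID>'
    '</saml:Subject></saml:Assertion>'
    '</samlp:Response>'
)


def encode_saml_message(xml_text):
    """IdP side: base64 needs bytes, so the XML str is UTF-8 encoded first.
    b64encode returns ASCII bytes; decode them to str for use in HTML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def render_post_binding_form(acs_url, saml_response_b64, relay_state=None):
    """IdP side: the HTML the IdP returns with HTTP 200 after login.
    The browser auto-submits it to the SP's ACS (HTTP-POST binding).
    Every value is HTML-escaped so a crafted RelayState cannot break out
    of the attribute and inject markup into the IdP's page."""
    inputs = [
        '<input type="hidden" name="SAMLResponse" value="%s">'
        % html.escape(saml_response_b64, quote=True)
    ]
    if relay_state is not None:
        inputs.append(
            '<input type="hidden" name="RelayState" value="%s">'
            % html.escape(relay_state, quote=True)
        )
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form method="POST" action="%s">%s'
        '<noscript><input type="submit" value="Continue"></noscript>'
        '</form></body></html>'
        % (html.escape(acs_url, quote=True), "".join(inputs))
    )


def decode_saml_response(form_field, expected_destination):
    """SP side (ACS): strict base64 decode, UTF-8 decode, parse the XML and
    check that Destination names this ACS. Decoding is not verification:
    a real SP must still validate the XML signature, issuer, audience and
    time conditions before trusting anything in the document."""
    raw = base64.b64decode(form_field, validate=True)  # reject non-base64 input
    root = ET.fromstring(raw.decode("utf-8"))
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:protocol}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination does not match this ACS URL")
    return root


if __name__ == "__main__":
    b64 = encode_saml_message(SAMPLE_RESPONSE_XML)
    print(render_post_binding_form("https://sp.example.test/acs", b64, "/home"))
    print(decode_saml_response(b64, "https://sp.example.test/acs").get("ID"))
```

The Destination check is the SP-side counterpart of the form's action: a response minted for one ACS should not be accepted by another, and rejecting it before signature validation keeps the error path cheap.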




Python IdP server:


https://github.com/EmilJunker/python-saml-idp/blob/main/idp.py#L222

