SAML2/Shibboleth SSO - Artemis Requests not signed, even though X509 Cert and Key are configured

[solen0id]

Hi Team,

We are currently testing Artemis at HU-Berlin using the docker-compose stack and we're having trouble setting up the SSO via SAML2/Shibboleth. The Artemis Requests appears not to be signed, even though we've configured an X509 certificate and key. Our Shibboleth Admin has configured the Artemis Instance, the config is available for inspection in the HU Berin IdP Metadata XML (https://shib-idp.cms.hu-berlin.de/shibboleth/HU-metadata-g2.xml).

On the Artemis/SP side, we've enabled the saml2 profile according to the documentation. Both the X509 Cert and Key are available in the artemis-app docker container at the provided path (I've checked from within the running container) and should have the proper permissions. Here is our saml2 config:

saml2:
    username-pattern: '{urn:oasis:names:tc:SAML:attribute:pairwise-id}'
    first-name-pattern: '{urn:oid:2.5.4.42}'
    last-name-pattern: '{urn:oid:2.5.4.4}'
    email-pattern: '{urn:oid:0.9.2342.19200300.100.1.3}'
    registration-number-pattern: '{urn:oasis:names:tc:SAML:attribute:pairwise-id}'
    lang-key-pattern: 'de'
    value-extraction-patterns:
    identity-providers:
        - metadata: https://shib-idp.cms.hu-berlin.de/shibboleth/HU-metadata-g2.xml
          registration-id: huberlin
          entity-id: https://artemis-gdp.app.informatik.hu-berlin.de/shibboleth
          cert-file: /opt/artemis/data/certs/artemis_cert.crt 
          key-file: /opt/artemis/data/certs/artemis_key.pem 

info.saml2:
    identity-provider-name: HU-Berlin
    button-label: 'HU-Berlin SSO Login'
    password-login-disabled: false
    enable-password: false

The cert and key file location and permissions are as follows:

artemis@f0723c7e6e94:/opt/artemis$ ls -la /opt/artemis/data/certs/
total 16
drwxr-xr-x 2 artemis artemis 4096 Oct 22 09:06 .
drwxr-xr-x 8 artemis artemis 4096 Oct 22 09:06 ..
-rw-r--r-- 1 artemis artemis 2423 Oct 22 09:06 artemis_cert.crt
-rw------- 1 artemis artemis 3272 Oct 22 09:06 artemis_key.pem

When performing a test SSO Login, our Shibboleth admin observes that the requests from Artemis are not signed:
ERROR [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:77] - SPSSODescriptor for entity ID 'https://artemis-gdp.app.informatik.hu-berlin.de/shibboleth' indicates AuthnRequests must be signed, but inbound message was not signed

Is there a configuration setting we are missing, or anything else we're doing incorrectly?

Thanks for your assistance!
Max

[dfuchss]

The configuration seems to be fine. Do you see anything in the log? We use a very similar configuration. What is the format for the certificates; I remember that only one format worked. Also: Which version of artemis are you using? We are currently using 7.5.6

[solen0id]

Just to confirm, with the registrationID set to huberlin in the saml2 config yaml, our AssertionConsumerService on the IdP side should look like this, correct?

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://artemis-gdp.app.informatik.hu-berlin.de/login/saml2/sso/huberlin" index="0"/>

[solen0id]

The full configuration on the IdP side is as follows (I've replaced the Cert Data for readability).
Could one of AuthnRequestsSigned="true" or WantAssertionsSigned="true" be a problem? I think they should both be true from a security perspective, but in the artemis docs example they are both set to false.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://artemis-gdp.app.informatik.hu-berlin.de/shibboleth">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<mdui:UIInfo>
<mdui:DisplayName xml:lang="de">Artemis - Grundlagen der Programmierung</mdui:DisplayName>
<mdui:DisplayName xml:lang="en">Artemis - Foundations of Programming</mdui:DisplayName>
<mdui:Description xml:lang="de">Interaktive Lernplattform für Programmierübungen</mdui:Description>
<mdui:Description xml:lang="en">Interactive Learning Platform for Programming Exercises</mdui:Description>
<mdui:Logo height="100" width="116">https://artemis-gdp.app.informatik.hu-berlin.de/public/images/logo.png</mdui:Logo>
</mdui:UIInfo>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>CERT DATA</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>CERT DATA</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://artemis-gdp.app.informatik.hu-berlin.de/login/saml2/sso/huberlin" index="0"/>
<md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="en">Artemis - Foundations of Programming</md:ServiceName>
<md:ServiceName xml:lang="de">Artemis - Grundlagen der Programmierung</md:ServiceName>
<md:ServiceDescription xml:lang="en">Interactive Learning Platform for Programming Exercises</md:ServiceDescription>
<md:ServiceDescription xml:lang="de">Interaktive Lernplattform für Programmierübungen</md:ServiceDescription>
<md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute FriendlyName="surname" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute FriendlyName="samlPairwiseID" Name="urn:oasis:names:tc:SAML:attribute:pairwise-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="de">HU Berlin</md:OrganizationName>
<md:OrganizationName xml:lang="en">HU Berlin</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="de">Humboldt-Universität zu Berlin</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="en">Humboldt-University Berlin</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="de">http://www.hu-berlin.de/</md:OrganizationURL>
<md:OrganizationURL xml:lang="en">http://www.hu-berlin.de/</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="administrative">
<md:GivenName>Heinrich</md:GivenName>
<md:SurName>Mellmann</md:SurName>
<md:EmailAddress>mailto:[email protected]</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="technical">
<md:GivenName>Heinrich</md:GivenName>
<md:SurName>Mellmann</md:SurName>
<md:EmailAddress>mailto:[email protected]</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>

[dfuchss]

The example is basically taken from our configuration 😂 but tbh. I had not much influence on it. It's probably part of the SAML2 implementation of spring boot. Your configuration looks good. Maybe the SAML2 component of spring security has to be updated.

You could test with something like this: https://github.com/kit-sdq/newslist ; here, we are using a newer implementation from spring boot (as far as I remember)

[dfuchss]

Also feel free to join the Slack group of artemis. This could ease communication :)

[solen0id]

For now, we'll be going with the self signup via email, in the long run it would be great to get the SSO working though!
I'll email Stephan Krusche for Slack access, thanks!