
Decipher SAML Response From ADFS Server using ColdFusion

Posted on 2014-09-18
Last Modified: 2014-09-29
I'm developing an SSO solution for a client. I've never worked with this technology before, so it's a bit of a challenge, but I'm getting there. So far I've been able to configure the ADFS server to respond to my app's message. This is the ColdFusion code I've used to create the authentication request:

<!--- IssueInstant must be UTC (the trailing "Z"), so convert before formatting --->
<CFSET UtcNow = DateConvert("local2Utc", Now())>
<CFSET MyDate = DateFormat(UtcNow, "yyyy-mm-dd") & 'T' & TimeFormat(UtcNow, "HH:nn:ss") & '.343Z'>
<CFSET MyID = 'kdls_testing_application' & RandRange(1, 100000)>

<CFOUTPUT><CFSAVECONTENT variable="TestXML1">
      <samlp:AuthnRequest IssueInstant="#MyDate#" ID="#MyID#" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/SDE</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="true"/>
      </samlp:AuthnRequest>
</CFSAVECONTENT></CFOUTPUT>

<!--- setup ColdFusion/Java bytearray variable --->
<CFSET emptyByteArray = createObject("java", "java.io.ByteArrayOutputStream").init().toByteArray()/>
<CFSET byteClass = emptyByteArray.getClass().getComponentType()/>
<CFSET output = createObject("java","java.lang.reflect.Array").newInstance(byteClass, 500)/>

<!--- perform Deflate, Base64 encode, and URL encode --->
<cfscript>
      saml_deflate = createObject("java", "java.util.zip.Deflater");
      saml_deflate.init(9, true);   // nowrap=true: raw DEFLATE, which the HTTP-Redirect binding requires
      saml_deflate.setInput(TestXML1.getBytes("UTF-8"));
      saml_deflate.finish();
      compressedDataLength = saml_deflate.deflate(output);
      // only the bytes actually written belong in the message; the rest of the 500-byte buffer is zero padding
      compressed = createObject("java", "java.util.Arrays").copyOf(output, compressedDataLength);
      data64 = toBase64(compressed);
      data64url = urlencodedformat(data64);
</cfscript>

<A HREF="https://adfsproxy2010.sde.idaho.gov/adfs/ls/?SAMLRequest=#data64url#&RelayState=123456">Click Here to login</A>

This code works. I am able to send the encoded message on the URL to the ADFS server. The server authenticates me and then sends back an encoded SAML response using an HTTP-POST. What I need to do is decipher that message so I can extract the data contained inside the message. That is where I'm running into issues...


So far the code I've found on the web doesn't really work.  This is the snippet of code that seems to have the best chance of working:
<cfscript>
// Decode the query string from Base 64  
      Decoder = CreateObject("Java", "sun.misc.BASE64Decoder").init();
      SamlByte = Decoder.decodeBuffer(Form.SAMLResponse);

// Create Byte Array used for the inflation, the CF way  
      ByteClass = CreateObject("Java", "java.lang.Byte").TYPE;
      ByteArray = CreateObject("Java", "java.lang.reflect.Array").NewInstance(ByteClass, 1024);

// Create Byte Streams needed for inflation
      ByteIn   = CreateObject("Java", "java.io.ByteArrayInputStream").init(SamlByte);
      ByteOut  = CreateObject("Java", "java.io.ByteArrayOutputStream").init();

// Create Objects needed for inflation  
      Inflater = CreateObject("Java", "java.util.zip.Inflater").init(true);
      InflaterStream = CreateObject("Java", "java.util.zip.InflaterInputStream").init(ByteIn, Inflater);

// Complete the inflation  
      Count = InflaterStream.read(ByteArray);
      while (Count != -1) {
            ByteOut.write(ByteArray, 0, Count);
            Count = InflaterStream.read(ByteArray);
      }

// Finished with inflation  
      Inflater.end();
      InflaterStream.close();

// Convert SAML request back to a string  
      SamlString = CreateObject("Java", "java.lang.String").init(ByteOut.toByteArray());
</cfscript>  

When this code executes, I get the following error message at the point where the "Count = InflaterStream.read(ByteArray);" line executes: oversubscribed dynamic bit lengths tree

I have no idea what that means, but I think it has something to do with the ByteArray containing a ton of 0's, but that is all.

Any suggestions on how to consume a SAML response would be appreciated!!!
Question by:Kurtis Leatham

Expert Comment

by:_agx_
ID: 40331445
The creation of the arrays looks a little off, but it works for me under CF10, using input:

  Form.SAMLResponse = data64;


- What version of CF?
- What is the actual value of Form.SAMLResponse when you get the error?
Author Comment

by:Kurtis Leatham
ID: 40331476
I'm not sure I understand what you mean by Form.SAMLResponse = base 64.

Using CF 10 developers edition.

After I do a URLDecode my response string looks like this...

Thanks for the help!!!  I'd pull my hair out over this but I don't have any!!!  :O

Expert Comment

by:_agx_
ID: 40331685
EDIT:

>> I'm not sure I understand what you mean by Form.SAMLResponse = base 64.

I used the 1st part of your code to compress and base64 encode the string ie:

      data64 = toBase64(output,"UTF-8");

Then used the 2nd part to confirm the code could successfully inflate that value.  I was also able to inflate it with this online tool

https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php

I tested several other XML samples, which worked with both your code and the online tool, which makes me wonder if there's something wrong with the base64 string you posted above. (When I searched for that error message, a lot of threads suggested it means the string is bad/malformed.) FWIW, I tested the string with the online tool and it didn't seem to work there either, which again supports the possibility that your code is correct - the input string is just malformed.

Author Comment

by:Kurtis Leatham
ID: 40333082
Can we take this from the top...   This is the string I get returned from the ADFS server without any URLDecoding...

This is the code I'm trying to get to work:

<cfscript>
// Decode the query string from Base 64  
      Decoder = CreateObject("Java", "sun.misc.BASE64Decoder").init();
      SamlByte = Decoder.decodeBuffer(Form.SAMLResponse);

// Create Byte Array used for the inflation, the CF way  
      ByteClass = CreateObject("Java", "java.lang.Byte").TYPE;
      ByteArray = CreateObject("Java", "java.lang.reflect.Array").NewInstance(ByteClass, 1024);

// Create Byte Streams needed for inflation
      ByteIn   = CreateObject("Java", "java.io.ByteArrayInputStream").init(SamlByte);
      ByteOut  = CreateObject("Java", "java.io.ByteArrayOutputStream").init();

// Create Objects needed for inflation  
      Inflater = CreateObject("Java", "java.util.zip.Inflater").init(true);
      InflaterStream = CreateObject("Java", "java.util.zip.InflaterInputStream").init(ByteIn, Inflater);

// Complete the inflation  
      Count = InflaterStream.read(ByteArray);
      while (Count != -1) {
            ByteOut.write(ByteArray, 0, Count);
            Count = InflaterStream.read(ByteArray);
      }

// Finished with inflation  
      Inflater.end();
      InflaterStream.close();

// Convert SAML request back to a string  
      SamlString = CreateObject("Java", "java.lang.String").init(ByteOut.toByteArray());
</cfscript>  


Are you saying this code works on your machine without modification to decode the string to this:

<samlp:Response ID="_b0f7c027-c699-45e1-a24d-aabc2f17eecf" Version="2.0" IssueInstant="2014-09-19T16:02:50.108Z" Destination="https://localhost/sde/login.cfm"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="kdls_testing_application25610" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfsproxy2010.sde.idaho.gov/adfs/services/trust</Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
      <Assertion ID="_b4c30228-13f1-4ec6-9383-cce376f7e996" IssueInstant="2014-09-19T16:02:50.108Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>http://adfsproxy2010.sde.idaho.gov/adfs/services/trust</Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                        <ds:Reference URI="#_b4c30228-13f1-4ec6-9383-cce376f7e996">
                              <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                              <ds:DigestValue>b93HujBtenGladjY9wmXY0HBIvBuxuElYzHf7uWWgtg=</ds:DigestValue>
                        </ds:Reference>
                  </ds:SignedInfo>
                  <ds:SignatureValue>owCPylB ETC...</ds:SignatureValue>
                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Data>
                              <ds:X509Certificate>MIIDdjCCA ETC...</ds:X509Certificate>
                        </ds:X509Data>
                  </KeyInfo>
            </ds:Signature>
            <Subject>
                  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <SubjectConfirmationData InResponseTo="kdls_testing_application25610" NotOnOrAfter="2014-09-19T16:07:50.108Z" Recipient="https://localhost/sde/login.cfm" />
                  </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2014-09-19T16:02:50.092Z" NotOnOrAfter="2014-09-19T17:02:50.092Z">
                  <AudienceRestriction><Audience>https://localhost/SDE</Audience></AudienceRestriction>
            </Conditions>
            <AttributeStatement>
                  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>staff</AttributeValue></Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust"
                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>kdl@komputerman.com</AttributeValue>
                  </Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>kdl@komputerman.com</AttributeValue>
                  </Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>Kurtis D. Leatham</AttributeValue>
                  </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2014-09-19T16:02:49.610Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement>
      </Assertion>
</samlp:Response>


This is the string as decrypted by the https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php site. I've been using that site for days now... Love it!!!

Anyway, if the code works on your server without modification, then there has to be a library issue... I think... Thanks again for the help!

Expert Comment

by:_agx_
ID: 40341877
> This is the string I get returned from the ADFS server without any URLDecoding...
> PHNhbWxwOlJlc3BvbnNlIElEPSJfYjBmN2MwMj .....

Sorry, I think we were on different wavelengths. I meant the general code worked with several sample xml strings. You hadn't posted the actual string from the ADFS server yet. Now that I've tested that string, I'm getting the same error you did.

>> So far the code I've found on the web doesn't really work

I've tried a bunch of things, but no luck. IF that code actually *did* work at some point in time - something must have changed .. I'm just not sure what.  Sorry I couldn't be of more help.

Accepted Solution

by:Kurtis Leatham (earned 0 total points)
ID: 40342131
Actually it was much easier than I thought...  I didn't need all of that happy java coding.  All I needed was these two CF statements:

<CFSET MyStr = ToString(ToBinary(Form.SAMLResponse))>
<CFSET MyXml = XMLParse(MyStr)>

The part I was missing was the XMLParse statement. Turned out to be too EZ!!!
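The two-line fix works because the HTTP-POST binding delivers SAMLResponse as plain base64, whereas the HTTP-Redirect binding used for the AuthnRequest applies raw DEFLATE before base64, so running an inflater over a POSTed response is exactly what produced the zlib error above. The Python below is an added example, not code from this thread: it decodes both bindings and then applies the checks a service provider needs before trusting the attributes (InResponseTo against the request ID it issued, Status, the Conditions window, Audience, and SubjectConfirmationData), using a constructed response shaped like the one shown above; verifying the assertion's XML signature against the ADFS signing certificate is assumed to be done separately with an XML-DSig library.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64, as the AuthnRequest code above does."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode("utf-8")) + c.flush()).decode()

def decode_saml_message(encoded, binding):
    """HTTP-POST carries base64 only; inflating a POSTed SAMLResponse is what raised the thread's error."""
    raw = base64.b64decode(encoded)
    if binding == "redirect":
        raw = zlib.decompress(raw, wbits=-15)  # raw inflate, same as Java's Inflater(nowrap=True)
    return raw.decode("utf-8")

def saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, request_id, audience, recipient, now):
    """Reasons not to trust the response (empty == accept); XML-DSig verification is a separate, required step."""
    root, problems = ET.fromstring(xml_text), []
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion"]
    if a.find("ds:Signature", NS) is None:  # presence only; cryptographic verification still required
        problems.append("assertion is unsigned")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        problems.append("outside Conditions validity window")
    if audience not in [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("Audience does not name this service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != recipient or now >= saml_time(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData rejects this request, recipient or time")
    return problems

# Constructed sample shaped like the ADFS response shown in the thread (not the real one; signature element is a stub).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="kdls_testing_application25610">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<Assertion ID="_a1" Version="2.0"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<SubjectConfirmationData InResponseTo="kdls_testing_application25610" NotOnOrAfter="2014-09-19T16:07:50.108Z" Recipient="https://localhost/sde/login.cfm"/></SubjectConfirmation></Subject>'
    '<Conditions NotBefore="2014-09-19T16:02:50.092Z" NotOnOrAfter="2014-09-19T17:02:50.092Z"><AudienceRestriction><Audience>https://localhost/SDE</Audience></AudienceRestriction></Conditions></Assertion></samlp:Response>')
POSTED = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode()  # what Form.SAMLResponse would carry
```

Reject the response whenever check_response returns a non-empty list, and only read the AttributeStatement after that and the signature check both pass.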

Expert Comment

by:_agx_
ID: 40342219
Great! Glad you were able to work it out - and thanks for posting the answer for the next guy.

Author Closing Comment

by:Kurtis Leatham
ID: 40349532
Because it is exactly what I needed.