Solved

Decipher SAML Response From ADFS Server using ColdFusion

Posted on 2014-09-18
Last Modified: 2014-09-29
I'm developing an SSO solution for a client.  Never worked with this technology before so it's a bit of a challenge but I'm getting there.  So far I've been able to configure the ADFS server to respond to my app's message.  This is the ColdFusion code I've used to create the authentication request:

<!--- IssueInstant must be UTC; Now() is server-local time, so convert it before appending the 'Z' --->
<CFSET UtcNow = DateConvert("local2Utc", Now())>
<CFSET MyDate = DateFormat(UtcNow, "yyyy-mm-dd") & 'T' & TimeFormat(UtcNow, "HH:nn:ss") & '.343Z'>
<CFSET MyID = 'kdls_testing_application' & RandRange(1, 100000)>

<CFOUTPUT><CFSAVECONTENT variable="TestXML1">
      <samlp:AuthnRequest IssueInstant="#MyDate#" ID="#MyID#" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/SDE</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="true"/>
      </samlp:AuthnRequest>
</CFSAVECONTENT></CFOUTPUT>

<!--- setup ColdFusion/Java bytearray variable (500 bytes is enough for this small request) --->
<CFSET emptyByteArray = createObject("java", "java.io.ByteArrayOutputStream").init().toByteArray()/>
<CFSET byteClass = emptyByteArray.getClass().getComponentType()/>
<CFSET output = createObject("java","java.lang.reflect.Array").newInstance(byteClass, 500)/>

<!--- perform raw Deflate (no zlib header, as the HTTP-Redirect binding requires), Base64 encode, and URL encode --->
<cfscript>
      saml_deflate = createObject("java", "java.util.zip.Deflater");
      saml_deflate.init(9,true);
      saml_deflate.setInput(TestXML1.getBytes("UTF-8"));
      saml_deflate.finish();
      compressedDataLength = saml_deflate.deflate(output);
      saml_deflate.end();
      // keep only the bytes Deflater actually wrote; the rest of the 500-byte buffer is zeros
      output = createObject("java", "java.util.Arrays").copyOf(output, compressedDataLength);
      data64 = toBase64(output,"UTF-8");
      data64url = urlencodedformat(data64);
</cfscript>

<!--- the ## variable only expands inside CFOUTPUT --->
<CFOUTPUT><A HREF="https://adfsproxy2010.sde.idaho.gov/adfs/ls/?SAMLRequest=#data64url#&RelayState=123456">Click Here to login</A></CFOUTPUT>

This code works.  I am able to send the encoded message on the URL to the ADFS server.  The server authenticates me and then sends back an encoded SAML response using an HTTP-POST.  What I need to do is decipher that message so I can extract the data contained inside it.  That is where I'm running into issues...


So far the code I've found on the web doesn't really work.  This is the snippet of code that seems to have the best chance of working:
<cfscript>
// Decode the query string from Base 64  
      Decoder = CreateObject("Java", "sun.misc.BASE64Decoder").init();
      SamlByte = Decoder.decodeBuffer(Form.SAMLResponse);

// Create Byte Array used for the inflation, the CF way  
      ByteClass = CreateObject("Java", "java.lang.Byte").TYPE;
      ByteArray = CreateObject("Java", "java.lang.reflect.Array").NewInstance(ByteClass, 1024);

// Create Byte Streams needed for inflation
      ByteIn   = CreateObject("Java", "java.io.ByteArrayInputStream").init(SamlByte);
      ByteOut  = CreateObject("Java", "java.io.ByteArrayOutputStream").init();

// Create Objects needed for inflation  
      Inflater = CreateObject("Java", "java.util.zip.Inflater").init(true);
      InflaterStream = CreateObject("Java", "java.util.zip.InflaterInputStream").init(ByteIn, Inflater);

// Complete the inflation  
      Count = InflaterStream.read(ByteArray);
      while (Count != -1) {
            ByteOut.write(ByteArray, 0, Count);
            Count = InflaterStream.read(ByteArray);
      }

// Finished with inflation  
      Inflater.end();
      InflaterStream.close();

// Convert SAML request back to a string  
      SamlString = CreateObject("Java", "java.lang.String").init(ByteOut.toByteArray());
</cfscript>  

When this code executes I get the following error message when "Count = InflaterStream.read(ByteArray);" executes:

oversubscribed dynamic bit lengths tree

I have no idea what that means, but I think it has something to do with the ByteArray containing a ton of 0's, but that is all.

Any suggestions on how to consume a SAML response would be appreciated!!!
0
Question by:Kurtis Leatham
 
LVL 52

Expert Comment

by:_agx_
ID: 40331445
The creation of the arrays looks a little off, but .. it works for me under CF10, using input:

  Form.SAMLResponse = data64;


- What version of CF?
- What is the actual value of Form.SAMLResponse when you get the error?
0
 

Author Comment

by:Kurtis Leatham
ID: 40331476
I'm not sure I understand what you mean by Form.SAMLResponse = base 64.

Using CF 10 developers edition.

After I do a URLDecode my response string looks like this...



Thanks for the help!!!  I'd pull my hair out over this but I don't have any!!!  :O
0
 
LVL 52

Expert Comment

by:_agx_
ID: 40331685
EDIT:

>> I'm not sure I understand what you mean by Form.SAMLResponse = base 64.

I used the 1st part of your code to compress and base64 encode the string ie:

      data64 = toBase64(output,"UTF-8");

Then used the 2nd part to confirm the code could successfully inflate that value.  I was also able to inflate it with this online tool

https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php

I tested several other xml samples which worked with both your code and the online tool, which makes me wonder if there's something wrong with the base64 string you posted above. (When I searched for that error message, a lot of threads suggested it means the string is bad/malformed.)  FWIW, I tested the string with the online tool and it didn't seem to work there either, which again supports the possibility that your code is correct - the input string is just malformed.
0
 

Author Comment

by:Kurtis Leatham
ID: 40333082
Can we take this from the top...   This is the string I get returned from the ADFS server without any URLDecoding...


This is the code I'm trying to get to work:

<cfscript>
// Decode the query string from Base 64  
      Decoder = CreateObject("Java", "sun.misc.BASE64Decoder").init();
      SamlByte = Decoder.decodeBuffer(Form.SAMLResponse);

// Create Byte Array used for the inflation, the CF way  
      ByteClass = CreateObject("Java", "java.lang.Byte").TYPE;
      ByteArray = CreateObject("Java", "java.lang.reflect.Array").NewInstance(ByteClass, 1024);

// Create Byte Streams needed for inflation
      ByteIn   = CreateObject("Java", "java.io.ByteArrayInputStream").init(SamlByte);
      ByteOut  = CreateObject("Java", "java.io.ByteArrayOutputStream").init();

// Create Objects needed for inflation  
      Inflater = CreateObject("Java", "java.util.zip.Inflater").init(true);
      InflaterStream = CreateObject("Java", "java.util.zip.InflaterInputStream").init(ByteIn, Inflater);

// Complete the inflation  
      Count = InflaterStream.read(ByteArray);
      while (Count != -1) {
            ByteOut.write(ByteArray, 0, Count);
            Count = InflaterStream.read(ByteArray);
      }

// Finished with inflation  
      Inflater.end();
      InflaterStream.close();

// Convert SAML request back to a string  
      SamlString = CreateObject("Java", "java.lang.String").init(ByteOut.toByteArray());
</cfscript>  


Are you saying this code works on your machine without modification to decode the string to this:

<samlp:Response ID="_b0f7c027-c699-45e1-a24d-aabc2f17eecf" Version="2.0" IssueInstant="2014-09-19T16:02:50.108Z" Destination="https://localhost/sde/login.cfm"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="kdls_testing_application25610" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfsproxy2010.sde.idaho.gov/adfs/services/trust</Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
      <Assertion ID="_b4c30228-13f1-4ec6-9383-cce376f7e996" IssueInstant="2014-09-19T16:02:50.108Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>http://adfsproxy2010.sde.idaho.gov/adfs/services/trust</Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                        <ds:Reference URI="#_b4c30228-13f1-4ec6-9383-cce376f7e996">
                              <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                              <ds:DigestValue>b93HujBtenGladjY9wmXY0HBIvBuxuElYzHf7uWWgtg=</ds:DigestValue>
                        </ds:Reference>
                  </ds:SignedInfo>
                  <ds:SignatureValue>owCPylB ETC...</ds:SignatureValue>
                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Data>
                              <ds:X509Certificate>MIIDdjCCA ETC...</ds:X509Certificate>
                        </ds:X509Data>
                  </KeyInfo>
            </ds:Signature>
            <Subject>
                  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <SubjectConfirmationData InResponseTo="kdls_testing_application25610" NotOnOrAfter="2014-09-19T16:07:50.108Z" Recipient="https://localhost/sde/login.cfm" />
                  </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2014-09-19T16:02:50.092Z" NotOnOrAfter="2014-09-19T17:02:50.092Z">
                  <AudienceRestriction><Audience>https://localhost/SDE</Audience></AudienceRestriction>
            </Conditions>
            <AttributeStatement>
                  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>staff</AttributeValue></Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust"
                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>kdl@komputerman.com</AttributeValue>
                  </Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>kdl@komputerman.com</AttributeValue>
                  </Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>Kurtis D. Leatham</AttributeValue>
                  </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2014-09-19T16:02:49.610Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement>
      </Assertion>
</samlp:Response>


This is the string as decrypted by the https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php site.  Been using that site for days now... Love it!!!

Anyway if the code works on your server without modification then there has to be a library issue... I think...  Thanks again for the help!
0
 
LVL 52

Expert Comment

by:_agx_
ID: 40341877
> This is the string I get returned from the ADFS server without any URLDecoding...
> PHNhbWxwOlJlc3BvbnNlIElEPSJfYjBmN2MwMj .....

Sorry, I think we were on different wavelengths. I meant the general code worked with several sample xml strings. You hadn't posted the actual string from the ADFS server yet. Now that I've tested that string, I'm getting the same error you did.

>> So far the code I've found on the web doesn't really work

I've tried a bunch of things, but no luck. IF that code actually *did* work at some point in time - something must have changed .. I'm just not sure what.  Sorry I couldn't be of more help.
0
 

Accepted Solution

by:
Kurtis Leatham earned 0 total points
ID: 40342131
Actually it was much easier than I thought...  I didn't need all of that happy java coding.  All I needed was these two CF statements:

<CFSET MyStr = ToString(ToBinary(Form.SAMLResponse))>
<CFSET MyXml = XMLParse(MyStr)>

The part I was missing was the XMLParse statement.  Turned out to be to EZ!!!
0
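Why the inflater failed and ToBinary alone worked: the HTTP-Redirect binding used for the AuthnRequest in the first post is raw DEFLATE then base64, while the HTTP-POST binding ADFS uses for the Response is base64 only. Below is an added Python example (not code from the thread, and not ColdFusion) showing both bindings plus the checks a relying party should make on the fields visible in the decoded response above before using any AttributeValue; the sample response, its `_r1`/`_a1` IDs and the function names are constructed.

```python
# Added example (not the thread's code): SAML bindings plus relying-party checks on the response.
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def encode_redirect(xml_bytes):  # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(z.compress(xml_bytes) + z.flush())

def decode_redirect(saml_request):
    return zlib.decompress(base64.b64decode(saml_request), -15)

def decode_post(saml_response):  # HTTP-POST binding: base64 only; inflating it gives the thread's error
    return base64.b64decode(saml_response)

def _ts(s):  # ADFS timestamps look like 2014-09-19T16:02:50.108Z (UTC)
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def validate_response(xml_bytes, request_id, audience, recipient, now):
    """Return the failed checks (empty list = acceptable). Signature verification is a separate step."""
    root, now, problems = ET.fromstring(xml_bytes), _ts(now), []
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    if root.tag != SAMLP + "Response" or code is None or code.get("Value") != SUCCESS:
        problems.append("not a successful samlp:Response")
    if root.get("InResponseTo") != request_id:  # must be an AuthnRequest ID we issued
        problems.append("InResponseTo does not match our AuthnRequest ID")
    a = root.find(SAML + "Assertion")
    cond = a.find(SAML + "Conditions") if a is not None else None
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion missing or outside its validity window")
    if cond is None or audience not in [e.text for e in cond.iter(SAML + "Audience")]:
        problems.append("audience restriction does not name us")
    scd = a.find(SAML + "Subject/" + SAML + "SubjectConfirmation/" + SAML + "SubjectConfirmationData") if a is not None else None
    if scd is None or scd.get("Recipient") != recipient or scd.get("InResponseTo") != request_id:
        problems.append("SubjectConfirmationData recipient/request mismatch")
    elif now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData expired")
    return problems

SAMPLE_XML = b"""<samlp:Response ID="_r1" InResponseTo="kdls_testing_application25610" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_a1" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData Recipient="https://localhost/sde/login.cfm" InResponseTo="kdls_testing_application25610" NotOnOrAfter="2014-09-19T16:07:50.108Z"/>
</SubjectConfirmation></Subject><Conditions NotBefore="2014-09-19T16:02:50.092Z" NotOnOrAfter="2014-09-19T17:02:50.092Z">
<AudienceRestriction><Audience>https://localhost/SDE</Audience></AudienceRestriction></Conditions></Assertion></samlp:Response>"""  # constructed sample, cut down from the thread's response (no signature)
```

None of these field checks mean anything until the ds:Signature over the Assertion has been verified against the IdP's known certificate, which this block does not do.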
 
LVL 52

Expert Comment

by:_agx_
ID: 40342219
Great! Glad you were able to work it out - and thanks for posting the answer for the next guy.
0
 

Author Closing Comment

by:Kurtis Leatham
ID: 40349532
Because it is exactly what I needed.
0
