Solved

Decipher SAML Response From ADFS Server using ColdFusion

Posted on 2014-09-18
Last Modified: 2014-09-29
I'm developing an SSO solution for a client.  Never worked with this technology before so it's a bit of a challenge, but I'm getting there.  So far I've been able to configure the ADFS server to respond to my app's message.  This is the ColdFusion code I've used to create the authentication request:

<CFSET MyDate = DateFormat(Now(), "yyyy-mm-dd") & 'T' & TimeFormat(Now(), "HH:nn:ss") & '.343Z'>
<CFSET MyID = 'kdls_testing_application' & RandRange(1, 100000)>

<CFOUTPUT><CFSAVECONTENT variable="TestXML1">
      <samlp:AuthnRequest IssueInstant="#MyDate#" ID="#MyID#" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/SDE</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="true"/>
      </samlp:AuthnRequest>
</CFSAVECONTENT></CFOUTPUT>

<!--- setup ColdFusion/Java bytearray variable --->
<CFSET emptyByteArray = createObject("java", "java.io.ByteArrayOutputStream").init().toByteArray()/>
<CFSET byteClass = emptyByteArray.getClass().getComponentType()/>
<CFSET output = createObject("java","java.lang.reflect.Array").newInstance(byteClass, 500)/>

<!--- perform Deflate, Base64 encode, and URL encode --->
<cfscript>
      saml_deflate = createObject("java", "java.util.zip.Deflater");
      saml_deflate.init(9,true);
      saml_deflate.setInput(TestXML1.getBytes("UTF-8"));
      saml_deflate.finish();
      compressedDataLength = saml_deflate.deflate(output);
      data64 = toBase64(output,"UTF-8");
      data64url = urlencodedformat(data64);
</cfscript>

<A HREF="https://adfsproxy2010.sde.idaho.gov/adfs/ls/?SAMLRequest=#data64url#&RelayState=123456">Click Here to login</A>

This code works.  I am able to send the encoded message on the URL to the ADFS server.  The server authenticates me and then sends back an encoded SAML response using an HTTP-POST.  What I need to do is decipher that message so I can extract the data contained inside the message.  That is where I'm running into issues...


So far the code I've found on the web doesn't really work.  This is the snippet of code that seems to have the best chance of working:
<cfscript>
// Decode the query string from Base 64  
      Decoder = CreateObject("Java", "sun.misc.BASE64Decoder").init();
      SamlByte = Decoder.decodeBuffer(Form.SAMLResponse);

// Create Byte Array used for the inflation, the CF way  
      ByteClass = CreateObject("Java", "java.lang.Byte").TYPE;
      ByteArray = CreateObject("Java", "java.lang.reflect.Array").NewInstance(ByteClass, 1024);

// Create Byte Streams needed for inflation
      ByteIn   = CreateObject("Java", "java.io.ByteArrayInputStream").init(SamlByte);
      ByteOut  = CreateObject("Java", "java.io.ByteArrayOutputStream").init();

// Create Objects needed for inflation  
      Inflater = CreateObject("Java", "java.util.zip.Inflater").init(true);
      InflaterStream = CreateObject("Java", "java.util.zip.InflaterInputStream").init(ByteIn, Inflater);

// Complete the inflation  
      Count = InflaterStream.read(ByteArray);
      while (Count != -1) {
            ByteOut.write(ByteArray, 0, Count);
            Count = InflaterStream.read(ByteArray);
      }

// Finished with inflation  
      Inflater.end();
      InflaterStream.close();

// Convert SAML request back to a string  
      SamlString = CreateObject("Java", "java.lang.String").init(ByteOut.toByteArray());
</cfscript>  

When this code executes I get the following error message when the "Count = InflaterStream.read(ByteArray);" line executes: oversubscribed dynamic bit lengths tree

I have no idea what that means, but I think it has something to do with the ByteArray containing a ton of 0's, but that is all.

Any suggestions on how to consume a SAML response would be appreciated!!!
Question by:Kurtis Leatham
8 Comments
 
LVL 52

Expert Comment

by:_agx_
ID: 40331445
The creation of the arrays looks a little off, but .. it works for me under CF10, using input:

  Form.SAMLResponse = data64;


- What version of CF?
- What is the actual value of Form.SAMLResponse when you get the error?

Author Comment

by:Kurtis Leatham
ID: 40331476
I'm not sure I understand what you mean by Form.SAMLResponse = base 64.

Using CF 10 developers edition.

After I do a URLDecode my response string looks like this...



Thanks for the help!!!  I'd pull my hair out over this but I don't have any!!!  :O
LVL 52

Expert Comment

by:_agx_
ID: 40331685
EDIT:

>> I'm not sure I understand what yo mean by Form.SAMLResponse = base 64.  

I used the 1st part of your code to compress and base64 encode the string ie:

      data64 = toBase64(output,"UTF-8");

Then used the 2nd part to confirm the code could successfully inflate that value.  I was also able to inflate it with this online tool

https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php

I tested several other xml samples which worked with both your code and the online tool... which makes me wonder if there's something wrong with the base64 string you posted above. (When I searched for that error message a lot of threads suggested it means the string is bad/malformed).  FWIW, I tested your string with the online tool and it didn't seem to work there either, which again supports the possibility that your code is correct - the input string is just malformed.

Author Comment

by:Kurtis Leatham
ID: 40333082
Can we take this from the top...   This is the string I get returned from the ADFS server without any URLDecoding...


This is the code I'm trying to get to work:

<cfscript>
// Decode the query string from Base 64  
      Decoder = CreateObject("Java", "sun.misc.BASE64Decoder").init();
      SamlByte = Decoder.decodeBuffer(Form.SAMLResponse);

// Create Byte Array used for the inflation, the CF way  
      ByteClass = CreateObject("Java", "java.lang.Byte").TYPE;
      ByteArray = CreateObject("Java", "java.lang.reflect.Array").NewInstance(ByteClass, 1024);

// Create Byte Streams needed for inflation
      ByteIn   = CreateObject("Java", "java.io.ByteArrayInputStream").init(SamlByte);
      ByteOut  = CreateObject("Java", "java.io.ByteArrayOutputStream").init();

// Create Objects needed for inflation  
      Inflater = CreateObject("Java", "java.util.zip.Inflater").init(true);
      InflaterStream = CreateObject("Java", "java.util.zip.InflaterInputStream").init(ByteIn, Inflater);

// Complete the inflation  
      Count = InflaterStream.read(ByteArray);
      while (Count != -1) {
            ByteOut.write(ByteArray, 0, Count);
            Count = InflaterStream.read(ByteArray);
      }

// Finished with inflation  
      Inflater.end();
      InflaterStream.close();

// Convert SAML request back to a string  
      SamlString = CreateObject("Java", "java.lang.String").init(ByteOut.toByteArray());
</cfscript>  


Are you saying this code works on your machine without modification to decode the string to this:

<samlp:Response ID="_b0f7c027-c699-45e1-a24d-aabc2f17eecf" Version="2.0" IssueInstant="2014-09-19T16:02:50.108Z" Destination="https://localhost/sde/login.cfm"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="kdls_testing_application25610" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfsproxy2010.sde.idaho.gov/adfs/services/trust</Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
      <Assertion ID="_b4c30228-13f1-4ec6-9383-cce376f7e996" IssueInstant="2014-09-19T16:02:50.108Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>http://adfsproxy2010.sde.idaho.gov/adfs/services/trust</Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                        <ds:Reference URI="#_b4c30228-13f1-4ec6-9383-cce376f7e996">
                              <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                              <ds:DigestValue>b93HujBtenGladjY9wmXY0HBIvBuxuElYzHf7uWWgtg=</ds:DigestValue>
                        </ds:Reference>
                  </ds:SignedInfo>
                  <ds:SignatureValue>owCPylB ETC...</ds:SignatureValue>
                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Data>
                              <ds:X509Certificate>MIIDdjCCA ETC...</ds:X509Certificate>
                        </ds:X509Data>
                  </KeyInfo>
            </ds:Signature>
            <Subject>
                  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <SubjectConfirmationData InResponseTo="kdls_testing_application25610" NotOnOrAfter="2014-09-19T16:07:50.108Z" Recipient="https://localhost/sde/login.cfm" />
                  </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2014-09-19T16:02:50.092Z" NotOnOrAfter="2014-09-19T17:02:50.092Z">
                  <AudienceRestriction><Audience>https://localhost/SDE</Audience></AudienceRestriction>
            </Conditions>
            <AttributeStatement>
                  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>staff</AttributeValue></Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust"
                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>kdl@komputerman.com</AttributeValue>
                  </Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>kdl@komputerman.com</AttributeValue>
                  </Attribute>
                  <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" a:OriginalIssuer="https://apps.sde.idaho.gov/Account/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                        <AttributeValue>Kurtis D. Leatham</AttributeValue>
                  </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2014-09-19T16:02:49.610Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement>
      </Assertion>
</samlp:Response>


This is the string as decrypted by the https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php site.  Been using that site for days now... Love it!!!

Anyway if the code works on your server without modification then there has to be a library issue... I think...  Thanks again for the help!
LVL 52

Expert Comment

by:_agx_
ID: 40341877
> This is the string I get returned from the ADFS server without any URLDecoding...
> PHNhbWxwOlJlc3BvbnNlIElEPSJfYjBmN2MwMj .....

Sorry, I think we were on different wavelengths. I meant the general code worked with several sample xml strings. You hadn't posted the actual string from the ADFS server yet. Now that I've tested that string, I'm getting the same error you did.

>> So far the code I've found on the web doesn't really work

I've tried a bunch of things, but no luck. IF that code actually *did* work at some point in time - something must have changed .. I'm just not sure what.  Sorry I couldn't be of more help.
Accepted Solution

by:Kurtis Leatham (earned 0 total points)
ID: 40342131
Actually it was much easier than I thought...  I didn't need all of that happy java coding.  All I needed was these two CF statements:

<CFSET MyStr = ToString(ToBinary(Form.SAMLResponse))>
<CFSET MyXml = XMLParse(MyStr)>

The part I was missing was the XMLParse statement.  Turned out to be too EZ!!!
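Why the inflater fails and what the relying party still has to check after the two CF statements above, as an added Python example (not code from this thread): the AuthnRequest in the question goes over the HTTP-Redirect binding, which DEFLATEs before base64, whereas ADFS returns the SAMLResponse over HTTP-POST, which is base64 only, so feeding that payload to a raw Inflater is exactly what produces the zlib error quoted in the question. The sample response is constructed from the decoded response posted earlier (placeholder IDs); encode_redirect, decode_redirect, check_response, attributes and parse_ts are my names; the Signature element is only checked for presence here, and real XML-DSig verification against the ADFS signing certificate must be added before any claim in the response is trusted.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample modelled on the decoded ADFS response posted in the thread; IDs are placeholders.
SAMPLE_RESPONSE = (
    '<samlp:Response ID="_r1" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<Assertion ID="_a1" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Subject>'
    '<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData '
    'InResponseTo="kdls_testing_application25610" NotOnOrAfter="2014-09-19T16:07:50.108Z" '
    'Recipient="https://localhost/sde/login.cfm"/></SubjectConfirmation></Subject>'
    '<Conditions NotBefore="2014-09-19T16:02:50.092Z" NotOnOrAfter="2014-09-19T17:02:50.092Z">'
    '<AudienceRestriction><Audience>https://localhost/SDE</Audience></AudienceRestriction></Conditions>'
    '<AttributeStatement><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">'
    '<AttributeValue>staff</AttributeValue></Attribute></AttributeStatement></Assertion></samlp:Response>'
)

def encode_redirect(xml_text):  # HTTP-Redirect binding (the AuthnRequest in the question)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header, like Deflater(9, true)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")

def decode_redirect(b64):  # inverse of encode_redirect; raises zlib.error if the payload was never deflated
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")

def parse_ts(s):  # SAML timestamps are UTC ISO-8601 with optional fractional seconds
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def check_response(xml_text, audience, recipient, request_id, now):
    """Reasons to reject a decoded HTTP-POST response; an empty list means these checks passed."""
    root = ET.fromstring(xml_text)  # production code should parse with external entity resolution disabled
    problems = []
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    a = root.find(SAML + "Assertion")
    if a is None: return problems + ["no assertion"]
    if a.find("{http://www.w3.org/2000/09/xmldsig#}Signature") is None:  # presence only; verify XML-DSig here
        problems.append("assertion is unsigned")
    cond = a.find(SAML + "Conditions")
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("outside Conditions validity window")
    if cond is not None and cond.findtext(SAML + "AudienceRestriction/" + SAML + "Audience") != audience:
        problems.append("audience mismatch")
    scd = a.find(SAML + "Subject/" + SAML + "SubjectConfirmation/" + SAML + "SubjectConfirmationData")
    if (scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != recipient
            or now >= parse_ts(scd.get("NotOnOrAfter"))):
        problems.append("SubjectConfirmationData does not match this request, recipient or time")
    return problems

def attributes(xml_text):  # claims as {Name: [values]}; trust them only after the checks and the signature pass
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text for v in a.iterfind(SAML + "AttributeValue")]
            for a in root.iterfind(".//" + SAML + "AttributeStatement/" + SAML + "Attribute")}
```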
LVL 52

Expert Comment

by:_agx_
ID: 40342219
Great! Glad you were able to work it out - and thanks for posting the answer for the next guy.
Author Closing Comment

by:Kurtis Leatham
ID: 40349532
Because it is exactly what I needed.