SAML Bad Request Error

  • Problem
  • Updated 5 months ago
Hi,

I am in the process of creating a custom SAML IdP, and would like to support ShareFile as a Service Provider. I have configured ShareFile to use SSO and gave it the details of my IdP in Admin Settings -> Security -> Login & Security Policy.

I have tested receiving an AuthnRequest from ShareFile by accessing the link https://mydomain.sharefile.com/saml/login and have consumed the request in my application. I composed a response and sent it back in a POST to https://mydomain.sharefile.com/saml/acs.

However, ShareFile keeps responding with a blank page containing just the following JSON object:

{
    "StatusCode": 400,
    "Message": "Bad Request Error",
    "Details": null
}

As you can see, this is not very informative and does not help me identify what the issue is. Below is a sample response I am sending (of course, in my implementation this is deflated and base-64 encoded). I have omitted the certificate, digest and signature.

Any help would be appreciated.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="_1ab13bca-add4-47fa-81b0-0c6db0b7c203" InResponseTo="_9257b6e3b0724882958684d1b684f55a" IssueInstant="2018-04-13T14:25:27.102Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IDP_ENTITY_ID</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_50f9b8b4-f5fd-43d6-9b3b-e9250a53b95f" IssueInstant="2018-04-13T14:25:27.044Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer>IDP_ENTITY_ID</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_50f9b8b4-f5fd-43d6-9b3b-e9250a53b95f">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>DIGEST</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGNATURE</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@mydomain.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotBefore="2018-04-13T14:25:26.770Z" NotOnOrAfter="2019-04-13T14:25:26.770Z" Recipient="https://mydomain.sharefile.com/saml/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-04-13T14:25:26.770Z" NotOnOrAfter="2019-04-13T14:25:26.770Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://mydomain.sharefile.com/saml/info</saml2:Audience>
      </saml2:AudienceRestriction>
      <saml2:ProxyRestriction Count="0"/>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-04-13T14:25:26.794Z" SessionIndex="106">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">1</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string"/>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
Alan Ellul Pirotta

Posted 5 months ago
Ross Bender

I compared your SAML response with a working one for our Sharefile integration and have a few thoughts:
  1. I see you're sending a few extra attributes (uid and mail). I would hope this wouldn't be the cause of the error, but as far as I know, Sharefile only supports name ID.
  2. The user is already created in Sharefile with the same ID as the name ID, correct?
  3. Ensure the certificate you are sending in the SAML response is the same as the certificate you uploaded in the Sharefile admin GUI. This would be the IdP certificate.
  4. I see you have some extra semicolons at the ends of some of your lines; not sure if that is just an output thing or a copy/paste error, but if those are being sent in the actual response I'm guessing it would be treated as invalid XML.
  5. It looks like you are using the same URL for the audience as what Sharefile names the entity/issuer ID. You are using https://mydomain.sharefile.com/saml/info. We use just https://mydomain.sharefile.com.
Here's a full SAML response from our IdP, hopefully it will help in comparing to what you have.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://mycompany.sharefile.com/saml/acs" ID="_867963d14b71a91ad077731c566513da" InResponseTo="_219743f54aec4f88ac04fc1b6150ad14" IssueInstant="2018-04-13T16:08:51Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://auth.mycompany.org</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f7b8b8527ea51f28eff33882d8933e7" IssueInstant="2018-04-13T16:08:51Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://auth.mycompany.org</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_f7b8b8527ea51f28eff33882d8933e7">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>DIGEST</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGNATURE</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">myuser@mycompany.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_219743f54aec4f88ac04fc1b6150ad14" NotOnOrAfter="2018-04-13T16:13:51Z" Recipient="https://mycompany.sharefile.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-04-13T16:03:51Z" NotOnOrAfter="2018-04-13T16:13:51Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://mycompany.sharefile.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-04-13T16:08:51Z" SessionIndex="NSC_TMAA170bfba2a737e6dda6c2abe07e0c1c36">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
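As an added example (not ShareFile's code and not from either poster), this is what the SP side of the checklist above looks like in Python: it takes a response shaped like the working one and checks Destination, InResponseTo, Issuer, the embedded certificate against the configured IdP certificate (PEM armour stripped), the bearer Recipient and expiry, the Conditions window and the Audience, reporting each failure by name rather than a bare 400. The sample response, the entity IDs, the placeholder certificate and the fixed clock are constructed for the example; cryptographic verification of the XML signature is left to a real XML-DSig library.

```python
# Added example, not ShareFile's or the posters' code: the SP-side checks behind the
# checklist above. Signature cryptography is NOT verified here (use xmlsec or
# python3-saml); parse untrusted XML with defusedxml in production.
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _norm_cert(cert):
    """Strip PEM armour and whitespace so a PEM pasted into the admin GUI compares
    equal to the bare base64 body carried in <ds:X509Certificate>."""
    return re.sub(r"\s+", "", re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert))

def check_response(xml_text, *, acs_url, sp_entity_id, idp_entity_id, idp_cert,
                   request_id, now, max_window_s=3600):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        problems.append("Destination %r != ACS URL %r" % (dest, acs_url))
    if root.get("InResponseTo") != request_id:
        problems.append("Response InResponseTo != the AuthnRequest ID we issued")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion (EncryptedAssertion not handled)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append("Issuer %r != configured IdP entity ID %r" % (issuer, idp_entity_id))
    # Enveloped signature must reference the assertion's own ID and carry the IdP cert (item 3).
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        problems.append("assertion signature missing or not referencing the assertion ID")
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                              default="", namespaces=NS)
    if _norm_cert(cert) != _norm_cert(idp_cert):
        problems.append("signing certificate differs from the configured IdP certificate")
    # Bearer confirmation: right Recipient, bound to our request, not expired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']"
                         "/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient != ACS URL")
        if scd.get("InResponseTo") not in (None, request_id):
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        noa = scd.get("NotOnOrAfter")
        if noa is None or now >= _ts(noa):
            problems.append("bearer confirmation expired or lacks NotOnOrAfter")
    # Conditions (item 5): the Audience check stops an assertion minted for one SP
    # being replayed at another; a long window leaves replay open for that long.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("assertion not yet valid (NotBefore)")
        if noa and now >= _ts(noa):
            problems.append("assertion expired (NotOnOrAfter)")
        if nb and noa and (_ts(noa) - _ts(nb)).total_seconds() > max_window_s:
            problems.append("validity window longer than %ds" % max_window_s)
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("Audience %r lacks SP entity ID %r" % (audiences, sp_entity_id))
    return problems

# Constructed, unsigned sample modelled on the working response above (placeholders for cert/signature).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1"
 Destination="https://mycompany.sharefile.com/saml/acs" InResponseTo="_req1" IssueInstant="2018-04-13T16:08:51Z" Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.mycompany.org</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_assert1" IssueInstant="2018-04-13T16:08:51Z" Version="2.0">
  <saml:Issuer>https://auth.mycompany.org</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_assert1"/></ds:SignedInfo>
   <ds:SignatureValue>SIGNATURE</ds:SignatureValue>
   <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">myuser@mycompany.org</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_req1"
    NotOnOrAfter="2018-04-13T16:13:51Z" Recipient="https://mycompany.sharefile.com/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2018-04-13T16:03:51Z" NotOnOrAfter="2018-04-13T16:13:51Z"><saml:AudienceRestriction>
   <saml:Audience>https://mycompany.sharefile.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""
SP = dict(acs_url="https://mycompany.sharefile.com/saml/acs", sp_entity_id="https://mycompany.sharefile.com",
          idp_entity_id="https://auth.mycompany.org", request_id="_req1",
          idp_cert="-----BEGIN CERTIFICATE-----\nCERTIFICATE\n-----END CERTIFICATE-----\n")  # as pasted from a GUI
NOW_OK = datetime(2018, 4, 13, 16, 8, 55, tzinfo=timezone.utc)   # inside the window
NOW_LATE = datetime(2018, 4, 13, 16, 20, 0, tzinfo=timezone.utc)  # past NotOnOrAfter
```

With the constructed clock inside the window the function returns an empty list; moving the clock past NotOnOrAfter, swapping the Audience for https://mycompany.sharefile.com/saml/info, or configuring a different certificate each produce a named failure, which is exactly the detail a bare 400 hides. The one-hour ceiling on the validity window is this example's policy, not a SAML rule; the working response above uses ten minutes, and the year-long window in the original post would be flagged.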
Alan Ellul Pirotta

Thank you very much for your detailed reply :)

1. Tried with and without, same problem.
2. I tried this, same issue. However, doesn't this defeat the idea of SSO?
3. The certificate is identical, except of course in the response I do not have the START and END tags.
4. The XML should be valid. I checked against multiple online validators.
5. I wasn't sure of this but I already tried both versions. Same problem.

I should add that I am using a trial version. I don't know if maybe this limits the use of SAML.
Ross Bender

Regarding #2, Sharefile has a separate tool that can be used to sync and automatically provision users (Sharefile User Management Tool).

I agree with you, though. Other SAML integrations we use have built-in user-provisioning through SSO. As of now I have not heard that this is an option in Sharefile; rather, use UMT.
Alan Ellul Pirotta

Hi Ross,

Thanks again for the useful info. I have revised my response and made it such that it is identical in structure to your sample response. Still, I get the Bad Request error.

The only thing I cannot get rid of is the XML declaration tag in the beginning. Do you think this might cause an issue?
Alan Ellul Pirotta

Hi again,

Just to say that I have fixed this problem. It was a rookie mistake; I was deflating and base64 encoding the SAML response when I should have just base64 encoded it.

Thanks
Alan
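For anyone who lands here with the same 400, the following is an added example (not ShareFile's code and not from the thread) that makes the binding difference concrete: the HTTP-POST binding carries the SAMLResponse form field as base64 of the XML bytes exactly as they are, XML declaration included; only the HTTP-Redirect binding applies raw DEFLATE before base64 and URL-encoding. It also shows the SP-side decoder a practitioner would want, one that tells a correctly encoded field from a deflated-by-mistake one and caps the inflated size, since the Redirect binding hands the SP attacker-controlled compressed data. The sample message is constructed and unsigned.

```python
# Added example, not ShareFile's or the thread's code: how the two front-channel
# bindings package a SAML message, and a strict SP-side decoder that names the
# mistake from this thread (DEFLATE applied to the POST binding) instead of 400-ing.
import base64
import zlib
from urllib.parse import parse_qs, urlencode

MAX_INFLATED = 1 << 20  # cap inflated size: a short query string must not inflate to gigabytes

def _raw_deflate(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    return c.compress(data) + c.flush()

def _raw_inflate(data):
    d = zlib.decompressobj(-15)
    out = d.decompress(data, MAX_INFLATED)
    if d.unconsumed_tail:
        raise ValueError("inflated SAML message exceeds %d bytes" % MAX_INFLATED)
    return out

def encode_post_binding(xml_bytes):
    """HTTP-POST binding: the SAMLResponse form field is base64 of the XML bytes
    exactly as they are (XML declaration included); there is no compression step."""
    return base64.b64encode(xml_bytes).decode("ascii")

def encode_post_binding_wrong(xml_bytes):
    """The bug from the thread: deflate first, as if this were the Redirect binding."""
    return base64.b64encode(_raw_deflate(xml_bytes)).decode("ascii")

def encode_redirect_binding(xml_bytes, param="SAMLRequest", relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encoded query string."""
    params = {param: base64.b64encode(_raw_deflate(xml_bytes)).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)

def decode_redirect_query(query, param="SAMLRequest"):
    return _raw_inflate(base64.b64decode(parse_qs(query)[param][0]))

def _looks_like_xml(data):
    # Heuristic only; the XML parser has the final say. Tolerates a UTF-8 BOM.
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    try:
        return data.decode("utf-8").lstrip().startswith("<")
    except UnicodeDecodeError:
        return False

def classify_post_parameter(value):
    """'xml' for a correctly encoded POST-binding field, 'deflated-xml' for the
    mistaken encoding, 'unknown' for anything else."""
    raw = base64.b64decode("".join(value.split()), validate=True)  # tolerate line breaks
    if _looks_like_xml(raw):
        return "xml"
    try:
        if _looks_like_xml(_raw_inflate(raw)):
            return "deflated-xml"
    except (zlib.error, ValueError):
        pass
    return "unknown"

def decode_post_parameter(value):
    """Strict SP-side decode: accept only plain base64 XML and say why otherwise."""
    kind = classify_post_parameter(value)
    if kind != "xml":
        raise ValueError("POST binding expects base64 of the raw XML, got %s" % kind)
    return base64.b64decode("".join(value.split()))

# Constructed sample message (unsigned, no assertion) for the round trips.
SAMPLE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_r1" Version="2.0" IssueInstant="2018-04-13T14:25:27Z"><samlp:Status>'
              b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
              b'</samlp:Status></samlp:Response>')

if __name__ == "__main__":
    print(classify_post_parameter(encode_post_binding(SAMPLE_XML)))        # xml
    print(classify_post_parameter(encode_post_binding_wrong(SAMPLE_XML)))  # deflated-xml
    print(decode_redirect_query(encode_redirect_binding(SAMPLE_XML)) == SAMPLE_XML)  # True
```

The size cap matters on the receiving side: because the Redirect binding inflates whatever the browser hands over, a decoder that inflates without a limit can be made to allocate far more memory than the request cost to send.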