NetSnoopy
Apr 11, 2017
SAML token convert to JWT
Hello,
I created an iRule to convert a SAML token to a JWT (JSON Web Token). It works well, but I get a signature error. I tried many options and formats, but nothing works. I'm sure you can help me easily.
I have created a working access profile with SAML. The BIG-IP is the SP with an external IdP. Here is my iRule.
when ACCESS_ACL_ALLOWED {
    # HMAC-SHA256 secret
    set secret_key "secret"
    # get data from the SAML session (APM -> Manage Sessions -> Variables -> View)
    set user [ACCESS::session data get session.saml.last.nameIDValue]
    set sub [ACCESS::session data get session.saml.last.attr.name./EmployeeID]
    set nbf [ACCESS::session data get session.saml.last.validityNotBefore]
    set exp [ACCESS::session data get session.saml.last.validityNotOnOrAfter]
    set email [ACCESS::session data get session.saml.last.attr.name./identity/claims/emailaddress]
    set surname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/surname]
    set givenname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/givenname]
    set aud [ACCESS::session data get session.saml.last.assertionIssuer]
    set gpid [ACCESS::session data get session.saml.last.attr.name./GPID]
    # name of the cookie
    set cookie_name "xyz-JWT"
    # cookie header
    set cookie_header "[b64encode "{\r\n \"alg\": \"HS256\", \r\n \"typ\": \"JWT\"\r\n}"]"
    # cookie payload
    set cookie_payload "[b64encode "{\r\n \"user\": \"$user\",\r\n \"sub\": \"$sub\",\r\n \"nbf\": \"$nbf\",\r\n \"exp\": \"$exp\",\r\n \"email\": \"$email\",\r\n \"surname\": \"$surname\",\r\n \"givenname\": \"$givenname\",\r\n \"aud\": \"$aud\",\r\n \"gpid\": \"$gpid\"\r\n}"]"
    # cookie data for the signature
    set cookie_data [concat "[b64encode [URI::encode $cookie_header]].[b64encode [URI::encode $cookie_payload]]"]
    # test some other versions
    set cookie_data "[URI::encode [b64encode $cookie_header]]\".\"[URI::encode [b64encode $cookie_payload]]"
    set cookie_data "[URI::encode $cookie_header]\".\"[URI::encode $cookie_payload]]"
    set cookie_data $cookie_header"."$cookie_payload
    log local0. "cookie_data $cookie_data"
    # create signature
    set cookie_sig "[CRYPTO::sign -alg hmac-sha256 -key $secret_key $cookie_data]"
    # convert signature in some versions
    set cookie_sig_b64 "[b64encode $cookie_sig]"
    set cookie_sig_b64_url "[URI::encode $cookie_sig_b64]"
    set cookie_sig_url_b64 "[b64encode $cookie_sig_url]"
    log local0. "sig_b64= $cookie_sig_b64"
    log local0. "sig_b64_url= $cookie_sig_b64_url"
    log local0. "sig_url_b64= $cookie_sig_url_b64"
    # verify signature
    if { [CRYPTO::verify -alg hmac-sha256 -key $secret_key -signature $cookie_sig $cookie_data] } {
        log local0. "Data verified"
    }
    # create full JWT
    set cookie "$cookie_header.$cookie_payload.$cookie_sig_url_b64"
    HTTP::cookie insert name $cookie_name value $cookie
    log local0. "$cookie_name $cookie"
}
# send to client
when HTTP_RESPONSE {
    HTTP::cookie insert name $cookie_name value $cookie
}
If I verify the cookie with jwt.io (website), I always get a signature error. Everything else works. The JSON notation for the signature is
HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    secret
)
secret base64 encoded
I think I have a mistake in the format of cookie_data. In the version above you can see some of my tests. Can you help me?
Cheers, NetSnoopy
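As an added example (not part of the question and not F5 code), here is the HS256 signing input built the way the jwt.io formula above describes, in Python: each segment is base64url (RFC 4648 section 5: "-" and "_" instead of "+" and "/", no "=" padding), the HMAC runs over the ASCII string header.payload, and the verifier rejects any segment outside the base64url alphabet, which is what a plain base64 encoder such as the iRule's b64encode emits. The key value and all function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample key; the iRule in the question uses the literal "secret".
SECRET = b"secret"
B64URL_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    # RFC 7515 requires base64url (RFC 4648 section 5) with '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Re-add the padding that b64url() stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def standard_b64(data: bytes) -> str:
    # What a plain base64 encoder (like the iRule's b64encode) produces: '+', '/', '='.
    return base64.b64encode(data).decode("ascii")


def sign_hs256(header: dict, payload: dict, key: bytes, encode=b64url) -> str:
    # The signing input is exactly encode(header) "." encode(payload); the HMAC is
    # computed over that ASCII string, never over the raw JSON or a URI-encoded copy.
    segments = [encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)]
    signing_input = ".".join(segments)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + encode(mac)


def verify_hs256(token: str, key: bytes) -> bool:
    parts = token.split(".")
    # Three segments, each restricted to the base64url alphabet: standard base64
    # output must be rejected outright rather than repaired by the verifier.
    if len(parts) != 3 or not all(B64URL_SEGMENT.match(p) for p in parts):
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # the token must not choose the algorithm for the verifier
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(presented, expected)
```

Passing `encode=standard_b64` reproduces the padded, non-URL-safe segments a plain base64 encoder emits, and the verifier rejects that token even though the key is right.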