Monday Feb 25, 2008

LARES - Liberty-like AuthNResponse

LARES stands for Liberty-like AuthNResponse. It is the base64-encoded value of the SAML assertion that the Access Manager sends to the agent when CDSSO is enabled.

The Access Manager sends this as a hidden value in its response message, as shown below:

    <HTML>
    <BODY Onload="document.Response.submit()">
    <FORM NAME="Response" METHOD="POST" ACTION="http://hostname.singapore.sun.com:80/test.asp?sunwMethod=GET">
    <INPUT TYPE="HIDDEN" NAME="LARES" VALUE="PGxpYjpBdXRoblJlc3BvbnNlIHhtbG5zOmxpYj0iaHR0cDovL3Byb2plY3RsaWJlcnR5Lm9yZy9zY2hlbWFzL2NvcmUvMjAwMi8xMiIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpwcm90b2NvbCIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFJlc3BvbnNlSUQ9InM1MjU5NjZlNmUzODhlNDQ4Y2I4OGFiYjVkNzNjZDBmNmM5ZDg4YmFkIiAgSW5SZXNwb25zZVRvPSIyNzE0NSIgIE1ham9yVmVyc2lvbj0iMSIgIE1pbm9yVmVyc2lvbj0iMCIgIElzc3VlSW5zdGFudD0iMjAwOC0wMi0yNVQwMTozODoyNloiPjxzYW1scDpTdGF0dXM%2BCjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJzYW1scDpTdWNjZXNzIj4KPC9zYW1scDpTdGF0dXNDb2RlPgo8L3NhbWxwOlN0YXR1cz4KPHNhbWw6QXNzZXJ0aW9uICB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6YXNzZXJ0aW9uIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAgeG1sbnM6bGliPSJodHRwOi8vcHJvamVjdGxpYmVydHkub3JnL3NjaGVtYXMvY29yZS8yMDAyLzEyIiAgaWQ9InMyOTBkODYyN2ZiYmQ4OGU4OGIyMGZjMjE2NmNjODhjODI3MDE2OWZkMDEiIE1ham9yVmVyc2lvbj0iMSIgTWlub3JWZXJzaW9uPSIwIiBBc3NlcnRpb25JRD0iczI5MGQ4NjI3ZmJiZDg4ZTg4YjIwZmMyMTY2Y2M4OGM4MjcwMTY5ZmQwMSIgSXNzdWVyPSJodHRwOi8vdjEwMC1jLmF1cy5zdW4uY29tOjgwODAvYW1zZXJ2ZXIvY2Rjc2VydmxldCIgSXNzdWVJbnN0YW50PSIyMDA4LTAyLTI1VDAxOjM4OjI2WiIgSW5SZXNwb25zZVRvPSIyNzE0NSIgeHNpOnR5cGU9ImxpYjpBc3NlcnRpb25UeXBlIj4KPHNhbWw6Q29uZGl0aW9ucyAgTm90QmVmb3JlPSIyMDA4LTAyLTI1VDAxOjM4OjI2WiIgTm90T25PckFmdGVyPSIyMDA4LTAyLTI1VDAxOjM5OjI2WiIgPgo8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uQ29uZGl0aW9uPgo8c2FtbDpBdWRpZW5jZT5odHRwOi8vdjR1LTIyMHJhLXNpbjA2LnNpbmdhcG9yZS5zdW4uY29tOjgwL2FtYWdlbnQ8L3NhbWw6QXVkaWVuY2U%2BCjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uQ29uZGl0aW9uPgo8L3NhbWw6Q29uZGl0aW9ucz4KPHNhbWw6QXV0aGVudGljYXRpb25TdGF0ZW1lbnQgIEF1dGhlbnRpY2F0aW9uTWV0aG9kPSJMREFQIiBBdXRoZW50aWNhdGlvbkluc3RhbnQ9IjIwMDgtMDItMjVUMDE6Mzg6MjRaIiBSZWF1dGhlbnRpY2F0ZU9uT3JBZnRlcj0iMjAwOC0wMi0yNVQwMTozOToyNloiIHhzaTp0eXBlPSJsaWI6QXV0aGVudGljYXRpb25TdGF0ZW1lbnRUeXBlIj48c2FtbDpTdWJqZWN
0ICAgeHNpOnR5cGU9ImxpYjpTdWJqZWN0VHlwZSI%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%2BCjwvc2FtbDpTdWJqZWN0PjxzYW1sOlN1YmplY3RMb2NhbGl0eSAgSVBBZGRyZXNzPSIxMC4xNS4zLjE0NiIgRE5TQWRkcmVzcz0idjEwMC1jLmF1cy5zdW4uY29tIiAvPjxsaWI6QXV0aG5Db250ZXh0PjxsaWI6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BaHR0cDovL3d3dy5wcm9qZWN0bGliZXJ0eS5vcmcvc2NoZW1hcy9hdXRoY3R4L2NsYXNzZXMvUGFzc3dvcmQ8L2xpYjpBdXRobkNvbnRleHRDbGFzc1JlZj48bGliOkF1dGhuQ29udGV4dFN0YXRlbWVudFJlZj5odHRwOi8vd3d3LnByb2plY3RsaWJlcnR5Lm9yZy9zY2hlbWFzL2F1dGhjdHgvY2xhc3Nlcy9QYXNzd29yZDwvbGliOkF1dGhuQ29udGV4dFN0YXRlbWVudFJlZj48L2xpYjpBdXRobkNvbnRleHQ%2BPC9zYW1sOkF1dGhlbnRpY2F0aW9uU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24%2BCjxsaWI6UHJvdmlkZXJJRD5odHRwOi8vdjEwMC1jLmF1cy5zdW4uY29tOjgwODAvYW1zZXJ2ZXIvY2Rjc2VydmxldDwvbGliOlByb3ZpZGVySUQ%2BPC9saWI6QXV0aG5SZXNwb25zZT4K
    </FORM>
    </BODY>
    </HTML>

If you paste the value of the LARES parameter into a base64 decoder, it should decode to the actual SAML assertion sent by the Access Manager.
 

    <lib:AuthnResponse xmlns:lib="http://projectliberty.org/schemas/core/2002/12" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ResponseID="s525966e6e388e448cb88abb5d73cd0f6c9d88bad"  InResponseTo="27145"  MajorVersion="1"  MinorVersion="0"  IssueInstant="2008-02-25T01:38:26Z"><samlp:Status?
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="LDAP" AuthenticationInstant="2008-02-25T01:38:24Z" ReauthenticateOnOrAfter="2008-02-25T01:39:26Z" xsi:type="lib:AuthenticationStatementType"><saml:Subject xsi:type="lib:SubjectType"?
    </saml:Subject><saml:SubjectLocality IPAddress="10.15.3.146" DNSAddress="v100-c.aus.sun.com" /><lib:AuthnContext><lib:AuthnContextClassRef?�</saml:AuthenticationStatement></saml:Assertion?
    �</lib:AuthnResponse>
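
The posted form value contains `%2B`, a percent-encoded `+`, so it has to be percent-decoded before it is base64-decoded. The following is an added example, not code from the original post or from Access Manager: it decodes a LARES value and then checks the `saml:Conditions` validity window and audience, since decoding alone says nothing about whether the assertion should be accepted. The sample assertion, the `agent.example.com` audience and all function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import unquote

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample (not the post's assertion); agent.example.com is a placeholder.
SAMPLE_XML = (
    '<lib:AuthnResponse xmlns:lib="http://projectliberty.org/schemas/core/2002/12" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Assertion>'
    '<saml:Conditions NotBefore="2008-02-25T01:38:26Z" '
    'NotOnOrAfter="2008-02-25T01:39:26Z"><saml:AudienceRestrictionCondition>'
    '<saml:Audience>http://agent.example.com:80/amagent</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions>'
    '</saml:Assertion></lib:AuthnResponse>'
)
# Encode the way the form value appears in the post: base64 with '+' sent as %2B.
SAMPLE_LARES = base64.b64encode(SAMPLE_XML.encode()).decode().replace("+", "%2B")


def decode_lares(form_value: str) -> bytes:
    """Percent-decode first (%2B -> '+'), then base64-decode strictly."""
    return base64.b64decode(unquote(form_value), validate=True)


def parse_ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2008-02-25T01:38:26Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(xml_bytes: bytes, expected_audience: str, now: datetime) -> dict:
    """Report whether the assertion is inside its window and names this agent."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in assertion")
    cond = ET.fromstring(xml_bytes).find(".//saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("no saml:Conditions element")
    audiences = [(a.text or "").strip() for a in cond.iterfind(".//saml:Audience", SAML_NS)]
    start, end = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    return {
        "audiences": audiences,
        "in_window": start <= now < end,  # NotOnOrAfter is exclusive
        "audience_ok": expected_audience in audiences,
    }


if __name__ == "__main__":
    now = datetime(2008, 2, 25, 1, 38, 30, tzinfo=timezone.utc)
    print(check_conditions(decode_lares(SAMPLE_LARES), "http://agent.example.com:80/amagent", now))
```

With `validate=True`, a value that still contains `%2B` is rejected instead of being silently decoded into damaged XML.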


 

Here is a snapshot of the actual packet as seen in Ethereal. Choose View image and then zoom in to view the image correctly.


 

