SAML 1.1 help
Joseph Sinclair
plug-discussion at stcaz.net
Sat Dec 29 16:15:44 MST 2012
SAML 1.1 doesn't have good library support (you're correct that most libraries are 2.0).
I was really just referencing the XMLDSIG part, which is the hardest part to handle "correctly"
Looks like CPAN has a good module for just that : http://search.cpan.org/~byrne/XML-Sig-0.22/lib/XML/Sig.pm
That should get you past the signature verification so you can focus on the SAML assertion and associated protocol.
On 12/28/2012 07:56 PM, Kevin Brown wrote:
> The heart of the site that I'm maintaining and adding to is a mod_perl based system, so any perl modules are possible. I tried to find some on CPAN, but the few I read through were either not well documented or were meant for SAML 2.0 which seems to store stuff in different ways (still XML, but not the same structure). The client documentation says this is a SAML 1.1 implementation, not a SAML 2.0.
>> Sounds like you're trying to do the XMLDSIG[1] verification part of the SAML[2] authentication protocol.
>> Most languages and platforms have a library mechanism to do this as it's not as simple as computing the hash (the content is hashed in a particular form for consistency, and there are a few specific transformations required).
>>
>> What language and/or platform are you using?
>>
>> [1] XMLDSIG : http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
>> [2] SAML 2.0 : https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
>>
>> On 12/28/2012 02:48 PM, Kevin Brown wrote:
>>> So, new job... I've been tasked with implementing SSO using SAML 1.1. The
>>> client provided a document that gives an example of the Response object
>>> that will be forwarded into our site when a user goes to login. I'm trying
>>> to figure out how to validate the XML that I'm given so that I don't
>>> blindly trust that the document hasn't been modified in some way or just
>>> faked.
>>> I have the keys (DigestValue and SignatureValue), but when I try to do a
>>> sha1 of the xml (minus all the parts in the<Signature></Signature>
>>> section, the hash doesn't match.
>>> Does anyone have any experience with this that they might be able to point
>>> me in the right direction?
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20121229/a296e1f0/attachment.pgp>
More information about the PLUG-discuss
mailing list