SAML 1.1 help

Kevin Brown kevinbrownbdc at gmail.com
Mon Dec 31 18:41:07 MST 2012


Thank you. This module is what I was needing. Just needs some love to 
make it work with the XML that I'm going to be handed as it is expecting 
an id named ID to tell it where to start from in the XPath.
> SAML 1.1 doesn't have good library support (you're correct that most libraries are 2.0).
> I was really just referencing the XMLDSIG part, which is the hardest part to handle "correctly"
> Looks like CPAN has a good module for just that : http://search.cpan.org/~byrne/XML-Sig-0.22/lib/XML/Sig.pm
> That should get you past the signature verification so you can focus on the SAML assertion and associated protocol.
>
>
> On 12/28/2012 07:56 PM, Kevin Brown wrote:
>>   The heart of the site that I'm maintaining and adding to is a mod_perl based system, so any perl modules are possible. I tried to find some on CPAN, but the few I read through were either not well documented or were meant for SAML 2.0 which seems to store stuff in different ways (still XML, but not the same structure). The client documentation says this is a SAML 1.1 implementation, not a SAML 2.0.
>>> Sounds like you're trying to do the XMLDSIG[1] verification part of the SAML[2] authentication protocol.
>>> Most languages and platforms have a library mechanism to do this as it's not as simple as computing the hash (the content is hashed in a particular form for consistency, and there are a few specific transformations required).
>>>
>>> What language and/or platform are you using?
>>>
>>> [1] XMLDSIG : http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
>>> [2] SAML 2.0 : https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
>>>
>>> On 12/28/2012 02:48 PM, Kevin Brown wrote:
>>>> So, new job... I've been tasked with implementing SSO using SAML 1.1. The
>>>> client provided a document that gives an example of the Response object
>>>> that will be forwarded into our site when a user goes to login. I'm trying
>>>> to figure out how to validate the XML that I'm given so that I don't
>>>> blindly trust that the document hasn't been modified in some way or just
>>>> faked.
>>>> I have the keys (DigestValue and SignatureValue), but when I try to do a
>>>> sha1 of the xml (minus all the parts in the <Signature></Signature>
>>>> section), the hash doesn't match.
>>>> Does anyone have any experience with this that they might be able to point
>>>> me in the right direction?
>>>>
>>>>
>>>>
>>>>
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
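The reason a plain SHA-1 over the XML never matches, shown as an added example that is not code from this thread or from XML::Sig: XMLDSIG's DigestValue is taken over the canonicalized form of the referenced element with the enveloped <Signature> removed, so serialization details the signer never saw (attribute order, quote style) drop out. Python 3.8+ standard library only; its C14N 2.0 stands in for the exclusive C14N most SAML signers name, the assertion and its placeholder digest and signature values are constructed, and the Reference is assumed to point at the root element.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed SAML 1.1-style assertion with an enveloped signature; the digest
# and signature values are placeholders, not the output of a real IdP.
ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_a1" MajorVersion="1" MinorVersion="1">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_a1">
      <ds:DigestValue>DIGEST_PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>SIG_PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""

# Same assertion as another XML toolkit might emit it: attribute order and quote
# style differ, so the bytes differ although the signed content does not.
RESERIALIZED = ASSERTION.replace(
    b'AssertionID="_a1" MajorVersion="1" MinorVersion="1"',
    b"MinorVersion='1' AssertionID='_a1' MajorVersion='1'")

def naive_digest(doc: bytes) -> str:
    """What the opening post tried: SHA-1 over the raw bytes minus <Signature>."""
    stripped = re.sub(rb"<ds:Signature\b.*?</ds:Signature>", b"", doc, flags=re.S)
    return base64.b64encode(hashlib.sha1(stripped).digest()).decode()

def reference_digest(doc: bytes) -> str:
    """DigestValue per XMLDSIG: drop the enveloped <Signature>, canonicalize, SHA-1,
    base64. Stdlib C14N 2.0 stands in for the exc-c14n named in most SAML SignedInfo."""
    root = ET.fromstring(doc)
    ref = root.find(f"{DS}Signature/{DS}SignedInfo/{DS}Reference")
    # Demo assumption: Reference URI targets the root (an inner target needs only its subtree).
    if ref is None or ref.get("URI") != "#" + root.get("AssertionID", ""):
        raise ValueError("Reference URI does not point at the root element")
    canon = ET.canonicalize(doc, exclude_tags=[f"{DS}Signature"])
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode()

def digest_checks_out(doc: bytes) -> bool:
    """Digest check only; SignatureValue still needs a real XMLDSIG library and the IdP cert."""
    stored = ET.fromstring(doc).find(f".//{DS}DigestValue").text.strip()
    return reference_digest(doc) == stored

def fill_digest(doc: bytes) -> bytes:
    """Signer stand-in; since <Signature> is excluded from the digest, writing it in changes nothing."""
    return doc.replace(b"DIGEST_PLACEHOLDER", reference_digest(doc).encode())
```

Only the Reference digest is checked here; the SignatureValue over SignedInfo, which binds that digest to the IdP's key, still needs a full XMLDSIG implementation such as the XML::Sig module recommended above.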
