There is a reason the libraries don't exist. There is a reason why SSO tools and solutions don't exist to integrate with Apache 1.0. No-one would write limited outdated SSO code for a program running on Apache 1.0. It's so trivial to update to Apache2 where perl modules and other perl based SSO code modules include all the specifications inherent in the standards. <div>
<br></div><div>I also would recommend something like Jasig's CAS: <a href="https://github.com/Jasig/cas/blob/master/INSTALL.txt">https://github.com/Jasig/cas/blob/master/INSTALL.txt</a></div><div><br></div><div>But then I am a Systems Integrator/Systems Engineer/Security Analyst, supporting developers, so I often strip out limited "management directed (as opposed to technology directed) code". </div>
<div><br></div><div>You said this was a NEW ROLE with a NEW COMPANY? I submit that this might also be a TEST? </joke> </div><div>What will you recommend and how will you do it?</div><div><br></div><div>A) A perl coding solution (read "hack") </div>
<div>B) A SSO solution using open source project code with prerequisite for upgrade to Apache 2 (which I can do in 2 hours on a lab server [implemented with automation and package management "custom RPMBUILD" for multiple servers during roll-out = 5 minutes]) like Jasig SAML 2.0 CAS server and plugins across all systems (but most importantly future systems).</div>
<div>CAS also has a PHP client (which is in no way Apache2 perl module dependent) so you would not necessarily require updating Apache 1.<br></div><div><br></div><div>But this example SAML 1.1 XML ticket request response validation attempt should let you know what the standard expects to see:</div>
<div><a href="https://wiki.jasig.org/display/CASUM/SAML+1.1">https://wiki.jasig.org/display/CASUM/SAML+1.1</a><br></div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Dec 29, 2012 at 4:15 PM, Joseph Sinclair <span dir="ltr"><<a href="mailto:plug-discussion@stcaz.net" target="_blank">plug-discussion@stcaz.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">SAML 1.1 doesn't have good library support (you're correct that most libraries are 2.0).<br>
I was really just referencing the XMLDSIG part, which is the hardest part to handle "correctly"<br>
Looks like CPAN has a good module for just that : <a href="http://search.cpan.org/~byrne/XML-Sig-0.22/lib/XML/Sig.pm" target="_blank">http://search.cpan.org/~byrne/XML-Sig-0.22/lib/XML/Sig.pm</a><br>
That should get you past the signature verification so you can focus on the SAML assertion and associated protocol.<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On 12/28/2012 07:56 PM, Kevin Brown wrote:<br>
> The heart of the site that I'm maintaining and adding to is a mod_perl based system, so any perl modules are possible. I tried to find some on CPAN, but the few I read through were either not well documented or were meant for SAML 2.0 which seems to store stuff in different ways (still XML, but not the same structure). The client documentation says this is a SAML 1.1 implementation, not a SAML 2.0.<br>
>> Sounds like you're trying to do the XMLDSIG[1] verification part of the SAML[2] authentication protocol.<br>
>> Most languages and platforms have a library mechanism to do this as it's not as simple as computing the hash (the content is hashed in a particular form for consistency, and there are a few specific transformations required).<br>
>><br>
>> What language and/or platform are you using?<br>
>><br>
>> [1] XMLDSIG : <a href="http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/" target="_blank">http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/</a><br>
>> [2] SAML 2.0 : <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security" target="_blank">https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security</a><br>
>><br>
>> On 12/28/2012 02:48 PM, Kevin Brown wrote:<br>
>>> So, new job... I've been tasked with implementing SSO using SAML 1.1. The<br>
>>> client provided a document that gives an example of the Response object<br>
>>> that will be forwarded into our site when a user goes to login. I'm trying<br>
>>> to figure out how to validate the XML that I'm given so that I don't<br>
>>> blindly trust that the document hasn't been modified in some way or just<br>
>>> faked.<br>
>>> I have the keys (DigestValue and SignatureValue), but when I try to do a<br>
>>> sha1 of the xml (minus all the parts in the<Signature></Signature><br>
>>> section, the hash doesn't match.<br>
>>> Does anyone have any experience with this that they might be able to point<br>
>>> me in the right direction?<br>
>>><br>
>>><br>
>>><br>
>>><br>
>>> ---------------------------------------------------<br>
>>> PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
>>> To subscribe, unsubscribe, or to change your mail settings:<br>
>>> <a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
>><br>
>><br>
>> ---------------------------------------------------<br>
>> PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
>> To subscribe, unsubscribe, or to change your mail settings:<br>
>> <a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
><br>
> ---------------------------------------------------<br>
> PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
> To subscribe, unsubscribe, or to change your mail settings:<br>
> <a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
><br>
<br>
</div></div><br>---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><br></div>
(503) 754-4452 Android<br>(623) 239-3392 Skype<br>(623) 688-3392 Google Voice<br>**<br><a href="http://it-clowns.com" target="_blank">it-clowns.com</a> <br>Chief Clown<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
</div>