SAML 1.1 help

Lisa Kachold lisakachold at obnosis.com
Sat Dec 29 18:22:58 MST 2012


There is a reason the libraries don't exist.  There is a reason why SSO
tools and solutions don't exist to integrate with Apache 1.0.  No-one would
write limited outdated SSO code for a program running on Apache 1.0.   It's
so trivial to update to Apache2 where perl modules and other perl based SSO
code modules include all the specifications inherent in the standards.

I also would recommend something like Jasig's CAS:
https://github.com/Jasig/cas/blob/master/INSTALL.txt

But then I am a Systems Integrator/Systems Engineer/Security Analyst,
supporting developers, so I often strip out limited "management directed
(as opposed to technology directed) code".

You said this was a NEW ROLE with a NEW COMPANY?  I submit that this might
also be a TEST? </joke>
What will you recommend and how will you do it?

A)  A perl coding solution (read "hack")
B)  A SSO solution using open source project code with prerequisite for
upgrade to Apache 2 (which I can do in 2 hours on a lab server [implemented
with automation and package management "custom RPMBUILD" for multiple
servers during roll-out = 5 minutes]) like Jasig SAML 2.0 CAS server and
plugins across all systems (but most importantly future systems).
CAS also has a PHP client (which is in no way Apache2 perl module
dependent) so you would not necessarily require updating Apache 1.

But this example SAML 1.1 XML ticket request response validation attempt
should let you know what the standard expects to see:
https://wiki.jasig.org/display/CASUM/SAML+1.1



On Sat, Dec 29, 2012 at 4:15 PM, Joseph Sinclair
<plug-discussion at stcaz.net>wrote:

> SAML 1.1 doesn't have good library support (you're correct that most
> libraries are 2.0).
> I was really just referencing the XMLDSIG part, which is the hardest part
> to handle "correctly"
> Looks like CPAN has a good module for just that :
> http://search.cpan.org/~byrne/XML-Sig-0.22/lib/XML/Sig.pm
> That should get you past the signature verification so you can focus on
> the SAML assertion and associated protocol.
>
>
> On 12/28/2012 07:56 PM, Kevin Brown wrote:
> >  The heart of the site that I'm maintaining and adding to is a mod_perl
> based system, so any perl modules are possible. I tried to find some on
> CPAN, but the few I read through were either not well documented or were
> meant for SAML 2.0 which seems to store stuff in different ways (still XML,
> but not the same structure). The client documentation says this is a SAML
> 1.1 implementation, not a SAML 2.0.
> >> Sounds like you're trying to do the XMLDSIG[1] verification part of the
> SAML[2] authentication protocol.
> >> Most languages and platforms have a library mechanism to do this as
> it's not as simple as computing the hash (the content is hashed in a
> particular form for consistency, and there are a few specific
> transformations required).
> >>
> >> What language and/or platform are you using?
> >>
> >> [1] XMLDSIG : http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
> >> [2] SAML 2.0 :
> https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
> >>
> >> On 12/28/2012 02:48 PM, Kevin Brown wrote:
> >>> So, new job... I've been tasked with implementing SSO using SAML 1.1.
> The
> >>> client provided a document that gives an example of the Response object
> >>> that will be forwarded into our site when a user goes to login. I'm
> trying
> >>> to figure out how to validate the XML that I'm given so that I don't
> >>> blindly trust that the document hasn't been modified in some way or
> just
> >>> faked.
> >>> I have the keys (DigestValue and SignatureValue), but when I try to do
> a
> >>> sha1 of the xml (minus all the parts in the<Signature></Signature>
> >>> section, the hash doesn't match.
> >>> Does anyone have any experience with this that they might be able to
> point
> >>> me in the right direction?
> >>>
> >>>
> >>>
> >>>
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>
> >>
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>



-- 

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com
Chief Clown
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20121229/689282d0/attachment.html>


More information about the PLUG-discuss mailing list