SAML 1.1 help
Kevin Brown
kevinbrownbdc at gmail.com
Mon Dec 31 18:57:17 MST 2012
I understand the limitation from the Apache 1.0 stand, but since the
entire site depends on mod_perl, I can use any standard perl modules
that interface with perl 5.10 or 5.12. I can't use Tomcat or Java stuff
as that won't work well for handing off the session to the rest of the
entire system that has been built out for all the clients that we do have.
The long term plan is to move to Apache 2.0, but apparently something is
causing Apache to segfault when the codebase that runs this system is
brought up under Apache 2. I'm guessing a module is being copied over
that is using compiled code that depends on Apache 1 libraries, but I'm
not the server or data center admin, just a code monkey trying to make
my cogs fit the rest of the system.
> There is a reason the libraries don't exist. There is a reason why
> SSO tools and solutions don't exist to integrate with Apache 1.0.
> No-one would write limited outdated SSO code for a program running on
> Apache 1.0. It's so trivial to update to Apache2 where perl modules
> and other perl based SSO code modules include all the specifications
> inherent in the standards.
>
> I also would recommend something like Jasig's CAS:
> https://github.com/Jasig/cas/blob/master/INSTALL.txt
>
> But then I am a Systems Integrator/Systems Engineer/Security Analyst,
> supporting developers, so I often strip out limited "management
> directed (as opposed to technology directed) code".
>
> You said this was a NEW ROLE with a NEW COMPANY? I submit that this
> might also be a TEST? </joke>
> What will you recommend and how will you do it?
>
> A) A perl coding solution (read "hack")
> B) A SSO solution using open source project code with prerequisite
> for upgrade to Apache 2 (which I can do in 2 hours on a lab server
> [implemented with automation and package management "custom RPMBUILD"
> for multiple servers during roll-out = 5 minutes]) like Jasig SAML 2.0
> CAS server and plugins across all systems (but most importantly future
> systems).
> CAS also has a PHP client (which is in no way Apache2 perl module
> dependent) so you would not necessarily require updating Apache 1.
>
> But this example SAML 1.1 XML ticket request response validation
> attempt should let you know what the standard expects to see:
> https://wiki.jasig.org/display/CASUM/SAML+1.1
>
>
>
> On Sat, Dec 29, 2012 at 4:15 PM, Joseph Sinclair
> <plug-discussion at stcaz.net> wrote:
>
> SAML 1.1 doesn't have good library support (you're correct that
> most libraries are 2.0).
> I was really just referencing the XMLDSIG part, which is the
> hardest part to handle "correctly"
> Looks like CPAN has a good module for just that:
> http://search.cpan.org/~byrne/XML-Sig-0.22/lib/XML/Sig.pm
> That should get you past the signature verification so you can
> focus on the SAML assertion and associated protocol.
>
>
> On 12/28/2012 07:56 PM, Kevin Brown wrote:
> > The heart of the site that I'm maintaining and adding to is a
> > mod_perl based system, so any perl modules are possible. I tried
> > to find some on CPAN, but the few I read through were either not
> > well documented or were meant for SAML 2.0 which seems to store
> > stuff in different ways (still XML, but not the same structure).
> > The client documentation says this is a SAML 1.1 implementation,
> > not a SAML 2.0.
> >> Sounds like you're trying to do the XMLDSIG[1] verification
> >> part of the SAML[2] authentication protocol.
> >> Most languages and platforms have a library mechanism to do
> >> this as it's not as simple as computing the hash (the content is
> >> hashed in a particular form for consistency, and there are a few
> >> specific transformations required).
> >>
> >> What language and/or platform are you using?
> >>
> >> [1] XMLDSIG : http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
> >> [2] SAML 2.0 :
> >> https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
> >>
> >> On 12/28/2012 02:48 PM, Kevin Brown wrote:
> >>> So, new job... I've been tasked with implementing SSO using
> >>> SAML 1.1. The client provided a document that gives an example
> >>> of the Response object that will be forwarded into our site when
> >>> a user goes to login. I'm trying to figure out how to validate
> >>> the XML that I'm given so that I don't blindly trust that the
> >>> document hasn't been modified in some way or just faked.
> >>> I have the keys (DigestValue and SignatureValue), but when I
> >>> try to do a sha1 of the xml (minus all the parts in the
> >>> <Signature></Signature> section), the hash doesn't match.
> >>> Does anyone have any experience with this that they might be
> >>> able to point me in the right direction?
> >>>
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> it-clowns.com
> Chief Clown
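The quoted exchange above turns on one point: DigestValue is not a SHA-1 of the raw text with the `<Signature>` element cut out, and SignatureValue does not sign the document at all. The reference is first transformed (the enveloped-signature transform removes the `<Signature>` element, then the named canonicalization algorithm normalises quoting, attribute order, empty elements and namespace declarations), the result is hashed into DigestValue, and the signature is then computed over the canonicalized `<SignedInfo>` element, which carries that DigestValue. The following is an added example written for this page; it is not code from the thread, from XML::Sig or from CAS. It uses only the Python standard library (3.8 or later, for `ET.canonicalize`), so two substitutions are made and labelled: canonicalization is the stdlib's C14N 2.0 (`http://www.w3.org/2010/xml-c14n2`) rather than the exclusive C14N 1.0 a real SAML 1.1 issuer will name, and the SignatureMethod is XMLDSIG's `hmac-sha1` with a shared key rather than `rsa-sha1` with the IdP's certificate. The SAML 1.1 Response, the key and the subject are constructed. In production, use a library (the thread's XML::Sig, for instance) that implements exactly the algorithm URIs found in the document, verify against the IdP key you were given out of band, and confirm the Reference actually covers the element whose contents you go on to trust.

```python
"""Added example: how an enveloped XMLDSIG signature over a SAML 1.1
Response is digested and verified (stdlib only; constructed data)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SHA1 = DS + "sha1"
HMAC_SHA1 = DS + "hmac-sha1"                  # real XMLDSIG algorithm; stands in for rsa-sha1
ENVELOPED = DS + "enveloped-signature"
C14N2 = "http://www.w3.org/2010/xml-c14n2"   # the algorithm ET.canonicalize implements

for prefix, uri in (("ds", DS), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

def tag(local):
    return "{%s}%s" % (DS, local)

# Constructed, unsigned SAML 1.1 Response (not the client's document).
UNSIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="_resp1"
    IssueInstant="2012-12-28T21:48:00Z" MajorVersion="1" MinorVersion="1">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" Issuer="idp.example.com"
      IssueInstant="2012-12-28T21:48:00Z" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2012-12-28T21:47:00Z" NotOnOrAfter="2012-12-28T21:53:00Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2012-12-28T21:48:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>user@example.com</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

SHARED_KEY = b"constructed-demo-key"   # hypothetical; a real IdP signs with an RSA key

def canonical_bytes(elem):
    """Serialise elem and canonicalise it (C14N 2.0 here; a real document
    names its algorithm in <CanonicalizationMethod> and <Transform>)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def reference_digest(root):
    """Enveloped-signature transform, canonicalisation, SHA-1: the bytes
    that DigestValue actually commits to.  Works on a copy of the tree."""
    work = ET.fromstring(ET.tostring(root, encoding="unicode"))
    for sig in work.findall(tag("Signature")):
        work.remove(sig)
    return hashlib.sha1(canonical_bytes(work)).digest()

def sign(unsigned_xml, key):
    """Build <ds:Signature> for a whole-document reference (URI="")."""
    root = ET.fromstring(unsigned_xml)
    digest = reference_digest(root)
    sig = ET.Element(tag("Signature"))
    si = ET.SubElement(sig, tag("SignedInfo"))
    ET.SubElement(si, tag("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, tag("SignatureMethod"), Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, tag("Reference"), URI="")
    transforms = ET.SubElement(ref, tag("Transforms"))
    ET.SubElement(transforms, tag("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(transforms, tag("Transform"), Algorithm=C14N2)
    ET.SubElement(ref, tag("DigestMethod"), Algorithm=SHA1)
    ET.SubElement(ref, tag("DigestValue")).text = base64.b64encode(digest).decode()
    # The signature covers canonicalised SignedInfo, not the Response itself.
    mac = hmac.new(key, canonical_bytes(si), hashlib.sha1).digest()
    ET.SubElement(sig, tag("SignatureValue")).text = base64.b64encode(mac).decode()
    root.insert(0, sig)
    return ET.tostring(root, encoding="unicode")

def verify(signed_xml, key):
    """Return (digest_ok, signature_ok); accept only if both are True."""
    root = ET.fromstring(signed_xml)
    sigs = root.findall(tag("Signature"))
    if len(sigs) != 1:                       # exactly one enveloped signature expected
        return False, False
    sig = sigs[0]
    si = sig.find(tag("SignedInfo"))
    ref = si.find(tag("Reference"))
    if ref.get("URI") != "":                 # only the whole-document reference is handled
        return False, False
    claimed = base64.b64decode(ref.findtext(tag("DigestValue")))
    digest_ok = hmac.compare_digest(claimed, reference_digest(root))
    claimed_sig = base64.b64decode(sig.findtext(tag("SignatureValue")))
    expected_sig = hmac.new(key, canonical_bytes(si), hashlib.sha1).digest()
    return digest_ok, hmac.compare_digest(claimed_sig, expected_sig)

def naive_digest(signed_xml):
    """The approach from the thread: SHA-1 over the text with the
    <Signature> element sliced out.  Does not reproduce DigestValue."""
    start = signed_xml.index("<ds:Signature")
    end = signed_xml.index("</ds:Signature>") + len("</ds:Signature>")
    return hashlib.sha1((signed_xml[:start] + signed_xml[end:]).encode("utf-8")).digest()

def digest_value(signed_xml):
    """DigestValue as carried in the document, base64-decoded."""
    root = ET.fromstring(signed_xml)
    return base64.b64decode(root.findtext(".//" + tag("DigestValue")))

SIGNED_RESPONSE = sign(UNSIGNED_RESPONSE, SHARED_KEY)

if __name__ == "__main__":
    print("naive hash matches DigestValue:", naive_digest(SIGNED_RESPONSE) == digest_value(SIGNED_RESPONSE))
    print("verify(original):", verify(SIGNED_RESPONSE, SHARED_KEY))
    print("verify(tampered subject):", verify(SIGNED_RESPONSE.replace("user@", "admin@"), SHARED_KEY))
```

Running it shows the three facts a verifier has to hold on to: the naive hash never matches, a tampered subject fails the digest check while the signature over SignedInfo still verifies (so the digest check is not optional), and a wrong key fails the signature check while the digest still matches. The CPAN module named in the thread does this work for the real algorithms; what this example makes visible is the order of operations those libraries hide.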