Felix Gaehtgens of Kuppinger Cole gives some in-depth info on OpenSSO Enterprise 8.0 (registration required).
Interesting post from James on the possibilities of Windows desktop systems being SAML identity providers (IdPs). Currently, a similar mechanism exists for desktop single sign-on from Windows (via SPNEGO, using Kerberos tokens, which, by the way, OpenSSO and Access Manager support directly, no IIS 'bounce' required), but this is limited to a single enterprise's AD infrastructure and can be pretty tricky to deploy. It's easy to imagine IE submitting SAML assertions to service providers at Internet scale in the way James describes. Microsoft seem to be reconsidering the case for supporting SAML 2.0, so they may even be receptive to something like this.
Where James does get things twisted (to use one of his favorite expressions) is in imagining that Sun and Oracle have much influence on our friends in Redmond. Microsoft's paying customers have MUCH more clout than their competitors/partners. I'd suggest, James, that you band together with your peers at enterprises such as GM and Boeing, who I know, from their participation in Concordia, have very similar desires. Heck, you could even roll up your sleeves and dive right in to Concordia - it's free, very enterprisey and Microsoft participate with open ears...
The inimitable Paul Madsen writes on the Fedlet today, wondering
Would the fedlet, once deployed by an SP, be reusable with other IDPs (than the one that created it initially) and thereby be considered a quick and easy way to SAML enable an SP? I bet not.
On the contrary, my dear Madsen, it could indeed be reused with other IdPs. The Fedlet is configured via SAML 2.0 metadata, saved to a directory on disk. The very first time you visit the Fedlet's deployment URI, it offers to save configuration to disk:
At this point, as explained on the screen, you can expand the Fedlet WAR manually and copy the files yourself, or let the Fedlet do it for you. In either case, you can edit the SAML 2.0 metadata to use any SAML 2.0 identity provider (or providers). OpenSSO even includes an 'unconfigured' Fedlet for doing this all completely manually.
So, yes, the Fedlet is a quick and easy way to SAML enable an SP!
UPDATE (5/22/08) - Paul. Says. It. Was. All. Down. To. Misplaced. Punctuation.
A somewhat bittersweet moment today as I sent this email to the OpenSSO lists:
Some time ago (October 2006), we released 'Lightbulb', a simple SAML 2.0 service provider/relying party implemented in PHP, as a proof-of-concept, to show that it was indeed possible to write a 'pure' (no custom modules required) SAML 2.0 implementation in PHP.
Later, Lightbulb became an OpenSSO Extension, and was used by Andreas Solberg at FEIDE as the inspiration for simpleSAMLphp - a much more complete SAML 2.0 implementation, again in PHP, but this time including identity provider functionality, Shibboleth 1.3 and more. Andreas has done a great job, devoting considerable time and effort to simpleSAMLphp, to the great benefit of the wider SAML 2.0 community. Over the months, simpleSAMLphp has become widely deployed in the academic community, to the extent that there are now events such as simpleSAMLphp workshops.
Consequently, we have decided to mark the OpenSSO SAML2/PHP Extension as 'deprecated' in favor of simpleSAMLphp. The old code will be left in place in CVS, but there is now a prominent README directing people to simpleSAMLphp.
Long live simpleSAMLphp!
Kind of like seeing one of your kids moving out of the family home and starting their own life, I guess...
I just noticed that the video for my Javapolis '07 presentation on SAML 2.0 has gone online at Parleys.com, the BeJUG e-learning site.
Watch and enjoy, and count the number of times I say "um..."
UPDATE 1 (Feb 11 2008) - the link to the video at Parleys appears to be down. I've emailed the Parleys people.
UPDATE 2 (Feb 11 2008) - Stephan says that, somehow, the staging area became visible. Bookmark that link, though - it should be live tomorrow (Feb 12 2008).
UPDATE 3 (Feb 12 2008) - The video is back online. Thanks, Stephen, and the rest of the Parleys.com crew!
As you might have just read, Liberty Alliance recently completed its first 'full matrix' SAML 2.0 interoperability test. Not only was Sun amongst the successful participants with its upcoming Federated Access Manager 8.0 product, we were the only participant to successfully test every conformance mode. Daniel, of course, beat me to the punch on this one, though I like to think my entry is laid out a little more neatly.
I'll also take this opportunity to point out that, although Federated Access Manager 8.0 is scheduled for release next year, you can get the code and binaries right now via the OpenSSO project - in fact, we just released 'build 2' of OpenSSO v1, which includes the tested code.
OK - one more post in this jetlag-fuelled blogging frenzy...
Here are the slides from my JavaPolis 2007 sessions:
Many thanks to the JavaPolis organizers, in particular Frank Cornelis, for inviting me to speak and making me so welcome at JavaPolis. It was a pleasure and a privilege.
Back in February, Marina Sum and I co-wrote an article on the OpenSSO SAML 2.0 PHP Extension, or Lightbulb, as it was then known. The sequel to that article, Single Logout: A Demo, just went live at Sun Developer Network: Marina and I provide an update on Project Lightbulb's evolution into an OpenSSO Extension as well as a look at circles of trust and single logout in SAML 2.0. As before, we look at a simple example message flow, then delve down into the PHP code to see how it all works. Click here for the article.
You might be aware of the SAML 2.0 HTTP-SimpleSign binding from blog posts by Jeff Hodges (co-author of the spec, with Scott Cantor) and George Fletcher. Put simply, HTTP-SimpleSign offers a simpler way to sign SAML 2.0 data: the XML and other text data to be sent to the service provider are signed verbatim, with no canonicalization step at all. It works quite neatly, since the XML is base64 encoded and sent from the identity provider to the service provider via browser POST, so there are no intermediaries who might benignly munge it about and cause signature verification to fail.
George's report of AOL's HTTP-SimpleSign implementation prompted me to go add it to OpenSSO's SAML 2.0/PHP Extension (formerly known as 'Lightbulb'). It took about an hour, all told, since the main difference from the traditional HTTP POST signature verification:
function checkXMLSignature($token) {
    $objXMLSecDSig = new XMLSecurityDSig();
    $objXMLSecDSig->idKeys[] = 'ID';
    /* Find the ds:Signature element in the response DOM */
    $objDSig = $objXMLSecDSig->locateSignature($token);
    if (!$objDSig) {
        throw new Exception("Cannot locate Signature Node");
    }
    /* Must check certificate fingerprint now - validateReference removes it
       (validateCertFingerprint is a helper elsewhere in the extension) */
    if (!validateCertFingerprint($token)) {
        throw new Exception("Fingerprint Validation Failed");
    }
    /* Canonicalize the signed info, then check the digest of each Reference */
    $objXMLSecDSig->canonicalizeSignedInfo();
    if (!$objXMLSecDSig->validateReference()) {
        throw new Exception("SAML Validation Failed");
    }
    /* Load the verification key from ds:KeyInfo */
    $objKey = $objXMLSecDSig->locateKey();
    if ($objKey) {
        if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig)) {
            /* Handle any additional key processing such as encrypted keys here */
        }
    }
    if (empty($objKey)) {
        throw new Exception("Error loading key to handle Signature");
    }
    /* Finally, verify the signature value over the canonicalized SignedInfo */
    return ($objXMLSecDSig->verify($objKey) == 1);
}
is to just verify the signature directly on the SAML XML text and other parameters:
function checkSimpleSignature($params, $cert) {
    /* Only RSA-SHA1 is supported here; reject anything else before decoding */
    $sigAlg = $params['SigAlg'];
    if (strcmp($sigAlg, XMLSecurityKey::RSA_SHA1) != 0) {
        throw new Exception("Signature algorithm " . $sigAlg . " is not supported");
    }
    /* SimpleSign signs the decoded XML, not the base64 form carried in the POST */
    $samlResponse = base64_decode($params['SAMLResponse']);
    $signature = base64_decode($params['Signature']);
    /* RelayState is optional, and is only part of the signed string when present */
    if (isset($params['RelayState'])) {
        $signedData = "SAMLResponse=" . $samlResponse . "&RelayState=" . $params['RelayState'] . "&SigAlg=" . $sigAlg;
    } else {
        $signedData = "SAMLResponse=" . $samlResponse . "&SigAlg=" . $sigAlg;
    }
    /* openssl_verify defaults to SHA1, which matches RSA_SHA1 */
    return (openssl_verify($signedData, $signature, $cert) == 1);
}
The difference in complexity may not look substantial, due to the excellent XML Signature support from Rob Richards' XML Security library, but it's a huge difference if you're implementing from scratch.
I've done some informal testing and everything seems to check out. If you are working with HTTP-SimpleSign on the IdP end, please do grab the SAML2.0/PHP code, check it against your implementation and report back.
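To make the SimpleSign rule concrete, here are both sides of the exchange in Ruby (an added example, not code from the SAML2/PHP extension or from saml2ruby): the IdP side builds the signed string and signs it, the SP side recomposes it and verifies, going slightly beyond the PHP above by also accepting RSA-SHA256. The key, sample Response and URLs are all constructed for the example.

```ruby
require 'openssl'
# SigAlg identifiers mapped to the RSA digest. The PHP code above accepts only
# RSA-SHA1; RSA-SHA256 (RFC 4051) is added here as a generalization.
SIG_ALGS = { 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' => 'SHA1',
             'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => 'SHA256' }.freeze

# The exact octets a SimpleSign signature covers: the *decoded* XML message,
# RelayState only when present, then SigAlg, joined with '&'.
def simplesign_data(xml, relay_state, sig_alg)
  parts = ["SAMLResponse=#{xml}"]
  parts << "RelayState=#{relay_state}" unless relay_state.nil?
  parts << "SigAlg=#{sig_alg}"
  parts.join('&')
end

# IdP side (constructed for this example): produce the POST form fields.
def simplesign_params(private_key, xml, sig_alg, relay_state = nil)
  digest = OpenSSL::Digest.new(SIG_ALGS.fetch(sig_alg))
  sig = private_key.sign(digest, simplesign_data(xml, relay_state, sig_alg))
  params = { 'SAMLResponse' => [xml].pack('m0'), 'SigAlg' => sig_alg,
             'Signature' => [sig].pack('m0') }
  params['RelayState'] = relay_state unless relay_state.nil?
  params
end

# SP side, mirroring checkSimpleSignature: refuse unknown algorithms, then verify
# over the recomposed string, so any change to XML, RelayState or SigAlg fails.
def check_simple_signature(params, public_key)
  digest_name = SIG_ALGS[params['SigAlg']]
  return false if digest_name.nil? || params['SAMLResponse'].nil? || params['Signature'].nil?
  xml = params['SAMLResponse'].unpack1('m')
  sig = params['Signature'].unpack1('m')
  data = simplesign_data(xml, params['RelayState'], params['SigAlg'])
  public_key.verify(OpenSSL::Digest.new(digest_name), sig, data)
end

# Constructed sample: a throwaway IdP key and a minimal stand-in for a Response.
IDP_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_XML = '<samlp:Response ID="_constructed" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'

# Happy path, tampered RelayState, no-RelayState form, RelayState injected after signing.
def demo(sig_alg = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1')
  pub = IDP_KEY.public_key
  with_rs = simplesign_params(IDP_KEY, SAMPLE_XML, sig_alg, 'https://sp.example/return')
  without_rs = simplesign_params(IDP_KEY, SAMPLE_XML, sig_alg)
  { valid: check_simple_signature(with_rs, pub),
    relay_tampered: check_simple_signature(with_rs.merge('RelayState' => 'https://sp.example/other'), pub),
    no_relay_state: check_simple_signature(without_rs, pub),
    relay_injected: check_simple_signature(without_rs.merge('RelayState' => 'x'), pub) }
end
```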
Andreas over at Feide has just published a bunch of presentations he, um, presented the other day in Oslo. Great stuff - and I really like the sparse, clean look. I HATE slides with 15 bullets in 10 point text. The presentations cover the basics of SSO, SAML 2.0, OpenID and a look at Nordic/European collaboration in the education sector. Check them out.
Many thanks to Andreas Åkre Solberg of the FEIDE project for this latest iteration of the SAML 2.0 PHP service provider (SP) OpenSSO Extension (you might remember it as 'Lightbulb'). I spent Thursday afternoon running through some tests with the PHP SP and OpenSSO as the identity provider - apart from one very minor bug (already fixed), it all works great!
Changes since the initial implementation:
Grab the code via CVS from opensso.dev.java.net (it's in opensso/extensions/saml2php/). Instructions for getting the code via CVS.
I'm in Brussels this week for the Liberty Alliance Plenary Meeting and IOS Brussels, but, back at the ranch in California, the Sun Developer Network folks have released another technical article on Access Manager: Achieving SSO With Sun Java System Access Manager and SAML, a look at how to integrate Access Manager with a third party application - in this case SAP NetWeaver Enterprise Portal 2004s - via SAML.
Looks like Hu's been busy - not only has he deployed a sample SAML 2.0 service provider based on the SAML 2.0/PHP OpenSSO Extension (formerly known as Lightbulb), he's also rolled out Paul's OpenID code (another OpenSSO Extension). So, now you can go register at SSOCircle and use either SAML 2.0 or OpenID to authenticate to relying parties/service providers, all through the magic of OpenSSO. Cool!
UPDATE 21 March 2007 - I missed a couple of steps, including, ironically, installing the SAML 2.0 Ruby code. All should be well now.
Hot on the heels of our launch of OpenSSO Extensions comes the latest extension, contributed by Todd Saxton from New Zealand: a SAML 2.0 relying party implementation in Ruby (already noticed by the sharp-eyed Tatsuo Kudo, here). Todd used the existing SAML 2.0 PHP relying party (formerly known as Lightbulb) as a starting point and ported it to Ruby, using Roland Schmitt's WSS4R to handle the XML Security chores. Note that both the Ruby and PHP SAML 2.0 relying party implementations are very much 'proofs of concept'. They successfully complete SAML 2.0 single sign-on and single logout, but are not to be considered production quality. In particular, Andreas Solberg has identified some bugs and shortcomings in the PHP implementation and kindly offered to contribute his fixes (nudge!).
I just downloaded the Ruby SAML 2.0 code and... it works! I made one minor fix to account for differences in my environment, but everything else was just configuration. Here is a checklist of what you'll need (I used this very useful HOWTO on Rails installation as a base):
ruby setup.rb.
gem install log4r.
opensso/extensions/saml2ruby/source). Instructions for getting the code via CVS.
xmlcanonicalizer.rb according to the instructions in saml2ruby's INSTALL file.
saml2ruby/source/examples/rails/SimpleSAMLRP/config/environment.rb and change RAILS_GEM_VERSION to match what you have. There may be cleaner ways of doing this, but this is what worked for me.
saml2ruby/source/examples/rails/SimpleSAMLRP/app/controllers/account_controller.rb and change the SP and IdP settings to match your environment.
saml2ruby/source/examples/rails/SimpleSAMLRP do mongrel_rails start or ruby script/server.
http://myserver.mydomain.com/3000/account/login and you should be redirected to authenticate at the IdP. On successful authentication you should be sent back to the Ruby SP example app which will report a successful login.
So - if you're a Ruby-ist (Ruby-ite? Rubier?) and you need SAML 2.0, go grab saml2ruby!