
Adventures in Web Application Development by Phil Duba
SAML and ColdFusion - Part 1

Posted On December 29, 2006 4:52 PM By Phil in SAML,ColdFusion

Over the summer, I began to work on a project that wanted to utilize SAML, or Security Assertion Markup Language (all information in this post and follow-on ones is retrieved from the OASIS site). At the time, I wasn't given much information about SAML, except for the link to the site, and was asked: "Can we implement this?". Well, luckily, that customer decided to go in a different direction, because if one looks through the SAML documentation, there are numerous Use Cases and Implementations. Although the project was dead, I thought about how to implement something like this within our company's suite of applications, which are ColdFusion based.

Now for some background on SAML. For those that may be unaware, SAML is an XML-based way of doing federated authentication, providing a level of single sign-on previously done either by adding a filter or executable to one's web server or through custom-built exchange mechanisms/URL parameters. SAML's documentation talks to a number of ways to utilize what it calls Authentication Assertions, but, within a web-based environment, there are essentially 3 parties involved: the Browser, the Identity Provider or Source Site, and the Service Provider or Destination Site. Essentially, the typical Use Case for web-based applications is as follows:

  • User browses to the Source Site
  • User attempts to access protected content on the Source Site
  • User is prompted for authentication credentials within the Source Site
  • Source Site validates authentication of the User's credentials
  • User continues to utilize Source Site resources
  • At some point, the User is redirected to a Third-party/Partner site due to their credentials, status or permissions

At this point, the user has been authenticated by some resource on the Source Site, thus the Source Site is referred to as an Identity Provider (IdP). The Destination Site which the user is trying to access from the IdP is considered the Service Provider (SP), because it is usually an extension of the main site, providing specific services that may be more specialized than those of the main site. This is commonly referred to as the IdP-initiated SSO Use Case. Another common SSO request is one where the SP initiates the authentication process, possibly through a bookmark or advertisement going to that resource. In my case, our site, which is the SP, has its own authentication mechanism besides the SSO one, and the users do have their own credentials within our system, so this type of Use Case doesn't really apply.

Now, there is a base agreement between the IdP and the SP on a unique identifier which will represent/identify that user in both systems. This is usually done either through some type of data load, a service call from the IdP to the SP, or manual data entry when creating a user in the SP.

So how do we get from the IdP to the SP? We do this through what SAML calls a binding, which is nothing more than how the information is exchanged, for example through HTTP POST or SOAP. In our case, the appropriate binding to use is the HTTP POST binding defined in version 2.0, or the Browser/POST binding in version 1.1. Essentially, this is executed using a Form on the IdP site, and it must adhere to the following restrictions:

  • "action" attribute is the SP SSO gateway (also called the Assertion consumer)
  • "method" attribute is "POST"
  • The control containing the Assertion must be hidden and named SAMLRequest
  • The value of the SAMLResponse control must be Base-64 encoded
  • The transport mechanism must be by SSL 3.0

So from an IdP perspective, the code for the form could be:

<!--- cfoutput is required so the #...# expression is evaluated rather than rendered literally --->
<cfoutput>
<form method="post" action="https://thirdparty.services.com/samlConsumer" name="samlSSO">
   <input type="hidden" name="SAMLResponse" value="#ToBase64(samlResponse)#"/>
</form>
</cfoutput>
<script language="JavaScript">
   // submit the hidden form automatically shortly after the page loads
   function submitSSO(){
      document.samlSSO.submit();
   }
   setTimeout("submitSSO()",100);
</script>

The variable samlResponse can then be converted back to text on the SP side using:

<cfset samlAssert = ToString(ToBinary(Form.samlResponse)) />
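Decoding the field is only the first step on the SP side. The following is an added example, not code from this post, written in Python rather than CFML to show the binding-level checks an Assertion Consumer should make on the posted SAMLResponse before it trusts anything in it: size and Base-64 validity, well-formed XML, a samlp:Response root, a Destination that matches this consumer URL (taken from the form above), and the assertion's validity window. The sample response, the size limit and the clock value are constructed for the demo; XML signature verification is deliberately left out and must be done before any login decision.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
CONSUMER_URL = "https://thirdparty.services.com/samlConsumer"  # the form's action URL above
MAX_B64_LEN = 64 * 1024  # constructed size limit: reject before decoding

def parse_saml_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML uses UTC 'Z' timestamps

def consume_response(saml_response_b64, now):
    """Binding-level checks for the posted SAMLResponse field -> (accepted, reason, name_id).
    Does NOT verify the XML signature: an unverified response must never log anyone in."""
    if len(saml_response_b64) > MAX_B64_LEN:
        return False, "oversized", None
    try:
        raw = base64.b64decode(saml_response_b64, validate=True)
    except (binascii.Error, ValueError):
        return False, "not base64", None
    try:  # production code should use a hardened parser such as defusedxml
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False, "not well-formed xml", None
    if root.tag != SAMLP + "Response":
        return False, "root is not samlp:Response", None
    if root.get("Destination") != CONSUMER_URL:  # reject responses aimed at another consumer
        return False, "Destination mismatch", None
    assertion = root.find(SAML + "Assertion")
    cond = assertion.find(SAML + "Conditions") if assertion is not None else None
    if cond is None:
        return False, "no assertion with Conditions", None
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or na is None or not parse_saml_time(nb) <= now < parse_saml_time(na):
        return False, "missing or expired validity window", None
    return True, "ok", assertion.findtext(SAML + "Subject/" + SAML + "NameID")

def make_sample(not_on_or_after):
    """Constructed, unsigned sample response (not a real IdP message), base64-encoded
    the way ToBase64() on the IdP side would produce it."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="%s">'
           '<saml:Assertion><saml:Subject><saml:NameID>user42</saml:NameID></saml:Subject>'
           '<saml:Conditions NotBefore="2006-12-29T21:50:00Z" NotOnOrAfter="%s"/>'
           '</saml:Assertion></samlp:Response>' % (CONSUMER_URL, not_on_or_after))
    return base64.b64encode(xml.encode()).decode()

NOW = datetime(2006, 12, 29, 21, 52, tzinfo=timezone.utc)  # constructed clock for the demo
```

Calling consume_response(make_sample("2006-12-29T21:55:00Z"), NOW) accepts the sample and returns the NameID, while the same response with NotOnOrAfter set to 21:51 is rejected as expired.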
As for what makes up a SAML assertion, I'll get into that in my next post.

Comments

Good stuff - we are looking at SAML at the moment so I'll be keeping an eye on this series as you go.
# By James Holmes | 12/31/06 11:48 PM
Thanks James. The hardest part we've found in dealing with SAML is trying to figure out which of the 7 different methods/bindings is best to use.
# By Phil Duba | 1/1/07 10:41 AM
Hi Phil, it's nice to see someone blogging about SSO and ColdFusion. I'm nearing the end of a 9 month long project which included SSO to a partner in the UK to provide seamless 'login' into their application. Learning about SAML, the various profiles and digital signatures was definitely a challenge and even more so in relation to CF. I also had the pleasure of having to develop a prototype solution in PHP for our partners to handle the verification of our response tokens, that was fun =).

I'm interested to find out what tool kit (if any) you were looking at for implementing the SAML 2.0 spec; all of the apps/APIs/etc. that I found were extremely costly or not mature enough for a production release.
# By Justin Alpino | 2/9/07 12:05 PM
@Justin,

I'd love to hear more about your experience. I'm working on my 3rd "implementation" right now. I put it in quotes because I did research on the first, and then it was cancelled, then did full-blown design and definition meetings, then it was put on hold. The one I'm on now is going to pass both of those and be a full implementation. Per your question, I found these projects: Lightbulb - https://lightbulb.dev.java.net/, SAML 1.1 Java Toolkit - http://www.sourceid.org/projects/saml_1_1_toolkit (I think this one is more for use with the PingIdentity server), and OpenSAML - http://www.opensaml.org/
# By Phil Duba | 2/9/07 12:34 PM
@Phil

OpenSAML is the toolkit that we chose to implement; we went with the 1.1 version instead of the 2.0 release for the reasons that I mentioned above (primarily project immaturity). We looked at the SourceId toolkit also but discounted it b/c the system requirements stated that it ran on JBoss, and since we run WebSphere for app servers it didn't make sense to investigate further. As far as Lightbulb goes, we looked at that also, but our partner didn't feel comfortable using the Java bridge (which from my understanding is still somewhat experimental) or setting up an application server to host a web service written in Java. Ideally it would have been nice to have handed over what we had written for token verification using the same toolkit, but they were looking for a pure PHP solution. They also have a smaller development group than us, so I can understand why they wanted to stay with what they are comfortable with and had the capacity to support.

As far as my experience went with implementing OpenSAML, we ran into some interesting challenges, mostly related to the requirement it has of the JRE having to support Level 3 DOM parsing. The toolkit uses the standard Java2 interfaces for document building and parsing, which meant that we couldn't load the necessary versions of Xerces after start up of the JRE (we are running on JDK 1.4). We knew that JDK 1.5 has built in support for DOM 3 parsing, but I don't think Adobe officially supports MX on that version and b/c of that management didn't want to upgrade and be out of support with them. So we were left having to make use of the Endorsed Standards Override Mechanism of JDK 1.4 to get proper XML parsing in place, which 'broke' MX. *As a side note, we found that you could remove the instances of xerces, xalan, etc. from within the Coldfusion.war, but again that would have voided our support with Adobe. We pretty much ran out of options and decided to physically separate it from our CF servers, which led us to the web service.
# By Justin Alpino | 2/9/07 4:31 PM
W.R.T. learning SAML, see my brief, nascent, document "How to Study and Learn SAML" here:

http://identitymeme.org/archives/2006/09/08/how-to...

WRT SAML open-source implementations, see also the LASSO project, which has recently completed a certified-interoperable SAMLv2 implementation:

http://lasso.entrouvert.org/
# By Jeff Hodges | 2/9/07 4:41 PM
Thanks for your feedback Justin. I had the same feeling about SourceId. I figured it would most likely be OpenSAML. That's pretty much my assignment for next week, figure out how best to do this without going too crazy. Thanks again!
# By Phil | 2/9/07 4:43 PM
@Jeff - Thanks for the links. I'll check them out, especially the LASSO project.
# By Phil Duba | 2/9/07 4:50 PM
@Justin--

I think you actually are referring to http://opensso.dev.java.net/ rather than Lightbulb, which is a subproject of the overall OpenSSO project. Lightbulb is simply a pure PHP "service provider" (SP) aka "relying party" (RP) SAMLv2 implementation. E.g. if you have a site you want to quickly SAML-enable, and it supports PHP scripting, you can just drop Lightbulb in and tweak a couple of things and you're set. Conversely, OpenSSO is a full Java-based identity provider implementation (and of course includes a Java-based SP implementation).
# By Jeff Hodges | 2/9/07 5:06 PM
@Jeff - thanks for clearing that up. I thought that was what Lightbulb was, which is why it has piqued my interest. The project I'm working on right now, and what I think is most appropriate for the CF community in general, is the Service Provider aspect within a SAML implementation. I only think that there are some PHP libraries one needs to get (I'm not a PHP developer by any means, that was just the gist I got from reading posts on the project) in order to implement it fully.
# By Phil Duba | 2/9/07 5:15 PM
I want to implement SAML using CF 7 and we use IIS 6. Any suggestions as to which API or lib will suit us? We don't want to get into crazy stuff. We need something that is stable and doesn't need changes in the CF environment or IIS or any architecture changes.

Thanks,
# By CFdevfusion | 5/2/08 12:54 PM