SAML and ColdFusion - Part 1
Posted On December 29, 2006 4:52 PM By Phil in SAML,ColdFusion
Over the summer, I began work on a project that wanted to utilize SAML, or Security Assertion Markup Language (all information in this post and the follow-on ones is taken from the OASIS site). At the time, I wasn't given much information about SAML beyond a link to the site and the question: "Can we implement this?" Luckily, that customer decided to go in a different direction, because if one looks through the SAML documentation, there are numerous Use Cases and implementations to choose from. Although the project was dead, I kept thinking about how to implement something like this within our company's suite of applications, which are ColdFusion based.

Now for some background on SAML. For those who may be unaware, SAML is an XML-based way of doing federated authentication, providing a level of single sign-on previously achieved either by adding a filter or executable to one's web server or by custom-built exchange mechanisms/URL parameters. SAML's documentation describes a number of ways to utilize what it calls Authentication Assertions, but within a web-based environment there are essentially three parties involved: the Browser, the Identity Provider (or Source Site), and the Service Provider (or Destination Site). The typical Use Case for web-based applications is as follows:
- User browses to the Source Site
- User attempts to access protected content on the Source Site
- User is prompted for authentication credentials within the Source Site
- Source Site validates authentication of the User's credentials
- User continues to utilize Source Site resources
- At some point, the User is redirected to a Third-party/Partner site due to their credentials, status or permissions
At this point, the user has been authenticated by some resource on the Source Site, so the Source Site is referred to as an Identity Provider (IdP). The Destination Site that the user is trying to access from the IdP is considered the Service Provider (SP), because it is usually an extension of the main site, providing services more specialized than those of the main site. This is commonly referred to as the IdP-initiated SSO Use Case. Another common variant is SP-initiated SSO, where the SP starts the authentication process, for example when the user arrives via a bookmark or an advertisement linking to that resource. In my case, our site, which is the SP, has its own authentication mechanism besides the SSO one, and the users have their own credentials within our system, so that Use Case doesn't really apply.

There is also a base agreement between the IdP and the SP on a unique identifier that will represent/identify the user in both systems. This is usually established through some type of data load, a service call from the IdP to the SP, or manual data entry when the user is created in the SP.

So how do we get from the IdP to the SP? Through what SAML calls a binding, which is nothing more than how the information is exchanged, for example via HTTP POST or SOAP. In our case, the appropriate choice is the HTTP POST binding defined in SAML 2.0 (the Browser/POST profile in SAML 1.1). Essentially, this is executed using a form on the IdP site, and it must adhere to the following restrictions:
- "action" attribute is the SP SSO gateway (also called the Assertion Consumer Service)
- "method" attribute is "POST"
- The control containing the Response (and its Assertion) must be a hidden input named SAMLResponse
- The value of the SAMLResponse control must be Base64 encoded
- The transport must be SSL 3.0 or TLS 1.0 (today that means TLS only, as SSL 3.0 is deprecated)
One caveat: because the browser submits this form, anything in it can be captured, altered or replayed by whoever controls the browser. The SP must verify the XML Signature on the Response/Assertion (covered in Part 2) before trusting any of its contents, and must enforce the validity window and one-time use of the Assertion.
<!--- Form opening restored; the action is the SP's assertion consumer URL,
      held here in a placeholder variable (spGatewayURL) --->
<cfoutput>
<form name="samlSSO" action="#spGatewayURL#" method="POST">
<input type="hidden" name="SAMLResponse" value="#ToBase64(samlResponse)#"/>
</form>
</cfoutput>
<script language="JavaScript">
// auto-submit the hidden form so the browser POSTs the Response to the SP
function submitSSO(){
document.samlSSO.submit();
}
setTimeout("submitSSO()",100);
</script>
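The exchange above carried end to end, as an added example that is not part of the original post: a stand-alone Python script (rather than ColdFusion, so it runs without a CF server) in which the IdP builds a SAML 2.0 Response for the hidden SAMLResponse control and the SP decodes and checks it before logging the user in. The entity IDs, the assertion consumer URL and the employee ID are assumptions. Signature creation and verification, which the post defers to Part 2, are deliberately omitted and marked where they belong; every check shown here is meaningless until the signature has been verified.

```python
"""SAML 2.0 HTTP POST binding, IdP and SP side, as a constructed stand-alone example.
Entity IDs, the ACS URL and the employee ID are made-up assumptions. XML Signature
handling is left out on purpose: a real SP verifies the IdP's signature before any
check below, since the browser-submitted form is under the sender's control."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://idp.example.org/saml"  # assumed Source Site / IdP
SP_ENTITY_ID = "https://sp.example.com/saml"    # assumed Destination Site / SP
SP_ACS_URL = "https://sp.example.com/sso/acs"   # assumed SSO gateway (the form action)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def idp_build_response(user_id, now, lifetime_sec=300):
    """IdP side: a Response carrying one Assertion, returned as the base64 value of
    the hidden SAMLResponse control, plus the assertion ID for the caller's records."""
    assertion_id, uid = "_" + uuid.uuid4().hex, escape(user_id)
    issued, expires = now.strftime(TIME_FMT), (now + timedelta(seconds=lifetime_sec)).strftime(TIME_FMT)
    xml_text = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issued}" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{uid}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="employeeId"><saml:AttributeValue>{uid}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii"), assertion_id


class SamlConsumerError(Exception):
    pass


class ServiceProvider:
    """SP side. seen_ids is the one-time-use cache that defeats replay of a captured post."""

    def __init__(self):
        self.seen_ids = set()  # in production: shared across servers, pruned at NotOnOrAfter

    def consume(self, saml_response_field, now, skew_sec=60):
        # Step 0 (omitted here): verify the XML Signature over the Response/Assertion; see Part 2.
        try:
            root = ET.fromstring(base64.b64decode(saml_response_field, validate=True))
        except (ValueError, ET.ParseError) as exc:
            raise SamlConsumerError(f"malformed SAMLResponse: {exc}")
        if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != SP_ACS_URL:
            raise SamlConsumerError("not a Response addressed to this ACS URL")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise SamlConsumerError("IdP did not report success")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise SamlConsumerError("missing Assertion or unexpected Issuer")
        cond = assertion.find("saml:Conditions", NS)
        try:  # validity window, with a small allowance for clock skew between IdP and SP
            not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
            not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
        except (AttributeError, TypeError, ValueError):
            raise SamlConsumerError("bad or missing validity window")
        if now + timedelta(seconds=skew_sec) < not_before or now - timedelta(seconds=skew_sec) >= not_after:
            raise SamlConsumerError("assertion outside its validity window")
        if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            raise SamlConsumerError("assertion was not issued for this SP")
        aid = assertion.get("ID")
        if not aid or aid in self.seen_ids:  # each assertion may log a user in exactly once
            raise SamlConsumerError("assertion ID missing or already consumed (replay)")
        self.seen_ids.add(aid)
        attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                 for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
        return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


def run_demo():
    """Constructed exchange: one good login, then the posts an SP must reject."""
    now = datetime(2007, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    field, _ = idp_build_response("E12345", now)
    sp = ServiceProvider()
    out = {"login": sp.consume(field, now + timedelta(seconds=30))}
    def rejected(consumer, value, when):
        try:
            consumer.consume(value, when)
            return False
        except SamlConsumerError:
            return True
    other_acs = base64.b64decode(field).replace(SP_ACS_URL.encode(), b"https://other-sp.example.net/acs")
    out["replay_rejected"] = rejected(sp, field, now + timedelta(seconds=31))
    out["expired_rejected"] = rejected(ServiceProvider(), field, now + timedelta(seconds=600))
    out["wrong_destination_rejected"] = rejected(ServiceProvider(), base64.b64encode(other_acs).decode(), now)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The order of the SP checks is deliberate: Destination and Audience stop a Response minted for one site from being posted to another, the NotBefore/NotOnOrAfter window bounds how long a captured post stays useful, and the consumed-ID cache is what actually answers the replay concern raised later in the comments, since a copied form post or URL presents an assertion ID the SP has already seen. Once the signature check is in place at step 0, a user who has passed `consume` can be mapped to a local account by the `employeeId` attribute exactly as the post describes for the agreed unique identifier.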
philduba.com
Comments
I'm interested to find out what tool kit (if any) you were looking at for implementing the SAML2.0 spec, all of the apps/apis/ect that I found were extremely costly or not mature enough for a production release.
I'd love to hear more about your experience. I'm working on my 3rd "implementation" right now. I put it in quotes because I did research on the first, and then it was cancelled; then did full-blown design and definition meetings, then it was put on hold. The one I'm on now is going to pass both of those and be a full implementation. Per your question, I found these projects: Lightbulb - https://lightbulb.dev.java.net/, SAML 1.1 Java Toolkit - http://www.sourceid.org/projects/saml_1_1_toolkit (I think this one is more for use with the PingIdentity server), and OpenSAML - http://www.opensaml.org/
OpenSAML is the toolkit that we chose to implement; we went with the 1.1 version instead of the 2.0 release for the reasons that I mentioned above (primarily project immaturity). We looked at the SourceId toolkit also but discounted it b/c the system requirements stated that it ran on JBoss, and since we run Websphere for app servers it didn't make sense to investigate further. As far as Lightbulb goes, we looked at that also, but our partner didn't feel comfortable using the Java bridge (which from my understanding is still somewhat experimental) or setting up an application server to host a web service written in Java. Ideally it would have been nice to have handed over what we had written for token verification using the same toolkit, but they were looking for a pure PHP solution. They also have a smaller development group than us, so I can understand why they wanted to stay with what they are comfortable with and had the capacity to support.
As far as my experience went with implementing OpenSAML, we ran into some interesting challenges, mostly related to the requirement it has of the JRE having to support Level 3 DOM parsing. The toolkit uses the standard Java2 interfaces for document building and parsing, which meant that we couldn't load the necessary versions of Xerces after start-up of the JRE (we are running on JDK 1.4). We knew that JDK 1.5 has built-in support for DOM 3 parsing, but I don't think Adobe officially supports MX on that version, and b/c of that management didn't want to upgrade and be out of support with them. So we were left having to make use of the Endorsed Standards Override Mechanism of JDK 1.4 to get proper XML parsing in place, which 'broke' MX. *As a side note, we found that you could remove the instances of Xerces, Xalan, etc. from within the Coldfusion.war, but again that would have voided our support with Adobe. We pretty much ran out of options and decided to physically separate it from our CF servers, which led us to the web service.
http://identitymeme.org/archives/2006/09/08/how-to...
WRT SAML opensource implementations, see also the LASSO project, which has recently completed a certified-interoperable SAMLv2 implementation:
http://lasso.entrouvert.org/
I think you actually are referring to http://opensso.dev.java.net/ rather than Lightbulb, which is a subproject of the overall OpenSSO project. Lightbulb is simply a pure PHP "service provider" (SP) aka "relying party" (RP) SAMLv2 implementation. E.g. if you have a site you want to quickly SAML-enable, and it supports PHP scripting, you can just drop Lightbulb in and tweak a couple of things and you're set. Conversely, OpenSSO is a full Java-based identity provider implementation (and of course includes a Java-based SP implementation).
Thanks,
Will OpenSAML work for me? Any suggestions for Windows implementation of SSO using SAML?
At this moment, after reading all the parts, I have these questions. I hope someone can answer them for me.
As I said, our website, which has its own authentication mechanism, will be accessed by IDP users.
1. So, how will the IDP send me the SAMLResponse? You said in Part 1 that a form needs to be submitted with SAMLResponse. Just wondering, how will a form submission come to me, because in your example you were taking care of both IDP & SP?
2. Will I need to ask the IDP to give me the certificate/key? How does this thing work?
3. As per your tutorial, the SamlTest class file is needed for signing the signature. I guess I won't need this class since the IDP signs the signature, right?
4. Also, I am assuming I will have to use VerifySignature to do the validation. Can you tell me what classes I need to import, because it was missing in your code.
Pardon my ignorance because I am still learning and I am not able to visualize the whole process, i.e. what the IDP is supposed to give me vs. what exactly would be done at my end.
Thanks
1. The IDP will build and send you the Assertion. The way to do it is in the first code piece of this article and the code piece in Part 2. The exact attributes expected in the various areas are up to you (before/after conditions, ids, etc.).
2. You will actually generate the public/private key and send them the public one. They will use this to sign the certificate and you will use the private one to validate/verify the signature.
3. That is correct, you will not need that class since, in this case, you are a service provider (SP).
4. Correct, you will have to use VerifySignature or something similar to verify the document as a whole.
The IDP submits a base64-encoded form variable which contains the Assertion XML that is found in Part 2. There's a link in those comments that's pretty good (it might also be in this one) and provides a nice overview of SAML itself. HTH
For question 2, I used keytool to generate the certificate as you had mentioned:
keytool -selfcert -alias SamlTest -genkey -keystore temp.keystore -keyalg RSA
This creates the temp.keystore in CFpath/jre/bin. So when you say send the public key to them, do you mean I have to run this command and give them SamlTest.cer?
keytool -export -alias SamlTest -file SamlTest.cer
I am assuming that, if I am right, they will sign SamlTest.cer which has my public key and send me the digital signature/certificate in XML format in the SAMLResponse, and I would verify/validate this digital signature using the VerifySignature program.
Does it make sense? Please advise.
Also, do I need to stick to the DSA or RSA algorithm? Any reason you picked RSA and not the default DSA?
In validation, your code has a reference to "path.to.SamlTest", which you also do in the CF code to sign the document. I believe you are referring to the Java class SamlTest, and my question is why do we need this in VerifySignature?
<cfset objSamlTest = CreateObject("java","path.to.SamlTest").init() />
<cfset ksString = "#GetTempDirectory()#temp.keystore">
<cfif objSamlTest.VerifySignature(token,ksString)>
Here is the part from your tutorial 5, Signing a Document:
Once the item is compiled, a signed document should be able to be created by executing the following code (continued from above):
<cfset objSamlTest = CreateObject("java","path.to.SamlTest").init() />
<cfset ksString = "#GetTempDirectory()#temp.keystore">
<cfset token = objSamlTest.SignDocument(ToString(samlAssert),ksString) />
Please answer these as I continue to progress further in my SAML project.
Thanks for your time.
1) I used keytool to generate the certificate as you had mentioned:
keytool -selfcert -alias SamlTest -genkey -keystore temp.keystore -keyalg RSA
This creates the temp.keystore in CFpath/jre/bin. So when you say send the public key to them, do you mean I have to run this command and give them SamlTest.cer?
keytool -export -alias SamlTest -file SamlTest.cer
I am assuming that, if I am right, they will sign SamlTest.cer which has my public key and send me the digital signature/certificate in XML format in the SAMLResponse, and I would verify/validate this digital signature using the VerifySignature method.
2. The IDP is supposed to send us, in the assertion, the Employee ID & Company ID, which get loaded into our database through a nightly demographic import. Shall I expect that in the conditions element of the XML Token?
3. Last step. Once I get the conditions, I guess I can take the employee ID from the conditions element of the XML and find the user info from the userlog table. I can set client variables like user name, etc., and redirect the user to the application's URL so the user can access the application.
4. General question. Every user at the IDP logs in to his own PC/intranet using his credentials, right? So how does this form submission for the SAMLResponse take place? Does the IDP inform the users that, to access the application site, they need to run this form page, which they will create? How does it work? Can you clarify from the user aspect for me?
1. It's been so long but, yes, I believe that's what you do. If I remember correctly, I was sent a .cer file to use to extract the public key for my assertion.
2. Those are in the AttributeStatement. If you look at my example (ignoring the fact I don't have a closing AttributeStatement tag) in Part 2, you'll see I have an id there. The Attribute tag is what you'd use to pass these two values, if they aren't one of SAML's predefined attributes.
3. That is correct and that's what our client did.
4. Form submission is usually handled either behind the scenes on login to a particular section of a site or, in our case, it was when they went to access a particular account that we registered as "SSO". The system I was working on was rather complicated, a pseudo-CMS/aggregation application. So really, the IDP has to build the "gateway" from their application to yours. If they can do all that behind the scenes, great; if not, then there will be some browser redirects going on.
HTH, Phil
Once I get the conditions, I guess I can take the employee ID from the conditions element of the XML and find the user info from the userlog table. I can set client variables like user name, etc., and redirect the user to the application's URL so the user can access the secureArea application.
To do that, I would have to add code in the Application.cfm of securearea so that the SSO code is run and the user is automatically logged in. But let's say the redirection URL with client vars gets into the hands of a hacker or someone who is sniffing the network packets; this will result in a replay attack, i.e. someone can use that URL and he will be automatically logged in to the application.
How do you avoid that? Did you come across something like this? Let me know if the question is not clear.
Any ideas?
Thanks for the reply. But I was talking more in terms of someone hijacking my relocation URL, which will have some information in it, and even though the URL will have encrypted parameters, the user could copy that URL and paste it in the browser to access the site.
I read about this issue and many people are suggesting using a transaction ID to validate/expire it once used.
Thanks,
You mentioned
OpenSAML had the same type of compatibility issues, which is why I ended up using the Apache library and writing my own Java classes to perform the decryption and verification.
Can you share the decryption process with me? I followed your tutorial and it's great. I am just stuck at the decryption part. Using CF 7 with JDK 1.4. Please respond ASAP.
Please help
With XML encryption, a client can send some elements encrypted, and you have to decrypt them before you can make use of them.
But it's OK, I figured out a way to decrypt the contents of the samlResponse/XML.
Thanks,
But there are some nice tutorials to get started. Needs good knowledge of so many things to make it work.
Thanks,
I'm trying to implement a solution for a local college where students sign in and are presented with an icon that will log them into their GMail account.
Q: Is SAML the right direction for me to be looking?