SAML and ColdFusion - Part 1
Posted On December 29, 2006 4:52 PM By Phil in SAML,ColdFusion
Over the summer, I began to work on a project that wanted to utilize SAML (all information in this post and follow-on ones is retrieved from the OASIS site), or Security Assertion Markup Language. At the time, I wasn't given much information about SAML, except for the link to the site, and asked: "Can we implement this?" Well, luckily, that customer decided to go in a different direction, as if one looks through the SAML documentation, there are numerous Use Cases and Implementations. Although the project was dead, I thought about how to implement something like this within our company's suite of applications, which are ColdFusion based.

Now for some background on SAML. For those that may be unaware, SAML is an XML-based way of doing federated authentication. It provides a level of single sign-on that was previously achieved either by adding a filter or executable to one's web server or by custom-built exchange mechanisms and URL parameters. SAML's documentation describes a number of ways to utilize what it calls Authentication Assertions, but within a web-based environment there are essentially three parties involved: the Browser, the Identity Provider (or Source Site) and the Service Provider (or Destination Site). The typical Use Case for web-based applications is as follows:
- User browses to the Source Site
- User attempts to access protected content on the Source Site
- User is prompted for authentication credentials within the Source Site
- Source Site validates authentication of the User's credentials
- User continues to utilize Source Site resources
- At some point, the User is redirected to a Third-party/Partner site due to their credentials, status or permissions
At this point, the user has been authenticated by some resource on the Source Site, thus the Source Site is referred to as an Identity Provider (IdP). The Destination Site which the user is trying to access from the IdP is considered the Service Provider (SP), because it is usually an extension of the main site, providing specific services that may be more specialized than those of the main site. This is commonly referred to as the IdP-initiated SSO Use Case.

Another common SSO request is one where the SP initiates the authentication process, possibly through a bookmark or advertisement pointing at that resource. In my case, our site, which is the SP, has its own authentication mechanism besides the SSO one, and the users do have their own credentials within our system, so this type of Use Case doesn't really apply.

Now, there is a base agreement between the IdP and the SP on a unique identifier which will represent/identify that user in both systems. This is usually done either through some type of data load, a service call from the IdP to the SP, or manual data entry when creating a user in the SP.

So how do we get from the IdP to the SP? We do this through what SAML calls a binding, which is nothing more than how the information is exchanged, for example through HTTP POST or SOAP. In our case, the appropriate binding to use is the HTTP POST binding defined in version 2.0, or the Browser/POST binding in version 1.1. Essentially, this is executed using a Form on the IdP site, and it must adhere to the following restrictions:
- "action" attribute is the SP SSO gateway (also called the Assertion consumer)
- "method" attribute is "POST"
- The control containing the Assertion must be hidden and named SAMLRequest
- The value of the SAMLResponse control must be Base-64 encoded
- The transport mechanism must be by SSL 3.0
<!-- The form's opening tag was missing from the snippet; the SP assertion consumer URL below is a placeholder -->
<cfoutput>
<form name="samlSSO" action="https://SP-ASSERTION-CONSUMER-URL" method="POST">
<input type="hidden" name="SAMLResponse" value="#ToBase64(samlResponse)#"/>
</form>
</cfoutput>
<script language="JavaScript">
// Auto-submit the hidden form shortly after the page loads so the browser POSTs the assertion to the SP
function submitSSO(){
document.samlSSO.submit();
}
setTimeout("submitSSO()",100);
</script>
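The two halves of the POST binding described above, as an added example that is not part of the original post and is written in Python rather than the post's CFML: the IdP side Base-64 encodes the Response for the hidden SAMLResponse control, and the SP side (the assertion consumer) decodes it and applies the binding's checks (SSL transport, control name, Response root, validity window, audience) before trusting the NameID as the agreed unique identifier. The sample Response, issuer and SP names are constructed and hypothetical; the Response is unsigned, so XML signature verification is not shown.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"   # SAML 2.0 protocol namespace
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"   # SAML 2.0 assertion namespace
# Constructed sample Response (unsigned, hypothetical issuer/SP names) for illustration only
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_r1" Version="2.0" IssueInstant="2006-12-29T21:52:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2006-12-29T21:52:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>user-12345</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2006-12-29T21:50:00Z" NotOnOrAfter="2006-12-29T22:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML timestamps are xs:dateTime in UTC with a 'Z' suffix
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def idp_form_value(response_xml):
    """IdP side: the value of the hidden SAMLResponse control must be Base-64 encoded."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")

def sp_consume(post_fields, scheme, now, expected_audience):
    """SP side (assertion consumer): decode the POSTed control and apply the
    binding's checks before trusting the NameID; raises ValueError on failure."""
    if scheme != "https":
        raise ValueError("binding requires the POST to arrive over SSL/TLS")
    if "SAMLResponse" not in post_fields:
        raise ValueError("hidden control must be named SAMLResponse")
    root = ET.fromstring(base64.b64decode(post_fields["SAMLResponse"], validate=True))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("decoded document is not a samlp:Response")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [a.text for a in cond.iter(f"{{{SAML}}}Audience")]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this SP")
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not name_id.text:
        raise ValueError("no Subject/NameID to map to a local user")
    return name_id.text  # the agreed unique identifier shared by IdP and SP
```

In a real consumer the XML signature on the Response or Assertion must also be verified (the job the OpenSAML-style toolkits discussed in the comments do) before the returned NameID is used to log the user in.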
Comments
I'm interested to find out what tool kit (if any) you were looking at for implementing the SAML 2.0 spec; all of the apps/APIs/etc. that I found were extremely costly or not mature enough for a production release.
I'd love to hear more about your experience. I'm working on my 3rd "implementation" right now. I put it in quotes because I did research on the first, and then it was cancelled; then did full-blown design and definition meetings, then it was put on hold. The one I'm on now is going to pass both of those and be a full implementation. Per your question, I found these projects: Lightbulb - https://lightbulb.dev.java.net/, SAML 1.1 Java Toolkit - http://www.sourceid.org/projects/saml_1_1_toolkit (I think this one is more for use with the PingIdentity server), and OpenSAML - http://www.opensaml.org/
OpenSAML is the toolkit that we chose to implement; we went with the 1.1 version instead of the 2.0 release for the reasons that I mentioned above (primarily project immaturity). We looked at the SourceId toolkit also but discounted it b/c the system requirements stated that it ran on JBoss, and since we run Websphere for app servers it didn't make sense to investigate further. As far as Lightbulb goes, we looked at that also, but our partner didn't feel comfortable using the Java bridge (which from my understanding is still somewhat experimental) or setting up an application server to host a web service written in Java. Ideally it would have been nice to have handed over what we had written for token verification using the same toolkit, but they were looking for a pure PHP solution. They also have a smaller development group than us, so I can understand why they wanted to stay with what they are comfortable with and had the capacity to support.
As far as my experience went with implementing OpenSAML, we ran into some interesting challenges, mostly related to the requirement it has of the JRE having to support Level 3 DOM parsing. The toolkit uses the standard Java2 interfaces for document building and parsing, which meant that we couldn't load the necessary versions of xerces after start up of the JRE (we are running on jdk1.4). We knew that JDK1.5 has built in support for DOM 3 parsing, but I don't think Adobe officially supports MX on that version and b/c of that management didn't want to upgrade and be out of support with them. So we were left having to make use of the Endorsed Standards Override Mechanism of jdk1.4 to get proper xml parsing in place, which 'broke' MX. *As a side note we found that you could remove the instances of xerces, xalan, etc. from within the Coldfusion.war, but again that would have voided our support with Adobe. We pretty much ran out of options and decided to physically separate it from our CF servers, which led us to the web service.
http://identitymeme.org/archives/2006/09/08/how-to...
WRT SAML opensource implementations, see also the LASSO project, which has recently completed a certified-interoperable SAMLv2 implementation:
http://lasso.entrouvert.org/
I think you actually are referring to http://opensso.dev.java.net/ rather than Lightbulb, which is a subproject of the overall opensso project. Lightbulb is simply a pure PHP "service provider" (SP) aka "relying party" (RP) SAMLv2 implementation. E.g. if you have a site you want to quickly SAML-enable, and it supports PHP scripting, you can just drop lightbulb in and tweak a couple things and you're set. Conversely, opensso is a full java-based identity provider implementation (and of course includes a java-based SP implementation).
Thanks,