PD Versus-inspired Logophilduba.com

Adventures in Web Application Development by Phil Duba

SAML and ColdFusion - Part 1

Posted On December 29, 2006 4:52 PM By Phil in SAML,ColdFusion

Over the summer, I began to work on a project that wanted to utilize SAML (all information in this post and the follow-on ones is retrieved from the OASIS site), or Security Assertion Markup Language. At the time, I wasn't given much information about SAML, except for the link to the site, and was asked: "Can we implement this?". Well, luckily, that customer decided to go in a different direction, as if one looks through the SAML documentation, there are numerous Use Cases and Implementations. Although the project was dead, I thought about how to implement something like this within our company's suite of applications, which are ColdFusion based.

Now for some background on SAML. For those that may be unaware, SAML is an XML-based way of doing federated authentication, providing a level of single sign-on previously done through either adding a filter or executable to one's web server or custom-built exchange mechanisms/URL parameters. SAML's documentation describes a number of ways to utilize what it calls Authentication Assertions, but, within a web-based environment, there are essentially 3 parties involved: the Browser, the Identity Provider or Source Site, and the Service Provider or Destination Site. Essentially, the typical Use Case for web-based applications is as follows:

  • User browses to the Source Site
  • User attempts to access protected content on the Source Site
  • User is prompted for authentication credentials within the Source Site
  • Source Site validates authentication of the User's credentials
  • User continues to utilize Source Site resources
  • At some point, the User is redirected to a Third-party/Partner site due to their credentials, status or permissions

At this point, the user has been authenticated by some resource on the Source Site, thus the Source Site is referred to as an Identity Provider (IdP). The Destination Site which the user is trying to access from the IdP is considered the Service Provider (SP), because it is usually an extension of the main site, providing specific services that may be more specialized than those of the main site. This is commonly referred to as the IdP-initiated SSO Use Case. Another common SSO request is one where the SP initiates the authentication process, possibly through a bookmark or advertisement going to that resource. In my case, our site, which is the SP, has its own authentication mechanism besides the SSO one and the users do have their own credentials within our system, so this type of Use Case doesn't really apply. Now, there is a base agreement between the IdP and the SP on a unique identifier which will represent/identify that user in both systems. This is usually done either through some type of data load, a service call from the IdP to the SP, or manual data entry when creating a user in the SP.

So how do we get from the IdP to the SP? We do this through what SAML calls a binding, which is nothing more than how the information is exchanged, for example either through HTTP POST or SOAP. In our case, the appropriate binding to use is the HTTP POST binding defined in version 2.0 or the Browser/POST binding in version 1.1. Essentially, this is executed using a Form on the IdP site and it must adhere to the following restrictions:

  • "action" attribute is the SP SSO gateway (also called the Assertion consumer)
  • "method" attribute is "POST"
  • The control containing the Assertion must be hidden and named SAMLResponse
  • The value of the SAMLResponse control must be Base-64 encoded
  • The transport mechanism must be by SSL 3.0
So from an IdP perspective, the code for the form could be:
<!--- The # expressions only evaluate inside cfoutput; samlResponse holds the Assertion XML --->
<cfoutput>
<form method="post" action="https://thirdparty.services.com/samlConsumer" name="samlSSO">
   <input type="hidden" name="SAMLResponse" value="#ToBase64(samlResponse)#"/>
</form>
</cfoutput>
<script language="JavaScript">
   // Auto-submit the form shortly after the page loads so the browser carries the Assertion to the SP
   function submitSSO(){
      document.samlSSO.submit();
   }
   setTimeout("submitSSO()",100);
</script>
The variable samlResponse can then be converted on the SP side using:
<cfset samlAssert = ToString(ToBinary(Form.samlResponse)) />
Now, what makes up a SAML assertion? I'll get into that in my next post.
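Both sides of the HTTP POST binding described above, as an added example that is not code from the original post. It assumes a constructed, unsigned sample Response, the consumer URL from the form above, and that signature verification (which the later parts of the series cover) happens after these checks; everything else is standard SAML 2.0 naming.

```python
# Added example: IdP encodes the Response into the hidden SAMLResponse control;
# the SP's assertion consumer decodes it and checks structure, status, addressing
# and validity window before trusting the identifier inside it.
import base64
import binascii
import html
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CONSUMER_URL = "https://thirdparty.services.com/samlConsumer"  # the form's action above

# Constructed, unsigned Response for the example; a real one carries a ds:Signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
    Version="2.0" IssueInstant="2006-12-29T21:52:00Z" Destination="{CONSUMER_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2006-12-29T21:52:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID>emp-12345</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2006-12-29T21:51:00Z" NotOnOrAfter="2006-12-29T21:57:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def encode_response(response_xml: str) -> str:
    """IdP side: the Base64 value placed in the hidden SAMLResponse control."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")

def build_post_form(response_xml: str, consumer_url: str = CONSUMER_URL) -> str:
    """IdP side: the auto-submitting form from the post, action = SP gateway."""
    return (f'<form method="post" action="{html.escape(consumer_url)}" name="samlSSO">'
            f'<input type="hidden" name="SAMLResponse" value="{encode_response(response_xml)}"/>'
            '</form>')

def _ts(value):
    """Parse a SAML UTC timestamp; a missing bound is an error, not 'unbounded'."""
    if value is None:
        raise ValueError("Conditions must carry NotBefore and NotOnOrAfter")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_saml_response(form_value: str, now: str, consumer_url: str = CONSUMER_URL) -> str:
    """SP side: decode Form.SAMLResponse, check it, return the agreed NameID.
    Raises ValueError on any failure; verify the signature before logging anyone in."""
    try:
        xml_bytes = base64.b64decode(form_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("SAMLResponse is not valid Base64") from exc
    root = ET.fromstring(xml_bytes)  # expat-backed; does not fetch external entities
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Response")
    dest = root.get("Destination")
    if dest is not None and dest != consumer_url:  # addressed to a different consumer
        raise ValueError(f"Response destined for {dest}, not {consumer_url}")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report a successful authentication")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    cond = assertions[0].find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("Assertion carries no Conditions")
    if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its validity window (stale or replayed)")
    name_id = assertions[0].find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Assertion has no NameID")
    return name_id.text.strip()
```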

Comments

Good stuff - we are looking at SAML at the moment so I'll be keeping an eye on this series as you go.
# By James Holmes | 12/31/06 11:48 PM
Thanks James. The hardest part we've found in dealing with SAML is trying to figure out which of the 7 different methods/bindings is best to use.
# By Phil Duba | 1/1/07 10:41 AM
Hi Phil, it's nice to see someone blogging about SSO and ColdFusion. I'm nearing the end of a 9 month long project which included SSO to a partner in the UK to provide seamless 'login' into their application. Learning about SAML, the various profiles and digital signatures was definitely a challenge and even more so in relation to CF. I also had the pleasure of having to develop a prototype solution in PHP for our partners to handle the verification of our response tokens, that was fun =).

I'm interested to find out what toolkit (if any) you were looking at for implementing the SAML 2.0 spec; all of the apps/APIs/etc. that I found were extremely costly or not mature enough for a production release.
# By Justin Alpino | 2/9/07 12:05 PM
@Justin,

I'd love to hear more about your experience. I'm working on my 3rd "implementation" right now. I put it in quotes because I did research on the first, and then it was cancelled, then did full-blown design and definition meetings, then it was put on hold. The one I'm on now is going to pass both of those and be a full implementation. Per your question, I found these projects: Lightbulb - https://lightbulb.dev.java.net/, SAML 1.1 Java Toolkit - http://www.sourceid.org/projects/saml_1_1_toolkit (I think this one is more for use with the PingIdentity server), and OpenSAML - http://www.opensaml.org/
# By Phil Duba | 2/9/07 12:34 PM
@phil

OpenSAML is the toolkit that we chose to implement; we went with the 1.1 version instead of the 2.0 release for the reasons that I mentioned above (primarily project immaturity). We looked at the SourceId toolkit also but discounted it b/c the system requirements stated that it ran on JBoss, and since we run WebSphere for app servers it didn't make sense to investigate further. As far as Lightbulb goes, we looked at that also, but our partner didn't feel comfortable using the Java bridge (which from my understanding is still somewhat experimental) or setting up an application server to host a web service written in Java. Ideally it would have been nice to have handed over what we had written for token verification using the same toolkit, but they were looking for a pure PHP solution. They also have a smaller development group than us, so I can understand why they wanted to stay with what they are comfortable with and had the capacity to support.

As far as my experience went with implementing OpenSAML, we ran into some interesting challenges, mostly related to the requirement it has of the JRE having to support Level 3 DOM parsing. The toolkit uses the standard Java2 interfaces for document building and parsing, which meant that we couldn't load the necessary versions of Xerces after start up of the JRE (we are running on jdk1.4). We knew that JDK1.5 has built-in support for DOM 3 parsing, but I don't think Adobe officially supports MX on that version and b/c of that management didn't want to upgrade and be out of support with them. So we were left having to make use of the Endorsed Standards Override Mechanism of jdk1.4 to get proper XML parsing in place, which 'broke' MX. *As a side note, we found that you could remove the instances of Xerces, Xalan, etc. from within the Coldfusion.war, but again that would have voided our support with Adobe. We pretty much ran out of options and decided to physically separate it from our CF servers, which led us to the web service.
# By Justin Alpino | 2/9/07 4:31 PM
W.R.T. learning SAML, see my brief, nascent document "How to Study and Learn SAML" here:

http://identitymeme.org/archives/2006/09/08/how-to...

WRT SAML open-source implementations, see also the LASSO project, which has recently completed a certified-interoperable SAMLv2 implementation:

http://lasso.entrouvert.org/
# By Jeff Hodges | 2/9/07 4:41 PM
Thanks for your feedback Justin. I had the same feeling about SourceId. I figured it would most likely be OpenSAML. That's pretty much my assignment for next week: figure out how best to do this without going too crazy. Thanks again!
# By Phil | 2/9/07 4:43 PM
@Jeff - Thanks for the links. I'll check them out, especially the LASSO project.
# By Phil Duba | 2/9/07 4:50 PM
@Justin--

I think you actually are referring to http://opensso.dev.java.net/ rather than Lightbulb, which is a subproject of the overall OpenSSO project. Lightbulb is simply a pure PHP "service provider" (SP) aka "relying party" (RP) SAMLv2 implementation. E.g. if you have a site you want to quickly SAML-enable, and it supports PHP scripting, you can just drop Lightbulb in and tweak a couple of things and you're set. Conversely, OpenSSO is a full Java-based identity provider implementation (and of course includes a Java-based SP implementation).
# By Jeff Hodges | 2/9/07 5:06 PM
@Jeff - thanks for clearing that up. I thought that was what Lightbulb was, which is why it has piqued my interest. The project I'm working on right now, and what I think is most appropriate for the CF community in general, is the Service Provider aspect within a SAML implementation. I only think that there are some PHP libraries one needs to get (I'm not a PHP developer by any means, that was just the gist I got from reading posts on the project) in order to implement it fully.
# By Phil Duba | 2/9/07 5:15 PM
I want to implement SAML using CF 7 and we use IIS 6. Any suggestions as to which API or lib will suit us? We don't want to get into crazy stuff. We need something that is stable and doesn't need changes in the CF environment or IIS or any architecture changes.

Thanks,
# By CFdevfusion | 5/2/08 12:54 PM
As mentioned earlier, we want to implement SSO for our site, which has its own login authentication procedure. We use CF 7 on Windows Server 2003 with IIS and SQL Server 2000 as the database.

Will OpenSAML work for me? Any suggestions for Windows implementation of SSO using SAML?
# By CFdevfusion | 5/19/08 1:03 PM
@CFdevfusion - if you look at the rest of this series, you'll see how I implemented my solution. I was using CF7 and used the Apache Security library, but I had to use a specific one as the latest will not work with the ColdFusion JRE. OpenSAML had the same type of compatibility issues, which is why I ended up using the Apache library and writing my own Java classes to perform the decryption and verification.
# By Phil Duba | 5/20/08 7:18 AM
Hi Phil, Thanks for the comments. I will try the Apache Security Library you have mentioned.

At this moment, after reading all the parts, I have these questions. I hope someone can answer them for me.

As I said, our website, which has its own authentication mechanism, will be accessed by IDP users.

1. So, how will the IDP send me the SAMLResponse? You said in Part 1 that a form needs to be submitted with SAMLResponse. Just wondering, how will a form submission come to me, because in your example you were taking care of both IDP & SP.

2. Will I need to ask the IDP to give me the certificate/key? How does this thing work?

3. As per your tutorial, the SamlTest class file is needed for signing the signature. I guess I won't need this class since the IDP signs the signature, right?

4. Also, I am assuming I will have to use VerifySignature to do the validation. Can you tell me what classes I need to import, because it was missing in your code?

Pardon my ignorance, because I am still learning and I'm not able to visualize the whole process, i.e. what the IDP is supposed to give me vs. what exactly would be done at my end.

Thanks
# By CFdevfusion | 6/3/08 5:11 PM
I'll give a shot at answering the questions.

1. The IDP will build and send you the Assertion. The way to do it is in the first code piece of this article and the code piece in Part 2. The exact attributes expected in the various areas are up to you (before/after conditions, ids, etc.).

2. You will actually generate the public/private key and send them the public one. They will use this to sign the certificate and you will use the private one to validate/verify the signature.

3. That is correct, you will not need that class since, in this case, you are a service provider (SP).

4. Correct, you will have to use VerifySignature or something similar to verify the document as a whole.

The IDP submits a base64 encoded form variable which contains the Assertion XML that is found in Part 2. There's a link in those comments that's pretty good (it might also be in this one) and provides a nice overview of SAML itself. HTH
# By Phil Duba | 6/3/08 6:49 PM
Hi, Thanks for the info. That really helped me a lot.

For question 2, I used keytool to generate a certificate as you had mentioned:
keytool -selfcert -alias SamlTest -genkey -keystore temp.keystore -keyalg RSA

This creates the temp.keystore in CFpath/jre/bin. So when you say, send the public key to them, do you mean I have to do this command and give them SamlTest.cer?
keytool -export -alias SamlTest -file SamlTest.cer

I am assuming that if I am right, they will sign SamlTest.cer, which has my public key, and send me the digital signature/certificate in XML format in the SAMLResponse, and I would verify/validate this digital signature using the VerifySignature program.

Does it make sense? Please advise.

Also, do I need to stick to the DSA or RSA algorithm? Any reason you picked RSA and not the default DSA?

In validation, your code has a reference to "path.to.SamlTest", which you also do in the CF code to sign the document. I believe you are referring to the Java class SamlTest, and my question is why do we need this in VerifySignature?

<cfset objSamlTest = CreateObject("java","path.to.SamlTest").init() />
<cfset ksString = "#GetTempDirectory()#temp.keystore">
<cfif objSamlTest.VerifySignature(token,ksString)>

Here is the part from your tutorial 5, Signing a Document:

Once the item is compiled, a signed document should be able to be created by executing the following code (continued from above):
<cfset objSamlTest = CreateObject("java","path.to.SamlTest").init() />
<cfset ksString = "#GetTempDirectory()#temp.keystore">
<cfset token = objSamlTest.SignDocument(ToString(samlAssert),ksString) />

Please answer these as I continue to progress further in my SAML project.

Thanks for your time.
# By CFFusionDev | 6/4/08 7:51 PM
Let me make the list short, so you can answer them.

1) I used keytool to generate a certificate as you had mentioned:
keytool -selfcert -alias SamlTest -genkey -keystore temp.keystore -keyalg RSA

This creates the temp.keystore in CFpath/jre/bin. So when you say, send the public key to them, do you mean I have to do this command and give them SamlTest.cer?
keytool -export -alias SamlTest -file SamlTest.cer

I am assuming that if I am right, they will sign SamlTest.cer, which has my public key, and send me the digital signature/certificate in XML format in the SAMLResponse, and I would verify/validate this digital signature using the VerifySignature method.

2. The IDP is supposed to send us in the assertion the Employee ID & Company ID, which get loaded in our database through a nightly demographic import. Shall I expect that in the conditions element of the XML token?

3. Last step. Once I get the conditions, I guess I can take the employee id from the conditions element of the XML and find the user info from the userlog table. I can set client variables like user name, etc. and redirect the user to the application's URL so the user can access the application.

4. General question. Every user at the IDP logs in to his own PC/intranet using his credentials, right? So how does this form submission for SAMLResponse take place? Does the IDP inform the users that to access the application site, you need to run this form page, which they will create? How does it work? Can you clarify from the user aspect for me?
# By CFdevfusion | 6/9/08 4:54 PM
I'll answer these as best I can.

1. It's been so long but, yes, I believe that's what you do. If I remember correctly, I was sent a .cer file to use to extract the public key for my assertion.

2. Those are in the AttributeStatement. If you look on my example (ignoring the fact I don't have a closing AttributeStatement tag) in part 2, you'll see I have an id there. The Attribute tag is what you'd use to pass these two values, if they aren't one of SAML's predefined attributes.

3. That is correct and that's what our client did.

4. Form submission is usually handled either behind the scenes on login to a particular section of a site or, in our case, it was when they went to access a particular account that we registered as "SSO". The system I was working on was rather complicated, a pseudo-CMS/aggregation application. So really, the IDP has to build the "gateway" from their application to yours. If they can do all that behind the scenes, great; if not, then there will be some browser redirects going on.

HTH, Phil
# By Phil Duba | 6/9/08 9:38 PM
Hi Phil,
Once I get the conditions, I guess I can take the employee id from the conditions element of the XML and find the user info from the userlog table. I can set client variables like user name, etc. and redirect the user to the application's URL so the user can access the secureArea application.

To do that, I would have to add code in the Application.cfm of securearea so that the SSO code is run and the user is automatically logged in. But let's say the redirection URL with client vars gets into the hands of a hacker or someone who is sniffing the network packets; this will result in a replay attack, i.e. someone can use that URL and he will be automatically logged in to the application.

How do you avoid that? Did you come across something like this? Let me know if the question is not clear.

Any ideas?
# By CFFusionDev | 7/30/08 12:30 PM
Remember, there is the digital signature area which is an encryption of all of the SAML request, including conditions. So even if someone hijacked it, the time conditions would no longer be met, and if they manipulated the SAML that's in text, the signature validation would fail.
# By Phil Duba | 8/1/08 10:58 AM
Hi Phil,

Thanks for the reply. But I was talking more in terms of someone hijacking my relocation URL, which will have some information in it, and even though the URL will have parameters encrypted, the user could copy that URL and paste it in the browser to access the site.

I read about this issue and many people are suggesting to use a transaction ID to validate/expire once used.

Thanks,
# By CFFusionDev | 8/4/08 4:33 PM
Maybe I'm not following any more, lots of comments on this one :). Are you receiving an Assertion and having to validate it, or are you posting an assertion? If you are posting, remember you do it through a form submission, meaning you create a form variable and submit to the other side. In this case, your redirection occurs in the form submission, so if there is anything needed, it should be part of the assertion itself.
# By Phil Duba | 8/4/08 6:13 PM
Phil,

You mentioned:
OpenSAML had the same type of compatibility issues which is why I ended up using the Apache library and writing my own Java classes to perform the decryption and verification.

Can you share the decryption process with me? I followed your tutorial and it's great. I am just stuck at the decryption part. Using CF 7 with jdk1.4. Please respond ASAP.

Please help
# By ah7866 | 8/22/08 5:58 PM
@ah7866, what do you mean by decryption? Are you referring to verification of the signature or are you looking at something else?
# By Phil Duba | 8/26/08 3:03 PM
XML encryption/decryption, and it's different from verification of a digital signature.

With XML encryption, the client can send some elements encrypted and you have to decrypt them before you can make use of them.

But it's ok, I figured out a way to decrypt the contents of the samlResponse/XML.

Thanks,
# By ah7866 | 8/26/08 5:33 PM
Ok, I've never dealt with encryption, but I would assume it would've been like CF's encryption (although something tells me it is a little more complicated).
# By Phil Duba | 8/26/08 7:59 PM
Sure is.

But there are some nice tutorials to get started. Needs good knowledge of so many things to make it work.

Thanks,
# By ah7866 | 8/26/08 9:35 PM
Hello SAML knowledge experts.
I'm trying to implement a solution for a local college where students sign in and are presented with an icon that will log them into their GMail account.
Q: Is SAML the right direction for me to be looking?
# By Phillip Senn | 5/18/09 10:50 AM
SAML is definitely a solution and this link, http://code.google.com/apis/apps/sso/saml_referenc..., talks about how to implement it to access Google Apps like Gmail and Calendar.
# By Phil Duba | 5/18/09 12:54 PM