Closed GoogleCodeExporter closed 8 years ago
Original comment by andreass...@gmail.com
on 14 Feb 2008 at 8:43
Setting this to New. Not accepted yet.
Original comment by andreass...@gmail.com
on 3 Jun 2008 at 4:39
Original comment by andreass...@gmail.com
on 27 Jun 2008 at 10:33
Hello, I am trying to implement support for SAML 2.0 artifact.
Step 1: for the service provider
==> read artifact: check
==> parse bytes to know where to send the URL: partially, I can already obtain the SHA-1 code, but still need to make it so I can find it in the list of IdPs.
==> encryption: having real difficulty here. I am getting exceptions:
Failed to verify signature using either KeyInfo-derived or directly trusted credentials
PKIX validation of signature failed, unable to resolve valid and trusted signing key
I already searched hard, but I am having difficulty finding something useful.
Conclusion: proof of concept works, I can send a request and receive an artifact and send it in an ArtifactResolve message and get my data.
Is there someone who can give me some information on how I might solve my problem with the IdP? I am getting exceptions:
Failed to verify signature using either KeyInfo-derived or directly trusted credentials
PKIX validation of signature failed, unable to resolve valid and trusted signing key
Step 2: for the identity provider
No steps taken so far.
Secondly: can I please submit code once I am done with the service provider?
Original comment by danny.bo...@gmail.com
on 1 Sep 2009 at 2:55
Is this based on the new SAML 2 classes which were committed at the start of the month? If not, you may want to try to integrate it with those. Those classes have a much better separation between messages, bindings and application logic, something that should make this task easier.
Regarding the errors you report: Where do they come from? When do they occur? I'm going to guess that you receive them when sending an ArtifactResolve message to the IdP? In that case, I believe it is caused by the ArtifactResolve message not being signed, or the signature being invalid. It is also possible that the IdP is missing the public key of the SP, and is therefore unable to validate the signature.
In any case, please submit your code.
Original comment by olavmrk@gmail.com
on 2 Sep 2009 at 10:24
Hello, my "design" is based on the latest version in the trunk.
I am using initSSO.php and SAML2_HTTPPost as examples to implement my own pages. The problem right now is everything is still hard coded. I am trying to make a proof of concept first and then make it dynamic.
The service provider is almost finished; can I submit this to a branch, so I do not break anything? I still need to adjust the parser to read the ArtifactResolve. Right now it just prints/dumps the XML.
I also have a small question.
I wish to add variables to my saml20-sp-hosted, so I can add my certificate, private key and artifactResolution. Can you please explain to me how you do this? I tried and I kept losing my additional variables. It would help a lot for cleaning up my code. The same question also for saml20-idp-remote, but to add a sha-1 parameter. I need the sha-1 for the artifact source attribute.
Thanks in advance, looking forward to contributing to the project.
Original comment by danny.bo...@gmail.com
on 4 Sep 2009 at 3:11
You might want to use the saml-module when developing this, since we are planning to make that module the standard in the future, and deprecate the code found in www/saml2/sp and the saml2-module.
As for submitting this, I think it would be easiest if you sent one (or more) patches, and then we can apply it when it is ready. We have never really used branches for anything.
You should not have to do anything special to add extra fields to the metadata. Nothing is automatically removed from the metadata array.
There are already fields for the private key and certificate in the saml20-sp-hosted metadata file. Take a look at modules/saml2/lib/Message.php to see how it accesses those.
What is the purpose of the artifactResolution attribute in the saml20-sp-hosted? If it is the address of the ArtifactResolutionService endpoint, I think it should go in saml20-idp-remote?
The sha-1 parameter you want to add to saml20-idp-hosted - isn't this the sha-1 of the entity id? Would it not be better to just calculate it when needed? You can always access the entity id through the 'entityid' metadata variable - it is always present.
You may also be interested to know that we have been working a bit on adding artifact support to the SAML 1 handler. During this work we have added parsing of the ArtifactResolutionService endpoint to the metadata parser (both for SAML 1 and SAML 2), and generation of AssertionConsumerService endpoints in the metadata generator (also for both SAML 1 and SAML 2).
Original comment by olavmrk@gmail.com
on 10 Sep 2009 at 6:56
Version 0.1 is finished. There are still some problems with the signing of the artifact; if you turn signature verification off, everything should be working properly.
Before the latest update, a week ago, it worked.
Now you will get this error:
Reference validation failed
0: /home/dbollaer/workspace-sts-2.1.0.RELEASE/SimpleSamlPhpUpdate/lib/xmlseclibs.php:911 (XMLSecurityDSig::validateReference)
1: /home/dbollaer/workspace-sts-2.1.0.RELEASE/SimpleSamlPhpUpdate/lib/SAML2/Utils.php:52 (SAML2_Utils::validateElement)
2: /home/dbollaer/workspace-sts-2.1.0.RELEASE/SimpleSamlPhpUpdate/lib/SAML2/Assertion.php:457 (SAML2_Assertion::parseSignature)
3: /home/dbollaer/workspace-sts-2.1.0.RELEASE/SimpleSamlPhpUpdate/lib/SAML2/Assertion.php:210 (SAML2_Assertion::__construct)
4: /home/dbollaer/workspace-sts-2.1.0.RELEASE/SimpleSamlPhpUpdate/lib/SAML2/ArtifactResponse.php:40 (SAML2_ArtifactResponse::__construct)
5: /home/dbollaer/workspace-sts-2.1.0.RELEASE/SimpleSamlPhpUpdate/lib/SAML2/Message.php:550 (SAML2_Message::fromXML)
6: /home/dbollaer/workspace-sts-2.1.0.RELEASE/SimpleSamlPhpUpdate/lib/SAML2/HTTPArtifact.php:233 (SAML2_HTTPArtifact::receive)
7: /home/dbollaer/workspace-sts-2.1.0.RELEASE/SimpleSamlPhpUpdate/www/saml2/sp/AssertionConsumerService.php:74 (N/A)
How to enable: add this to your service provider info. Right now memcache is needed; I will replace this in the future, so that HTTP artifact can also use the cache.
saml20-idp-remote.php
'ArtifactResolutionService' => '***/saml2/idp/ArtifactResolution.php',
saml20-sp-remote.php
'AssertionConsumerServiceArtifact' => '***/saml2/sp/AssertionConsumerService.php',
/** otherwise artifact profile is not used **/
'artifact' => true,
saml20-sp-hosted.php
'artifact' => true,
Well, I hope you all have fun playing with the artifact profile. It's still not finished and it will need a lot of work, but right now I am looking first for some feedback, so I can integrate it correctly/properly in simpleSAMLphp.
Original comment by danny.bo...@gmail.com
on 11 Sep 2009 at 10:03
Attachments:
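The two pieces of the thread that can be shown in code are the artifact layout itself (the "parse bytes" and "sha-1 of the entity id" questions above) and the issuer-side store that the patch fills with memcache. The following is an added example, written for this page in Python rather than the project's PHP, and it is not code from the patch or from simpleSAMLphp. It encodes and decodes a SAML 2.0 type-4 artifact (TypeCode 0x0004, EndpointIndex, 20-byte SourceID = SHA-1 of the issuer's entityID, 20-byte random MessageHandle), maps a received artifact back to a configured IdP by recomputing SourceIDs instead of storing a separate sha-1 parameter, and keeps issued messages in a single-use, expiring store. The entityIDs and the message text are constructed for the example; signing of the ArtifactResolve/ArtifactResponse exchange, which is the error the thread is actually chasing, is outside this block.

```python
"""SAML 2.0 type-4 artifact handling: build, parse, map SourceID to an IdP,
and a single-use store with expiry on the issuing side."""
import base64
import hashlib
import os
import struct
import time

# Type code for the SAML 2.0 artifact format (SAML 2.0 Bindings, section 3.6.4.2):
# TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20) = 44 bytes, base64-encoded.
ARTIFACT_TYPE_CODE = 0x0004
ARTIFACT_RAW_LEN = 44


def source_id(entity_id):
    """SourceID is the 20-byte SHA-1 of the issuer's entityID, so it can always be
    derived from metadata instead of being stored as a separate parameter."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id, endpoint_index=0, handle=None):
    """Issuer side: encode a fresh artifact. The MessageHandle must be unguessable."""
    if handle is None:
        handle = os.urandom(20)
    if len(handle) != 20:
        raise ValueError("MessageHandle must be exactly 20 bytes")
    raw = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index) + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    """Receiver side: decode and validate the artifact, rejecting anything that is
    not a well-formed type-4 artifact before any network call is made."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_RAW_LEN:
        raise ValueError("type 4 artifact must decode to %d bytes, got %d" % (ARTIFACT_RAW_LEN, len(raw)))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError("unsupported artifact type code 0x%04x" % type_code)
    return {
        "endpoint_index": endpoint_index,
        "source_id": raw[4:24],
        "message_handle": raw[24:44],
    }


def find_issuer(artifact, idp_entity_ids):
    """SP side: match the artifact's SourceID against the SHA-1 of every configured
    IdP entityID. Returns the matching entityID, or None (unknown issuer: reject)."""
    wanted = parse_artifact(artifact)["source_id"]
    for entity_id in idp_entity_ids:
        if source_id(entity_id) == wanted:
            return entity_id
    return None


class ArtifactStore:
    """Issuer side: keeps the message until it is resolved. Entries are single-use
    and time out; a cache shared between web nodes is needed when more than one
    node serves the issuer, which is the role memcache plays in the thread's patch."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}

    def issue(self, entity_id, message_xml, endpoint_index=0):
        artifact = build_artifact(entity_id, endpoint_index)
        self._entries[artifact] = (message_xml, self._clock() + self._ttl)
        return artifact

    def resolve(self, artifact):
        """Return the stored message once, or None if unknown, already used or expired."""
        entry = self._entries.pop(artifact, None)  # pop: a replayed resolve gets nothing
        if entry is None:
            return None
        message_xml, expires_at = entry
        if self._clock() > expires_at:
            return None
        return message_xml


if __name__ == "__main__":
    # Constructed example: one IdP issues an artifact, the SP maps it back and resolves it.
    idp = "https://idp.example.org/saml2/idp/metadata.php"  # assumed entityID, not from the thread
    store = ArtifactStore(ttl_seconds=60)
    art = store.issue(idp, "<samlp:Response>example</samlp:Response>")
    print("artifact:", art)
    print("issuer:", find_issuer(art, [idp, "https://other.example.net/idp"]))
    print("first resolve returned a message:", store.resolve(art) is not None)
    print("second resolve returned a message:", store.resolve(art) is not None)
```

The receiving side should reject the artifact on any parse failure or unknown SourceID before it opens a SOAP connection to an ArtifactResolutionService, since the endpoint is chosen from the SourceID; on the issuing side, popping the entry on first resolve is what makes a captured artifact worthless to a second caller.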
Can someone please look at this issue, so I know how to proceed? It's been a week and I would very much like to improve it.
Thanks in advance
Original comment by danny.bo...@gmail.com
on 18 Sep 2009 at 12:06
The bugs seem to have disappeared with the new updates.
thank you olavmrk
Original comment by danny.bo...@gmail.com
on 18 Sep 2009 at 2:44
Original comment by andreass...@gmail.com
on 21 Sep 2009 at 11:51
Can someone please provide some feedback? I want to know how to continue. It's been almost two weeks. I want to continue my work on the artifact profile.
Original comment by danny.bo...@gmail.com
on 24 Sep 2009 at 12:02
Hi,
I have had a look at your patch, and it requires a lot of work before it can be integrated in simplesamlphp. I have attached an edited version of the patch file where I have commented on some parts of the patch.
I see that you are implementing both sending and receiving of artifacts, which I think complicates your task.
But: Have you tested this against a different IdP than simpleSAMLphp? From what I understand of the artifact protocol and how you have implemented it, I think the messages should have a different format?
Original comment by olavmrk@gmail.com
on 24 Sep 2009 at 1:46
Attachments:
Hi,
Thank you for looking at my patch. I will be starting to work on it again next week.
I had tested my first version on my own Shibboleth 2.1, but I had some problems (signing related) because of some changes in the repository.
Which test federation are you using, so I can test against those as well?
Original comment by danny.bo...@gmail.com
on 29 Sep 2009 at 7:30
Hi,
I was wondering, in the recent post on the website I read this:
# SimpleSAMLphp does not support the SAML 2.0 Artifact binding for Response. Estimated to be available in SimpleSAMLphp 1.6.
Does that mean you are making it one of your priorities?
Are you going to implement only the service provider side, like you suggested in this mail:
"
We have decided that we want to implement SAML 2.0 Artifact for the SP, but I cannot say when it will be available. I assume you want SAML 2.0 and not SAML 1.1 artifact.
"
or are there plans to implement the IdP as well?
Could you please clarify this for me?
Original comment by danny.bo...@gmail.com
on 14 Oct 2009 at 8:16
We have no plans on implementing it on the IdP as of now. It might very well be that we do, but no promises.
On the SP side, we most likely will include it in 1.6, but no dates for that yet. 1.5 will be released within October.
Original comment by andreass...@gmail.com
on 14 Oct 2009 at 10:10
We've been testing/tweaking an implementation of SP side Artifact binding with good results, but are keen to use an "official" release. How can we help? Testing, coding?
Original comment by billie...@gmail.com
on 9 Nov 2009 at 8:43
Can you please create a patch with your modifications. So I can help test it.
Original comment by danny.bo...@gmail.com
on 12 Nov 2009 at 10:33
Hi Billieboi - it would be great if you could provide patches of what you've done so far, as I would like to help with the testing - we have a need for Artifact support here in NZ, too.
Cheers,
Piers Harding.
Original comment by piers.harding
on 18 Nov 2009 at 9:49
Hi all,
I am almost finished with (re)implementing the IdP side of the artifact profile. Now I have IdP-initiated working, and today I am doing the SP-initiated side. I am planning on releasing a patch this week. But I would very much like to test against some test SPs.
Right now it's only tested against my fedlet and OpenSSO. So I am searching for other SAML 2 SPs, for example Shibboleth 2.
Thanks in advance.
Cheers,
Danny
Original comment by danny.bo...@gmail.com
on 30 Nov 2009 at 9:02
Hello all,
Here is an almost completely reworked version of my original artifact support for the IdP side. The SP side still needs to be rewritten, but I will leave that job to billieboi.
I have already tested it a lot.
It works for:
fedlet opensso (not opensso)
shibboleth2 (securely!)
*REQUIRES memcache.
I am still using the old version of SSOService.php and I am planning on updating that in the near future.
If at all possible, I am hoping this will be implemented in 1.7.
Cheers,
Danny
Original comment by danny.bo...@gmail.com
on 6 Jan 2010 at 12:09
Attachments:
The code for sending responses via the HTTP-Artifact binding was added to svn in r2121.
Thanks!
Original comment by olavmrk@gmail.com
on 15 Jan 2010 at 10:18
Original comment by andreass...@gmail.com
on 25 Jan 2010 at 11:19
I am trying to make a Zend Framework based project and I am new to this technology and I am facing a few difficulties.
1) How to integrate a Zend Framework based project with simplesamlphp.
2) At present the default simplesamlphp is working with a service provider and identity provider, but what I have is the login form in my SP and I want to authenticate the credentials filled in through the IdP and then come back. How to do that?
3) Also I just need to check if the session is present in the IdP; then it would redirect to my SP. How to do that?
Awaiting a response asap.
Original comment by PratikJi...@gmail.com
on 15 Mar 2010 at 11:46
Please clarify what this has to do with the SAML2 artifact.
Kind regards,
Danny
Original comment by danny.bo...@gmail.com
on 15 Mar 2010 at 12:19
Both SP and IdP are now included in simpleSAMLphp. Marking this as fixed.
Original comment by olavmrk@gmail.com
on 20 May 2010 at 12:04
Original issue reported on code.google.com by andreass...@gmail.com on 16 Jan 2008 at 7:32