Some time ago we identified that the SPFilter needs updating, but we have not got to it
yet. We certainly value your contribution immensely.
If you want to contribute, just send in a PR in increments.
On Aug 7, 2014, at 6:18 PM, Adam Dong <adamdong(a)vidder.com>
wrote:
Hi, guys,
The current SPFilter doesn’t support
1. signing AuthnRequest
2. decrypting Assertion NameID (it seems to support validating assertion signature,
but I didn’t get that far yet)
3. loading/understanding the standard IDP metadata file (example below).
Is my understanding above correct ?
The reason I’m using the filter and not the valve is because I have to support web
containers other than JBoss.
If I need those three things, should I go ahead and code them myself (and after testing,
I could contribute back to the community, with the permission of my company) ?
Or is there effort already under-way ?
Or better yet, these are already done and ready to be shared ?
Thanks for any feedback.
Adam Dong
---------------------------------------- example IDP metadata file
--------------------------------------------------------------------------------
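<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Example IdP metadata (SAML 2.0 metadata namespace). The pasted original carried
     browser tree-view "-" collapse markers in front of elements, an unterminated
     </xenc:... close tag, and standalone="true" (not well-formed: the attribute only
     admits "yes"/"no"); those paste artifacts are repaired here. Certificate bodies
     are elided by the page. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://idp.ssocircle.com">
  <!-- WantAuthnRequestsSigned="false": this IdP does not require the SP to sign its
       AuthnRequests. An SP may still sign them; signing is a property of the SP, not
       something the IdP metadata has to permit. -->
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                    WantAuthnRequestsSigned="false">
    <!-- use="signing": the certificate an SP consuming this metadata should trust when
         verifying signatures on Responses/Assertions from this IdP. The trust anchor is
         this metadata (or a configured trust store), not a KeyInfo carried inside the
         signed message. -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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 </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <!-- use="encryption": the IdP's public key, used to encrypt data the SP sends to
         the IdP. Decrypting assertions/NameIDs the IdP sends to the SP requires the SP's
         own private key (published via the SP's metadata), not this descriptor. -->
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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 </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <!-- aes128-cbc provides confidentiality only, no integrity; a consumer must verify
           the enclosing XML signature before decrypting and must not act on a decrypted
           payload whose signature check failed. -->
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
        <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
      </EncryptionMethod>
    </KeyDescriptor>
    <ArtifactResolutionService
        Location="https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        isDefault="true"
        index="0"/>
    <!-- Endpoints below are the only locations an SP consuming this metadata should
         send protocol messages to; an SP should also check that an inbound message's
         Destination matches one of its own published endpoints. -->
    <SingleLogoutService
        Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"/>
    <SingleLogoutService
        Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"/>
    <SingleLogoutService
        Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <ManageNameIDService
        Location="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle"/>
    <!-- NOTE(review): the Location below lacks the "/" before "metaAlias" that every
         sibling endpoint has; reproduced as pasted, verify against the live metadata. -->
    <ManageNameIDService
        Location="https://idp.ssocircle.com:443/sso/IDPMniPOSTmetaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniPOST/metaAlias/ssocircle"/>
    <ManageNameIDService
        Location="https://idp.ssocircle.com:443/sso/IDPMniSoap/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <!-- NameID formats this IdP can issue; an SP should accept only the format(s) it
         has been configured for and reject the rest. -->
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <SingleSignOnService
        Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleSignOnService
        Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <SingleSignOnService
        Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <NameIDMappingService
        Location="https://idp.ssocircle.com:443/sso/NIMSoap/metaAlias/ssocircle"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
  </IDPSSODescriptor>
</EntityDescriptor>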