1README.zxid 2########### 3<<author: Sampo Kellom�ki (sampo@iki.fi)>> 4<<cvsid: $Id: README.zxid,v 1.125 2009-11-24 23:53:40 sampo Exp $>> 5<<class: article!a4paper!!ZXID 23>> 6 7See INSTALL.zxid for installation and quick tutorial. 8 9<<abstract: 10 11ZXID.org Identity Management toolkit implements standalone SAML 2.0, 12Liberty ID-WSF 2.0, and XACML 2.0 stacks and aims at implementing all popular 13federation, SSO, and ID Web Services protocols. It is a C implementation 14with minimal external dependencies - OpenSSL, CURL, and zlib - 15ensuring easy deployment (no DLLhell). Due to its small footprint and 16efficient and accurate schema driven implementation, it is suitable 17for embedded and high volume applications. Language bindings to all 18popular highlevel languages such as PHP, Perl, and Java, are provided 19via SWIG. ZXID implements, as of Nov 2011, SP, IdP, WSC, WSP, 20Discovery, PEP, and PDP roles. ZXID is the reference implementation 21of the core security architecture of the TAS3.eu project.\\\\ 22 23ZXID.org ist eine C-Bibliothek, die den vollst�ndigen SAML 242.0-Stack implementiert und alle popul�ren 25Identit�tsverwaltungs-Protokolle wie Liberty ID-FF 1.2, 26WS-Federation, WS-Trust und ID-Webservices wie Liberty ID-WSF 1.1 und 272.0 implementieren will. Sie beruht auf Schema-basierter 28Code-Erzeugung, woraus eine genaue Implementation resultiert. SWIG 29wird verwendet, um Schnittstellen zu Skriptsprachen wie Perl, PHP und 30Python sowie zu Java bereitzustellen. Sie kann als SP, IdP, WSC, 31WSP, Discovery, PEP, und PDP fungieren.\\\\ 32 33A biblioteca de gest�o de identidades ZXID.org � uma 34implementa��o, em C, das normas SAML 2.0, Liberty ID-WSF 2.0 e 35XACML 2.0 com depend�ncias externas m�nimas - OpenSSL, CURL, e 36zlib - facilitando uma implanta��o f�cil sem "inferno dos 37DLL". Sendo econ�mica em consumo de recursos � indicada para 38aplica��es embutidas ou de grande volume e performance. 
A 39biblioteca � disponibilizada para todos os linguagens de 40programa��o de alto n�vel como, p.ex., PHP, Perl, e Java, 41atravez de interf�ces SWIG. ZXID de hoje (Nov 2011) pode funcionar 42nos papeis SP (Provedor de Servi�os), IdP (Provedor de Identidade), 43WSC (Cliente de Servi�os Web) WSP (Provedor de Servi�os Web), 44Discovery (descobrimento de servi�os), PEP (controlo de acesso), e 45PDP (decis�o de acesso). ZXID � a implementa��o de refer�ncia 46do parte seguran�a do projecto TAS3.eu.\\\\ 47 48La librer�a de gesti�n de identidades ZXID.org es una 49implementaci�n en C de las normas SAML 2.0, Liberty ID-WSF 2.0, y 50XACML 2.0 con dependencias externas m�nimas - OpenSSL, CURL, y zlib 51- que elimina el "Infierno DLL" en su implantaci�n. Como ZXID es 52muy econ�mica, es apta para aplicaciones embebidas o de gran 53volumen y envergadura. Los lenguajes de programaci�n de alto nivel, 54como Perl, PHP, y Java, son soportados con generador de interfaces 55SWIG. Hoy (Nov 2011) el ZXID soporta los roles SP (proveedor de 56servicios), IdP (proveedor de identidades), WSC (cliente de los 57servicios web) WSP (proveedor de servicios web), Discovery 58(descubrimeinto de servicios), PEP (copntrolo de acesso), y PDP 59(decici�nes de acesso). ZXID es el implementaci�n de referencia 60de parte seguridad de proyecto TAS3.eu.\\\\ 61 62ZXID.org on verkkohenkil�llisyyden ja -tunnisteiden 63hallintakirjasto joka tukee SAML 2.0 (sis��nkirjaantuminen), 64Liberty ID-WSF 2.0 (henkil�llisyyteen pohjautuvat webbipalvelut), 65ja XACML 2.0 (k�ytt�oikeuksien hallinta) standardeja. ZXID 66vaatii vain OpenSSL, CURL ja zlib kirjastot joten se v�ltt�� 67"DLL helvetti"-ongelman. Skemapohjaisena C toteutuksena se on tarkka 68ja taloudellinen ja kelpaa sulautettuihin ja eritt�in kovaa 69suorituskyky� vaativiin sovelluksiin. Se tukee korkeantason 70kieli� - kuten Perli�, PHP:t�, CSharp:ia, ja Javaa - SWIG 71generoiduin rajapinnoin. 
ZXID tukee (Marraskuu 2011) SP 72(palveluntarjoaja), IdP (henkil�llisyydenvarmentaja), WSC 73(webbipalvelunkutsuja), WSP (webbipalveluntarjoaja), Discovery 74(webbipalveluiden l�yt�minen), PEP (k�ytt�oikeuden 75tarkistus), ja PDP (k�ytt�oikeuden p��t�s) rooleja. 76ZXID on TAS3.eu projektin referenssi toteutus turvallisuus- ja 77luottamusteknologioissa. 78 79>> 80 81<<maketoc: 1>> 82 831 Other Documentation 84===================== 85 86This README.zxid is in process of being rewritten and restructured. 87A lot of the material has moved to specific files, which 88you should read. 89 90* <<link:mod_auth_saml.html: mod_auth_saml>> Apache 91 module documentation: SSO without programming. 92* <<link:zxid-simple.html: zxid_simple()>> Easy API for SAML 93* <<link:zxid-raw.html: ZXID Raw API>>: Program like 94 the pros (and fix your own problems). See also <<link:../ref/html/index.html: Function Reference>> 95* <<link:zxid-wsf.html: ZXID ID-WSF API>>: Make Identity Web Services Calls using ID-WSF 96* <<link:zxid-install.html: ZXID Compilation and Installation>>: Compile 97 and install from source or package. See also <<link:html/INSTALL.zxid.html: INSTALL.zxid>> 98 for quick overview. 99* <<link:zxid-conf.html: ZXID Configuration Reference>>: Nitty gritty 100 on all options. 101* <<link:zxid-cot.html: ZXID Circle of Trust Reference>>: How to 102 set up the Circle of Trust, i.e. the partners your web site works with. 
103* <<link:zxid-log.html: ZXID Logging Reference>>: ZXID digitally signed logging facility 104* <<link:zxid-java.html: javazxid>>: Using ZXID from Java 105* <<link:zxid-perl.html: Net::SAML>>: Using ZXID from Perl 106* <<link:zxid-php.html: php_zxid>>: Using ZXID from PHP 107* <<link:zxid-idp.html: IdP>>: Configuring zxididp 108* <<link:zxid-faq.html: FAQ>>: Frequently Asked Questions 109* <<link:../README.smime: README.smime>>: Crypto and Cert Tutorial 110 111* zxid.user@lists.unh.edu mailing list 112 1132 ZXID Project 114============== 115 116Web site:: http://zxid.org/ 117License:: Open source: Apache 2, see License chapter and file COPYING 118 119Immediate goal: build a SAML 2.0 SP and ID-WSF 2.0 WSC 120 121Goals of ZXID project include 122 123* SOAP 1.1 support (done) 124* SAML 2.0 compliance 125 - SP role (done) 126 - IdP role (done) 127* Liberty ID-FF 1.2 support 128 - SP 129 - IdP 130 - SAML 1.1 131* Liberty ID-WSF 1.1 support 132 - Discovery bootstrap 133 - Discovery WSC 134 - ID-DAP WSC 135 - ID-DAP WSP 136* Liberty ID-WSF 2.0 support 137 - Discovery bootstrap (done) 138 - Discovery WSC (done) 139 - Discovery WSP (done) 140 - ID-DAP WSC (done) 141 - ID-DAP WSP (done) 142 143<<table: ZXID Platform Support 144Platform Native Cross Compile Notes 145=============== ========== ================ ================================ 146Linux-ix86 gcc-3.4.6 n/a Development platform 147Solaris 8-sparc gcc-3.4.6 Linux gcc-3.4.6 Fully functional 148Windows 2000 - Linux gcc-3.4.6 Poorly tested 149xBSD/Unix gcc-3.4.6 n/a C core tested, language bindings not tested 150>> 151 152<<table: ZXID Feature and Language Support (version number indicates last testing) 153Feature C mod_perl mod_php Python Java/Tomcat Apache Shell 154===================== ===== ======== ======= ====== =========== ====== ===== 155Geo Location Alpha 156ID-MM7 Alpha 157ID-DAP Beta 158ID-HR-XML Beta 159Contact Book Alpha 160People Service Alpha 161Discovery 0.41 162Web Services (ID-WSF) 0.41 
163Authorization (XACML) 0.40 yes 0.40 Plan 0.40 0.40 164SSO 0.17 0.17 0.17 Plan 0.17 0.40 0.17 165>> 166 167<<table: ZXID Enabled Application Packages 168Application Language Notes 169============== ============= ===================================================== 170DokuWiki PHP Patch available, in process of submitting to DokuWiki authors 171Mahara PHP 4Q2009 172>> 173 174<<ignore: table: ZXID Enabled Application Packages 175Application Language Notes 176============== ============= ============================== 177MediaWiki PHP Planned 178Cognito 179zxbug Perl Planned 180>> 181 1822.1 Project Layout 183------------------ 184 185Following directory layout is used by the project. Many of the specified 186directories are used by intermediate outputs that are not distributed 187in tarball releases, but may or may no be present in CVS checkouts. 188 189 zxid-0.xx 190 | 191 +-- Net The Net::SAML perl module (also mod_perl) 192 +-- php PHP / mod_php integration 193 +-- zxidjava The Java JNI interface to ZXID 194 +-- servlet Apache Tomcat integration 195 +-- c C code generated from the Schema Grammar descriptions 196 +-- sg Schema Grammar (.sg) descriptions of protocols 197 +-- xsd XML schema descriptions of protocols (not distributed) 198 +-- tex Temporary files for document generation using PlainDoc (not distributed) 199 +-- html HTML documentation generated using PlainDoc 200 +-- review Publicly released announcements and documents (not distributed) 201 +-- t Test scripts and expected test outputs 202 `-- tmp Temporary files, such as actual test outputs 203 204The Manifest file, which follows, explains each file in more detail. 205 206<<logoutput: 207<<Manifest>> 208>> 209 2102.2 Protocol Encoders and Decoders 211---------------------------------- 212 213The protocol encoders and decoders are generated automatically from 214the schema grammar (.sg) descriptions. This ensures accurate protocol 215implementation. 
While the output is strictly schema driven and correct, 216the decoders have some provisions to accept some deviations from 217strict spec (e.g. out of order elements are tolerated). However, 218one should note that XMLDSIG does not tolerate very much deviation, 219thus even if decoder accepts a slightly illformed message, it is likely 220to fail in signature verification. 221 222There are three outputs from generation 223 2241. Data structures describing the data (xx.h) 2252. Encoder that linearizes the data structure to wire protocol (xx-enc.c) 2263. Decoder that converts wire protocol byte stream to a data structure (xx-dec.c) 227 2282.3 Standards and Namespaces 229---------------------------- 230 231ZXID uses consistently the same namespace prefixes throughout the project. The 232generated encoders and decoders support following schemata 233 234<<longtable: ZXID Namespace Convention 235Prefix URI Description 236====== ============================================== ================================= 237sa urn:oasis:names:tc:SAML:2.0:assertion SAML 2.0 238sp urn:oasis:names:tc:SAML:2.0:protocol 239md urn:oasis:names:tc:SAML:2.0:metadata 240ecp urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp 241shibmd urn:mace:shibboleth:metadata:1.0 Shibboleth 2.0 Metadata extensions 242 243idpdisc 244urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol 245SAML IdP Discovery 246paos urn:liberty:paos:2006-08 247sa11 urn:oasis:names:tc:SAML:1.0:assertion SAML 1.1 248sp11 urn:oasis:names:tc:SAML:1.0:protocol 249ff12 urn:liberty:iff:2003-08 ID-FF 1.2 250m20 urn:liberty:metadata:2004-12 v2.0 (almost same as 1.2) 251ac urn:liberty:ac:2004-12 v2.0 (almost same as 1.2) 252b12 urn:liberty:sb:2003-08 ID-WSF 1.1 SOAP Binding 253sec12 urn:liberty:sec:2003-08 ID-WSF 1.1 Security Mechanisms 254di12 urn:liberty:disco:2003-08 ID-WSF 1.1 Discovery Service 255is12 urn:liberty:is:2003-08 ID-WSF 1.1 Interaction Service 256lu urn:liberty:util:2006-08 ID-WSF 2.0 Utility Schema 257sbf urn:liberty:sb 
Framework header 258b urn:liberty:sb:2006-08 ID-WSF 2.0 SOAP Binding 259sec urn:liberty:security:2006-08 ID-WSF 2.0 Security Mechanisms 260di urn:liberty:disco:2006-08 ID-WSF 2.0 Discovery Service 261is urn:liberty:is:2006-08 ID-WSF 2.0 Interaction Service 262dap urn:liberty:id-sis-dap:2006-08:dst-2.1 ID Directory Access Protocol 263dst urn:liberty:dst:2006-08 Data Services Template 2.1 264subs urn:liberty:ssos:2006-08 Subscription and Notification 265ps urn:liberty:ps:2006-08 People Service 266im urn:liberty:ims:2006-08 Identity Mapping svc (aka Token Map) 267as urn:liberty:sa:2006-08 ID-WSF 2.0 Authentication Service 268cb urn:liberty:id-sis-cb:2004-10 Contact Book Protocol (DST 2.0 based) 269cdm urn:liberty:cb:conceptual-data-model:2004-10 Contact Book Common Data Model 270gl urn:liberty:id-sis-gl:2005-07 Geolocation Service 271 272mm7 273http://www.3gpp.org/ftp/Specs/archive/23_series/23.140/schema/REL-6-MM7-1-4 274ID-MM7 (ID-SIS-CSM) 275dp urn:liberty:dp:2006-12 ID-WSF 2.0 Design Patterns 276idp urn:liberty:idp:2006-12 ID-WSF 2.0 IdP as web svc 277pmm urn:liberty:pmm:2006-12 ID-WSF 2.0 Prov Mod Mgr 278prov urn:liberty:prov:2006-12 ID-WSF 2.0 TM Provisioning 279shps urn:liberty:shps:2006-12 ID-WSF 2.0 Svc Handling and Proxying 280e http://schemas.xmlsoap.org/soap/envelope/ SOAP 1.1, with SAML and WSF 281xa urn:oasis:names:tc:xacml:2.0:policy:schema:os XACML 2.0 282xac urn:oasis:names:tc:xacml:2.0:context:schema:os 283xasp urn:oasis:xacml:2.0:saml:protocol:schema:os 284xasa urn:oasis:xacml:2.0:saml:assertion:schema:os 285 286xaspcd1 287urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01 288Committee draft with extensions for passing policies as input 289 290xasacd1 291urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01 292Committee draft with extentsions 293 294wst 295http://docs.oasis-open.org/ws-sx/ws-trust/200512/ 296WS-Trust 1.3 CD-01 297wsp http://schemas.xmlsoap.org/ws/2004/09/policy *** Newer version? 
http://www.w3.org/ns/ws-policy/ 298 299wsc 300http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512 301WS-Secure Conversation CD-01 302ds http://www.w3.org/2000/09/xmldsig# XML Signatures 303xenc http://www.w3.org/2001/04/xmlenc# XML Encryption 304exca http://www.w3.org/2001/10/xml-exc-c14n# Exclusive Canonicalization 305a http://www.w3.org/2005/08/addressing WSA 1.0 306 307wsse 308http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd 309WS Security SecExt 1.0 310 311wsu 312http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd 313WS Security Utility 1.0 314xml http://www.w3.org/XML/1998/namespace http://www.w3.org/2001/xml.xsd 315xsi http://www.w3.org/2001/XMLSchema-instance 316xs http://www.w3.org/2001/XMLSchema Namespace only, no code 317xop http://www.w3.org/2004/08/xop/include MOTM-XOP include tag 318 319bpel 320http://docs.oasis-open.org/wsbpel/2.0/process/executable 321Business Process Execution Language v2.0 322igf0 urn:LibertyAlliance:igf:0.3:core Early draft 01, WIP 323carml0 urn:LibertyAlliance:igf:0.3:carml Early draft 03, WIP 324tas3 http://tas3.eu/tas3/200911/ TAS3 Credentials passing 325 326tas3sol 327http://tas3.eu/tas3sol/200911/ 328TAS3 Simple Obligations Language 1 329sol urn:tas3:sol Simple Obligations Language Generic 330sol1 urn:tas3:sol1 Simple Obligations Language 1 331 332tas3spl 333http://tas3.eu/tas3sol/201111/ 334TAS3 Simple Policy Language 1 335spl urn:tas3:spl Simple Policy Language Generic 336spl1 urn:tas3:spl1 Simple Policy Language 1 337 338sup 339http://schemas.suplight.eu/plugin/common/2013-05/xs 340Suplight Common Schema 341 342px 343http://schemas.suplight.eu/plugin/ExamplePlugin/2013-05/xs 344Suplight ExamplePlugin Schema 345>> 346 347 34896 Copyright, License, Notices, and Acknowledgements 349==================================================== 350 351Copyright (c) 2006-2009 Symlabs (symlabs@symlabs.com), All Rights Reserved. 
352Author: Sampo Kellom�ki (sampo@iki.fi) 353 354Licensed under the Apache License, Version 2.0 (the "License"); 355you may not use this file except in compliance with the License. 356You may obtain a copy of the License at 357http://www.apache.org/licenses/LICENSE-2.0 358 359Unless required by applicable law or agreed to in writing, software 360distributed under the License is distributed on an "AS IS" BASIS, 361WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 362See the License for the specific language governing permissions and 363limitations under the License. 364 365The research leading to these results has received funding from the 366European Community's Seventh Framework Programme (FP7/2007-2013) under 367grant agreement number 216287 (TAS3 - Trusted Architecture for Securely 368Shared Services - www.tas3.eu). 369 370While the source distribution of ZXID does not contain 371SSLeay or OpenSSL code, if you use this code you will use OpenSSL 372library. Please give Eric Young and OpenSSL team credit (as required by 373their licenses). 374 375Binary distribution of this product includes software developed by the 376OpenSSL Project for use in the OpenSSL Toolkit 377(http://www.openssl.org/). See LICENSE.openssl for further information. 378 379Binary distribution of this product includes cryptographic software 380written by Eric Young (eay@cryptsoft.com). Binary distribution of 381this product includes software written by Tim Hudson 382(tjh@cryptsoft.com). See LICENSE.ssleay for further information. 383 384And remember, you, and nobody else but you, are responsible for 385auditing ZXID and OpenSSL library for security problems, 386back-doors, and general suitability for your application. 387 38896.1 Dependency Library Licenses 389-------------------------------- 390 391ZXID strives to maintain IPR hygiene and avoid both 392non-free and GPL license contamination. 
All the 393dependency libraries have, and shall have, BSD style licenses 394 395* OpenSSL under BSDish (with "advertising" clause) 396* libcurl under BSDish 397* zlib under BSDish 398* libc available as part of the operating system 399 400Please see each library package for the exact details of their 401licenses. 402 40396.1.1 Yubikey 404~~~~~~~~~~~~~~ 405 406Contains libyubikey components which are subject to following 407notice: 408 409> Written by Simon Josefsson <simon@josefsson.org>. 410> Copyright (c) 2006, 2007, 2008, 2009 Yubico AB 411> All rights reserved. 412> 413> Redistribution and use in source and binary forms, with or without 414> modification, are permitted provided that the following conditions are 415> met: 416> 417> > Redistributions of source code must retain the above copyright 418> notice, this list of conditions and the following disclaimer. 419> 420> > Redistributions in binary form must reproduce the above 421> copyright notice, this list of conditions and the following 422> disclaimer in the documentation and/or other materials provided 423> with the distribution. 424> 425> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 426> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 427> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 428> A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 429> OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 430> SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 431> LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 432> DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 433> THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 434> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 435> OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
436 43796.1.2 OpenSSL 438~~~~~~~~~~~~~~ 439 440The source distribution references, but does not contain, OpenSSL. The 441binary distributions may incorporate or dynamically link to OpenSSL, 442which is subject to the following terms and conditions: 443 444> Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 445> 446> Redistribution and use in source and binary forms, with or without 447> modification, are permitted provided that the following conditions 448> are met: 449> 450> 1. Redistributions of source code must retain the above copyright 451> notice, this list of conditions and the following disclaimer. 452> 453> 2. Redistributions in binary form must reproduce the above copyright 454> notice, this list of conditions and the following disclaimer in 455> the documentation and/or other materials provided with the 456> distribution. 457> 458> 3. All advertising materials mentioning features or use of this 459> software must display the following acknowledgment: 460> "This product includes software developed by the OpenSSL Project 461> for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 462> 463> 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used 464> to endorse or promote products derived from this software without 465> prior written permission. For written permission, please contact 466> openssl-core@openssl.org. 467> 468> 5. Products derived from this software may not be called "OpenSSL" 469> nor may "OpenSSL" appear in their names without prior written 470> permission of the OpenSSL Project. 471> 472> 6. 
Redistributions of any form whatsoever must retain the following 473> acknowledgment: 474> "This product includes software developed by the OpenSSL Project 475> for use in the OpenSSL Toolkit (http://www.openssl.org/)" 476> 477> THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 478> EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 479> IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 480> PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 481> ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 482> SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 483> NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 484> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 485> HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 486> STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 487> ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 488> OF THE POSSIBILITY OF SUCH DAMAGE. 489> ==================================================================== 490> 491> This product includes cryptographic software written by Eric Young 492> (eay@cryptsoft.com). This product includes software written by Tim 493> Hudson (tjh@cryptsoft.com). 494 49596.1.3 SSLeay 496~~~~~~~~~~~~~ 497 498The source distribution references, but does not contain, OpenSSL 499which contains SSLeay. The binary distributions may incorporate or 500dynamically link to OpenSSL containing SSLeay, which is subject to the 501following terms and conditions: 502 503> Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 504> All rights reserved. 505> 506> This package is an SSL implementation written 507> by Eric Young (eay@cryptsoft.com). 508> The implementation was written so as to conform with Netscape's SSL. 509> 510> This library is free for commercial and non-commercial use as long as 511> the following conditions are adhered to. 
The following conditions 512> apply to all code found in this distribution, be it the RC4, RSA, 513> lhash, DES, etc., code; not just the SSL code. The SSL documentation 514> included with this distribution is covered by the same copyright terms 515> except that the holder is Tim Hudson (tjh@cryptsoft.com). 516> 517> Copyright remains Eric Young's, and as such any Copyright notices in 518> the code are not to be removed. 519> If this package is used in a product, Eric Young should be given 520> attribution as the author of the parts of the library used. 521> This can be in the form of a textual message at program startup or 522> in documentation (online or textual) provided with the package. 523> 524> Redistribution and use in source and binary forms, with or without 525> modification, are permitted provided that the following conditions 526> are met: 527> 528> 1. Redistributions of source code must retain the copyright 529> notice, this list of conditions and the following disclaimer. 530> 2. Redistributions in binary form must reproduce the above copyright 531> notice, this list of conditions and the following disclaimer in 532> the documentation and/or other materials provided with the 533> distribution. 534> 3. All advertising materials mentioning features or use of this 535> software must display the following acknowledgement: 536> "This product includes cryptographic software written by 537> Eric Young (eay@cryptsoft.com)" 538> 539> The word 'cryptographic' can be left out if the routines from the 540> library being used are not cryptographic related :-). 541> 4. 
If you include any Windows specific code (or a derivative thereof) 542> from the apps directory (application code) you must include an 543> acknowledgement: 544> "This product includes software written by Tim Hudson 545> (tjh@cryptsoft.com)" 546> 547> THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 548> ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 549> IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 550> PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS 551> BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, 552> OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 553> OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 554> BUSINESS INTERRUPTION) 555> HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 556> STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 557> IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 558> POSSIBILITY OF SUCH DAMAGE. 559> 560> The license and distribution terms for any publicly available 561> version or derivative of this code cannot be changed. i.e. this 562> code cannot simply be copied and put under another distribution 563> license [including the GNU Public License.] 564 56596.2 Specification IPR 566---------------------- 567 568ZXID is based on open SAML, Liberty, and TAS3 specifications. The 569parties that have developed these specifications, including Symlabs, 570have made Royalty Free (RF) licensing commitment. Please ask OASIS, 571Liberty Alliance, and TAS3 project for the specifics of their IPR 572policies and IPR disclosures. 573 574Some protocols, such as WS-Trust and WS-Federation enjoy Microsoft's 575pledge<<footnote: If you have a reference to where this pledge can be 576found, please let me know so it can be included here.>> that they will 577not sue you even if you implement these specifications. 
You should 578evaluate yourself whether this is good enough for your situation. 579 58096.3 Further Warranties 581----------------------- 582 583If you need the author or Symlabs to further disclaim IPR interest or 584make warranties of non-infringement, such declarations are 585available for a fee. Please contact sales@symlabs.com 586 587Legal queries and clarifications will be answered at then-current 588Symlabs Professional Services rate, please contact sales@symlabs.com. 589 59020 Testing 591========== 592 593ZXID test suite is still in tatters. Some things that should 594be tested 595 5961. Will generated HTTP redirect sig validate at IdP? 5972. Does IdP issued A7N validate? 5983. Validation of EncryptedAssertion? 5994. Will generated SOAP binding sig validate at IdP? 6005. Does IdP issued SOAP sig validate? 601 602Metadata related 603 6041. IBM metadata (can we parse) 6052. Sun metadata (can we parse) 606 607XML related 608 6091. Fully qualified XML parses? 6102. Unknown ns prefix that refers to known namespace URI 6113. Known ns prefix, referring to wrong URI 6124. Known prefix refers to aliased URI 6135. Use of default namespaces working? 6146. Unknown prefix and URI as long as it is never used 6157. Unknown prefix and URI, used 6168. Known NS (prefix or URI), unknown element 617 61814 Integration of Other Implementations with ZXID 619================================================= 620 62114.1 Conor Cahill's C++ Library for ID-WSF 622------------------------------------------ 623 624Conor P. Cahill, of AOL and Intel fame, has developed and maintains a 625C++ library for ID-WSF 2.0 Web Service Client functionality for 626selected application protocols, including the ID-WSF 2.0 Discovery and 627some application protcols. Conor also provides a server side package 628that implements the corresponding WSP roles in Java. 
These libraries 629are valuable resources and come with extensive test suites - in fact, 630passing Conor's test suites has become the gold standard for validity 631and interoperability of any ID-WSF implmentations (this is not to 632detract from formal IOP events and the Liberty certification program, 633but passing Conor's test suite is a good predictor of getting 634certified). 635 636*Install Recipe* 637 638Conor's libraries have certain dependencies. Following is my best understanding 639of how to get them installed.<<footnote: As of May 2007, Conor's packages 640explode in the current working directory. I recommend creating a wrapper 641directory first. Also, the client and server functionality can not be 642unpacked in same directory without creating conflict and overwriting some files.>> 643 644 mkdir conor 645 cd conor 646 tar xvf /t/LibertyIDWSFServices-v0.8.2.tgz 647 cd .. 648 mkdir conor-cli 649 cd conor-cli/ 650 tar xvf /t/LibertyClientToolkit-v1.0.1.tgz 651 65214.2 Pat Patterson's php module 653------------------------------- 654 655(*** This section also appears in zxid-php.pd) 656 657Pat Patterson of Sun distributes a pure PHP module (not to be confused 658with Sun's OpenSSO open source effort, with which Pat has some 659contact) that implements some aspects of SAML 2.0. As of May 2007, his 660library provides functionality that, by and large, parallels that of the 661php_zxid module. A major advatage of his module is that it does not have 662C shared library dependency, but beware that he still depends on XML 663parsing and popular crypto libraries (openssl) to be available. These 664assumptions are not onerous, but you should be aware of them in case 665your system differs from main stream deployments. 
Overall, Pat's PHP implementation, as of May 2007, is still lacking
in metadata generation and loading (it does not implement Auto-CoT
or Well Known Location) and has some rough edges around less frequently
used parts of the SAML specification. No doubt matters will improve
over time.

Pat's library handles only SSO and not ID Web Services. It would be
possible to extract the discovery bootstrap from SSO using his library,
after which you can use the ZXID WSC API to actually call the services.

14.3 Sun OpenSSO
----------------

Sun Microsystems distributes an open source implementation of SAML 2.0.
Their implementation is of primary interest as it provides a freely available
IdP implementation (as of May 2007 IMNSHO the ZXID SP interface is
superior to the OpenSSO SP - and since both implement an open standard,
you can mix ZXID SP with OpenSSO IdP).

Thus, the ZXID to OpenSSO integration reduces to each one acting in its
role using the standard wire protocol - SAML 2.0.

14.4 University of Kent's PERMIS PDP
------------------------------------

University of Kent is a supplier of PERMIS XACML PDP software. ZXID has been
interoperated and found compatible on the wire with PERMIS as of Nov. 2009.
However, no integration at library or API level has been attempted.

14.5 Shibboleth 2
-----------------

Shibboleth 2, a SAML 2.0 based IdP, has been interoperated with ZXID SP
code as of Nov. 2009.

99 Appendix: Schema Grammars
============================

Large parts of ZXID code are generated from +schema grammars+ which
are a convenient notation for describing XML schemata. This chapter
gives a sampling of some schema grammars that are currently implemented and
distributed in the ZXID package. For a fuller list, see the sg subdirectory
of the distribution or the schemata.pd file.

<<table: Schema grammar syntax
Construct     Description
============= ====================================================================
ee            Bareword signifies an XML element
@aa           At (@) prefix signifies an XML attribute
%tt           Percent (%) prefix signifies a complexType
&gg           Ampersand (&) prefix signifies a group
&@ag          Ampersand and at (&@) prefix signifies an attributeGroup
xx -> %tt     Arrow (->) signifies a reference to the type that defines the element or attribute
xx: ... ;     Colon (:) means that the definition of the type follows immediately
ee            An element or attribute by itself means exactly one occurrence is expected
ee?           Question mark (?) means the element or attribute is optional
ee*           Asterisk (*) means the element may appear from zero to an infinite number of times (same as * in regular expressions)
ee+           Plus (+) means the element must appear at least once, but may appear an infinite number of times (same as + in regular expressions)
ee{x,y}       The element must appear between x and y times (same as in regex)
ee | ee       The pipe symbol (|) means the elements are mutually exclusive choices
ee ee         Concatenation of elements or attributes means sequence
base( t )     Introduce an extension base type (derive a type)
redef( .. )   Redefine a type (using the <xs:redefine> construct)
mixed(1)      Mark a complexType as having mixed content, i.e. strings and elements alternate
enum( ... )   Introduce an enumeration of xs:strings
any           xs:any, the XML arbitrary element extension mechanism
@any          xs:anyAttribute, the XML arbitrary attribute extension mechanism
target( ... ) Define the target namespace described by the schema
import( ... ) Bring in other schemata and namespaces
ns( ... )     Declare the existence of another namespace (without importing it)
>>

<<tex: \small>>

99.1 SAML 2.0
-------------

99.1.1 saml-schema-assertion-2.0 (sa)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-assertion-2.0.sg>>
>>

99.1.2 saml-schema-protocol-2.0 (sp)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-protocol-2.0.sg>>
>>

99.1.4 saml-schema-metadata-2.0 (md)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-metadata-2.0.sg>>
>>

99.5 Liberty ID-WSF 2.0
-----------------------

99.5.1 liberty-idwsf-utility-v2.0 (lu)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-utility-v2.0.sg>>
>>

99.5.3 liberty-idwsf-soap-binding-v2.0 (b)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-soap-binding-v2.0.sg>>
>>

99.5.4 liberty-idwsf-security-mechanisms-v2.0 (sec)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-security-mechanisms-v2.0.sg>>
>>

99.5.5 liberty-idwsf-disco-svc-v2.0 (di)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-disco-svc-v2.0.sg>>
>>

99.5.7 id-dap (dap)
~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/id-dap.sg>>
>>

99.5.8 liberty-idwsf-subs-v1.0 (subs)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-subs-v1.0.sg>>
>>

99.5.9 liberty-idwsf-dst-v2.1 (dst)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-dst-v2.1.sg>>
>>

99.6 SOAP 1.1 Processor wsf-soap11 (e)
--------------------------------------

<<schema:
<<sg/wsf-soap11.sg>>
>>

99.7 XML and Web Services Infrastructure
----------------------------------------

99.7.1 xmldsig-core (ds)
~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/xmldsig-core.sg>>
>>

99.7.2 xenc-schema (xenc)
~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/xenc-schema.sg>>
>>

99.7.3 ws-addr-1.0 (a)
~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/ws-addr-1.0.sg>>
>>

100 Appendix: Some Example XML Blobs
====================================

These XML blobs are for reference. They have been pretty
printed. Indentation indicates nesting level and closing tags have
been abbreviated as "</>". The actual XML on the wire generally does not
have any whitespace.

100.1 SAML 2.0 Artifact Response with SAML 2.0 SSO Assertion and Two Bootstraps
-------------------------------------------------------------------------------

This example corresponds to t/sso-w-bootstraps.xml in the distribution.

Both bootstraps illustrate a SAML assertion used as a bearer token.

  <soap:Envelope
      xmlns:lib="urn:liberty:iff:2003-08"
      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <soap:Body>

      <sp:ArtifactResponse
          xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="REvgoIIlkzTmk-aIX6tKE"
          InResponseTo="RfAsltVf2"
          IssueInstant="2007-02-10T05:38:15Z"
          Version="2.0">
        <sa:Issuer
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
          https://a-idp.liberty-iop.org:8881/idp.xml</>
        <sp:Status>
          <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

        <sp:Response
            xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
            ID="RCCzu13z77SiSXqsFp1u1"
            InResponseTo="NojFIIhxw"
            IssueInstant="2007-02-10T05:37:42Z"
            Version="2.0">
          <sa:Issuer
              xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
            https://a-idp.liberty-iop.org:8881/idp.xml</>
          <sp:Status>
            <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

          <sa:Assertion
              xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
              ID="ASSE6bgfaV-sapQsAilXOvBu"
              IssueInstant="2007-02-10T05:37:42Z"
              Version="2.0">
            <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
              https://a-idp.liberty-iop.org:8881/idp.xml</>

            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#ASSE6bgfaV-sapQsAilXOvBu">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>r8OvtNmq5LkYwCNg6bsRZAdT4NE=</></></>
              <ds:SignatureValue>GtWVZzHYW54ioHk/C7zjDRThohrpwC4=</></>

            <sa:Subject>
              <sa:NameID
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">PB5fLIA4lRU2bH4HkQsn9</>
              <sa:SubjectConfirmation
                  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <sa:SubjectConfirmationData
                    NotOnOrAfter="2007-02-10T06:37:41Z"
                    Recipient="https://sp1.zxidsp.org:8443/zxidhlo?o=B"/></></>

            <sa:Conditions
                NotBefore="2007-02-10T05:32:42Z"
                NotOnOrAfter="2007-02-10T06:37:42Z">
              <sa:AudienceRestriction>
                <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></>

            <sa:Advice>

              <!-- This assertion is the credential for the ID-WSF 1.1 bootstrap (below). -->

              <sa:Assertion
                  ID="CREDOTGAkvhNoP1aiTq4bXBg"
                  IssueInstant="2007-02-10T05:37:42Z"
                  Version="2.0">
                <sa:Issuer
                    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                  https://a-idp.liberty-iop.org:8881/idp.xml</>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#CREDOTGAkvhNoP1aiTq4bXBg">
                      <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                      <ds:DigestValue>dqq/28hw5eEv+ceFyiLImeJ1P8w=</></></>
                  <ds:SignatureValue>UKlEgHKQwuoCE=</></>
                <sa:Subject>
                  <sa:NameID/> <!-- *** Bug here!!! -->
                  <sa:SubjectConfirmation
                      Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
                <sa:Conditions
                    NotBefore="2007-02-10T05:32:42Z"
                    NotOnOrAfter="2007-02-10T06:37:42Z">
                  <sa:AudienceRestriction>
                    <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></></></>

            <sa:AuthnStatement
                AuthnInstant="2007-02-10T05:37:42Z"
                SessionIndex="1171085858-4">
              <sa:AuthnContext>
                <sa:AuthnContextClassRef>
                  urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></>

            <sa:AttributeStatement>

              <!-- Regular attribute -->

              <sa:Attribute
                  Name="cn"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <sa:AttributeValue>Sue</></>

              <!-- ID-WSF 1.1 Bootstrap for discovery. See also the Advice, above. -->

              <sa:Attribute
                  Name="DiscoveryResourceOffering"
                  NameFormat="urn:liberty:disco:2003-08">
                <sa:AttributeValue>
                  <di12:ResourceOffering
                      xmlns:di12="urn:liberty:disco:2003-08"
                      entryID="2">
                    <di12:ResourceID>
                      https://a-idp.liberty-iop.org/profiles/WSF1.1/RID-DISCO-sue</>
                    <di12:ServiceInstance>
                      <di12:ServiceType>urn:liberty:disco:2003-08</>
                      <di12:ProviderID>https://a-idp.liberty-iop.org:8881/idp.xml</>
                      <di12:Description>
                        <di12:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>
                        <di12:CredentialRef>CREDOTGAkvhNoP1aiTq4bXBg</>
                        <di12:Endpoint>https://a-idp.liberty-iop.org:8881/DISCO-S</></></>
                    <di12:Abstract>Symlabs Discovery Service Team G</></></></>

              <!-- ID-WSF 2.0 Bootstrap for Discovery. The credential (bearer token) is inline. -->

              <sa:Attribute
                  Name="urn:liberty:disco:2006-08:DiscoveryEPR"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <sa:AttributeValue>
                  <wsa:EndpointReference
                      xmlns:wsa="http://www.w3.org/2005/08/addressing"
                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                      notOnOrAfter="2007-02-10T07:37:42Z"
                      wsu:Id="EPRIDcjP8ObO9In47SDjO9b37">
                    <wsa:Address>https://a-idp.liberty-iop.org:8881/DISCO-S</>
                    <wsa:Metadata xmlns:di="urn:liberty:disco:2006-08">
                      <di:Abstract>SYMfiam Discovery Service</>
                      <sbf:Framework xmlns:sbf="urn:liberty:sb" version="2.0"/>
                      <di:ProviderID>https://a-idp.liberty-iop.org:8881/idp.xml</>
                      <di:ServiceType>urn:liberty:disco:2006-08</>
                      <di:SecurityContext>
                        <di:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>

                        <sec:Token
                            xmlns:sec="urn:liberty:security:2006-08"
                            usage="urn:liberty:security:tokenusage:2006-08:SecurityToken">

                          <sa:Assertion
                              ID="CREDV6ZBMyicmyvDq9pLIoSR"
                              IssueInstant="2007-02-10T05:37:42Z"
                              Version="2.0">
                            <sa:Issuer
                                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                              https://a-idp.liberty-iop.org:8881/idp.xml</>
                            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                              <ds:SignedInfo>
                                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                <ds:Reference URI="#CREDV6ZBMyicmyvDq9pLIoSR">
                                  <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                  <ds:DigestValue>o2SgbuKIBzl4e0dQoTwiyqXr/8Y=</></></>
                              <ds:SignatureValue>hHdUKaZ//cZ8UYJxvTReNU=</></>
                            <sa:Subject>
                              <sa:NameID
                                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                  NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">
                                9my93VkP3tSxEOIb3ckvjLpn0pa6aV3yFXioWX-TzZI=</>
                              <sa:SubjectConfirmation
                                  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
                            <sa:Conditions
                                NotBefore="2007-02-10T05:32:42Z"
                                NotOnOrAfter="2007-02-10T06:37:42Z">
                              <sa:AudienceRestriction>
                                <sa:Audience>https://a-idp.liberty-iop.org:8881/idp.xml</></></>
                            <sa:AuthnStatement AuthnInstant="2007-02-10T05:37:42Z">
                              <sa:AuthnContext>
                                <sa:AuthnContextClassRef>
                                  urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></></></></></></></></></></></></></></>

N.B. The AttributeStatement/Attribute/AttributeValue/
EndpointReference/Metadata/SecurityContext/
Token/Assertion/Conditions/AudienceRestriction/Audience is the same as
the IdP because in many products the IdP and Discovery Service roles
are implemented by the same entity. Note also that the audience of the inner
assertion is the Discovery Service, whereas the audience of the outer assertion
is the SP that will eventually call the Discovery Service.
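The checks an SP has to run on such a bearer assertion before it trusts it, as an added example that is not part of this README or of the ZXID code base: the outer assertion must be restricted to the SP's own entity ID and its bearer confirmation must name the SP's endpoint, while the inner bootstrap assertion is only acceptable to the Discovery Service, which is exactly what the N.B. above describes. The two sample assertions are constructed from the blob above (trimmed, signatures omitted) and the clock is pinned to 2007-02-10T05:40:00Z; verification of the XML signature, InResponseTo and one-time use of the assertion ID are assumed to happen before this step.

```python
"""Policy checks a bearer SAML 2.0 assertion must pass at the party that receives it."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SA = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"sa": SA}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def saml_time(s):
    """xs:dateTime as the IdP in the blob above writes it: UTC, no fractional seconds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_bearer_assertion(assertion, audience, recipient, now, skew=timedelta(seconds=0)):
    """Return the list of violations (empty list means the assertion is acceptable).

    audience  - our own entity ID, which AudienceRestriction must name
    recipient - our endpoint URL, which the bearer SubjectConfirmationData must name;
                None for a web service that receives the token as a bootstrap
                credential without a Recipient (like the inner assertion above)
    Signature, InResponseTo and replay checks are assumed to have been done already.
    """
    problems = []
    cond = assertion.find("sa:Conditions", NS)
    if cond is None:
        problems.append("no-conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < saml_time(nb) - skew:
            problems.append("not-yet-valid")
        if na and now >= saml_time(na) + skew:
            problems.append("expired")
        audiences = [a.text.strip() for a in
                     cond.findall("sa:AudienceRestriction/sa:Audience", NS) if a.text]
        if not audiences:
            problems.append("no-audience")        # policy: we insist on being named
        elif audience not in audiences:
            problems.append("audience-mismatch")  # token was issued for somebody else
    bearers = [sc for sc in assertion.findall("sa:Subject/sa:SubjectConfirmation", NS)
               if sc.get("Method") == BEARER]
    if not bearers:
        problems.append("no-bearer-confirmation")
    for sc in bearers:
        data = sc.find("sa:SubjectConfirmationData", NS)
        if recipient is not None and (data is None or data.get("Recipient") != recipient):
            problems.append("recipient-mismatch")  # token was meant for another endpoint
        if data is not None and data.get("NotOnOrAfter") \
                and now >= saml_time(data.get("NotOnOrAfter")) + skew:
            problems.append("confirmation-expired")
    return problems


# Constructed samples, trimmed from the blob above (signatures left out).
SP = "https://sp1.zxidsp.org:8443/zxidhlo?o=B"
IDP = "https://a-idp.liberty-iop.org:8881/idp.xml"   # also plays the Discovery Service

OUTER = """<sa:Assertion xmlns:sa="%s" ID="ASSE6bgfaV-sapQsAilXOvBu" Version="2.0" IssueInstant="2007-02-10T05:37:42Z">
  <sa:Issuer>%s</sa:Issuer>
  <sa:Subject>
    <sa:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">PB5fLIA4lRU2bH4HkQsn9</sa:NameID>
    <sa:SubjectConfirmation Method="%s">
      <sa:SubjectConfirmationData NotOnOrAfter="2007-02-10T06:37:41Z" Recipient="%s"/>
    </sa:SubjectConfirmation>
  </sa:Subject>
  <sa:Conditions NotBefore="2007-02-10T05:32:42Z" NotOnOrAfter="2007-02-10T06:37:42Z">
    <sa:AudienceRestriction><sa:Audience>%s</sa:Audience></sa:AudienceRestriction>
  </sa:Conditions>
</sa:Assertion>""" % (SA, IDP, BEARER, SP, SP)

INNER = """<sa:Assertion xmlns:sa="%s" ID="CREDV6ZBMyicmyvDq9pLIoSR" Version="2.0" IssueInstant="2007-02-10T05:37:42Z">
  <sa:Issuer>%s</sa:Issuer>
  <sa:Subject>
    <sa:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">9my93VkP3tSxEOIb3ckvjLpn0pa6aV3yFXioWX-TzZI=</sa:NameID>
    <sa:SubjectConfirmation Method="%s"/>
  </sa:Subject>
  <sa:Conditions NotBefore="2007-02-10T05:32:42Z" NotOnOrAfter="2007-02-10T06:37:42Z">
    <sa:AudienceRestriction><sa:Audience>%s</sa:Audience></sa:AudienceRestriction>
  </sa:Conditions>
</sa:Assertion>""" % (SA, IDP, BEARER, IDP)

NOW = saml_time("2007-02-10T05:40:00Z")


def outer_at_sp(now=NOW):       # the SSO assertion, presented to the SP it was issued for
    return check_bearer_assertion(ET.fromstring(OUTER), SP, SP, now)


def inner_at_sp(now=NOW):       # the bootstrap token, wrongly presented as an SSO assertion
    return check_bearer_assertion(ET.fromstring(INNER), SP, SP, now)


def inner_at_disco(now=NOW):    # the bootstrap token, presented to the Discovery Service
    return check_bearer_assertion(ET.fromstring(INNER), IDP, None, now)


if __name__ == "__main__":
    print("outer@SP   ", outer_at_sp())
    print("inner@SP   ", inner_at_sp())
    print("inner@disco", inner_at_disco())
    print("outer@SP, an hour later", outer_at_sp(saml_time("2007-02-10T06:37:42Z")))
```

The inner token fails at the SP on both audience and Recipient, which is what stops a WSC from replaying a bootstrap credential it received as an SSO login somewhere else; at the Discovery Service the same token passes. Clock skew is a parameter because the IdP and SP clocks in the blob are only expected to agree to within a few minutes.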

100.2 ID-WSF 2.0 Call with X509v3 Sec Mech
------------------------------------------

  <e:Envelope
      xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:b="urn:liberty:sb:2005-11"
      xmlns:sec="urn:liberty:security:2005-11"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <e:Header>
      <wsa:MessageID wsu:Id="MID">123</>
      <wsa:To wsu:Id="TO">...</>
      <wsa:Action wsu:Id="ACT">urn:xx:Query</>
      <wsse:Security e:mustUnderstand="1">
        <wsu:Timestamp wsu:Id="TS"><wsu:Created>2005-06-17T04:49:17Z</></>
        <wsse:BinarySecurityToken
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
            wsu:Id="X509"
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
          MIIB9zCCAWSgAwIBAgIQ...</>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:Reference URI="#MID">...</>
            <ds:Reference URI="#TO">...</>
            <ds:Reference URI="#ACT">...</>
            <ds:Reference URI="#TS">...</>
            <ds:Reference URI="#X509">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>Ru4cAfeBAB</></>
            <ds:Reference URI="#BDY">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>YgGfS0pi56p</></></>
          <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509"/></></>
          <ds:SignatureValue>HJJWbvqW9E84vJVQkjDElgscSXZ5Ekw==</></></></>
    <e:Body wsu:Id="BDY">
      <xx:Query/></></>

The salient features of the above XML blob are

* A signature that covers the relevant SOAP headers and the Body
* The absence of any explicit identity token.
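A coverage audit of the WS-Security header, as an added example that is not ZXID code: it lists the header blocks, the Timestamp and the Body that the ds:Signature does not reference, flags references to Ids that are not in the message, and tells which of the three security mechanisms the message uses (X509v3 as above, bearer binary token, or bearer SAML token bound through a signed SecurityTokenReference; the latter two are the next two sections). The envelopes are constructed to mirror the blobs on this page, with placeholder digest and signature values; verifying the signature itself is out of scope. Two deliberately broken variants are included: one leaves wsa:To out of the signature, so the message could be replayed to another endpoint, and one references a wsu:Id that does not exist.

```python
"""Audit which parts of an ID-WSF SOAP message the WS-Security signature covers."""
import xml.etree.ElementTree as ET

E = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SA = "urn:oasis:names:tc:SAML:2.0:assertion"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = "{%s}Id" % WSU


def local(tag):
    return tag.rsplit("}", 1)[-1]


def audit_envelope(xml_text):
    """Return {"unsigned", "dangling", "token", "token_signed"} for one SOAP message.

    unsigned     - header blocks, Timestamp and Body whose wsu:Id no ds:Reference names
    dangling     - ds:Reference URIs that point at no wsu:Id in the message
    token        - "x509", "binary-bearer", "saml-bearer" or "none"
    token_signed - the signature also binds the token (directly, or through a signed
                   SecurityTokenReference whose KeyIdentifier is the assertion ID)
    """
    env = ET.fromstring(xml_text)
    header = env.find("{%s}Header" % E)
    body = env.find("{%s}Body" % E)
    sec = header.find("{%s}Security" % WSSE)
    ids = {el.get(WSU_ID): el for el in env.iter() if el.get(WSU_ID)}
    signed = {r.get("URI")[1:] for r in sec.iter("{%s}Reference" % DS)
              if (r.get("URI") or "").startswith("#")}
    dangling = sorted(signed - set(ids))

    must = [c for c in header if c is not sec]          # every header block but Security
    ts = sec.find("{%s}Timestamp" % WSU)
    if ts is not None:
        must.append(ts)                                 # replay protection only if signed
    if body is not None:
        must.append(body)
    unsigned = [local(c.tag) for c in must if c.get(WSU_ID) not in signed]

    token, token_signed = "none", False
    assertion = sec.find("{%s}Assertion" % SA)
    bst = sec.find("{%s}BinarySecurityToken" % WSSE)
    if assertion is not None:
        token = "saml-bearer"
        for str_el in sec.iter("{%s}SecurityTokenReference" % WSSE):
            ki = str_el.find("{%s}KeyIdentifier" % WSSE)
            if str_el.get(WSU_ID) in signed and ki is not None \
                    and (ki.text or "").strip() == assertion.get("ID"):
                token_signed = True
    elif bst is not None:
        token = "x509" if bst.get("ValueType") == X509V3 else "binary-bearer"
        token_signed = bst.get(WSU_ID) in signed
    return {"unsigned": unsigned, "dangling": dangling,
            "token": token, "token_signed": token_signed}


def envelope(token_xml, signed_ids):
    """Constructed message in the shape of the blobs on this page (not a real capture)."""
    refs = "".join('<ds:Reference URI="#%s"/>' % i for i in signed_ids)
    tmpl = ('<e:Envelope xmlns:e="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s" '
            'xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:sa="%s">'
            '<e:Header><wsa:MessageID wsu:Id="MID">123</wsa:MessageID>'
            '<wsa:To wsu:Id="TO">https://wsp.zxidsp.org/</wsa:To>'
            '<wsa:Action wsu:Id="ACT">urn:xx:Query</wsa:Action>'
            '<wsse:Security e:mustUnderstand="1">'
            '<wsu:Timestamp wsu:Id="TS"><wsu:Created>2005-06-17T04:49:17Z</wsu:Created></wsu:Timestamp>'
            '%s<ds:Signature><ds:SignedInfo>%s</ds:SignedInfo>'
            '<ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue></ds:Signature>'
            '</wsse:Security></e:Header>'
            '<e:Body wsu:Id="BDY"><xx:Query xmlns:xx="urn:xx"/></e:Body></e:Envelope>')
    return tmpl % (E, WSSE, WSU, DS, SA, token_xml, refs)


X509_TOKEN = ('<wsse:BinarySecurityToken ValueType="%s" wsu:Id="X509">'
              'MIIB9zCCAWSgAwIBAgIQ...</wsse:BinarySecurityToken>') % X509V3
BEARER_TOKEN = ('<wsse:BinarySecurityToken ValueType="anyNSPrefix:ServiceSessionContext" '
                'wsu:Id="BST">mQEMAzRniWkAAAEH9RWir0eKDkyFAB7PoFazx3ftp0vWwbbzqXdg'
                '</wsse:BinarySecurityToken>')
SAML_TOKEN = ('<sa:Assertion ID="A7N123" Version="2.0" IssueInstant="2005-04-01T16:58:33Z">'
              '<sa:Issuer>http://idp.symdemo.com/idp.xml</sa:Issuer></sa:Assertion>'
              '<wsse:SecurityTokenReference wsu:Id="STR1">'
              '<wsse:KeyIdentifier>A7N123</wsse:KeyIdentifier></wsse:SecurityTokenReference>')

HEADERS = ["MID", "TO", "ACT", "TS"]
X509_MSG = envelope(X509_TOKEN, HEADERS + ["X509", "BDY"])
BINARY_MSG = envelope(BEARER_TOKEN, HEADERS + ["BST", "BDY"])
SAML_MSG = envelope(SAML_TOKEN, HEADERS + ["STR1", "BDY"])
NO_TO_MSG = envelope(BEARER_TOKEN, ["MID", "ACT", "TS", "BST", "BDY"])   # wsa:To unsigned
DANGLING_MSG = envelope(X509_TOKEN, HEADERS + ["X509Token", "BDY"])      # no such Id

if __name__ == "__main__":
    for name in ("X509_MSG", "BINARY_MSG", "SAML_MSG", "NO_TO_MSG", "DANGLING_MSG"):
        print(name, audit_envelope(globals()[name]))
```

Whatever the mechanism, a WSP should refuse a message whose signature leaves wsa:To, wsa:Action, the Timestamp or the Body uncovered, and should treat a token that is present but not bound by the signature as absent. The audit says nothing about who the principal is: for the X509 message the token only identifies the invoking WSC, which is the point made below.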

The absence of an identity token means that from the headers it is not
possible to identify the target identity. The signature generally
conveys the Invoker identity (the WSC that is calling the
service). Since one WSC typically serves many principals, knowing
which principal the call is about is impossible. For this reason the X509
security mechanism is seldom used in the ID-WSF 2.0 world (with ID-WSF 1.1
the ResourceID provides an alternative way of identifying the principal,
thus making X509 a viable option).

100.3 ID-WSF 2.0 Call with Bearer (Binary) Sec Mech
---------------------------------------------------

  <e:Envelope
      xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:b="urn:liberty:sb:2005-11"
      xmlns:sec="urn:liberty:security:2005-11"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <e:Header>
      <wsa:MessageID wsu:Id="MID">...</>
      <wsa:To wsu:Id="TO">...</>
      <wsa:Action wsu:Id="ACT">urn:xx:Query</>
      <wsse:Security e:mustUnderstand="1">
        <wsu:Timestamp wsu:Id="TS">
          <wsu:Created>2005-06-17T04:49:17Z</></>
        <wsse:BinarySecurityToken
            ValueType="anyNSPrefix:ServiceSessionContext"
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
            wsu:Id="BST">
          mQEMAzRniWkAAAEH9RWir0eKDkyFAB7PoFazx3ftp0vWwbbzqXdgcX8fpEqSr1v4
          YqUc7OMiJcBtKBp3+jlD4HPUaurIqHA0vrdmMpM+sF2BnpND118f/mXCv3XbWhiL
          VT4r9ytfpXBluelOV93X8RUz4ecZcDm9e+IEG+pQjnvgrSgac1NrW5K/CJEOUUjh
          oGTrym0Ziutezhrw/gOeLVtkywsMgDr77gWZxRvw01w1ogtUdTceuRBIDANj+KVZ
          vLKlTCaGAUNIjkiDDgti=</>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:Reference URI="#MID">...</>
            <ds:Reference URI="#TO">...</>
            <ds:Reference URI="#ACT">...</>
            <ds:Reference URI="#TS">...</>
            <ds:Reference URI="#BST">...</>
            <ds:Reference URI="#BDY">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>YgGfS0pi56pu</></></>
          ...</></></>
    <e:Body wsu:Id="BDY">
      <xx:Query/></></>

100.4 ID-WSF 2.0 Call with Bearer (SAML) Sec Mech
-------------------------------------------------

  <e:Envelope
      xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:sbf="urn:liberty:sb:2005-11"
      xmlns:sec="urn:liberty:security:2005-11"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsa="http://www.w3.org/2005/08/addressing"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <e:Header>
      <sbf:Framework version="2.0-simple" e:mustUnderstand="1"
          e:actor="http://schemas.../next"
          wsu:Id="SBF"/>
      <wsa:MessageID wsu:Id="MID">...</>
      <wsa:To wsu:Id="TO">...</>
      <wsa:Action wsu:Id="ACT">urn:xx:Query</>
      <wsse:Security e:mustUnderstand="1">
        <wsu:Timestamp wsu:Id="TS">
          <wsu:Created>2005-06-17T04:49:17Z</></>

        <sa:Assertion
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            Version="2.0"
            ID="A7N123"
            IssueInstant="2005-04-01T16:58:33.173Z">
          <sa:Issuer>http://idp.symdemo.com/idp.xml</>
          <ds:Signature>...</>
          <sa:Subject>
            <sa:EncryptedID>
              <xenc:EncryptedData>U2XTCNvRX7Bl1NK182nmY00TEk==</>
              <xenc:EncryptedKey>...</></>
            <sa:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
          <sa:Conditions
              NotBefore="2005-04-01T16:57:20Z"
              NotOnOrAfter="2005-04-01T21:42:43Z">
            <sa:AudienceRestriction>
              <sa:Audience>http://wsp.zxidsp.org</></></>
          <sa:AuthnStatement
              AuthnInstant="2005-04-01T16:57:30.000Z"
              SessionIndex="6345789">
            <sa:AuthnContext>
              <sa:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</></></>
          <sa:AttributeStatement>
            <sa:EncryptedAttribute>
              <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
                mQEMAzRniWkAAAEH9RbzqXdgcX8fpEqSr1v4=</>
              <xenc:EncryptedKey>...</></></></>

        <wsse:SecurityTokenReference
            xmlns:wsse11="..."
            wsu:Id="STR1"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
          <wsse:KeyIdentifier
              ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
            A7N123</></>

        <ds:Signature>
          <ds:SignedInfo>
            <ds:Reference URI="#MID">...</>
            <ds:Reference URI="#TO">...</>
            <ds:Reference URI="#ACT">...</>
            <ds:Reference URI="#TS">...</>
            <ds:Reference URI="#STR1">
              <ds:Transform Algorithm="...#STR-Transform">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></></></>
            <ds:Reference URI="#BDY"/></>
          ...</></></>
    <e:Body wsu:Id="BDY">
      <xx:Query/></></>

*** Is the reference above to wsse11:TokenType really correct? (The WSS
SAML Token Profile 1.1 does define exactly these values for a SAML 2.0
assertion: ...#SAMLV2.0 for wsse11:TokenType and ...#SAMLID for the
KeyIdentifier ValueType.)

Note how the <Subject> and the attributes are encrypted such that only
the WSP can open them. This protects against the WSC gaining knowledge of
the NameID used at the WSP.

<<references:

[SAML11core] "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1", OASIS Standard, 2.9.2003, oasis-sstc-saml-core-1.1

[SAML11bind] "Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1", OASIS Standard, 2.9.2003, oasis-sstc-saml-bindings-1.1

[IDFF12] http://www.projectliberty.org/resources/specifications.php

[IDFF12meta] Peter Davis, Ed., "Liberty Metadata Description and Discovery Specification", version 1.1, Liberty Alliance Project, 2004. (liberty-metadata-v1.1.pdf)

[SAML2core] "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15.3.2005, saml-core-2.0-os

[SAML2prof] "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15.3.2005, saml-profiles-2.0-os

[SAML2bind] "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15.3.2005, saml-bindings-2.0-os

[SAML2context] "Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15.3.2005, saml-authn-context-2.0-os

[SAML2meta] Cantor, Moreh, Philpott, Maler, eds., "Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15.3.2005, saml-metadata-2.0-os

[SAML2security] "Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15.3.2005, saml-sec-consider-2.0-os

[SAML2conf] "Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15.3.2005, saml-conformance-2.0-os

[SAML2glossary] "Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, 15.3.2005, saml-glossary-2.0-os

[XML-C14N] XML Canonicalization (non-exclusive), http://www.w3.org/TR/2001/REC-xml-c14n-20010315; J. Boyer: "Canonical XML Version 1.0", W3C Recommendation, 15.3.2001, http://www.w3.org/TR/xml-c14n, RFC3076

[XML-EXC-C14N] Exclusive XML Canonicalization, http://www.w3.org/TR/xml-exc-c14n/

[Shibboleth] http://shibboleth.internet2.edu/shibboleth-documents.html

[XMLENC] "XML Encryption Syntax and Processing", W3C Recommendation, 10.12.2002, http://www.w3.org/TR/xmlenc-core

[XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation, 12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC3275

[Disco2] Liberty ID-WSF Discovery Service 2.0

[Disco12] Liberty ID-WSF Discovery Service 1.1 (liberty-idwsf-disco-svc-v1.2.pdf)

[SecMech2] Liberty ID-WSF 2.0 Security Mechanisms

[SOAPAuthn2] Liberty ID-WSF 2.0 Authentication Service

[SOAPBinding2] Liberty ID-WSF 2.0 framework document that pulls together all aspects

[DST21] Liberty Data Services Template 2.1

[DST20] Liberty DST v2.0

[DST11] Liberty DST v1.1

[IDDAP] Liberty Identity based Directory Access Protocol

[IDPP] Liberty Personal Profile specification

[Interact11] Liberty ID-WSF Interaction Service protocol 1.1

[FF12] Liberty ID Federation Framework 1.2, Protocols and Schemas

[SUBS2] Liberty Subscriptions and Notifications specification

[Schema1-2] Henry S. Thompson et al. (eds): XML Schema Part 1: Structures, 2nd Ed., W3C Recommendation, 28.10.2004, http://www.w3.org/2002/XMLSchema

[XML] http://www.w3.org/TR/REC-xml

[RFC1950] P. Deutsch, J-L. Gailly: "ZLIB Compressed Data Format Specification version 3.3", Aladdin Enterprises, Info-ZIP, May 1996

[RFC1951] P. Deutsch: "DEFLATE Compressed Data Format Specification version 1.3", Aladdin Enterprises, May 1996

[RFC1952] P. Deutsch: "GZIP file format specification version 4.3", Aladdin Enterprises, May 1996

[RFC2246] T. Dierks, C. Allen: "The TLS Protocol Version 1.0", January 1999

[RFC2251] M. Wahl, T. Howes, S. Kille: "Lightweight Directory Access Protocol (v3)", December 1997

[RFC3548] S. Josefsson, ed.: "The Base16, Base32, and Base64 Data Encodings", July 2003. (Section 4 describes Safebase64)

[MS-MWBF] Microsoft Web Browser Federated Sign-On Protocol Specification, 20080207, http://msdn2.microsoft.com/en-us/library/cc236471.aspx

>>

<<htmlpreamble: <title>README ZXID</title><body bgcolor="#330033" text="#ffaaff" link="#ffddff" vlink="#aa44aa" alink="#ffffff"><font face=sans><h1>README ZXID</h1> >>

<<notapath: TCP/IP a.k.a xBSD/Unix n/a Perl/mod_perl PHP/mod_php Java/Tomcat>>
<<EOF: >>

SAML Open Source catalogs
http://saml.xml.org/saml-open-source-implementations
http://openliberty.org/wiki/index.php/Existing_Identity_Systems#Open_Source_
http://docs.safehaus.org/display/HAUS/Id+OSS+Map

Suspicious: when decrypting elements and plugging their plain
text variants into the original data structure, the wo pointers
are not updated. Thus the "old" encrypted data may remain
accessible for some purposes.

Pointers from Pat
http://rnd.feide.no/2007/04/13/light-bulb-update-request-for-testing/
https://opensso.dev.java.net/public/extensions/index.html

Add macros for OK response.

http://wiki.oasis-open.org/security/SstcSamlX509AuthnAttribProfile
http://wiki.oasis-open.org/security/SimpleSignBinding


On CYGWIN lockf() and flock() apparently are not defined.
On mingw they are.

Way to pass RelayState through zxid_simple()

AuditExplorer

elgg.org is very relevant for the e-Learning / HR-XML market
https://imb.phil.uni-augsburg.de/elgg/

FEDORA

Moodle (Open Source, Open University)
MyStuff (Open Source, Open University)

Privacy features of SAML/Liberty
User centric features of SAML/Liberty
- User control (not necessarily interaction at every step of the way)

ECP + IS plugin for Firefox

==================
In general, a wild card cert is one whose CN field is of the form *.cellmail.com

The openssl command for creating a CSR is 'openssl req', for example

> openssl req -new -nodes -keyout pkey.pem -out req.pem
Generating a 1024 bit RSA private key
......................++++++
.................................................................................++++++
writing new private key to 'pkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Helsinki
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tietosampo
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.tietosampo.fi
Email Address []:sampo@iki.fi

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


In the example above I left the challenge password and company name empty, but
it could be that Thawte insists that you fill in something there. They may
also have specific requirements about the company name (and possibly the Organization
Name and Organizational Unit Name) matching the registered name of your company.

Anyway, the output from the above should be

> cat req.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIBwjCCASsCAQAwgYExCzAJBgNVBAYTAkZJMRMwEQYDVQQIEwpTb21lLVN0YXRl
MREwDwYDVQQHEwhIZWxzaW5raTETMBEGA1UEChMKVGlldG9zYW1wbzEYMBYGA1UE
AxQPKi50aWV0b3NhbXBvLmZpMRswGQYJKoZIhvcNAQkBFgxzYW1wb0Bpa2kuZmkw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALudDsX0ZU13ajartg4IECD0+5Lo
xSThKu47vQ6GfIeh1+5QO0PCytmrUAI+w0mai9gIp4MssBGqvLs5e2No09ih1KmM
7s8tgXnnexRQ7FsTEVnaZlZ2dgMNO4DYYtRgX+Kxks6hpHLEY0R3VmCVe1BPlkPs
0Y4gP1yDNMXMAO+bAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBSWviTot4mScAi
xGlky+UqkYtih0dmqhBBTiiSaVHBerUATKG0p8NkM0NGXuPt8Wozx6t53f8VeXDo
BML4SzkoYSrmOkEqk8np8O3IWSG4+HRwhetG/THOvNwRz9shvadPec+VQxJEL2FC
vxz/z/oQ8oFxyCwVUtTb4zKhT9rFEw==
-----END CERTIFICATE REQUEST-----

Or if you want to convince yourself that the wild card is
really in there, you can check with

> openssl asn1parse <req.pem
   0:d=0  hl=4 l= 450 cons: SEQUENCE
   4:d=1  hl=4 l= 299 cons: SEQUENCE
   8:d=2  hl=2 l=   1 prim: INTEGER           :00
  11:d=2  hl=3 l= 129 cons: SEQUENCE
  14:d=3  hl=2 l=  11 cons: SET
  16:d=4  hl=2 l=   9 cons: SEQUENCE
  18:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  23:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :FI
  27:d=3  hl=2 l=  19 cons: SET
  29:d=4  hl=2 l=  17 cons: SEQUENCE
  31:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  36:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :Some-State
  48:d=3  hl=2 l=  17 cons: SET
  50:d=4  hl=2 l=  15 cons: SEQUENCE
  52:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  57:d=5  hl=2 l=   8 prim: PRINTABLESTRING   :Helsinki
  67:d=3  hl=2 l=  19 cons: SET
  69:d=4  hl=2 l=  17 cons: SEQUENCE
  71:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  76:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :Tietosampo
   88:d=3  hl=2 l=  24 cons: SET
   90:d=4  hl=2 l=  22 cons: SEQUENCE
   92:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   97:d=5  hl=2 l=  15 prim: T61STRING         :*.tietosampo.fi
  114:d=3  hl=2 l=  27 cons: SET
  116:d=4  hl=2 l=  25 cons: SEQUENCE
  118:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  129:d=5  hl=2 l=  12 prim: IA5STRING         :sampo@iki.fi
  143:d=2  hl=3 l= 159 cons: SEQUENCE
  146:d=3  hl=2 l=  13 cons: SEQUENCE
  148:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  159:d=4  hl=2 l=   0 prim: NULL
  161:d=3  hl=3 l= 141 prim: BIT STRING
  305:d=2  hl=2 l=   0 cons: cont [ 0 ]
  307:d=1  hl=2 l=  13 cons: SEQUENCE
  309:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  320:d=2  hl=2 l=   0 prim: NULL
  322:d=1  hl=3 l= 129 prim: BIT STRING

Here we can see that hitting empty for the State or Province question was
not such a smart idea after all: it used a nonsensical default value. I
guess you would have to invent something as a placeholder.

> On another train of thought, if I was to have a local CA here, could I use the
> commercial certificate I get to sign the x509 certificates I would make? The
> x509 would be used to sign emails via smart cards. This is not a commercial
> project but rather one to learn more about smart cards. Sun has made code
> available to manage smart cards so it may be interesting to learn more.

The regular SSL certificate usually will not work as a CA certificate due
to certificate usage indicators. Technically it is possible to ignore
such indicators and use the certificate anyway, but a lot of widely
distributed software does not ignore them, so you would have a lot of
interoperability problems or at least confirmation questions.

Commercial CAs do issue CA certificates, but they tend to be expensive.

Even if you get a commercial CA certificate, you should know that some (older)
software only supports one level of certificate hierarchy. This problem
has surfaced when some commercial CAs tried to structure themselves
internally as multi-layer CAs.

If you want to run your own CA, all you really have to do is configure
the CA cert of yours to be trusted by all the software. For browsers
this is easy enough within the GUI itself. For servers (such as apache
or dsproxy), there is a way to do this at config file level. Configuring
direct trust to your CA cert tends to be easier than trying to get a
commercial CA cert and playing multilayer CA games.

Re Thunderbird, I am a bit surprised that it does not accept self signed
certs. It seems more probable to me that it actually can be configured
to accept them, but does not ship with that turned on to protect
naive users. The most basic way to use a self signed cert would be
to import the self signed cert as one of the trusted CA certs.

Was your problem with Thunderbird not accepting the IMAPS connection? In
that case the Thunderbird client software needs to start trusting the
self signed cert as a CA cert. There is probably a GUI way to do this - probably
something very similar to the Firefox GUI for configuring certs.

If you were trying to configure a ClientTLS certificate and the IMAPS
server refused it, then you need to adjust the configuration on the
server end, probably in a config file.



-----

ZXID CARML stack

* frontend API bindings
* middle layer routing and mapping engine
* backend connectors

--Sampo


-----

http://saml.xml.org/products
http://saml.xml.org/zxid

ZXID.org Identity Management toolkit implements standalone SAML 2.0
and Liberty ID-WSF 2.0 stacks. It is a C implementation with minimal
external dependencies - OpenSSL, CURL, and zlib - ensuring easy
deployment (no DLLhell). Due to its small footprint and efficient and
accurate schema driven implementation, it is suitable for embedded and
high volume applications. Language bindings to all popular highlevel
languages such as PHP, Perl, and Java, are provided via SWIG. ZXID
implements, as of July 07, SP, WSC, and WSP roles.




Paul Madsen wrote:
> http://saml.xml.org/forum/calculating-digest-of-an-authentication-statement
>
> Dear Sirs, my name is Gianluca from Italy
> I'm trying to calculate the Digest value of a SAML Authentication
> Statement with the SHA-1 algorithm. Let us suppose that we are dealing
> with a string representing the following node:
>
> <saml:AuthenticationStatement>
>   <saml:Subject>
>     <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
>   </saml:Subject>
> </saml:AuthenticationStatement>
>
> When I try to calculate SHA-1 with the function b64_sha1(str2Digest)
> what exactly should the string str2Digest contain? I mean it should be
> equal to
> "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>GIANLUCA</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
> or only "GIANLUCA" or ....what else?

It's a pity he did not provide an email address, but let's hope this reaches
him anyway.

1. There is no universally agreed way to digest Authentication Statements.
2. The "universally" agreed way to digest XML in general is exc-c14n (exclusive
   canonicalization) [XML-EXC-C14N]. This method is used by all certified
   SAML implementations. It is also the method used by digital
   signatures [XMLDSIG].
3. Canonicalization is difficult and typically 80% of digital signature
   failures derive from canonicalization bugs. Of those 95% are
   XML namespace related (curse the inventor of XML namespaces), and
   4% are whitespace related.
4. For what you are apparently trying to do, it is important to
   digest the entire canonicalized Authentication Statement.
   If the question had been about canonicalizing the NameID, it
   would still be important to digest the entire canonicalized
   Name Identifier, as the actual value in isolation is meaningless.
   You need the identifier type and namespace qualification
   for the digest to be meaningful.

[XML-C14N] J. Boyer: "Canonical XML Version 1.0" (non-exclusive), W3C Recommendation, 15.3.2001, http://www.w3.org/TR/2001/REC-xml-c14n-20010315, http://www.w3.org/TR/xml-c14n, RFC3076

[XML-EXC-C14N] "Exclusive XML Canonicalization", W3C Recommendation, http://www.w3.org/TR/xml-exc-c14n/

[XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation, 12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC3275

Cheers,
--Sampo
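Points 2 to 4 above worked through on the poster's fragment, as an added example that is not part of the original thread or of ZXID. Python's stdlib C14N 2.0 writer stands in for exc-c14n 1.0 (the stdlib has no exc-c14n; both keep prefixes and omit namespace declarations that are not visibly used), the binding of the "saml" prefix to the SAML 1.x assertion namespace is an assumption since the posted fragment had none, and all inputs are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the poster's fragment with the SAML 1.x assertion
# namespace bound to the "saml" prefix (assumed; the posted fragment lacked it).
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
COMPACT = (
    f'<saml:AuthenticationStatement xmlns:saml="{SAML1_NS}">'
    '<saml:Subject><saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>'
    '</saml:Subject></saml:AuthenticationStatement>'
)
# Same statement carrying an unused declaration inherited from an enclosing
# document; exclusive c14n leaves it out, so the digest must not change.
EXTRA_NS = COMPACT.replace(
    f'xmlns:saml="{SAML1_NS}"',
    f'xmlns:saml="{SAML1_NS}" xmlns:unused="urn:example:unused"', 1)
# Same statement pretty-printed: whitespace text nodes are content to
# c14n, so merely reformatting the XML changes the digest (point 3).
PRETTY = f"""<saml:AuthenticationStatement xmlns:saml="{SAML1_NS}">
  <saml:Subject>
    <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
  </saml:Subject>
</saml:AuthenticationStatement>"""
# Exactly as posted: the "saml" prefix is never bound to a namespace.
UNBOUND = COMPACT.replace(f' xmlns:saml="{SAML1_NS}"', '', 1)

def canonical(xml_text: str) -> str:
    """Canonical form via the stdlib C14N 2.0 writer, standing in for
    exc-c14n 1.0: prefixes kept, unused xmlns dropped, text kept as-is."""
    return ET.canonicalize(xml_text, with_comments=False)

def b64_sha1(text: str) -> str:
    """Base64(SHA-1(UTF-8 octets)), the form a ds:DigestValue carries."""
    return base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode("ascii")

def digest_statement(xml_text: str):
    """Digest of the entire canonicalized statement (point 4); None when it
    cannot be canonicalized, e.g. an unbound prefix leaves the element's
    namespace unknown, so any digest over it would be meaningless."""
    try:
        return b64_sha1(canonical(xml_text))
    except (ET.ParseError, ValueError):
        return None

if __name__ == "__main__":
    for name, doc in [("compact", COMPACT), ("extra ns", EXTRA_NS),
                      ("pretty", PRETTY), ("unbound", UNBOUND)]:
        print(f"{name:9}: {digest_statement(doc)}")
```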
