<<if: ZXIDBOOK>>
<<else: >>
97 ZXID FAQ
======

> N.B. Some of these FAQs are repeated in the topic specific documentation,
> e.g. zxid-java.pd.

1.1 Other documents
-------------------

<<doc-inc.pd>>
<<htmlpreamble: <title>ZXID FAQ</title><link type="text/css" rel=stylesheet href="zx.css"><body><h1>ZXID FAQ</h1> >>
<<fi: >>

<<ignore: $Id: zxid-faq.pd,v 1.6 2010-01-08 02:10:09 sampo Exp $ >>

97.1 Compilation Problems
-------------------------

(*** also in INSTALL.zxid)

* The Makefile compiles a bunch of check programs early in the
  build to detect common problems with missing headers (include
  files) and missing libraries.
* If the checks fail, you need to adjust the -I and -L flags in the Makefile
  variables CDIR and LIBS (around line 123).
* Alternatively you can create a localconf.mk file, which is
  included by the main Makefile, and put your modifications there.
* ZXID's dependency libraries are libcurl, OpenSSL (libssl, libcrypto), and zlib.
* Although compiling the dependency libraries from source is advised,
  usually you can use the versions supplied with your distribution.
  In that case, however, you MUST also install the headers. Usually these
  come in separate "development" packages.
* zxid assumes OpenSSL, libcurl, Java, and Apache are installed
  in the locations where the source distributions of those packages
  install them in their default configuration (e.g. /usr/local/ssl,
  /usr/local/httpd, etc.)
* Many distributions (e.g. Ubuntu, Redhat, SUSE, ...)
  choose to install those libraries in different places, thus requiring
  distribution specific edits to localconf.mk.
* If you have difficulty finding the headers and libraries (or determining
  whether a package is installed at all), try the following commands

    find / -name 'stdio.h'
    find / -name 'libc.*'
    find / -name 'zlib.h'
    find / -name 'libz.*'
    find / -name 'opensslv.h'
    find / -name 'libssl.*'
    find / -name 'libcrypto.*'
    find / -name 'curlver.h'
    find / -name 'libcurl.*'
    find / -name 'ap_release.h'
    find / -name 'apr_version.h'
    find / -name 'libapr-1.*'
    find / -name 'servlet-api.jar'

  If you find more than one of any of the above, you need to be extra
  careful about which one you use.

97.1.1 OpenSSL not found: you need to create localconf.mk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ZXID does NOT have a configure script. It ships with a notion
of "standard" locations for the three dependency libraries,
but if these libraries are not where it expects to find them,
then typically you see (n.b. lines were folded for presentation):

  make
  If you get compilation errors, try: make help
  gcc -g -fpic -fmessage-length=0 -Wno-unused-label -Wno-unknown-pragmas
    -fno-strict-aliasing -D_REENTRANT -DDEBUG -DUSE_CURL -DUSE_OPENSSL
    -DLINUX -I/tmp/zxid-0.20 -I/usr/local/ssl/include -I/usr/local/include
    -c -o zxid.o zxid.c
  zxid.c:34:23: curl/curl.h: No such file or directory
  In file included from zxid.c:38:
  zx.h:26:25: openssl/rsa.h: No such file or directory
  ...

What happened is that OpenSSL is, for some reason, not in the location
where the standard OpenSSL distribution would install it (as indicated by
the -I/usr/local/ssl/include flag that ships with the ZXID Makefile). You need
to determine where OpenSSL is installed in your case. You can use

  find / -name rsa.h -ls

to locate candidates.
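Once find(1) has produced its candidates, turning them into the right localconf.mk lines, and refusing to guess when there is more than one installation, can be scripted. The following is an added example and is not part of the ZXID distribution. It assumes, from the -I/usr/local/ssl/include flag above, that each *_ROOT variable (OPENSSL_ROOT and CURL_ROOT, as used further down) names the directory that contains include/; the find output it parses is constructed.

```python
"""Turn find(1) output into localconf.mk *_ROOT lines.

Added example, not part of the ZXID distribution. It assumes that each
*_ROOT variable names the directory containing include/ (ZXID's default
OPENSSL_ROOT=/usr/local/ssl is what produces -I/usr/local/ssl/include).
"""
from collections import defaultdict

# One marker header per dependency (taken from the find commands above),
# mapped to the localconf.mk variable whose root it reveals.
MARKER_HEADERS = {
    "openssl/opensslv.h": "OPENSSL_ROOT",
    "curl/curlver.h": "CURL_ROOT",
}


def root_of_header(path, suffix):
    """Install root for a header found at `path`, or None if unrelated.

    /opt/ssl/include/openssl/opensslv.h -> /opt/ssl
    /usr/include/openssl/opensslv.h     -> /usr
    """
    tail = "/include/" + suffix
    if not path.endswith(tail):
        return None
    return path[: -len(tail)] or "/"


def candidate_roots(find_output):
    """Map each *_ROOT variable to the sorted list of roots found for it."""
    roots = defaultdict(set)
    for line in find_output.splitlines():
        path = line.strip()
        for suffix, var in MARKER_HEADERS.items():
            root = root_of_header(path, suffix)
            if root is not None:
                roots[var].add(root)
    return {var: sorted(found) for var, found in roots.items()}


def localconf_lines(find_output, choices=None):
    """Lines to append to localconf.mk.

    `choices` maps a variable to the root you picked deliberately when
    several installations exist. Without such a choice, ambiguity raises
    ValueError rather than guessing, which is the FAQ's "be extra careful"
    rule enforced by code.
    """
    choices = choices or {}
    lines = []
    for var, roots in sorted(candidate_roots(find_output).items()):
        if var in choices:
            if choices[var] not in roots:
                raise ValueError(f"{var}: {choices[var]} not among {roots}")
            roots = [choices[var]]
        if len(roots) != 1:
            raise ValueError(f"{var}: {len(roots)} installations found {roots}; pick one")
        lines.append(f"{var}={roots[0]}")
    return lines


# Constructed find(1) output: a distribution OpenSSL under /usr and a
# source-built one under /opt/ssl, plus one libcurl and an unrelated hit.
SAMPLE_FIND_OUTPUT = """\
/usr/include/openssl/opensslv.h
/opt/ssl/include/openssl/opensslv.h
/usr/include/curl/curlver.h
/usr/lib/libssl.so.0.9.8
"""

if __name__ == "__main__":
    try:
        localconf_lines(SAMPLE_FIND_OUTPUT)
    except ValueError as err:
        print("refusing to guess:", err)
    for line in localconf_lines(SAMPLE_FIND_OUTPUT, {"OPENSSL_ROOT": "/opt/ssl"}):
        print(line)  # append these to localconf.mk
```

Feed it the concatenated output of the find commands; when it refuses, that is the moment to decide which installation the -I and -L flags should point at, rather than letting the first hit on the path win.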

For example, if it turns out that OpenSSL is installed in /opt/ssl, then
you need to create a localconf.mk file that indicates this location:

  echo OPENSSL_ROOT=/opt/ssl >>localconf.mk

There are several other make variables you may need to tweak. In the
above example, we also notice that libcurl was not found where
expected. This would be fixed like this:

  echo CURL_ROOT=/opt/curl >>localconf.mk

Net result? ZXID does not try to guess where the libraries are. It
makes you do the footwork of locating the correct libraries (some
people have more than one instance installed) and preparing
localconf.mk. This may seem like a lot of work, but in my experience,
fixing GNU autohell configure scripts that guess wrong is a thousand
times more frustrating. The system is dumb by design so that you, as a human,
do not have to second guess it - you are in control.

97.1.2 Missing gperf
~~~~~~~~~~~~~~~~~~~~

  gcc -g -fpic -fmessage-length=0 -Wno-unused-label -Wno-unknown-pragmas -fno-strict-aliasing -D_REENTRANT -DDEBUG -DUSE_CURL -DUSE_OPENSSL -DLINUX -I/c/cvs/zxid_cvs -I/usr/local/ssl/include -I/usr//include -c -o c/zx-a-aux.o c/zx-a-aux.c
  c/zx-a-aux.c: In function "zx_NEW_a_Action":
  c/zx-a-aux.c:80: error: "zx_a_Action_ELEM" undeclared (first use in this function)

This happens because c/zx-const.h was misgenerated (the generator needs
gperf, and regeneration is only attempted when you supply ENA_GEN=1, so
this should not happen at all otherwise) and does not contain the
necessary defines. A correct c/zx-const.h has more than 1900 lines and
looks something like

  /* generated file, do not edit! zx_ _ATTR */
  #ifndef _zx__ATTR
  #define _zx__ATTR
  #define zx_use_ATTR 0
  #define zx_used_ATTR 1
  #define zx_sequence_ATTR 2
  ...
  #define zx_wantDSEPR_ATTR 347
  #define zx_ZX_TOK_NOT_FOUND_ATTR 348
  #define zx__ATTR_MAX 349
  #endif
  /* generated file, do not edit! zx_ _ELEM */
  #ifndef _zx__ELEM
  #define _zx__ELEM
  #define zx_ds_Y_ELEM 0
  #define zx_gl_Y_ELEM 1
  #define zx_gl_esrd_ELEM 2
  ...
  #define zx_wst_OnBehalfOf_ELEM 1629
  #define zx_ZX_TOK_NOT_FOUND_ELEM 1630
  #define zx__ELEM_MAX 1631
  #endif

97.1.3 make samlmod gives "incompatible types in assignment"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Should not happen with version 0.21 or later. See zxidnoswig.h
for an explanation of the problem.

97.1.4 Perl compiled with different compiler than zxid
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(*** this section also appears in zxid-perl.pd)

Perl modules generally want to be compiled with the same C compiler
and options as were used to compile perl itself (see perl -V). If that
compiler happens to be different from the one you have defined in the CC
variable (gcc by default, near the top of Makefile or in localconf.mk), you may
get an error like:

  cd Net; perl Makefile.PL && make
  Warning: -L.. changed to -L/home/sampo/zxid/Net/..
  Writing Makefile for Net::SAML
  make[1]: Entering directory `/home/sampo/zxid/Net'
  cc -c -I.. -I/apps/openssl/std/include -I/apps/include -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -pipe -Wdeclaration-after-statement -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -Wall -pipe -DVERSION=\"\" -DXS_VERSION=\"\" -fPIC "-I/usr/lib/perl5/5.8.8/i586-linux-thread-multi/CORE" SAML_wrap.c
  /bin/sh: cc: command not found
  make[1]: *** [SAML_wrap.o] Error 127
  make[1]: Leaving directory `/zxid/Net'
  make: *** [samlmod] Error 2

*Solutions*

1. Compile zxid with the compiler that was used for perl, e.g.

     make CC=the-compiler-that-perl-wants

2. Recompile perl using the compiler that you want to use for zxid.

3. Tinker with the PATH environment variable so that both C compilers
   are found. However, using two different compilers is not really supported.

In general these types of problems happen when you use the perl installed
by your distribution, but have later compiled a gcc of your own. It may
even be that you never installed the distribution cc - in that case
consider installing it and then trying approaches 1 or 3.

A similar situation can arise from incompatibility between the compiler and
options used for the dependency libraries, such as OpenSSL or libcurl, and
those used for compiling zxid itself.

97.1.5 All files under zx missing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(*** this section also appears in zxid-java.pd and zxid-perl.pd)

You need to symlink zx to the zxid source directory, thus

  ln -s . zx

If you do not have it, you will get a lot of file inclusion errors for
headers that are supposed to be in paths starting with zx/.

The symlink is there to keep all handwritten source files on the top
level of the directory for ease of development, yet allow inclusions to go
through the ~zx~ subdirectory. When zxid is installed, it goes to
/usr/include/zx. Hence the symlink keeps the includes the same whether
developing or using the installed version.

97.1.6 Compiler Warnings
~~~~~~~~~~~~~~~~~~~~~~~~

(*** this section also appears in zxid-java.pd and zxid-perl.pd)

If you compile zxid with compiler warnings turned on (CFLAGS += -Wall),
you will see quite a number of warnings, most of which are
unwarranted. Since the warnings are unwarranted, I ship the zxid Makefile
with warnings turned off. If this bothers you, feel free to investigate
the warnings and report to me any issues you uncover.

The following warnings in particular are unwarranted:

1. Any unused variable warnings, especially in generated code. The most
   common of these is the ~se~ variable (see enc-templ.c).
2. "Suggest parenthesis around assignment when used as truth value." I
   rely on C language operator precedence. Also, in most cases the
   assignment is the only expression in the truth test - there simply
   is no opportunity for ambiguity - and no justified case for gcc to
   warn about this.
3. "Suggest parenthesis around && when used in ||". I rely on C
   language operator precedence, hence the suggestion is redundant.

Some warnings you may want to worry about:

A. "int format, long int arg". On 32 bit platforms int and long
   are both 32 bits, so this warning is not an issue. On 64 bit platforms,
   however, long is 64 bits, the format and the argument no longer match,
   and the printed value may be truncated or garbage, so there is cause
   for worry.

97.1.7 SWIG and Java Problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(*** this section also appears in zxid-java.pd)

  javac -J-Xmx128m -g zxid.java zxidjava/*.java
  zxidjava/zxidjni.java:159: cannot find symbol
  symbol  : class SWIGTYPE_p_p_void
  location: class zxidjava.zxidjni
      public static zx_str zx_rsa_pub_enc(zx_ctx c, zx_str plain, SWIGTYPE_p_p_void rsa_pkey, int pad) {
                                                                  ^
  zxidjava/zxidjni.java:164: cannot find symbol
  symbol  : class SWIGTYPE_p_p_void
  location: class zxidjava.zxidjni
      public static zx_str zx_rsa_pub_dec(zx_ctx c, zx_str ciphered, SWIGTYPE_p_p_void rsa_pkey, int pad) {
                                                                     ^
  zxidjava/zxidjni.java:169: cannot find symbol
  symbol  : class SWIGTYPE_p_p_void
  location: class zxidjava.zxidjni
      public static zx_str zx_rsa_priv_dec(zx_ctx c, zx_str ciphered, SWIGTYPE_p_p_void rsa_pkey, int pad) {
                                                                      ^
  zxidjava/zxidjni.java:174: cannot find symbol
  symbol  : class SWIGTYPE_p_p_void
  location: class zxidjava.zxidjni
      public static zx_str zx_rsa_priv_enc(zx_ctx c, zx_str plain, SWIGTYPE_p_p_void rsa_pkey, int pad) {
                                                                   ^

This was due to missing SWIG generated classes, probably from an
interrupted file transfer.

  javac -J-Xmx128m -g zxid.java zxidjava/*.java
  zxid.java:24: cannot find symbol
  symbol  : method new_conf(java.lang.String)
  location: class zxidjava.zxidjni
      cf = zxidjni.new_conf("/var/zxid/");
                  ^
  zxid.java:27: cannot find symbol
  symbol  : method url_set(zxidjava.zxid_conf,java.lang.String)
  location: class zxidjava.zxidjni
      zxidjni.url_set(cf, url);
             ^
  zxid.java:28: cannot find symbol

Package directories matter when the jar is built: zxidjava/zxid_conf.class
must sit at zxidjava/zxid_conf.class inside the archive, otherwise javac
reports that the class file contains the wrong class, as in the transcript
that follows the two jar commands. The first command (run inside the
zxidjava directory) loses the package directory, the second keeps it.

  jar cf zxidjava.jar *.class
  jar cf /tmp/zxidjava.jar zxidjava/*.class

  javac -J-Xmx128m -g zxid.java
  zxid.java:187: cannot access zxid_conf
  bad class file: /Library/Java/Extensions/zxidjava.jar(zxid_conf.class)
  class file contains wrong class: zxidjava.zxid_conf
  Please remove or make sure it appears in the correct subdirectory of the classpath.
      public static int mgmt_screen(zxid_conf cf, zxid_cgi cgi, zxid_ses ses, char op)
                                    ^
  1 error

  ./zxid-java.sh
  Start...
  Exception in thread "main" java.lang.NoSuchMethodError: zxidjava.zxidjni.new_conf(Ljava/lang/String;)Lzxidjava/zxid_conf;
          at zxid.main(zxid.java:24)

This was due to finding some old copies from system paths.

Underscore in linking error:

  java -classpath .:zxidjava -Djava.library.path=zxidjava zxid
  Start...
  Exception in thread "main" java.lang.UnsatisfiedLinkError: _zxid_new_conf
          at zxidjava.zxidjniJNI._zxid_new_conf(Native Method)
          at zxidjava.zxidjni.new_conf(zxidjni.java:586)
          at zxid.main(zxid.java:24)

97.1.8 SWIG and Perl Problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(*** this section also appears in zxid-perl.pd)

ZXID is tested and known to work with SWIG version 1.3.40. It is known not
to work with SWIG-2.0.4. The telltale sign is

  perl -MNet::SAML -e 'print Net::SAML::call($cf,$ses,$svctype,$url,0,0,$soap)'
  TypeError in method 'zxid_call', argument 5 of type 'char const *'

The SWIG version should not be a concern for those using .tgz distributions of
ZXID, as the tar gzip archives already contain the files generated by SWIG.
Installs from CPAN should not be affected either.

97.2 Platform Specifics
-----------------------

If your Unix platform is not mentioned, you should try saying just

  make

which will compile with Linux options. These options actually
are pretty close to a pure POSIX compile, so you should get very close
to a working configuration.

97.2.1 Linux
~~~~~~~~~~~~

Native development platform. Just say

  make

It seems there are some "improvements" that distributions have made. ZXID
adopts the policy of expecting dependency modules where the module
author meant them to be installed by default - for example OpenSSL by
default installs in /usr/local/ssl (the naming is historic, but has stuck).
Many distros tinker with these paths. This means you need to create
a localconf.mk.

Redhat used to have an issue with Net::SAML (make samlmod). This has
since been fixed, please see zxidnoswig.h for an explanation.

No doubt, distros will eventually pick up ZXID and provide it as a package.
Once that happens they will solve any path issues according to their
distro policy and that is fine, just do not ask me to comply with any
such policy.

97.2.2 FreeBSD
~~~~~~~~~~~~~~

No target available in the Makefile, but a port is available from
http://www.freshports.org/security/zxid/

97.2.3 Solaris (Sparc)
~~~~~~~~~~~~~~~~~~~~~~

  make TARGET=sol8
  make TARGET=xsol8     # Cross compile for Solaris (e.g. on Linux host)

97.2.4 MacOS X (PowerPC?)
~~~~~~~~~~~~~~~~~~~~~~~~~

  make TARGET=macosx

97.2.5 Windows Using MinGW
~~~~~~~~~~~~~~~~~~~~~~~~~~

  make zxid.dll TARGET=xmingw   # Cross compile on Linux host (best supported)
  make zxid.dll TARGET=mingw    # Native compile for mingw target in Cygwin environment

Either way, the net result is a native Windows DLL that has neither
Cygwin library dependencies nor GPL encumbrance.

See Makefile for further mingw notes.

97.2.6 Windows Using Cygwin
~~~~~~~~~~~~~~~~~~~~~~~~~~~

  make TARGET=cygwin

Very experimental (as of Oct 2007) native build for Cygwin.

Cygwin appears to have neither flock(2) nor lockf(2). This is
strange because at least one of these is implemented on MinGW.
The current workaround is to define flock() as an empty macro. This
of course means there is no file locking. There are 3 known races
where things can go wrong:

1. Audit logs can get garbled. This does not stop ZXID from working,
   but may make log analysis more complicated.
2. Auto-CoT metadata writes can get garbled. This is very improbable,
   but if it happens, the ZXID deployment will not work towards the
   affected IdP. Nothing to worry about really.
3. Locking is used to protect against updates of zxid.conf while
   zxid is running. Again any corruption is very unlikely. Nothing
   to worry about.

The results of a Cygwin compile may be GPL encumbered due to the libraries.

97.2.7 Windows Using MSVC
~~~~~~~~~~~~~~~~~~~~~~~~~

Never been done (as of Oct 2007), but probably this is not very
difficult given that the MinGW port has already addressed many Windows
platform issues. Please send any success reports, and recipes, my way.

As of June 2010 the MSVC support has improved. The sed dependency
was removed and any C language constructs that MSVC has indigestion with
have been removed. We are still aiming at a Makefile based
build using Microsoft's cl compiler. You should try

  make TARGET=win32cl

If you manage to build it using some IDE project, please contribute
the project file. For ongoing maintenance, it would be good if the
project was a text file to which new source code files can be added
easily *without using the IDE*, i.e. using a simple text editor.

97.3 Configuration Questions
----------------------------

(*** Some of these may be repeated in zxid-conf.pd)

1. Q: In mod_auth_saml, what is the relation between ZXIDConf and httpd.conf?

   A: httpd.conf can contain ZXIDConf directives. Those directives are
   processed as if they came from the /var/zxid/zxid.conf file (which is
   processed first, before any ZXIDConf directives), except that if you
   specify ZXIDConf "PATH=/your/path", this triggers reprocessing of
   the zxid.conf (from the new path).

2. Q: In mod_auth_saml, what is the relation between the +port+ in ZXIDConf
   and the +port+ in the httpd.conf?

   A: The ports must agree. The ZXID configuration must match the way the
   Apache layer is configured.

3. Q: Multiple roles of the same entity, acting as SP, WSC, and WSP for
   different services

   Asa:
   > Part of what you are saying is that the service
   > registration is WSC. This is rather confusing since the case is a WSP
   > acting as a WSC of the Discovery Service. For the ClientLib thus far,
   > I have chosen to think of service registration as a WSP to WSP. What is
   > the downside to this approach?

   Conor:
   > Service registrations can't be done WSP to WSP with any Liberty protocol
   > (in fact, we don't define any such method of invocation as the invoking
   > party is always a WSC for the intent of that message - there's no
   > problem with a WSP in turn being a WSC of another service instance, just

   Right. You can don the WSC role whenever convenient. There is nothing confusing
   about the WSP of one service being a WSC of another service. Perhaps the
   confusion would be avoided if everybody fully qualified their descriptions
   until a common convention about less than fully qualified roles emerges.

   Entity E1, an ID-DAP WSP (primary role), will act as Discovery WSC
   (secondary role) to perform metadata registration. This same entity E1
   will also have an SP interface (another secondary role) which allows
   the user to trigger discovery association, again with E1 acting in the
   secondary role of Discovery WSC.

   No confusion as far as I can see.

4. Q: What should the "Entity ID" and the "Service Type" be?

   While entityID and Service Type selection are flexible and there is a
   sophisticated philosophy behind them, the short answers are:

   a. entityID should be the URL from which your metadata can be fetched. The
      URL should match the entityID field inside the metadata document. In
      zxid deployments the entityID usually ends in "?o=B" and the beginning
      part depends on the URL configuration parameter.
   b. Service Type should be the namespace URI of the (first) top level child
      of the SOAP envelope Body element.


97.3.1 No certificates appear in metadata
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Q: +I've been trying to set up ZXID's mod_auth_saml on an OS X server. The
EntityDescriptor XML doesn't seem to contain the public x.509 cert.+

A: The metadata (the URL ending in o=B) will not have certificates if
none actually were available. Thus viewing the metadata in
a browser is a good way to check whether it is finding the certs. So
it is a feature ;-)

Q: +Does mod_auth_saml use the cert from /var/zxid/pem/ssl-nopw-cert.pem?+

A: The certs for metadata live in the files

  /var/zxid/pem/sign-nopw-cert.pem
  /var/zxid/pem/enc-nopw-cert.pem

In more recent versions (current is 0.38, which version were you using?)
ZXID will automatically generate self signed certs if the certs are
not installed yet. However, it may fail to write them to the filesystem
due to a permissions problem. You should check that the user as which
Apache runs can indeed read from and write to the /var/zxid/pem directory.

If you want to use officially issued certificates, you will of course
need to place them in the two files mentioned. Please note that the
files should be the concatenation of the certificate and the private key.
Because of this, and the practice of not using a password on the private
keys, you should pay attention to protecting these files with filesystem
permissions - the caveat is that if you protect them too well then
even the apache process can't read them. Recommended permissions are

  chown APACHEUSER /var/zxid/pem
  chmod -R 02750 /var/zxid/pem

where APACHEUSER is the distribution dependent unix user account used to
run the apache httpd process. You can do `ps axu | grep httpd' to see
what user apache runs as (common ones are "www-data" and "apache").
Note that 02750 still lets the directory's group read the unencrypted
private keys, so make sure that group is no wider than the httpd
process itself, or drop the group bits.

97.3.2 Skipping IdP Selection: Hardwiring the IdP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> I was hoping that you could answer a question for me about mod_auth_saml.
> I have it installed on CentOS5 with Apache and every request to our
> protected URL does bring up the IDP selection screen. Since we only want
> customers to use the sole IDP we have configured, we'd like to
> automatically redirect to the IDP instead of having the users click a
> login button.
>
> Is there a setting for zxid.conf or Apache that I need to set so it will
> always redirect to the sole IDP if a session needs to be created without
> presenting that IDP selection screen?

This in fact is possible. It is a bit convoluted (and not documented)
in that it effectively works by simulating submission of the
IdP selection screen, with the form fields and all. This is done
by setting the DEFAULTQS configuration option. For example, the following

  ZXIDConf "DEFAULTQS=l0https://idp.tas3.eu/zxididp%25%33%66o%25%33%64B=1%26fc=1%26fn=prstnt"

would simulate clicking the login button for idp.tas3.eu. Note the URL
escaping that needs to be applied: the configuration layer decodes
%25%33%66 to "%3f", which is how the question mark must be escaped
at the query string layer, and likewise %25%33%64 to "%3d", the
query string escape for the "=" inside the entityID. The %26 means the
ampersand that separates the arguments at the query string layer. It
is encoded only once. Hope this is not too confusing.

> > The big question is which IdP? If for your
> > user base there is only one, then the user can be redirected to that one
> > without any further ado and if they are already logged in at the IdP,
> > they will be redirected back without the user having to interact (otherwise
> > the user needs to log into the IdP and then he is redirected back).
> In this case, it'll be an internal IdP, totally private.

Ok, that makes it easy. With mod_auth_saml you may want to set the
configuration option DEFAULTQS=l2EEE=1 where EEE is the EntityID URL
of the IdP (with its "?" and "=" escaped as described above). Without
mod_auth_saml, upon the user clicking "Login using SAML",
you would formulate for the zxid_simple() call a query string containing
"l2EEE=1". Then redirect to the return value.


97.3.3 Web Service Provider Metadata
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The metadata is needed in the web service call mainly to know the
certificates. The endpoints in the metadata are ignored for purposes
of the web service call, as the endpoint is supplied by the EPR.

Since SAML defines a metadata format with certificates (and SAML
relevant endpoints), the convention is that the web service call consults
the SAML metadata for the certificates.

It is very common for the same service to be accessible as a web GUI (SAML
SP) and a web service (ID-WSF WSP), therefore it is considered
convenient for the SAML metadata to be used.

If the service does not want to be a SAML SP and only wants to be an ID-WSF
WSP, then it still needs to supply the SAML SP metadata just for the
purpose of the certificates (the SAML SP end point URLs will not be
used).

> My service only wants to be a ID-WSF WSP. For example, Custodix want
> to be able to call a SOA Gateway web service, and the SOA Gateway
> knows nothing about SAML, etc.

> I need to ensure that ZXID will process necessary soap headers and
> accept or reject as appropriate.

You still need to generate metadata. Since your service does not have
a SAML SP facet, you can't (directly) use the o=B method (but see my example
zxidwspdemo.java for how it still supports o=B). However, you can just hand
edit a metadata file (perhaps using something from o=B as a template).

If you place the hand edited metadata in the right file on the WSC side,
using

  zxcot -a <meta.xml

then no dynamic metadata fetch will be attempted and you
do not need to support o=B.

See also zxid-idp.pd for registration of EPR and bootstrap.

97.3.4 Two sites in same domain: sessions interfere
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If two sites share a domain, they also share cookies. To avoid the
cookies interfering with each other, use the SES_COOKIE_NAME
configuration option to give the cookies different names (the default is
ZXIDSES). You may also have a similar issue with PTM_COOKIE_NAME.

One particular instance of this issue manifests when the IdP and SP
run on the same host. In the SP log right after SSO you may see

  zx E get_ses: File(/var/zxid/ses/MMSESNULVSoj4lBYsqYhxCvXodNLM/.ses) not found errno=2 err(No such file or directory). flags=0x0 0, euid=443 egid=443 cwd(/var/zxid/webroot/zxid.org)
  zx d No session(MMSESNULVSoj4lBYsqYhxCvXodNLM) active op(P)

This is because the IdP already set the session cookie (IdP sessions
usually start with "MMSES") and the SP is erroneously picking it up
and then not finding the corresponding session in its session store.

97.3.5 Using HTTP or SOCKS proxy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ZXID uses libcurl as its underlying HTTP client. Although ZXID does
not offer any proxy related options, it respects the environment
variables ~https_proxy~, ~all_proxy~, and ~no_proxy~, because libcurl sees
them and uses them. Thus you can

  all_proxy=corpproxy:1080 zxcot -g https://some.external.com/url
  all_proxy=corpproxy:1080 zxcall ...

or you can set the variables more permanently

  export all_proxy=corpproxy:1080
  export no_proxy=localhost
  zxcot -g https://external.url/

See the libcurl documentation at curl.haxx.se for more information.

97.4 API Questions
------------------

1. *Q*: What do I need to pass in as the +enve+ argument to zxidjni.wsc_prepare_call()?

   *A*: zxidjni.wsc_prepare_call() has some auto detection. If you pass an entire
   SOAP <e:Envelope>, then it will just add some headers. If you pass <e:Body>
   it will add <e:Envelope> and headers. If you pass anything else, it
   assumes that it is meant to be the content of the body and will add
   <e:Envelope><e:Headers>...</><e:Body>your stuff</></>

2. *Q*: What exactly is a "sha1 name"?

   *A*: Since ZXID (originally) uses the filesystem as backend, a method
   for generating filesystem-safe strings, to be used as filenames,
   was needed. Further, there was occasionally a requirement that each
   different file have a different name. The solution to these problems
   is to hash whatever part is unique and use the safe base64 [RFC3548]
   encoding of the hash as the filename.
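As an added illustration (not ZXID's own sha1_safe_base64(), which this page only describes as the safe base64 [RFC3548] encoding of the sha1 hash), the following computes such names and contrasts them with the naive "squash unsafe characters" approach the answer rejects. It uses the RFC 3548/4648 URL- and filename-safe alphabet and drops the single "=" pad byte; that ZXID drops the pad is an assumption, not something this page states. The entity IDs are constructed.

```python
"""sha1 names: filesystem-safe, fixed-width, collision-resistant file names.

Added example, not ZXID's own code. This page describes sha1_safe_base64()
(zxutil.c) only as the "safe base64 [RFC3548] encoding of the sha1 hash";
this reimplementation uses the RFC 3548/4648 URL- and filename-safe
alphabet ('-' and '_') and drops the single '=' pad byte, which is an
assumption about ZXID's exact output rather than something the page states.
"""
import base64
import hashlib
import re

SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{27}$")  # 20 hash bytes -> 27 chars unpadded


def sha1_safe_base64(data):
    """Fixed-width, filesystem-safe name for arbitrary input (str or bytes)."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    digest = hashlib.sha1(data).digest()  # 20 bytes
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def squashed_name(s):
    """The naive alternative: replace anything unsafe with '_'.

    Shown only to demonstrate why the FAQ rejects escaping/squashing:
    it is not injective, so distinct inputs can share a file.
    """
    return re.sub(r"[^A-Za-z0-9]", "_", s)


def names_collide(namer, a, b):
    """True when two different inputs map to the same file name."""
    return a != b and namer(a) == namer(b)


# Constructed entity IDs: they differ only in one character ('?' vs '_')
# that squashing erases, and one is anomalously long.
EID_A = "https://sp1.zxidsp.org:8443/zxidhlo?o=B"
EID_B = "https://sp1.zxidsp.org:8443/zxidhlo_o=B"
LONG_EID = "https://sp1.zxidsp.org:8443/" + "a" * 300 + "?o=B"

if __name__ == "__main__":
    for eid in (EID_A, EID_B, LONG_EID):
        print(f"{sha1_safe_base64(eid)}  <- {eid[:50]}")
    print("squash collides:", names_collide(squashed_name, EID_A, EID_B))
    print("sha1 collides:  ", names_collide(sha1_safe_base64, EID_A, EID_B))
```

The same function is handy for locating an entity's files under /var/zxid/cot by hand: compute the name from the entityID exactly as it appears in the metadata and look for that file.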
664 665 They are not very human friendly, but they are filesystem safe 666 and unique as required. They are also constant width, which tends 667 to make directory listing prettier, and also handles anomalously 668 long Entity IDs gracefully. 669 670 sha1 hashing is much less error prone than trying to escape or squash 671 the various Entity IDs, Name IDs, and who-know-what to be filesystem 672 safe. Add to the squasing bugs, the convolutions of ensuring uniqueness 673 and dealing with too long input and you should see why sha1 names are 674 the most secure, easiest to implement, approach. 675 676 See also sha1_safe_base64() in zxutil.c 677 67897.4 Common Mistakes 679-------------------- 680 6811. When I try accessing https://sp1.zxidsp.org:8443/zxidtest.sh nothing happens! 682 683 Assuming you have the web server correctly running, the most common 684 gotcha is that zxidhlo has dynamic linking problem. 685 See <<see: ZXID-Installing-CannedTutorialRunningZXIDasCGIundermini_httpd-AccessingZXID>> 686 subsection "Dynamic Linking Problems", for explanation and resolution. 687 6882. Single Logout does not end the IdP session (i.e. IdP does 689 not force you to supply password when you do SSO next time). 690 691 Usual cause is that the management form (the one with the SLO buttons) 692 does not have correct or any session ID. Do a view source on the 693 the page and look for field called "s". The session ID is 694 supposed to be extracted from the Single Sign-On result. For 695 zxid_simple() you need to parse the returned LDIF and 696 take the sesid. Pass that to zxid_fed_mgmt() as second argument. 697 6983. Login buttons do nothing. 699 700 A possible cause is that the entity ID is not passed from 701 the IdP selection form. If the form is using POST method, 702 you must make sure you actually read the HTTP body and 703 pass its contents to the zxid_simple() as the ~qs~ argument. 704 7054. The SP Login, a.k.a. IdP selection, page shows, but SSO does not work 706 707 a. 
Your configuration does not match actual URL used to 708 access the zxid system. For the zxidhlo family of 709 examples you MUST edit the configuration string 710 to match your situation. Watch out for domain name 711 and port number. 712 713 b. Connectivity issue prevents IdP from fetching metadata. 714 Make sure your domain name is resolvable at IdP (e.g. 715 add it to /etc/hosts). See also next point. 716 717 c. IdP is not configured to get your metadata automatically. 718 You have to configure your metadata to the IdP manually. 719 How to do this depends on IdP product. Do not ask us. 720 721 d. You supplied IdP URL that, in fact, is not the well known 722 location for fetching IdP metadata. Or the IdP does 723 not have well known location enabled. In the latter 724 case you will need to install the IdP metadata 725 manually (*** procedure to be documented). See [SAML2meta] 726 section 4.1 "Publication and Resolution via Well-Known Location", 727 p.29, for normative description of this method. 728 729 e. Connectivity issue at web browser level. Make sure your 730 web browser can resolve both SP and IdP domain names. 731 Edit /etc/hosts as needed on the machine where the browser runs. 732 733 f. Personal firewall blocks access. Check firewall set up on 734 * browser machine 735 * SP machine 736 * IdP machine 737 7385. The SP Login, a.k.a. IdP selection, page does not show at all 739 740 a. Connectivity issue at web browser level. Make sure your 741 web browser can resolve both SP and IdP domain names. 742 Edit /etc/hosts as needed. 743 744 b. Personal firewall blocks access. Check firewall set up on 745 * browser machine 746 * SP machine 747 748 c. You deployed the zxid in some other URL than you thought. 749 Double check your webserver or servlet container 750 configuration and be sure you understand where 751 zxid is supposed to appear. 
      Be sure you are editing
      the right configuration - some people run multiple
      web servers on their machine and get confused about
      which one actually is active on which port and where
      the configuration files are located.

   d. ZXID lacks execute permissions, dynamic link libraries
      are missing (use "ldd zxid" to check), or the CGI permission
      setup prevents it from running. See previous bullet.

6. Mystery configuration problems. Double check /var/zxid/zxid.conf
   or consider removing it if you do not understand what it does.
   Double check the conf string if using the zxid_simple() interface.

7. Writes a user...

   > Once it has been compiled, I copied the files zxidhlo.php and zxid.php
   > to /var/www/zxid (my webroot). I accessed zxidhlo.php?o=E with my browser
   > and I saw a page asking for IDP metadata. But when I looked at
   > the /var/log/apache2/error.log, I found these:
   >
   >   tb77f96c0 zxidmeta.c:352 zxid_get_ent_by_sha1_name zxid d Trying
   >   sha1_name(cot) open (vopen_fd_from_path): No such file or directory

   Did you create the /var/zxid hierarchy (make dir) and make sure your
   web user (nobody?) has write permission to the ~log~ directory? Or did
   you configure it to use some other directory than /var/zxid?

8. What is this /var/zxidcot directory?

   It is supposed to be /var/zxid/cot

   When configuring PATH, did you forget the trailing slash? E.g.

       "PATH=/var/zxid&URL=..."    # WRONG!
       "PATH=/var/zxid/&URL=..."   # Right

9. *Q1:* I get rejection due to NotOnOrAfter or NotBefore. I think I have
   synchronized the clocks on IdP and SP. Log messages are

       t zxidsso.c:466 zxid_validate_cond zx d ssof: NotOnOrAfter ok. Time to expiry 21900 secs
       t zxidsso.c:476 zxid_validate_cond zx E ssof: NotBefore rejected with slop of 7300. Time to validity 21600 secs

   *A1:* This seems an awful lot like a timezone issue.
   Slop is the ZXID config
   parameter that defines the tolerance. I recently reduced it from 1 day
   to 3 hours because I got feedback that it was a security issue to have
   such an overbroad tolerance (which it is, but a 1 day slop allows people
   with bad time zone configs to still have initial success - maybe
   I will go back to one day).

   On both IdP and SP, run

       TZ=GMT date

   and see if there is about a 6 hour difference. I strongly suspect one
   machine is correctly on GMT (which does not even have the concept
   of summer time that causes so much productivity loss :-) and the other
   is on something like US Central time (your guess whether a summer time error applies).

   You can synchronize using

       TZ=GMT ntpdate pool.ntp.org

   (there may be a server closer to you than Finland)

   *Q2:* I double checked the clocks, the SP and IdP are very close to our NTP
   server, within 100ms or so. Why would it say there's a slop of 7300
   seconds?

   *A2:* Slop is just tolerance. The real problem is "Time to validity 21600 secs".
   If you can't get the clocks to synchronize, you can increase
   the config option BEFORE_SLOP=22000 in /var/zxid/zxid.conf. This
   of course has some security implications.

   *Q3:* My time zone is set to CDT on both machines. Is it possible that
   Shibboleth is using GMT and zxid is using my local time? (Or the
   other way around) 21600 seconds seems too obvious to
   be a real clock skew. If both systems have the same locale settings, then
   something in software must be choosing the wrong time zone.

   I set TIMEOUT_FATAL=0 and it does work. I get my nid and my login session
   is working! So, major hurdle accomplished, but I think I'd like to get to
   the bottom of this and find out what the real problem is.

   *A3:* 21600 seems a very obvious timezone issue.

   On Unix the timezone behavior of a process is determined by the setting
   of the TZ environment variable.
   To my best knowledge I always use gmtime(3),
   which to my best understanding ignores the TZ environment variable.
   However, it is possible that I erroneously, or the Shib IdP, use
   localtime(3), which does take TZ into account. Therefore I recommend
   launching all processes with the environment TZ=GMT (see the date
   example above).

97.4.2 Doubts
~~~~~~~~~~~~~

How to decode auto_flags

    0x1d54   1 = debug; d = FORMT + FORMF + MGMTC; 5 = METAC + LOGINC; 4 = SOAPC

97.5 Consent
------------

A frequent concern among the business people and lawyer types is
whether the architecture provides for consent by the user. Usually
this is related to (avoidance of) liability. If the system can be
said to have gathered the consent of the user, we are safe.

Unfortunately the standards do not mandate a uniform user interface,
thus there is no single specific way in which consent is gathered or
determined: it varies from one business situation and application to
another. Fortunately the Liberty and SAML 2.0 architectures provide
plenty of ways and hooks to gather and convey the consent. Consider the
following:

1. When arriving at the SP, the user chooses an IdP for SSO. This act
   of course manifests the user's intent to perform SSO.

2. The IdP can ask the user whether he wants to perform SSO to
   the SP (the IdP can ask this question even if the user is already
   logged in to the IdP, though most demos omit the question
   in the already logged in case).

   At this point the IdP may also ask whether the user
   wants to create a federation so that the SP can track
   the user. Creating a federation is consenting to be
   tracked by the SP.

   If the federation already exists, the IdP can still
   offer a choice: should the federation be used
   this time, i.e. does the user consent to be tracked
   this time specifically.
   If the user does not consent to the federation and use of
   the federation this time, but still consents to SSO,
   the SSO will be made using a temporary name ID.

3. If the user gives any Personally Identifying Information
   to the SP (beyond the federated pseudonym), then
   the SP may be able to "connect the dots" and
   correlate the user's actions on the SP with his actions
   in some other systems (technically this is called
   collusion).

   In a very technical sense users should be aware
   of this risk or implication and therefore by
   providing such information they are effectively
   consenting to be correlated across systems.

   However, lawyers would probably say that if
   the SP intends to correlate, it should state
   so to the user at the time the information is
   asked for, so that the user can make an informed decision.
   If, after being informed, the user still supplies
   the information, then the user is clearly
   consenting to the information being used for
   the stated purpose, i.e. correlation.

4. When the user starts to use an ID web service, the user is
   consenting to this service being visible to at least
   some parties (why use the service if you did not
   intend this).

   To make this consent explicit, the user interface
   of the ID Web Service can ask.

   Also, the Discovery Service can ask consent using
   the Liberty Interaction Service. It is quite
   appropriate for the DS to ask this consent
   because it allows the ACL to be set correctly
   right from the beginning, when the service is
   registered.

5. When the user later accesses an SP that needs to
   contact an ID Web Service, it could be
   construed that the user, by using the SP
   at all, is effectively consenting that the SP
   may access the ID Web Services of the user.
   If this is not enough, the Discovery Service
   can use the Interaction Service on a per service
   invocation basis to ask if the user consents
   to the specific request.

   Finally, the actual ID Web Service can also
   invoke the Interaction Service to ask the
   user to consent to the specific request,
   or otherwise enforce its policies.

6. When using the People Service, the inviter (Alice)
   consents to access by the invitee (Bob)
   by requesting an invitation string from the
   system.

   Once the invitation has been sent (and
   accepted by the invitee) there is no easy way
   to collect consent from the inviter on a per
   request basis. For example Alice may not
   be online at the time when Bob accesses
   her resource.

   Alice can later revoke Bob's invitation,
   but in the window between Alice sending
   the invite and revoking it, Bob can access
   Alice's resource without Alice actively
   consenting to every access.

   Of course the resource can implement ACL
   policies, like only allowing Bob to access
   the resource a limited number of times,
   such as once.

7. When the invitee (Bob) uses the inviter's (Alice's)
   ID Web Services (resources), Bob has
   consented to some form of tracking by
   Alice's resources by accepting the
   invite. Further consent may be obtained
   by Bob's own IdP, see bullet 2.

97.6 Deployment Planning
------------------------

Here is a rudimentary decision tree for deployment planning

1. List your applications
   a. Any provided by an external partner?
   b. Non web apps
2. Document your existing identity stores and approaches to
   a. User provisioning (when someone is employed)
   b. Application provisioning (when someone starts using an app)
   c. Authorization: how do you know who is supposed to be
      doing what?
   d. Deprovisioning: what happens when someone is fired?
   e. Login? Per app? Harmonized user names? Enterprise SSO?
3. Document your goal: federated SAML SSO über alles :-)
   a. Do you want to run an IdP?
   b. Could you out-source the IdP?
   c. Will your partners / customers be running their own IdPs?
   d. Will you participate in (or run) a single CoT or do you
      need to consider cross CoT inter-operation (e.g. IdP proxying)

To be continued...

97.7 Use of Signing and Crypto, Security Concerns
-------------------------------------------------

97.7.1 How is mod_auth_saml better than HTTP Basic Auth that it claims to emulate? HTTP Basic Auth does not address transport encryption. Is mod_auth_saml HTTP Basic Auth emulation vulnerable due to this?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> I have looked at HTTP basic auth and it does not provide any
> transport level security, is it secure to use HTTP basic auth with
> certificates? is it common to do it that way?

HTTP-Basic is a method for authenticating a user using username and
password. This is orthogonal to whether the connection is encrypted.
The most common current practice is to combine HTTP-Basic-Auth with TLS (SSL)
encryption. This is considered safe, to the extent that passwords
can ever be safe. mod_auth_saml keeps the TLS encryption part intact,
but improves on the password insecurity part by either allowing
non-password authentication, such as a Yubikey token, or at least allowing
one password disclosed to only one party (the IdP), rather than multiple
passwords at multiple parties (the weakness of the latter approach
is that users tend to use the same passwords at the multiple
parties, allowing each party to impersonate the user at the other
party - and then there is the guessable password vulnerability).
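Returning to the NotBefore / NotOnOrAfter rejection in 97.4, item 9: the following is an added Python example, not ZXID code, that performs the same Conditions check with the knobs the answers mention (BEFORE_SLOP and TIMEOUT_FATAL are named on the page; the AFTER_SLOP name and the exact message wording are assumptions modelled on the two log lines quoted there) and reproduces the 21600 / 21900 second figures from a constructed 6 hour skew between the issuer's timestamps and the SP's clock.

```python
from datetime import datetime, timedelta, timezone

# Added example, not ZXID code: a Conditions check with the knobs ZXID exposes.
# BEFORE_SLOP and TIMEOUT_FATAL are named on the page; AFTER_SLOP and the exact
# message wording are assumptions modelled on the two log lines in 97.4 item 9.

def parse_saml_time(text):
    """Parse an xsd:dateTime from a SAML Conditions element.
    SAML 2.0 requires UTC with a trailing 'Z'; anything else is refused so a
    peer that stamped local time fails loudly instead of looking like skew."""
    if not text.endswith("Z"):
        raise ValueError("SAML dateTime must be UTC with trailing Z: %r" % text)
    body = text[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def validate_conditions(not_before, not_on_or_after, now,
                        before_slop=7300, after_slop=7300, timeout_fatal=True):
    """Return (accepted, messages) for one assertion.

    before_slop:   seconds NotBefore may still lie in the future (BEFORE_SLOP).
    after_slop:    seconds past NotOnOrAfter still tolerated (assumed AFTER_SLOP).
    timeout_fatal: False means only log the violation (TIMEOUT_FATAL=0)."""
    nb = parse_saml_time(not_before)
    noa = parse_saml_time(not_on_or_after)
    to_validity = int((nb - now).total_seconds())   # > 0: not yet valid
    to_expiry = int((noa - now).total_seconds())    # > 0: still inside lifetime
    msgs, ok = [], True
    if to_expiry + after_slop <= 0:
        msgs.append("NotOnOrAfter rejected with slop of %d. Time to expiry %d secs"
                    % (after_slop, to_expiry))
        ok = False
    else:
        msgs.append("NotOnOrAfter ok. Time to expiry %d secs" % to_expiry)
    if to_validity > before_slop:
        msgs.append("NotBefore rejected with slop of %d. Time to validity %d secs"
                    % (before_slop, to_validity))
        ok = False
    else:
        msgs.append("NotBefore ok. Time to validity %d secs" % to_validity)
    if not ok and not timeout_fatal:
        msgs.append("TIMEOUT_FATAL=0: accepting assertion despite the rejection above")
        ok = True
    return ok, msgs

def demo():
    """Constructed scenario from the FAQ: the issuer's clock (or time zone) is
    6 hours ahead of the SP's idea of now, with a 5 minute assertion lifetime."""
    now = parse_saml_time("2010-01-12T14:41:57Z")
    nb = now + timedelta(hours=6)
    noa = nb + timedelta(minutes=5)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    args = (nb.strftime(fmt), noa.strftime(fmt), now)
    return {
        "default": validate_conditions(*args),            # rejected, as in the log
        "before_slop_22000": validate_conditions(*args, before_slop=22000),
        "timeout_fatal_0": validate_conditions(*args, timeout_fatal=False),
    }

if __name__ == "__main__":
    for name, (ok, msgs) in demo().items():
        print(name, "ACCEPT" if ok else "REJECT")
        for m in msgs:
            print("   ", m)
```

Widening BEFORE_SLOP to 22000 or setting TIMEOUT_FATAL=0 both make the demo pass, but only because the check is being loosened: an assertion that is genuinely 6 hours early is then accepted, which is the security implication A2 alludes to. Fixing the clock or TZ of the misconfigured host makes the default parameters pass.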
97.7.2 Recipe for debugging signature validation problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This mail thread fragment discusses how to debug signature problems
between ZXID deployments. If the signer is not ZXID, then you
need to figure out how to get it to print the canonicalized
form. Often this turns out to be surprisingly difficult because
the signing end uses some library which does not document
how this vital debugging information can be obtained.

<<logoutput:
> > Message digest does not match because canonicalizations
> > are different. You can dig the canonicalized forms of the body from /var/zxid/log/xml.dbg
> > There should be one entry from the time when the signature is created and another from the time
> > the signature validation was attempted. The two are different.
> >
> > BTW, I usually run
> >
> >   tailf /var/zxid/log/xml.dbg | ./xml-pretty.pl
> >

> The failure appears in the log as:
>
>   <!-- XMLBEG 1548:46 zxsig.c:308 zxsig_validate zx d call: VFY FAIL CANON BLOB len=337 -->
>   <a:MessageID xmlns:a="http://www.w3.org/2005/08/addressing"
>     xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     wsu:Id="MID" e:actor="http://schemas.xmlsoap.org/soap/actor/next"
>     e:mustUnderstand="1">urn:MlQY4jARBIitwHPf6vIIyk_LZ</a:MessageID>
>   <!-- XMLEND 1548:46 -->
>
> now what?

Yes, this is the failure, but somewhere earlier in the log (perhaps in a different server - the
WSC server), there should be a block labelled similar to

    <!-- XMLBEG 13098:108 zxsig.c:124 zxsig_sign zx d call: SIG CANON len=337 -->
    ...
    <!-- XMLEND 13098:108 -->

You can find it quickly by searching backwards for something like the message ID or timestamp
string.
That block indicates how the signer canonicalized the blob. I claim the two will turn
out to be different. Once the difference is known, I can investigate whether it is
my bug or due to somehow malformed or incomplete input.
>>

97.7.3 Signature validation problems in body
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In a typical web service call, using the zxid_call() API, the programmer supplies
a fragment of payload XML. This can be a source of canonicalization problems.

ZXID will attempt to canonicalize it on the basis of well formed XML, and if it is not
well formed, it will almost certainly give unpredictable results.

Another common problem is omitting namespace declarations: ZXID considers
all XML to have a namespace, and if it does not find a namespace, then it will
fabricate one. By supplying a namespace declaration, you control the situation
instead of relying on an unpredictable fabricated one.

97.7.4 VFY FAIL CANON SIGINFO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The logs say VFY FAIL CANON SIGINFO

Basically a signature has message digests at two layers: 1. over
the payload data (e.g. #BDY), 2. over the <SignedInfo> element. The latter
is what gets private key encrypted (signed) when the signature is made. The
encrypted value appears in <SignatureValue>.

The validation decrypts <SignatureValue> with the public key from the cert. If
the public key does not match the private key, you will get, if you
are lucky, a padding error, which you were getting earlier. But if you
are not lucky, you will just get a garbage decrypt.

The garbage decrypt is then compared against the message digest computed
over <SignedInfo>.

This is reported as VFY FAIL CANON SIGINFO, which may be misleading if
the real reason was a garbage decrypt.
However, it would be the right
error message in case the <SignatureValue> decrypt was valid, but the
<SignedInfo> had actually been tampered with.

I would concentrate the investigation on the theory of a garbage decrypt
due to a wrong certificate.

The certificate for signature validation is chosen on the basis of
the <Sender> header's ~providerID~ XML attribute.

97.7.5 Perils of Turning Off AuthnReq Signing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Q: In response to signature problems relating to a missing root
authority certificate and AuthnRequest, the other vendor is proposing
that they do not require signed requests for web applications. Is it
possible to turn off the need for certificates?

A: Yes. In the SP's zxid.conf, set AUTHN_REQ_SIGN=0

However, this opens the IdP to a variant of the unsolicited
request attack, as it would not know whether the request is coming from
a legitimate source. It saves the request signature verification cost,
but allows Denial of Service by incurring the SAML assertion generation and
signing cost. You could argue that these cancel each other out. In any
case the user would be entering the password at a legitimate place: the IdP,
so this is not really a phishing attack.

If the IdP is buggy and blindly trusts the AssertionConsumerServiceURL
field in the authentication request, not verifying the request
signature could lead to an inappropriate party being able to obtain the
SSO assertion. Unless the assertion is encrypted (the default in
ZXID), this could lead to that party gaining knowledge of the
attributes passed in that assertion. It is not uncommon for IdPs to be
buggy in this way (as of 2012). Such a bug constitutes a violation of the
SAML2 specs, but may not be caught in software testing as everything
seems to work. Only negative testing would catch it. (Needless to say,
zxididp paid attention to this detail.)
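An added Python example, not zxididp code, of the IdP-side check that the paragraph above says buggy IdPs skip: once AUTHN_REQ_SIGN=0 the AssertionConsumerServiceURL in the request is unauthenticated, so the IdP must only ever deliver the Response to an AssertionConsumerService Location registered in the SP's own metadata, and let the request pick among those but never introduce a URL of its own. The metadata below is constructed (the entity ID is the FAQ's sp1.zxidsp.org example; the Location values and the attacker URL are assumptions used as placeholders).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed SP metadata. Entity ID as in the FAQ; endpoint Locations are assumptions.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp1.zxidsp.org:8443/zxid?o=B">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp1.zxidsp.org:8443/zxid"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp1.zxidsp.org:8443/zxid"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def load_acs_endpoints(metadata_xml):
    """Registered AssertionConsumerService endpoints of the SP, from its metadata."""
    root = ET.fromstring(metadata_xml)
    eps = [{"index": int(e.get("index")),
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "default": e.get("isDefault", "false").lower() == "true"}
           for e in root.iter(MD + "AssertionConsumerService")]
    if not eps:
        raise ValueError("SP metadata registers no AssertionConsumerService")
    return eps

def _norm(url):
    """Comparison key: https only, host case-insensitive, default port made
    explicit, path and query compared exactly (no prefix or substring matching)."""
    u = urlsplit(url)
    if u.scheme.lower() != "https":
        raise ValueError("AssertionConsumerService must be https: %r" % url)
    return ((u.hostname or "").lower(), u.port or 443, u.path, u.query)

def choose_acs(endpoints, acs_url=None, acs_index=None, binding=None):
    """Pick the endpoint the Response goes to. The request may select among
    the registered endpoints; it can never introduce a URL of its own."""
    if acs_url is not None:
        want = _norm(acs_url)
        for ep in endpoints:
            if _norm(ep["location"]) == want and (binding is None or ep["binding"] == binding):
                return ep
        raise PermissionError("AssertionConsumerServiceURL %r not in SP metadata" % acs_url)
    if acs_index is not None:
        for ep in endpoints:
            if ep["index"] == acs_index:
                return ep
        raise PermissionError("AssertionConsumerServiceIndex %r not in SP metadata" % acs_index)
    defaults = [ep for ep in endpoints if ep["default"]]
    return (defaults or endpoints)[0]

def demo():
    eps = load_acs_endpoints(SP_METADATA)
    legit = choose_acs(eps, acs_url="https://SP1.zxidsp.org:8443/zxid")["index"]
    try:
        # placeholder for a URL supplied by someone other than the SP: must be refused
        choose_acs(eps, acs_url="https://acs.attacker.invalid/collect")
        refused = False
    except PermissionError:
        refused = True
    return legit, refused, choose_acs(eps)["index"]
```

This is the negative test the paragraph says is needed: an IdP that passes it still saves the request signature verification, but an unsigned request can at most choose which of the SP's registered endpoints receives the (encrypted) assertion.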
97.8 Audit Trail
----------------

1. How can I see what attributes the single sign on assertion contains?

   From the IdP side (assuming zxididp, for other IdPs consult the respective documentation):

   a. Locate the SSOA7N line in the IdP activity log, e.g.

          grep SSOA7N /var/zxid/log/act

      which might return (single line, linewrap is only for this document)

          PP - 20100112-144157.750 20100112-144157.750 127.0.0.1:- \
            9u_7LsQjkz0VaXKucmx1_sYjQnM - AWTILy8_0yre96om7n4H-4fMW ENC \
            zxidp U K SSOA7N - -

   b. The 8th field is the assertion ID, here AWTILy8_0yre96om7n4H-4fMW. With
      the A7N ID you can grep the issued assertions, e.g.

          grep -l AWTILy8_0yre96om7n4H-4fMW /var/zxid/idplog/issue/*/a7n/*

      which might return something like

          /var/zxid/idplog/issue/9u_7LsQjkz0VaXKucmx1_sYjQnM/a7n/MxevnQGqKFwyBTPUZ-hI7m1PR-Q

      This file contains the assertion in plain text. You can inspect it to
      see what NameID is sent and what attributes are sent. One convenient command is

          grep -l AWTILy8_0yre96om7n4H-4fMW /var/zxid/idplog/issue/*/a7n/* \
            | xargs cat | ./xml-pretty.pl

   From the SP side the steps would be

   i. Locate the FEDSSO line

          grep FEDSSO /var/zxid/log/act

      which might return (single line, linewrap is only for this document)

          PP - 20100112-144639.184 20100112-144157.501 -:- \
            xsKJr3DL7sUPDdbdqgC2H_eP-UM - AWTILy8_0yre96om7n4H-4fMW \
            FIrFwFdR4wO2UFLQZl8c3LlUW zx O K FEDSSO MSES6GOG4ta-nQdYlRVJriv24dj8 -

   ii. The 8th field is the assertion ID. To locate the assertion in the rely
       audit trail of the SP you can grep as follows:

           grep -l AWTILy8_0yre96om7n4H-4fMW /var/zxid/log/rely/*/a7n/* \
             | xargs cat | ./xml-pretty.pl

97.9 Vendor products
--------------------

97.9.1 Symlabs Federated Identity Suite (SFIS)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interoperates. SP and IdP.

Metadata import to IdP?

What I usually do is

    cd /opt/SYMfiam/3.0.x/conf/symdemo-idpa
    echo 'sp: zxid-sp1$https://sp1.zxidsp.org:8443/zxid?o=B$$' >>cot.ldif

Double check with a text editor that the file is sensible.
Note that the single quotes are essential as the dollars
are to be interpreted literally, as separators.

    cd pem
    wget -O zxid-sp1.xml 'https://sp1.zxidsp.org:8443/zxid?o=B'

Here the intent is to fetch the metadata from the SP and
store it in a file whose name (without the .xml extension)
matches the first component of the sp: line. I am not
100% sure on the wget syntax. You can also use a browser
to fetch the metadata and simply Save As under the
correct name.

    /opt/SYMfiam/3.0.x/conf/symdemo-idpa/start.sh restart

This should restart the IdP server process and cause a
refresh of the metadata it may have cached. You may
want to

    tail -f /opt/SYMfiam/3.0.x/conf/symdemo-idpa/log/debug.log

to see if it's getting indigestion.

N.B. FIAM seems to have NameID encryption on by default. Turn
this off by editing slimidp.ldif:

    encnids: 0

If this is not done, the SSO will fail (with what looks like a signature
error).

97.9.2 Shibboleth and OpenSAML
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Shibboleth 2.1.5 IdP interoperates since 0.65. Earlier versions
interoperated in some configurations.

Many Shibboleth SPs interoperate (exact version numbers lost).
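An added Python example, not ZXID code, that automates the two grep steps of 97.8 above: it parses act-log lines laid out like the ones quoted there (8th field = assertion ID, 13th field = SSOA7N on the IdP / FEDSSO on the SP; the remaining columns are left unlabelled because the page does not define them), joins the IdP's SSOA7N event to the SP's FEDSSO event on the assertion ID so one SSO can be followed end to end, and replays the grep -l over an in-memory stand-in for the a7n directories. All log lines, file paths and file contents below are constructed; the first line of each log and the first path are the FAQ's own values.

```python
import fnmatch

# Constructed act-log samples laid out like the lines quoted in 97.8
# (one event per line; the first line of each is the FAQ's own example).
IDP_ACT = """\
PP - 20100112-144157.750 20100112-144157.750 127.0.0.1:- 9u_7LsQjkz0VaXKucmx1_sYjQnM - AWTILy8_0yre96om7n4H-4fMW ENC zxidp U K SSOA7N - -
PP - 20100112-150301.002 20100112-150301.002 127.0.0.1:- 9u_7LsQjkz0VaXKucmx1_sYjQnM - CONSTRUCTED_a7n_id_0002 ENC zxidp U K SSOA7N - -
"""
SP_ACT = """\
PP - 20100112-144639.184 20100112-144157.501 -:- xsKJr3DL7sUPDdbdqgC2H_eP-UM - AWTILy8_0yre96om7n4H-4fMW FIrFwFdR4wO2UFLQZl8c3LlUW zx O K FEDSSO MSES6GOG4ta-nQdYlRVJriv24dj8 -
PP - 20100112-151200.000 20100112-151159.900 -:- xsKJr3DL7sUPDdbdqgC2H_eP-UM - CONSTRUCTED_a7n_id_9999 FIrFwFdR4wO2UFLQZl8c3LlUW zx O K FEDSSO MSES6GOG4ta-nQdYlRVJriv24dj8 -
"""
# Constructed stand-in for the on-disk audit trail: path -> file contents.
A7N_FILES = {
    "/var/zxid/idplog/issue/9u_7LsQjkz0VaXKucmx1_sYjQnM/a7n/MxevnQGqKFwyBTPUZ-hI7m1PR-Q":
        '<Assertion ID="AWTILy8_0yre96om7n4H-4fMW"><!-- constructed --></Assertion>',
    "/var/zxid/log/rely/xsKJr3DL7sUPDdbdqgC2H_eP-UM/a7n/CONSTRUCTED_relycopy":
        '<Assertion ID="AWTILy8_0yre96om7n4H-4fMW"><!-- constructed SP-side copy --></Assertion>',
    "/var/zxid/idplog/issue/9u_7LsQjkz0VaXKucmx1_sYjQnM/a7n/CONSTRUCTED_other":
        '<Assertion ID="CONSTRUCTED_a7n_id_0002"/>',
}

A7N_FIELD = 7    # "the 8th field is the assertion ID" (zero-based 7)
OP_FIELD = 12    # 13th field: SSOA7N on the IdP, FEDSSO on the SP

def parse_act(text):
    """Split act-log lines into {ts, a7n, op, raw}; lines too short to carry
    the 13th field are skipped rather than mis-attributed."""
    events = []
    for raw in text.splitlines():
        f = raw.split()
        if len(f) <= OP_FIELD:
            continue
        events.append({"ts": f[2], "a7n": f[A7N_FIELD], "op": f[OP_FIELD], "raw": raw})
    return events

def correlate_sso(idp_text, sp_text):
    """Join each SP FEDSSO event to the IdP SSOA7N event that issued the same
    assertion ID. A FEDSSO with no matching issue record is reported with
    issued=None: that assertion is not in this IdP's audit trail at all."""
    issued = {e["a7n"]: e["ts"] for e in parse_act(idp_text) if e["op"] == "SSOA7N"}
    return [{"a7n": e["a7n"], "issued": issued.get(e["a7n"]), "consumed": e["ts"]}
            for e in parse_act(sp_text) if e["op"] == "FEDSSO"]

def grep_l(needle, files, pattern):
    """Offline equivalent of: grep -l NEEDLE PATTERN (shell glob over files)."""
    return sorted(p for p, body in files.items()
                  if fnmatch.fnmatch(p, pattern) and needle in body)

def demo():
    trail = correlate_sso(IDP_ACT, SP_ACT)
    a7n = trail[0]["a7n"]
    return (trail,
            grep_l(a7n, A7N_FILES, "/var/zxid/idplog/issue/*/a7n/*"),
            grep_l(a7n, A7N_FILES, "/var/zxid/log/rely/*/a7n/*"))
```

The second SP line in the sample is there to show the detection angle of this join: a FEDSSO whose assertion ID never appears in the IdP's SSOA7N records came from somewhere other than the IdP whose log you are reading, which is worth a closer look at the rely copy of that assertion.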
97.9.3 Lasso and Authentic
~~~~~~~~~~~~~~~~~~~~~~~~~~

Used to work, maybe still does. Not tested in recent memory.

97.9.4 OpenSSO
~~~~~~~~~~~~~~

Used to work, maybe still does. Not tested in recent memory.

97.9.5 simpleSAMLphp
~~~~~~~~~~~~~~~~~~~~

Interoperates, but as of Sept 2010, the simpleSAMLphp IdP has problems with
EncryptedAssertions. Nothing ZXID can do (but you can turn off the
encryption if you are willing to assume the consequences).

simpleSAMLphp SP works.

97.9.6 Ping
~~~~~~~~~~~

Not tested in recent memory.

97.9.7 SiteMinder
~~~~~~~~~~~~~~~~~

CRLF emitting. Works since 0.65.

97.9.8 Bouncy Castle vs. OpenSSL Padding Problem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There is an XML ENC padding problem between OpenSSL and the Bouncy Castle
Java Crypto Library. See OpenSSL bug number 1067:
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1067

<<logoutput:

From: sampo@symlabs.com
To: rt@openssl.org, xml-encryption@w3.org
Cc: eric@projectliberty.org, sampo@symlabs.com
Subject: OpenSSL symmetric crypto padding check incompatible with XMLENC
Date: Thu, 12 May 2005 20:22:50 +0000

Please find below a patch, with spec reference, against OpenSSL 0.9.7g.

It could be argued that the XMLENC spec is wrong in insisting on unpredictable
values for the padding because this allows padding to be used as a
covert channel. However, to deploy interoperable implementations it seems
patching OpenSSL is the right thing to do. It has been observed that
other crypto libraries, such as Bouncy Castle (a pure Java
implementation) do not set all padding bytes to OpenSSL's satisfaction.
--Sampo

--- evp_enc.c~ 2005-01-28 14:03:53.000000000 +0000
+++ evp_enc.c 2005-05-12 03:26:44.000000000 +0000
@@ -509,6 +509,21 @@
EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
return(0);
}
+#ifdef PADDING_CHECK
+ /* Following loop checks that all padding has known value,
+ * presumably to prevent covert channel or some form of
+ * chosen text attack. However this check is in violation
+ * of [XMLENC] specification section 5.2 subsection
+ * "Padding", which states that only last octet of the
+ * block matters and values of other octets are not
+ * predictable. Thus to implement XMLENC decryption with
+ * openssl it is necessary to disable this code.
+ * -- 11.5.2005, Sampo Kellomaki (sampo@symlabs.com)
+ *
+ * [XMLENC] D. Eastlake, ed., XML Encryption Syntax and
+ * Processing, W3C Recommendation 10. Dec. 2002,
+ * http://www.w3.org/TR/2002/REC-xmlenc-core-20021210 */
+
for (i=0; i<n; i++)
{
if (ctx->final[--b] != n)
@@ -517,6 +532,7 @@
return(0);
}
}
+#endif
n=ctx->cipher->block_size-n;
for (i=0; i<n; i++)
out[i]=ctx->final[i];

-----------

OpenSSL is complying with various other standards with its current
behaviour. For example PKCS#7.

If the EVP functions are being called directly (instead of inside
OpenSSL in its PKCS#7 code for example) you can disable the padding
altogether with EVP_CIPHER_CTX_set_padding() and perform padding and pad
checking at an application level.

Steve.
>>

Since ZXID version 0.65 (Oct 2010), this has been addressed via
the EVP_CIPHER_CTX_set_padding() route.

97.9.9 Active Directory Federation Services (ADFS)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ZXID 1.02 SP has been confirmed to work with ADFS IdP (STS,
unknown version in April 2012).

Sometimes the ADFS IdP does not emit an assertion at all. There seems to be
some configuration change in ADFS relative to its default install that is
needed to get it to emit SAML2. The symptom may be the following ZXID
debug log (see Apache error.log, catalina.out, or
/var/tmp/zxid.stderr, depending on your installation) entries:

    p2192 zxlog.c:682 zxlog_blob zx d dec_redir_post nosig: LOGBLOB15(<samlp:Response) len=3994 path(/var/zxid/log/rely/hJ7us-0hhS2XLwl3VTPZoStmgRY/wir/n4CfarJbNloArnYTCI1BfOmIHg4)
    p2192 zxidlib.c:540 zxid_saml_ok zx E SAML Fail what(SAMLresp) SC1(urn:oasis:names:tc:SAML:2.0:status:Responder)

although this could be caused by other errors that send a status. Basically
you can check the file indicated by the path on the LOGBLOB15 line and
verify that it does not have an Assertion. The Status element may also
have a human readable error string, though in the specific case of ADFS refusing
to send an assertion, no human readable error was supplied. At any
rate, the status code

    urn:oasis:names:tc:SAML:2.0:status:Responder

signifies that the error happened due to the IdP (which is responding
to the AuthnRequest, hence "Responder") and that the request sent by the
SP was considered OK.

Sometimes the ADFS IdP emits an assertion without a NameID (or EncryptedID)
element, which makes it difficult for other SAML2 compliant SPs to
work. The symptom may be the following ZXID debug log (see Apache
error.log, catalina.out, or /var/tmp/zxid.stderr, depending on your
installation) entries:

    p18379 zxidlib.c:662 zxid_chk_sig zx d No signature in Response
    p18379 zxidlib.c:595 zxid_decrypt_nameid zx E ssof: Neither NameID nor EncryptedID available 0
    p18379 zxidsso.c:617 zxid_sp_sso_finalize zx E ssof: SSO failed: assertion does not have Subject->NameID. 0x0

Reportedly the fix at the ADFS IdP side is

> "Create a claim rule to set the PartnerImmutableID as the unique identifier.
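Review bot: the "#ifdef PADDING_CHECK" / "#endif" pair added in the two hunks of the evp_enc.c patch quoted in 97.9.8 above turns OpenSSL's per-byte padding check off for every EVP_DecryptFinal caller by default, not only for XMLENC consumers, because nothing in the patch defines PADDING_CHECK; that silently weakens PKCS#7 padding validation for every other user of the library, which is exactly the objection Steve's reply raises. Suggest keeping the strict loop as the default and letting the XMLENC path opt out per cipher context instead, which EVP_CIPHER_CTX_set_padding() already allows (the route ZXID 0.65 eventually took); if a compile-time switch is retained at all, invert it, e.g. "#ifndef XMLENC_LAX_PADDING", so that the secure behaviour is what a build gets without extra flags. Note that the count-byte range test on the EVPerr(...BAD_DECRYPT) context line is left in place by the patch and is still required by XMLENC 5.2 (the count must be 1..block size), so only the per-byte loop needs to become optional.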
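An added Python example, not OpenSSL or ZXID code, that makes the padding disagreement in 97.9.8 above concrete: pad_pkcs7 / unpad_strict_pkcs7 reproduce the rule of the loop in OpenSSL's EVP_DecryptFinal (every padding byte must equal the count), while pad_xmlenc / unpad_xmlenc follow XMLENC section 5.2 (only the last octet is meaningful, the other padding octets are arbitrary), which is the application-level check Steve's reply suggests doing once EVP_CIPHER_CTX_set_padding() has turned the built-in one off. The plaintext and filler bytes are constructed, and no cipher is involved, because the disagreement is entirely about the final padding block.

```python
import os

BLOCK = 16   # block size of the AES-CBC ciphers XMLENC uses

def pad_pkcs7(data, block=BLOCK):
    """PKCS#7: append n bytes each of value n, 1 <= n <= block."""
    n = block - len(data) % block
    return data + bytes([n]) * n

def pad_xmlenc(data, block=BLOCK, filler=None):
    """XMLENC 5.2: append n bytes, the last one = n, the rest arbitrary
    (random here, or a fixed filler so results are reproducible in tests)."""
    n = block - len(data) % block
    body = (filler if filler is not None else os.urandom(block))[:n - 1]
    return data + body + bytes([n])

def _count(buf, block):
    """The check both schemes share, and the one the 2005 patch left in place:
    the count byte must be in 1..block and the input a whole number of blocks."""
    if not buf or len(buf) % block:
        raise ValueError("bad decrypt: not a whole number of blocks")
    n = buf[-1]
    if n == 0 or n > block:
        raise ValueError("bad decrypt: padding count %d out of range" % n)
    return n

def unpad_strict_pkcs7(buf, block=BLOCK):
    """OpenSSL's built-in rule: every one of the n padding bytes must equal n."""
    n = _count(buf, block)
    if any(b != n for b in buf[-n:]):
        raise ValueError("bad decrypt: padding bytes are not all %d" % n)
    return buf[:-n]

def unpad_xmlenc(buf, block=BLOCK):
    """XMLENC rule: only the last octet matters; other padding octets are ignored.
    Apply this after EVP_CIPHER_CTX_set_padding(ctx, 0) when decrypting XMLENC data."""
    n = _count(buf, block)
    return buf[:-n]

def demo(plaintext=b"constructed secret", filler=b"\xaa" * BLOCK):
    """Which unpadders accept a block padded the way Bouncy Castle pads it?
    Returns (strict_pkcs7_accepts, xmlenc_recovers_plaintext)."""
    bc_style = pad_xmlenc(plaintext, filler=filler)   # non-uniform pad bytes
    try:
        unpad_strict_pkcs7(bc_style)
        strict_ok = True
    except ValueError:
        strict_ok = False                              # what OpenSSL reported
    return strict_ok, unpad_xmlenc(bc_style) == plaintext
```

A PKCS#7-padded block passes both unpadders, so an application that switches to the XMLENC rule loses nothing on interoperability with strict peers; what it gives up is the detection of tampered padding bytes, which is why the switch belongs in the XMLENC decryption path only and not in a global library default.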
1388> This should then send it as the SAML NameID in assertion." 1389 139097.10 Known Bugs 1391---------------- 1392 1393Following are known limitations. We document them here 1394because we do not plan to fix them in foreseeable future. 1395 13961. Namespace qualified XML attributes have underscore instead of colon 1397 139897.11 Mysterious Error Messages 1399------------------------------- 1400 1401"Random number generator not seeded!!!" 1402 1403This warning indicates that randomize() was not able to read 1404/dev/random or /dev/urandom, possibly because your system does not 1405have them or they are differently named. You can still use SSL, but 1406the encryption will not be as strong. Investigate setting up 1407EGD (entropy gathering daemon) or PRNG (Pseudo Random Number 1408Generator). Both are available on the net. 1409 1410"msg 123: 1 - error:140770F8:SSL routines:SSL23_GET_SERVER_HELLO:unknown proto" 1411 1412SSLeay error string. First number (123) is PID, second number (1) indicates 1413the position of the error message in SSLeay error stack. You often see 1414a pile of these messages as errors cascade. 1415 1416"msg 123: 1 - error:02001002::lib(2) :func(1) :reason(2)" 1417 1418The same as above, but you didn't call load_error_strings() so SSLeay 1419couldn't verbosely explain the error. You can still find out what it 1420means with this command: 1421 1422 /usr/local/ssl/bin/ssleay errstr 02001002 1423 142497.11.1 snprintf() multibyte character related errors in log 1425~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1426 1427This is due to locale setting. Try 1428 1429 export LANG=C 1430 1431This will disable any UTF-8 processing in sprintf(). 1432 1433BTW, Win32 native _snprintf() on does not nul terminate if buffer is 1434full. Gotcha! All zxid code has additional manual nul termination, 1435just in case. 
97.11.2 My own messages are redirected back to me
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In several SAML profiles an HTTP redirect is performed to
send the user to the other party, usually with a request or
response in the query string.

A mysterious error is when you see yourself receiving
as input the stuff that was supposed to be sent to the
other end. The way this happens is: if for some reason the
other party's URL can not be determined, then the
Location header will consist only of the query string
that you are trying to send. Without the domain name part
of the URL, the browser will redirect back to the
web site where the redirection came from. This is
called a "local redirect" and is usually the cause
of you receiving your own output as input.

To fix this, make sure you have the other site's metadata
and make sure it parses and loads correctly. If that
does not resolve the problem, see if the metadata
has any binding for the operation you are trying.
No binding will result in no URL.

97.12 Certificates and Private Keys
-----------------------------------

97.12.1 Password is being asked for private key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is normal behaviour if your private key is encrypted. Either
you have to supply the password or you have to use an unencrypted
private key.

One way to remove the password is

    openssl rsa -in key.pem -out keyout-nopw.pem

For this to work, key.pem must have only the private key. On the other
hand, for ZXID to work, the file must have both the certificate and the
private key. You will need to use your favorite text editor to
accomplish this.

Scan OpenSSL.org for the FAQ for a full explanation of how to
remove the password from a private key.
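The local redirect described under 97.11.2 above, as an added Python example that is not ZXID code: endpoint() resolves the peer's URL from its metadata for one operation and binding, naive_location() shows how a missing endpoint degrades the Location header to a bare query string, is_local_redirect() is the check a log-reading script can apply to a header that was already sent, and build_redirect_location() refuses to redirect at all in that case. The IdP metadata is constructed (entity ID and Locations are placeholders) and deliberately offers Single Logout only over HTTP-POST, so a redirect-binding logout has no URL to go to.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlencode

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata: SSO is offered over HTTP-Redirect, but SLO only over
# HTTP-POST, so an SP that sends its LogoutRequest by redirect finds no URL.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def endpoint(metadata_xml, service, binding):
    """Location of <md:SERVICE> with the given Binding, or None if the peer
    does not offer that operation over that binding."""
    root = ET.fromstring(metadata_xml)
    for e in root.iter(MD + service):
        if e.get("Binding") == binding:
            return e.get("Location")
    return None

def naive_location(base, params):
    """The failure mode from the FAQ: base is None when no endpoint was found,
    so the header degrades to a bare query string (a relative reference)."""
    return (base or "") + "?" + urlencode(params)

def is_local_redirect(location):
    """True if a Location header would send the browser back to the current
    site: no scheme or no host, i.e. a relative reference per RFC 3986."""
    u = urlsplit(location)
    return not (u.scheme and u.netloc)

def build_redirect_location(metadata_xml, service, binding, params):
    """Safe version: fail instead of emitting a local redirect when the
    metadata has no endpoint for this operation and binding."""
    base = endpoint(metadata_xml, service, binding)
    if base is None:
        raise LookupError("peer metadata has no %s for binding %s" % (service, binding))
    sep = "&" if "?" in base else "?"
    loc = base + sep + urlencode(params)
    assert not is_local_redirect(loc)   # absolute by construction
    return loc

def demo():
    params = {"SAMLRequest": "constructed-deflated-base64", "RelayState": "x"}
    sso = build_redirect_location(IDP_METADATA, "SingleSignOnService", REDIRECT, params)
    bad = naive_location(endpoint(IDP_METADATA, "SingleLogoutService", REDIRECT), params)
    try:
        build_redirect_location(IDP_METADATA, "SingleLogoutService", REDIRECT, params)
        refused = False
    except LookupError:
        refused = True
    return is_local_redirect(sso), bad, is_local_redirect(bad), refused
```

When build_redirect_location() raises, the right reaction is the one the section gives: check that the peer's metadata loaded, then either use a binding the metadata does list (HTTP-POST here) or get the peer to publish the missing endpoint.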
97.12.2 Quick command for looking at certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(*** also appears in zxid-cot.pd)

Sometimes you get warning messages (in the browser) or signature
validation errors (at the IdP end) because the Subject field of the
certificate does not match your actual domain name. You can
check this with

    openssl x509 -text </var/zxid/pem/ssl-nopw-cert.pem | grep Subject:

If the domain name is different, then you need to obtain a certificate
with the correct domain name, see next question.

97.12.3 Self signed certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(*** also appears in zxid-cot.pd)

ZXID ships with zxid.pem, which by default gets copied to /var/zxid/pem
under various different names. This is fine for testing, but disastrous
for production or security sensitive use, as the private key corresponding
to the zxid.pem certificate is public knowledge (it is distributed with
every copy of ZXID) - it offers no security and no non-repudiation
whatsoever.

For a production or security sensitive install you need to either

1. Obtain certificates from an official certification authority,
   usually a commercial one. ZXID uses the same certificate format as
   Apache (i.e. the pem format), so acquiring certificates is easy. Or,

2. Generate your own certificate. The simplest case is a self signed
   certificate:

       openssl req -new -x509 -nodes -keyout pkey.pem -out cert.pem
       cat cert.pem pkey.pem >/var/zxid/pem/ssl-nopw-cert.pem

The cat step is there because you need to supply both the certificate
and the private key in the same file for ZXID to understand it.

> Warning: Although ZXID wants to see the private key in the same
> file as the certificate, you MUST NOT give this concatenated
> file to any outsider.
Others have legitimate need to know your 1528> certificate, but they MUST NOT know your private key. If they 1529> ask, you should take special care to delete the private key from 1530> the file prior to giving it to them. Often those who need to 1531> get your certificate, actually need your metadata: just tell them 1532> to fetch it from the Well Known Location URL (i.e. the Entity ID 1533> of your SP). ZXID will never leak the private key to the metadata. 1534 153597.12.4 Installing CA Certificates 1536~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1537 1538Some versions of libcurl apparently do not respect setting 1539CURLOPT_SSL_VERIFYHOST to 0 and thus require a CA certificate to be 1540trusted. This may result SSL connection error messages like 1541 1542 CURLcode(35) CURLerr(SSL connect error) 1543 1544See: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl 1545 1546To fix this 1547 15481. Determine what is your OpenSSL library's directory ("OPENSSLDIR") 1549 1550 strace -e file openssl version 2>&1 | grep openssl.cnf 1551 1552 may result 1553 1554 open("/apps/openssl/0.9.8g/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3 1555 1556 Here the /apps/openssl/0.9.8g/ssl/ is the ~OPENSSLDIR~. 1557 15582. Download from the certificate authority their certificate 1559 in PEM format ("Apache" format) and save it in OPENSSLDIR/cert.pem 1560 1561 15623. Check 1563 1564 openssl verify -CApath OPENSSLDIR/certs/ OPENSSLDIR/cert.pem 1565 1566 which should in successful case print 1567 1568 /apps/openssl/0.9.8g/ssl/certs/the_ca.pem: OK 1569 1570 If the hash is not right, it will print something like 1571 1572 /apps/openssl/0.9.8g/ssl/certs/the_ca.pem: /C=US/O=TheCA/OU=TheCA 1573 error 18 at 0 depth lookup:self signed certificate 1574 OK 1575 15764. Alternative approach using certs/ directory with hashes. Save the 1577 certificate under OPENSSLDIR/certs with any name (say, the_ca.pem) 1578 15795. 
Create a hash 1580 1581 cd OPENSSLDIR 1582 ln -s the_ca.pem `openssl x509 -hash -noout -in the_ca.pem`.0 1583 15846. Check: see step 3, substituting cert.pem with the_ca.pem. 1585 158697.13 Author's Pet Peeves 1587------------------------- 1588 15891. What is Schema Grammar (.sg) and why are you using it? 1590 * Schema Grammar is a compact formal description of XML documents. It is 1591 mostly bidirectionally convertible to XML Schema (XSD) and captures 1592 the useful essence of most XML schemata. 1593 * Schema Grammars are intuitive and compact, often allowing the 1594 essence to be understood at glance, and even most complex cases 1595 being only about 50% of the volume of the corresponding XSD. 1596 * We use Schema Grammar descriptions because they are more human readable 1597 than XSD and still equally amenable to automated code generation. 1598 * Schema Grammar descriptions are usually converted using xsd2sg.pl, which is 1599 part of the PlainDoc distribution. 1600 * See http://mercnet.pt/plaindoc 1601 * N.B. You do not need xsd2sg.pl or PlainDoc if you just want to compile and use ZXID. 1602 16032. What is PlainDoc (.pd)? 1604 * PlainDoc is a document preparation system that uses intuitive plain text files 1605 with minimal markup to generate PDF and HTML outputs. 1606 * We use PlainDoc because it makes it easy to maintain documentation. 1607 * See http://mercnet.pt/plaindoc 1608 * N.B. You do not need PlainDoc if you just want to compile and use ZXID. 1609 16103. How come zxid is so heavy to compile? 1611 * SAML 2.0 and related specs have a lot of functionality and detail, even 1612 if you really only need 1% of it. We do not wish to arbitrate which 1613 functionality is best or most needed, so we simply provide it all. 1614 * A lot of the code is generated, thus the input for C compiler is well 1615 in excess of half a million lines of code (of which only about 6k 1616 were written by a human). 1617 * Some of the generated files are gigantic, e.g. 
Net/SAML/zxid_wrap.c 1618 is over 380k lines. Compiler has to process all of this as a single 1619 compilation unit. 1620 * gcc and gnu ld were, perhaps, not designed to process this large inputs 1621 efficiently. Often the implementation strategy of keeping 1622 everything in memory will cause a smaller machines to swap. 1623 * My 1GHz CPU, 256 MB RAM machine definitely swaps and thus 1624 takes about 45 minutes to compile all this stuff. 1625 * I recommend at least 1GB RAM and 3GHz CPU for development 1626 machine. On such machine, you should be able to build in about 10 min. 1627 16284. Why do you not use ./configure and GNU autoconf? 1629 * ~autoconf~ is not for everyone. World does not stop without 1630 ~autoconf~. Or indeed need ~autoconf~. It is Yet Another Dependency 1631 I Do Not Need (YADIDNN). 1632 * I find the GNU ~autoconf~ stuff much more difficult to understand than 1633 my own ~Makefile~. Why should I debug ~autoconf~ when I could 1634 spend the time debugging my ~Makefile~ or the actual code? 1635 * I find resolving problems much easier at source code and ~Makefile~ level 1636 than trying to debug a million line script generated by some system 1637 I do not understand (perhaps some hardcore ~autoconf~ advocate could 1638 try to convince me and educate me, but I doubt). 1639 * My policy is to only support systems I have first hand experience with, 1640 or I have trustworthy friends to rely on. It does not help me 1641 to have a system that tries to guess +gazillion irrelevant variables+ 1642 to an unpredictable state. It's much easier to stick to standards like 1643 POSIX and make sure you have predictable results from predictable inputs. 1644 * If the deterministic and predictable results are wrong, they can 1645 at least be debugged and fixed with a finite amount of work. 1646 * Supporting all relevant systems manually is not that much of work. 
     The inhabitants of the irrelevant systems can support themselves, probably
     learning a great deal on the side.

97.13.1 What does ZXID aim at - an answer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A recent (Sept 2006) conversation that touched on the aims of the ZXID project:

> Q: So just generally, what are your goals for it, are you interested in making
> it work well with what other people are producing (e.g. SAML -> WSF
> cross-over), etc? I'm certainly assuming the answer's yes to that.

I aim at a full stack client side implementation: ID-FF, SAML 2.0, WSF
(both versions). The generation technique I use will yield the
encoders and decoders for both WSP and WSC, but the hand written
higher level logic will at first be written only for SP and WSC.
Some WSP support has now been written as well (complete WSP support
was completed as of July 2007).

It is an Apache licensed project, of course, so if someone contributes
the IdP and WSP capabilities, I'll merge them into the
distribution. (IdP and Discovery exist in the distribution as of
January 2010.)

I am interested in having it work with other people's code at 3 levels:

1. Over-the-wire interoperability
2. I have split the functionality of the SP from the WSC such that
   the zxid SP could probably be used with someone else's WSC and someone
   else's SP would reasonably easily be able to use the zxid WSC.
3. Interfaces to the non-IdM parts of the complete system, typically
   used to implement the application layer, shall be
   plentiful: C/C++ API, Net::SAML/mod_perl, php - whatever you
   can SWIGify.

One thing I am NOT interested in is a "layered" stack. I strongly
believe it's better that each vertically integrated slice is implemented by
one mind. Thus, except for the lowest HTTP, TLS, and TCP/IP layers, my SP,
or WSC, or WSP, handles the whole depth of the stack - SOAP,
signature, and app interface layers (of course the actual app should
be its own layer and probably user written). That is by design.

I have found in practice that if you attempt a layered stack, you have
impedance mismatches between the modules at different layers because
they were designed and written by different minds. By having vertical
integration I avoid impedance mismatches. This is the reason why
monolithic TCP/IP implementations tend to be better than explicitly
layered ones, such as the streams approach.

Now, if someone else wanted to take my generated encoders and
decoders and use them as a "layer" in their layered stack, I guess
I would not have any issue. If you do that, please let me know
because I would have to commit to API stability at that layer.
I am willing to do that once there are real projects that depend
on it, but until then I still may redesign those APIs, after
all, I am at revision 0.4 :-)

In the end, it seems that ZXID is actually a somewhat layered approach -
what I mean by "vertical integration" is that all the layers are
designed and controlled by the same mind.

> Q: I gather that it's SAML 2.0 at the moment, which I can't offer any test
> capability for, but if you get to SAML 1.1, I'm happy to set up some kind of
> IdP test capability for that.

In the SSO world SAML 1.1 and ID-FF 1.2 capabilities are definitely on the
road map. In the ID-WSF world, I'll probably start with 2.0 DS-WSC (don't
we all) followed by ID-DAP WSC and then tackle 1.1 after
that.<<footnote: As of version 0.18, July 2007, both WSC and WSP roles
of ID-DAP as well as ID-HR-XML have been implemented. Discovery client
was implemented as well. This means the generic WSC and WSP support is
there.>>

97.13.2 Annoyances and improvement ideas
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(*** http://systoilet.wordpress.com/2010/09/29/i-hate-saml/)

There is a lot of commonality that is not leveraged, especially in the
way service end points are chosen given the metadata. The descriptors
are nearly identical, so casting them to one common type should work.

Many of the SAML2 responses are nearly identical. Rather than
constructing each of them fully formally, we could have just one "SAML any
response" function. Perhaps this could be supported by some schema
grammar level aliasing feature: if an element derives from a base type
without adding anything at all of its own, we might as well only
generate code for the base type.

A namespace aliasing scheme would allow us to consider two versions of a
schema the same. It seems to be fairly common that the schema
changes are so minor that there is no justification for two
different decoding engines.

97.13.3 Non-obvious SAML
~~~~~~~~~~~~~~~~~~~~~~~~

1. The Destination XML attribute is needed in redirect and POST bindings.

2. The Assertion//SubjectConfirmationData/@InResponseTo XML attribute
   is needed in SSO assertions, unless the SSO was unsolicited.
   SAML is not very explicit about this: [SAML2core], ll.729-732,
   describes it as optional, but [SAML2prof], ll.580-582 and
   ll.559-560, seem to imply this requirement.

3. Some deployments use the POST binding for many more things than
   officially sanctioned by SAML, see [SAML2conf], Table 1 "Possible
   Implementations", p.6. None of the official profiles, see
   [SAML2conf], Table 2 "Feature Matrix", p.9, require support
   for POST for sending or receiving Single Logout or Manage NameID
   requests. Nor is sending AuthnRequest using POST officially
   sanctioned. Using the artifact profile for anything other than
   fetching the SSO assertion is not official. Nevertheless,
   some of these bindings are perfectly implementable and some
   deployments actually use them. ZXID may support some of them,
   especially the POST bindings, if it is easy to do so, but
   we make no commitment beyond official SAML conformance.

4. In SAML SOAP bindings it is a bit unclear whether the caller needs
   to be authenticated. Currently ZXID solves this by signing
   the SOAP requests (see the SSO_SOAP_SIGN configuration options).
   Other approaches are using HTTP Basic authentication,
   using Client-TLS, or simply not authenticating the peer.

5. Interpretation of metadata KeyDescriptor/EncryptionMethod

   The allowed algorithms are listed in [SAML2conf], section 4.2
   "XML Encryption Algorithms", ll.252-253.

   The interpretation is in [SAML2meta], section 2.4.1.1 "Element
   <KeyDescriptor>", ll.621-624, p.16, and the example
   on l.1117.

   Since <EncryptionMethod> can appear several times, it
   would seem reasonable to specify it once for asymmetric crypto
   and once for symmetric crypto. If specified, then for each
   of the cases only one of the allowed algorithms may be used.
   If not specified, then any algorithm authorized in [SAML2conf]
   is allowed. If specified, but the algorithm is not authorized
   by [SAML2conf], then the implementation is nonconformant.

6. The selection of the protocol binding for the return path of
   SSO is non-trivial. The Authentication Request may
   specify any number of parameters like ProtocolBinding
   or Index. Generally it should not be specified at
   all, leaving the decision to the IdP, or it should
   be specified using the Index method.

7. When passing around Name IDs or storing them in a database,
   remember to store all components, including NameQualifier
   and SPNameQualifier.

8. Single Logout: the IdP should not call the originator of the SLO when
   it is logging out everybody.

9. The SAML Redirect binding signs the base64 and URL encoded
   payload. This is problematic as there is no canonical
   way to URL encode, i.e. some implementations encode
   more characters than others. When the signature needs to be verified,
   the CGI or some other layer of processing may already have
   removed the URL encoding, thus breaking the signature.
   A correct implementation requires capturing the URL encoded
   version of the ~SAMLRequest~ or ~SAMLResponse~ field
   exactly as it came from the wire and using that for signature
   verification. This is what ZXID does, but historically
   some implementations have tried to URL re-encode for
   signature verification, resulting in "it depends" type
   bugs where it only works when the sender's URL
   encoding happens to match the URL encoding the receiver
   applies. Of course all of this could have been avoided
   had the design been to sign the base64 encoded form
   prior to URL encoding. And URL encoding would not
   have been needed at all if safebase64 ([RFC3548], sec 4)
   encoding had been used in the first place.

10. The SAML SimpleSignPOST binding may superficially seem
    similar to the Redirect binding in the signature area. Well,
    it is not. SimpleSign signs the payload data prior to
    base64 (and URL) encoding. This avoids the bug that
    easily creeps into Redirect signature verification,
    see above. The downside is that the payload can't really be
    binary, unless you base64 encode twice.

11. EncryptedAssertion and EncryptedID: how is the EncryptedKey
    found?

    a. The EncryptedData/KeyInfo/RetrievalMethod references the Id attribute of
       the EncryptedKey element, which is a sister of the EncryptedData.
       Shibboleth 2010 can be kludged to work with this method if the
       EncryptedKey element has a Recipient XML attribute equal to the
       EntityID of the SP.
       This is nowhere well documented, but appears
       to work.

    b. The EncryptedKey is a child of EncryptedData/KeyInfo, i.e.
       EncryptedData/KeyInfo/EncryptedKey. Shibboleth SP appears to use
       this latter method as of 2010. Scott acknowledged method (a) as
       also valid and will fix Shibboleth SP.

    See saml-core-2.0-os.pdf, sec 2.2.4 Element <EncryptedID>, p.14, l.495,
    which specifies that EncryptedData and EncryptedKey are sister elements.
    See also ll.515-521 for the schema fragment.
    Sec 2.3.4 Element <EncryptedAssertion> on p.17 contains similar language,
    as does 2.7.3.2 Element <EncryptedAttribute> on p.31.

<<ignore:
Oliver: 2010-09-06 08:06:29 DEBUG OpenSAML.MessageDecoder.SAML2 [30]: extracting issuer from SAML 2.0 protocol message
2010-09-06 08:06:29 DEBUG OpenSAML.MessageDecoder.SAML2 [30]: message from (https://zxidp.org/idp)
2010-09-06 08:06:29 DEBUG OpenSAML.MessageDecoder.SAML2 [30]: searching metadata for message issuer...
2010-09-06 08:06:29 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [30]: evaluating message flow policy (replay checking on, expiration 60)
2010-09-06 08:06:29 DEBUG XMLTooling.StorageService [30]: inserted record (R6AEwkbaM6nahxpvSNOyr0dTe) in context (MessageFlow)
2010-09-06 08:06:29 DEBUG Shibboleth.SSO.SAML2 [30]: processing message against SAML 2.0 SSO profile
2010-09-06 08:06:29 ERROR Shibboleth.SSO.SAML2 [30]: Unable to locate an encrypted key.
Sampo: Ok, looking for encrypted key.
? This is what I sent on the wire.
Oliver: ok let me make a diff and see if that is what i received
Sampo: If we analyze this you can see that EncryptedKey is sister element of EncryptedData element.
Oliver: ok it is exactly identical to what i have in the log
Sampo: The KeyInfo of the EncryptedData references #EK39 and the EncryptedKey has Id attribute EK39
? That is the mechanism by which it is supposed to find the encrypted key.
? Now the next step is that EncryptedKey itself has KeyInfo that contains X509 certificate.
? That certificate is supposed to be your SP's encryption certificate, taken from your metadata.
? Do you follow me?
Oliver: yes
Sampo: Now, at cursory inspection the cert in the message matches the cert in your metadata.
? Can you spot any error here?
Oliver: let me do a diff to double check ... one sec
Sampo: Your metadata says you are using same certificate for encryption and signing.
? Next verification would be to see if your metadata matches the certificate actually used by SP at this step.
? I think the log messages that Scott provides are too terse to analyze this problem. Giving one blanket "Unable to locate an encrypted key" error message for all potential points of failure outlined thus far is not sufficient.
? I have to go eat now. I hope these ideas help. I'll be back in an hour.
? You do have credentials on zxidp.org so you can reproduce all this at will, right?
Oliver: i am checking ... but so far everything looks identical to what is in the log
? i have an account there yes
Sampo: Good. Talk to you in an hour.
Oliver: enjoy your lunch
Sampo: I'm back
Oliver: hey
? double checked the certs in the configuration and compared them to what you were sending and they are identical
Sampo: Next theory why it is not working?
Oliver: as you might have noticed ... i am not a saml expert ... so I don't really have a theory why it is not working
? the strange thing is that it seems to work fine with protectnetwork and the kantara idp
Sampo: Huh, I actually thought you were SAML knowledgeable or at least wanted to learn and become SAML expert?
Oliver: i am doing the system administration for kantara ... and very much interested in saml and learning more about it
? but still far from being an expert
Sampo: Can you capture the wire message from protect network?
? For example turn off JavaScript and perform the login. When it stops on the POST page, save that page so you can see what the IdP is sending to the SP.
Oliver: sure let me login via protect network and capture it ... one sec
? i can see the wire message in the logs
? just one sec
* Oliver posted file protect-network.debug to members of this chat
? here is what i got from them
Sampo: The assertion is not encrypted at all!
? That leaves them open to attacks by infected web browsers.
? The so called active intermediary man in the middle attack.
? Can you make similar verification to see if Kantara IdP encrypts the assertion?
Oliver: oh you wanted the encrypted version?
Sampo: If encrypted version was passed on the wire, I want to see it.
? If https is used, the most reliable place to capture is to stop the POST flow just before the form with the assertion is posted to the SP. Give me the content of the SAMLResponse form field.
Oliver: ok let me try the turn off javascript thing then
* Oliver posted file encrypted.txt to members of this chat
? this is the encrypted version from protect network
Sampo: Analyzing...
? Ok, I see the difference: I use EncryptedData/KeyInfo/RetrievalMethod to designate the EncryptedKey whereas protectednet uses EncryptedData/KeyInfo/EncryptedKey
? Schemawise both appear valid and I support both in my SP.
Oliver: ok
Sampo: Which code does protect-network use?
Oliver: so you think it is a bug in shibboleth?
Sampo: protected-network uses shibboleth?
Oliver: no that is our sp
? i don't know what they use
Sampo: Yes, I think it is bug in shibboleth SP. It should accept either way of doing it.
Oliver: ok so maybe we should forward that info to scott
Sampo: What software do you use for Kantara IdP?
Oliver: simplesamlphp
Sampo: Can you capture their output and see how they designate the EncryptedKey?
Oliver: sure you want the decrypted version only right?
Sampo: Meanwhile, I will add to my IdP an option to generate it the EncryptedData/KeyInfo/EncryptedKey way.
? Since the problem is with encryption, I want the encrypted version.
* Oliver posted file encrypted.txt to members of this chat
? oops sorry wrong file
? one sec
* Oliver posted file encrypted-simplesamlphp.txt to members of this chat
Sampo: Fundamentally this is a bug in xml-enc and saml specs in not specifying only one way of doing it.
Oliver: the second one is the correct file (the one that says simplesamlphp) the first one was the one from protectnetwork
Sampo: Yes, I am looking at it...
? The encrypted-simplesamlphp.txt does not contain encrypted assertion (or encrypted anything).
? If this really is what you captured from the POST SAMLResponse field, then your IdP is vulnerable to the MITM attack.
? You are using the POST binding in all cases, right?
Oliver: yes
? one sec looking at the xml
Sampo: That is important because encrypting the assertion is not needed in artifact binding.
Oliver: yes i see the encrypted is missing
? i need to update the software on the idp anyway. so i will try to get this to work right during that maintenance
? thanks for pointing that out
Sampo: See saml-bindings-2.0-os.pdf, sec 3.5.5.2 Security Considerations, p.24, ll.847-851
? After publication it was understood that the SHOULD NOT could be eliminated if EncryptedAssertion is used.
Oliver: noted
Sampo: See saml-core-2.0-os.pdf, sec 2.2.4 Element <EncryptedID>, p.14, l.495 specifies that EncryptedData and EncryptedKey are sister elements. Thus this really appears to be a bug in shibboleth SP.
? See also ll.515-521 for schema fragment.
Oliver: ok
Sampo: Sec 2.3.4 Element <EncryptedAssertion> on p.17 contains similar language.
Oliver: so what do we do? include scott in the loop?
Sampo: Please raise this issue with Scott.
Oliver: ok
? will do
Sampo: Meanwhile I will implement an option to be spec noncompliant so that it still works with his buggy code.
Oliver: ok sent him an email
? let's see what he says
Sampo: It is quite sad that sec 6 SAML and XML Encryption Syntax and Processing, p.73, does not provide any clarification on this matter either. The core spec does not provide a single example of EncryptedID or EncryptedAssertion. Seems OASIS SSTC was pretty sloppy when defining this part of the spec.
Oliver: yes that should be defined in detail
Sampo: Umm, it seems you did not Cc me in the mail. Please let me know what he replies.
Oliver: oops sorry
? yes will forward the answer as soon as i get it
Sampo: Little progress now:
? opensaml::FatalProfileException at (http://kantarainitiative.org/Shibboleth.sso/SAML2/POST)

Unable to locate satisfiable bearer SubjectConfirmation in assertion.
? I guess that means it is at least able to decrypt. Can you paste there the corresponding log lines?
Oliver: one sec
* Oliver posted file shibd.log to members of this chat
Sampo: 2010-09-06 12:13:16 ERROR OpenSAML.SecurityPolicyRule.BearerConfirmation [30]: bearer confirmation failed with recipient mismatch
? I have a hunch on this. I'll check the specs.
Oliver: ok
Sampo: Is there any way I could just use http request to a CGI to obtain a tail of your log?
Oliver: we don't have anything set up right now
Sampo: There may be a good policy reason why not to set up such log access, but if there is no rule against it, it would be pretty trivial php or perl CGI script to write.
? Think about that while I think about BearerConfirmation :-)
Oliver: yes would not be too hard to write a little php for that but I would have to check with joni if she is ok with it
? i think they have a national holiday there today though
? they
Sampo: Hope that means Scott has time to read mails :-)
Oliver: true
Sampo: One step further.
? shibsp::ConfigurationException at (http://kantarainitiative.org/Shibboleth.sso/SAML2/cookie:982a07ae)

Shibboleth handler invoked at an unconfigured location.
Oliver: just sent you the response from scott
? do you want the logs from the error?
? ?
Sampo: At least the tail of the log from DEBUG Shibboleth.SSO.SAML2 [30]: extracting issuer from SAML 2.0 assertion onwards
? Hopefully that is so little you can just paste it here.
Oliver: one sec
Sampo: I'll check Scott's response...
Oliver: 2010-09-06 12:52:36 DEBUG Shibboleth.SSO.SAML2 [46]: extracting issuer from SAML 2.0 assertion
2010-09-06 12:52:36 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [46]: evaluating message flow policy (replay checking on, expiration 60)
2010-09-06 12:52:36 DEBUG XMLTooling.StorageService [46]: inserted record (Ajq-JsiQEM4thfqIZ4T911pUp) in context (MessageFlow)
2010-09-06 12:52:36 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [46]: validating signature profile
2010-09-06 12:52:36 DEBUG XMLTooling.TrustEngine.ExplicitKey [46]: attempting to validate signature with the peer's credentials
2010-09-06 12:52:36 DEBUG XMLTooling.TrustEngine.ExplicitKey [46]: signature validated with credential
2010-09-06 12:52:36 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [46]: signature verified against message issuer
2010-09-06 12:52:36 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [46]: assertion satisfied bearer confirmation requirements
2010-09-06 12:52:36 DEBUG Shibboleth.SSO.SAML2 [46]: decrypted NameID: <sa:NameID xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://zxidp.org/idp" SPNameQualifier="https://kantarainitiative.org/shibboleth-sp">TdDu9HPCRGB3cdEaRgVtdgmkD</sa:NameID>
2010-09-06 12:52:36 DEBUG Shibboleth.SSO.SAML2 [46]: SSO profile processing completed successfully
2010-09-06 12:52:36 DEBUG Shibboleth.SSO.SAML2 [46]: extracting pushed attributes...
2010-09-06 12:52:36 DEBUG Shibboleth.AttributeExtractor.XML [46]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)
2010-09-06 12:52:36 INFO Shibboleth.AttributeExtractor.XML [46]: skipping unmapped SAML 2.0 Attribute with Name: urn:liberty:disco:2006-08:DiscoveryEPR, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2010-09-06 12:52:36 INFO Shibboleth.AttributeExtractor.XML [46]: skipping unmapped SAML 2.0 Attribute with Name: idpinfo, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2010-09-06 12:52:36 INFO Shibboleth.AttributeExtractor.XML [46]: skipping unmapped SAML 2.0 Attribute with Name: cn, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2010-09-06 12:52:36 INFO Shibboleth.AttributeExtractor.XML [46]: skipping unmapped SAML 2.0 Attribute with Name: zxididp, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2010-09-06 12:52:36 DEBUG Shibboleth.SSO.SAML2 [46]: resolving attributes...
2010-09-06 12:52:36 DEBUG Shibboleth.AttributeResolver.Query [46]: found AttributeStatement in input to new session, skipping query
2010-09-06 12:52:36 DEBUG Shibboleth.SessionCache [46]: creating new session
2010-09-06 12:52:36 DEBUG Shibboleth.SessionCache [46]: storing new session...
2010-09-06 12:52:36 DEBUG XMLTooling.StorageService [46]: inserted record (session) in context (_a1e19c299c142bf732871dbff386f7d9)
2010-09-06 12:52:36 DEBUG XMLTooling.StorageService [46]: inserted record (TdDu9HPCRGB3cdEaRgVtdgmkD) in context (NameID)
2010-09-06 12:52:36 DEBUG XMLTooling.StorageService [46]: inserted record (Ajq-JsiQEM4thfqIZ4T911pUp) in context (_a1e19c299c142bf732871dbff386f7d9)
2010-09-06 12:52:36 INFO Shibboleth.SessionCache [46]: new session created: ID (_a1e19c299c142bf732871dbff386f7d9) IdP (https://zxidp.org/idp) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (93.108.147.200)
2010-09-06 12:52:36 DEBUG Shibboleth.SSO.SAML2 [46]: ACS returning via redirect to: cookie%3A982a07ae
Sampo: It appears SP side session was created all right.
? I think we are now at the point where SAML is no longer involved.
Oliver: yes I still need to map some attributes but looks all right
Sampo: Where did that cookie%3A982a07ae come from?
? It appears that the equals sign got URI escaped and perhaps that is throwing it off?
Oliver: is there maybe a ? missing?
Sampo: That could be, as well.
? Let's entertain the theory that cookie%3A982a07ae came from the RelayState field and investigate how it was passed in AuthnRequest and Response.
Oliver: but then the same thing should happen with the protect network
Sampo: If you look at the original HTTP redirect that is made to convey AuthnRequest, you can see QueryString argument RelayState=cookie%3A8cd0ff4c
? So clearly your SP (or WAYF service?) already passes it in that format. As far as I have understood the protocol, I am not supposed to decode it (nor reencode).
? If I intercept a POST, I can see the field <input name="RelayState" value="cookie%3A982a07ae" type="hidden">
? Perhaps the field should have been <input name="RelayState" value="cookie=982a07ae" type="hidden">
? I.e. the RelayState gets encoded twice because the browser, when posting the form, will encode again.
Oliver: i think it needs to be a :
? this is what i am getting from protect network
? <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

    <body onload="document.forms[0].submit()">
        <noscript>
            <p>
                <strong>Note:</strong> Since your browser does not support JavaScript,
                you must press the Continue button once to proceed.
            </p>
        </noscript>

        <form action="http://kantarainitiative.org/Shibboleth.sso/SAML2/POST" method="post">

            <div>
                <input type="hidden" name="RelayState" value="cookie:109e37f6"/>
? ...
Sampo: Hex 3a is a colon? Not equals?
Oliver: i think so yes
? looked it up
Sampo: I'll try this and see if it fixes...
Oliver: ok
Sampo: It went through!
? But I landed back on the Current Members page where I had started by clicking the Log In.
? The Log In still appears.
Oliver: yes probably some attribute mapping missing hold on
Sampo: How do I know that I am logged in?
? Shouldn't Single Logout button of some sort appear (and Log In disappear)?
Oliver: yes your username appears
? hold on one second
? need to logout and login to try it
Sampo: But how can I logout? I do not see any logout button?
Oliver: no i do have to logout to try it here
Sampo: So zap cookies is the only way?
2063Oliver: 2010-09-06 13:34:04 DEBUG Shibboleth.AttributeDecoder.NameID [28]: decoding NameIDAttribute (persistent-id) from SAML 2 NameID with Format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) 20642010-09-06 13:34:04 INFO Shibboleth.AttributeExtractor.XML [28]: skipping unmapped SAML 2.0 Attribute with Name: urn:liberty:disco:2006-08:DiscoveryEPR, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified 20652010-09-06 13:34:04 INFO Shibboleth.AttributeExtractor.XML [28]: skipping unmapped SAML 2.0 Attribute with Name: idpinfo, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified 20662010-09-06 13:34:04 INFO Shibboleth.AttributeExtractor.XML [28]: skipping unmapped SAML 2.0 Attribute with Name: zxididp, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified 2067Sampo: FYI, the page I am using for these tests: http://kantarainitiative.org/confluence/display/GI/Current+Members 2068? Those attributes can be safely ignored for time being. 2069Oliver: where do you pass the username? 2070? what attribute? 2071? and format? 2072Sampo: No attribute. I pass pseudonymous NameID. 2073? That appears in Subject element of the SAML assertion. 2074? In your log 2010-09-06 13:34:04 DEBUG Shibboleth.AttributeDecoder.NameID [28]: decoding NameIDAttribute (persistent-id) from SAML 2 NameID with Format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) 2075? would appear to correspond to that. 2076Oliver: ok so let me try to map NameID to our username 2077Sampo: But perhaps we need to take a step back at this point: assume a random user of zxidp.org wants to access kantara. How would kantara know that user (identified by persistent pseudonym) is in fact a user that is allowed to access Kantara? 2078? I vaguely recollect that last time I asked this question, the answer was that Kantara does not care. 2079Oliver: all end up in the standard user group first 2080? where you see the same as if you were not logged in 2081? 
and then you contact staff and ask to be assigned to another group 2082Sampo: But you should see at least the logout button or some indication that you are logged in. 2083Oliver: yes you see your username where it says login etc 2084? can edit your profile 2085? etc. 2086Sampo: "username"? Is that something Kantara assigns internally? 2087Oliver: it is something like omaerz@protectnetwork.com 2088Sampo: Are you expecting the IdP to pass you that? 2089Oliver: yes 2090Sampo: That looks like globally unique id, a correlation handle. 2091Oliver: that is why i was looking at the attributes 2092Sampo: That is privacy hostile. 2093Oliver: that is the way the shibboleth plugin for confluence works 2094Sampo: Liberty Alliance spent 8 years engineering relationshipwise pseudonymous privacy friendly protocols and now you want global correlation handle. 2095Oliver: we can map that username, name and email address if we get it from an idp 2096? i don't 2097? the people who implement the plugin do 2098? i was only asked to set that system up in that way 2099Sampo: Basically my IdP will give you persistent pseudonym. That allows you to keep your local database that knows some things about me. 2100? Towards some other SP the IdP will give a different pseudonym so that the other site can not correlate information with Kantara. 2101? This is very important for privacy. 2102? In the end it reduces to what is the minimum amount of information that Kantara needs to know about me. 2103Oliver: ok 2104Sampo: Perhaps some email is needed, but I would hope to use different email at each SP. 2105Oliver: email is optional and you can fill it in manually in confluence 2106Sampo: How tightly are the mailinglists integrated to the web site? 2107Oliver: same with name 2108? no mailman integration 2109Sampo: Ok, so I can SSO with IdP and then selectively supply the pieces of information and the versions of those pieces just for Kantara. 2110Oliver: do you know of a saml module for mailman? 
2111Sampo: In that case, wouldn't it work well to just use the persistent pseudonym as username? 2112Oliver: the only thing i need to get this to work is a username 2113? yes let me try 2114? what does that pseudonym look like? 2115Sampo: Base64 encoded 128bit random number. 2116Oliver: i have to make sure they are unique ... so some other idp does not give us the same username 2117? i.e. you second ipd 2118? idp 2119Sampo: <sa:NameID xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://zxidp.org/idp" SPNameQualifier="https://kantarainitiative.org/shibboleth-sp">FRsLTG-ZdKuVJ-Pes_MiQ44cz</sa:NameID> 2120? In this XML snippet you see NameQualifier. 2121? That is essentially the namespace inside which the 128bit thing (FRsLTG-ZdKuVJ-Pes_MiQ44cz) is unique. 2122? So to form your username, you could concatenate the two. You could even use @ character as a separator, but that still would not make it workable email. 2123? BTW, the SPNameQualifier for you is always same. But for IdP serving multiple SPs that also forms important part of the namespace. 2124? Another approach you could take is simply do a sha1 hash over the canonical serialization of the whole NameID element. 2125? and use that as username. 2126? When SAML was designed, the choice was to identify IdP by a URL rather than just domain name. This makes it difficult to construct any meaningful email address that would include IdP identification. 2127? You can talk to Scott about that. May be he remembers why this design was adopted. 2128Oliver: hmm this is really ugly: https://zxidp.org/idp!https://kantarainitiative.org/shibboleth-sp!frsltg-zdkuvj-pes_miq44cz 2129? also this will break confluence 2130Sampo: That would be a bug in Confluence, IMNSHO. 2131Oliver: like when click on a user to see his profile 2132? is it really such a big deal if you passed some unique identifier that looks more like an email address? 2133? 
i mean you could stick the id in there 2134Sampo: How about this: FRsLTG-ZdKuVJ-Pes_MiQ44cz@yBeCTPt0NQ2vMuI-srKw5h4N2i8 2135Oliver: something like sp!frsltg-zdkuvj-pes_miq44cz@zxidp.org 2136? or that 2137Sampo: where the FR stuff is the persistent pseudonym and the yBe stuff is safe_base64 encoded sha1 hash of https://zxidp.org/idp 2138Oliver: sure 2139Sampo: Personally I would find FRsLTG-ZdKuVJ-Pes_MiQ44cz@zxidp.org ok as long as you do not make any assumption that you can actually send mail there :-0 2140Oliver: no 2141? it is not used as an email address 2142? the email address CAN be passed as an attribute but that is optional 2143? if it is passed then only to pre-populate the email field in confluence the very first time somebody logs in 2144Sampo: If you adopt that convention it would be really cool if you also documented it so that could become a widely adopted solution and convention to this problem in the confluence and even wider world. 2145? What attribute others are passing to you to pick the user name? 2146Oliver: you mean the FRsLTG-ZdKuVJ-Pes_MiQ44cz type usernames? 2147Sampo: Does anyone else try to pass you persistent pseudonym? 2148Oliver: protectnetwork is passing <protectnetwork username>@protectnetwork.com 2149? kantara idp is passing the username without the @... at the then 2150? end 2151Sampo: I guess what I am saying that if there is some industry convention (that I do not know about), I could pass the pseudonym the same way. 2152? So for kantaraidp you need to add the @idp.ki 2153? ? 2154Oliver: i guess i could add it 2155Sampo: What is the name of the attribute protectnetwork uses to pass this? 2156Oliver: hold on let me look it up 2157? http://www.protectnetwork.org/support/policies/attribute-release-policy 2158? we do not user firstname lastname though 2159? as the confluence plugin expects the whole name in one field 2160? so urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is what we use for the username 2161? they do not pass the email 2162? 
to us 2163Sampo: That is, urn:mace:dir:attribute-def:eduPersonPrincipalName . 2164Oliver: but they do not pass it to us 2165? for whatever reason 2166? they pass it to others 2167Sampo: In urn:oid:1.3.6.1.4.1.5923.1.1.1.6 they the pass the email like thing. 2168Oliver: yes 2169Sampo: So they do not pass email attribute, but pass in eduPersonPrincipalName something that most of the time is the email. 2170Oliver: they do not pass either one 2171? neither the real email nor the first + lastname in one field 2172Sampo: Ok, decision now: do I reconfig my IdP to pass in urn:oid:1.3.6.1.4.1.5923.1.1.1.6 something like FRsLTG-ZdKuVJ-Pes_MiQ44cz@zxidp.org 2173Oliver: sure that looks good 2174Sampo: or do you just add the @zxidp.org to the persistent pseudonym I pass to you (i.e. no change for me)? 2175? I take it that you pick the first option. Very well. It will take me perhaps 20min or so. 2176Oliver: ok that would really be the best solution 2177? i am looking at a way how i could put the name together on my side 2178Sampo: I suspect there are other sysadmins who would appreciate this as well. 2179Oliver: but it would probably take longer that 20 mins 2180? this is the config for shib + confluence 2181? https://studio.plugins.atlassian.com/wiki/display/SHBL/How+to+Shibbolize+Confluence 2182? ok gotta run to the store will be back in 30 mins 2183Sampo: Ok, I'll do the same. Back in 30 min. 2184? Back. 2185Oliver: oral exam 2186? oops wrong window 2187Sampo Kellom�ki: I am now sending urn:oid:1.3.6.1.4.1.5923.1.1.1.6 but I still am not considered logged in. 2188Oliver: let me look at the log one sec 2189? was the format 2190? you are sending it as urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified 2191? added it to the attribute map and now it works 2192Sampo Kellom�ki: Should I tweak my code to send something other than unspec? 
2193Oliver: no it is fine i added it to the attribute map 2194Sampo Kellom�ki: I see protectednetwork sent urn:oasis:names:tc:SAML:2.0:attrname-format:uri 2195? Perhaps I do the same. 2196Oliver: ok 2197Sampo Kellom�ki: Ok, now I see my login succeed. 2198? I'll implement the Recipient work around Scott suggests. 2199Oliver: just forwarded you another mail from scott that i have received 2200Sampo Kellom�ki: In the Recipient case it is not clear what should go to that field. 2201Oliver: i don't know either 2202? :( 2203Sampo Kellom�ki: I'll put the EntotyID URL and we will see. 2204? Works with the Recipient workaround. 2205? On the Kantara site, where can I edit my test user's profile? 2206? I notice you lowercase the persistent pseudonym when you form the username. You realize that my uniqueness guarantee assumes full 64 character characterset. By lowercasing you loose nearly one bit of search space :-) 2207? Out of 128. 2208? I guess you are still ok, statistically speaking. 2209Oliver: that is an intersting point 2210? i wonder if confluence does that or the shib plugin 2211? you can edit your userprofile when you click on your name 2212? and then there should be a dropdown menu with the item profile 2213? once on your profile you need to click on the edit link 2214Sampo Kellom�ki: No doubt this needs JavaScript... 2215? The user name appears in the "Full Name" field. Is there no provision for human readable nick name? 2216Oliver: you can just overwrite that 2217? click on the edit link 2218? it is put in there if no name is passed from the idp 2219? confluence probably needs something in there 2220Sampo Kellom�ki: The internal federated username is just initial value for Full Name - I see. 2221Oliver: yup 2222Sampo Kellom�ki: Ok, appears to work. 2223? I'll make a new release of zxid and upgrade idp.tas3.eu to the latest and greatest. Then we can consider this issue closed for time being. 
Oliver: cool
>>

97.13.4 Non-obvious ID-WSF
~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Should you include the Sender SOAP header? Conor says usually
   not. But how do you then know the SOAP request issuer? Perhaps
   from some field of the signature?

2. In case the bearer token is an <EncryptedAssertion>, how is
   env->Header->Security->SecurityTokenReference->KeyIdentifier
   populated (normally it would be populated from Assertion->ID)?

97.13.5 Non-obvious XML Exclusive Canonicalization (XML-EXC-C14N)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XML Exclusive Canonicalization bugs cause the vast majority of signature
failures (once trivial configuration issues like using the wrong
certificates are taken care of). Here are some gotchas:

1. XML namespace prefixes must be tracked correctly and they
   can change at every layer, even reusing already used
   prefixes for different namespace URIs.

2. InclusiveNamespaces/@PrefixList namespaces must always be
   rendered. However, if the list includes a prefix that in
   fact has not been declared in the parent node of the canonicalization,
   then this prefix is supposed to be ignored (says Scott Cantor, 20101005).
   I have not found any specification references saying this to be
   the case. In fact [XML-EXC-C14N] section 3, bullet 2, and section
   3.1, bullet 3.2.1, seem to imply otherwise. However, if the prefix
   has not been declared, it is not easy to see how the spec could
   be satisfied (unless a bug leaks the declaration from inside
   the canonicalized element, such as ~ds~ from an embedded signature).

3. Pay attention to line end canonicalization ([XML-C14N], section 1.1
   "Terminology", 3rd bullet): CRLF to LF. Many implementations
   only ever produce LF, or avoid producing any superfluous whitespace at
   all (the best strategy to avoid interop problems), and therefore work fine
   until the day when a CRLF emitting implementation appears.

4. Namespace declarations are ordered by namespace prefix, while
   namespaced attributes are ordered by namespace URI (then local name). Gotcha!

<<ignore:

Seems this thread is vendors (even if some are open
source) galore, so here goes my blurb...

I'm sorry ZXID.org documentation is seen
as "disgusting". At least it was found.

The criticism is a bit unconstructive as it does not give
me any idea about what the gaps were or why it was not
palatable.

At any rate, I recommend starting from the top level
of the documentation (left hand column of zxid.org web site)
before drilling to the low level reference sections that
were linked in the article.

If you find a gap, just mail zxid.user@lists.unh.edu
or me: sampo@zxidp.org

Regarding the claimed segfault: I would love to receive
a bug report on this (and any claims should cite version
number). As of zxid-0.76 I challenge the critiquer
to reproduce the problem. Only that way things get
fixed.

Re SAML not open: I find SAML itself is fully open, albeit
complex and with too much alternative/optional behaviour
opening scope for bugs.

The real evil comes from XML (agree with critiquer),
especially its namespace mechanism and the underspecified
canonicalization mechanism. It does not help that the
committees overseeing XML-DSIG and canonicalization
are not open to clarifications. You can report to them
any number of bugs in their specs and they will find
a reason to not publish errata.

The interested reader should check my <a href="http://zxid.org/html/zxid-faq.html#-ZXIDFAQ-AuthorsPetPeeves-NonobviousXMLExclusiveCanonicalizationXMLEXCC14N">FAQ</a>.

Cheers,
--Sampo

>>

97.13.6 I do not want to know service type, but I want to call the service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Q:: Can I create a new ~struct zx_a_EndpointReference_s~ (~zxid_epr~ since 0.69)
    from scratch where I can set the URL that can be got from\\
    zxidjni.get_epr_address(cf, epr)?

A:: EPRs are complex objects. Even if you created a blank EPR with just
    a URL in it, it would not be all that useful without the <Metadata> and
    especially the <SecurityContext> with the token within.

Gulyx:: Ok I see, however as we discussed the statement:

        zxid_epr epr = zxidjni.get_epr(cf, zxses, "x-recurs", null, null, null, 1);

    may be moved from the axis2 zxid module to the application level.
    In this way the developer can choose.

    What I am saying is that a developer of a web service client
    can explicitly define a URL, or may use your disco in order to look
    for the most appropriate one

Sampo:: Explicitly defining a URL is inadequate unless you also define
    the security token to access the service. Generally creating a security
    token without consulting discovery (or the ID Mapper service in a more
    general context) is not feasible. Therefore having a simple
    constructor for EPR accomplishes very little.

Gulyx:: What I am saying is that it is up to the developer of a web service client to choose

Sampo:: If you know the URL (and the service has been registered to
    discovery), then you can get the EPR with
    zxidjni.get_epr(cf, ses, svc_type, URL, null, null, 1).

Gulyx:: an explicit URL or look for one from a disco
    thus this part of the zxid api should be used (in case) at the application layer

Sampo:: Rather than look for the URL from disco, why not just get the EPR
    from disco, i.e. call get_epr()?

Gulyx:: and not in the zxid security module

Sampo:: What would you do with the EPR created by the constructor?

Gulyx:: well it is ok to use zxidjni.get_epr(cf, ses, svc_type, URL,
    null, null, 1). However it is not always given that "svc_type"
    is known/available. What happens if it is not provided? I understand that
    it is important from a discovery point of view,
    but there could be the case in which the developer of a web service
    client does not want to use it or does not know it; he would only contact
    that URL

Sampo:: If you do not know the service type, how do you know what kind of
    SOAP body you are supposed to send to the service? The developer of the
    web service ultimately is the authority that decides what the service
    type URI is. If he does not know it, he can just invent it.

Gulyx:: for example because I am executing an RPC and I got all the information from the wsdl
    in this case I simply need a URL
    isn't it?

Sampo:: As a general rule, if the web service developer has poor
    imagination in inventing a service type URI, I recommend using the
    namespace URI of the top level element in the SOAP body.

Gulyx:: sampo I am not saying that what you are proposing is wrong
    I am just saying that in some cases people do not use the service type.

Sampo:: To speak RPC, you do need to know how to format the SOAP body
    according to the RPC marshalling conventions. Clearly you need to
    know what the body looks like, therefore you should know its
    namespace.

Gulyx:: and the zxid module in axis should support both

Sampo:: If people do not use service type, then they can not get registered in discovery.

Gulyx:: so the case in which the developer (at the application level)
    specifies the service type and the case when he does not

Sampo:: If they are not registered in discovery, how do you propose to
    generate the token for accessing the web service?

Gulyx:: Recap

    * service MUST have a service type
    * service MUST register to a disco with a service type
    * clients SHOULD know the service type and MAY use it in order to look for a service
    * client MAY contact directly a service without knowing a service type

Sampo:: I claim that the client can not contact the service without
    knowing what the SOAP body looks like.

Gulyx:: Of course, but they can also do it from the wsdl as I said above

Sampo:: Yes, knowing the WSDL constitutes knowing what the SOAP body is.
    If you know the WSDL, you know what the namespace URI of the top level
    element of the SOAP body is. Now if you follow the convention that
    the namespace is the service type, then you are done.

Gulyx:: So a client may not know the service type

Sampo:: If the service developer chose a service type different from
    the namespace, then you have to find out from the documentation the
    service developer provided.

Gulyx:: I am only proposing to include into the zxid axis2 module both
    possibilities, with and without service type

Sampo:: If you want to support the without service type case, then you
    should program in the axis2 module automatic derivation of the service
    type using the rule that the namespace of the top level element is the
    service type.

Gulyx:: Well if it is possible to forge from the service URL an
    "appropriate" EPR that I can pass to zxidjni.wsc_prepare_call I
    would prefer that, what do you think?

Sampo:: If you "forge" wrong, then things will not work.

Gulyx:: if the automatic derivation is wrong, then things will not work too :-D

Sampo:: Having a default rule like using the top level namespace as service
    type will work if that indeed was the convention everybody uses. But
    there is no universal agreement that this is always the convention.

Gulyx:: exactly

Sampo:: In practice in Liberty it has been the convention, but there is no guarantee.

Gulyx:: so having something like zxidjni.get_defaultEpr(URL)

Sampo:: Why are you so hell bent on not wanting to know the service type?

Gulyx:: would be useful

Sampo:: What service type do you not know?

Gulyx:: I want service type and I am almost supporting it in the
    module. I am just saying that people that I hope would use the module
    may not use service type

Sampo:: If the people want to play in TAS3, they need to know the
    service type. Knowing it is a requirement to join TAS3.

Gulyx:: so I would like the module to support both cases. I was
    referring to people outside TAS3. I mean if we release the zxid module for
    apache, I assume that axis2 users may prefer the zxid module instead of
    rampart so I would include this feature into the module too.

Sampo:: Ok, if you do not want to make TAS3 web service calls and do
    not want to use identities or security tokens, then a plain EPR with
    just a URL would be good enough.

Gulyx:: right

97.14 Best Practises
--------------------

1. Each entity chooses its own Entity ID. When you are setting
   up an SP, you choose your Entity ID and the IdP(s) MUST be
   able to adapt to your choice. Similarly, an IdP decides
   its own Entity ID and all SPs MUST be able to adapt to it.

2. Entity IDs MUST be unique within a Circle of Trust (CoT). Given
   that CoT relationships may change from time to time, it is best
   to choose the Entity ID so that it is globally unique. If the Entity ID
   contains a domain name as a component, then the +globally unique+
   property tends to be enforced by the domain name allocation
   system.

3. Entity ID SHOULD be the Well Known Location (WKL), i.e. the
   URL from which the metadata can be fetched.

4. Providing metadata by URL, ideally by the Entity ID, SHOULD
   always be enabled. This greatly facilitates configuration.

5. <KeyDescriptor> elements should have the ~use~ XML attribute
   ("signing" or "encryption"), so that the peer knows which key
   to verify signatures with and which one to encrypt to.

6. After you get an installation to work, be sure to review whether
   the default configuration is appropriate for production use

   a. Decide whether you want to run open federation, see the MD_FETCH
      config option (default: 1=open federation)
   b. Prune your Circle of Trust. Use the zxcot(8) tool to list who you
      trust and delete the misfits.
   c. Check the validity time tolerances you accept: BEFORE_SLOP
      and AFTER_SLOP. The defaults are rather generous for
      production use.
   d. Review that you did not turn off any signature
      validation just to get it to work (SIG_FATAL=0, NOSIG_FATAL=0
      and similar config options). All signature
      validations are there for a reason and you should not
      go to production if any of them fail.
   e. Check permissions on /var/zxid/pem and think whether
      your private keys, including the web server SSL one,
      are protected. Could they have been compromised
      during the trial period? If in doubt, generate new keys
      and re-exchange metadata before going live.
   f. Check that your public image is conveyed right in your metadata,
      e.g. NICE_NAME, ORG_NAME, ORG_URL, and FEDUSERNAME_SUFFIX (if
      used, generally only on IdP). However, be forewarned
      that changing these at the last minute changes your metadata and you may
      need to engage in an additional round of metadata exchanges
      when you go to production.
   g. Make sure you have a solution in place to keep your audit trail
      in case you ever have to go to court. See zxid-log.pd for
      details. You may also want to think about encrypting or deleting some
      items after a while to reduce your liability for breaches.

97.15 Cardspace / Infocard / DigitalMe Tutorial
-----------------------------------------------

N.B. zxid.org does not yet support Infocard, but since we
are starting the investigation, we thought to share
some of it in the next sections...

97.15.1 Installing DigitalMe and Firefox plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DigitalMe by the Bandit project is an open source Infocard
implementation, providing functionality roughly similar to
CardSpace. You can download it from

  http://www.bandit-project.org/index.php/Digital_Me

To unpack the RPM without installing it:

  rpm2cpio digitalme-0.4.1238-2.1.i586.rpm | cpio -di

97.15.2 Setting up IdP account
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For one InfoCard aware IdP, please see: http://www.cdatazone.org/index.php?/archives/27-Managed-Infocard-Demo.html

1. Register at the IdP site (e.g. https://www.ctindustries.net/icard/index.php)
2. Download the card ("Retrieve Managed Card" link; saved as "cdatamanaged.crd" by default).
3. Install the card to DigitalMe

97.15.3 Yubikey Support
~~~~~~~~~~~~~~~~~~~~~~~

ZXID supports the yubikey USB One Time Password (OTP) tokens from yubico.com.
The token should be personalized such that the prefix of the ticket is the
UID and the remainder is the ticket proper. The AES128 shared secret in hex is
stored in the UID/.yk file (the .yk file inside the user's directory). See also zxid-log.pd for description.
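
As an added example (not ZXID code), the following Python sketches the provisioning and lookup side of this scheme: it checks that a planned user name is a legal modhex UID prefix, generates the 128-bit shared secret, writes it as 32 hex digits to UID/.yk with owner-only permissions, refuses to load a .yk file that is readable by others, and splits an incoming OTP string into the UID prefix and the 32-character ticket proper. The user directory root (/var/zxid/idpuid here) and the exact ykpersonalize flags are assumptions to be checked against your installation and ykpersonalize(1); the AES decryption, CRC and counter checks ZXID performs on the ticket are not part of this example.

```python
"""Yubikey OTP provisioning helpers for the UID-prefix + UID/.yk layout.
Added example, not ZXID code. Assumptions (not from the ZXID docs): the user
directory root and the ykpersonalize flags in the printed command."""
import os
import re
import secrets

MODHEX = "cbdefghijklnrtuv"      # Yubikey modhex alphabet: 'c' = 0 ... 'v' = 15
TICKET_LEN = 32                    # encrypted ticket = 16 AES bytes = 32 modhex chars
DEFAULT_BASE = "/var/zxid/idpuid"  # assumed location of per-user directories
_MODHEX_RE = re.compile(r"^[%s]+$" % MODHEX)
_HEXKEY_RE = re.compile(r"^[0-9a-f]{32}$")


def modhex_decode(s):
    """Decode a modhex string to bytes; raises ValueError on any other character."""
    if not _MODHEX_RE.match(s) or len(s) % 2:
        raise ValueError("not modhex: %r" % s)
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(otp):
    """Return (uid, ticket): the fixed public prefix is everything before the
    last 32 modhex characters (a token emits 0-16 prefix characters)."""
    otp = otp.strip()
    if len(otp) <= TICKET_LEN or not _MODHEX_RE.match(otp):
        raise ValueError("OTP must be modhex and longer than the 32 char ticket")
    uid, ticket = otp[:-TICKET_LEN], otp[-TICKET_LEN:]
    if len(uid) > 16:
        raise ValueError("UID prefix longer than 16 modhex chars")
    return uid, ticket


def yk_path(base, uid):
    """Path of the .yk file for UID. The modhex check also keeps '/', '.' and
    friends out of the path, so an attacker-chosen OTP prefix cannot escape base."""
    if not _MODHEX_RE.match(uid) or len(uid) > 16:
        raise ValueError("UID must be 1-16 modhex chars: %r" % uid)
    return os.path.join(base, uid, ".yk")


def provision(base, uid):
    """Create base/UID/.yk holding a fresh 128-bit key as 32 hex digits (mode 0600)
    and return (key_hex, ykpersonalize command) for programming the token."""
    path = yk_path(base, uid)
    key_hex = secrets.token_hex(16)
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    # O_EXCL: never silently overwrite an existing user's key; 0600 from the start
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_hex)
    # assumed flags: -ofixed = public (modhex) prefix, -a = AES key in hex
    cmd = "ykpersonalize -1 -ofixed=%s -a%s" % (uid, key_hex)
    return key_hex, cmd


def load_key(base, uid):
    """Read the shared secret for UID; refuse loose permissions or malformed content."""
    path = yk_path(base, uid)
    if os.stat(path).st_mode & 0o077:
        raise PermissionError("%s is group/world accessible; the AES key is in the clear" % path)
    with open(path) as f:
        key_hex = f.read().strip().lower()
    if not _HEXKEY_RE.match(key_hex):
        raise ValueError("%s must contain exactly 32 hex digits" % path)
    return bytes.fromhex(key_hex)


def lookup_otp(base, otp):
    """Split an incoming OTP and fetch the matching key. The caller then AES-128
    decrypts the 16 ticket bytes with it and verifies CRC and counters (not shown)."""
    uid, ticket = split_otp(otp)
    return uid, modhex_decode(ticket), load_key(base, uid)


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()                      # stand-in for DEFAULT_BASE
    key_hex, cmd = provision(base, "cccccccccccb")
    print("program the token with:", cmd)
    print(lookup_otp(base, "cccccccccccb" + "v" * 32))
```

Because the .yk content is the raw AES key, load_key() treats a group- or world-readable file as a hard error rather than a warning; a validator that keeps working on a leaked key is worse than one that refuses.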
2557 2558You would typically plan the user names, taking in account the yubikey modhex 2559restrictions, and then use ykpersonalize to create thephysical tokens. At the 2560same time you would generate and record the AES128 shared secrets to the .yk 2561files (and inside the yubikey USB tokens themselves, of course). 2562 2563The contents of the .yk file is 32 hexadecimal digits (ascii 0-9a-f) 2564representing 128 bits of key information. 2565 2566The value is not hashed, salted, or nonced, so it needs to be carefully 2567protected by the filesystem permissions. 2568 256997.16.9 Legal 2570~~~~~~~~~~~~~ 2571 2572Microsoft promises to not sue you: http://www.microsoft.com/interop/osp/default.mspx 2573 257497.17 Attributes 2575---------------- 2576 2577Q:: I want to read the attributes that come in the assertion. How do I do that? 2578 2579A:: You get attributes back as an LDIF entry as return value of zxid_simple() 2580 The attributes are also available by reparsing the assertion, which gets 2581 stored in /var/zxid/rely hierarchy. 2582 2583 /var/zxid/ses/SuzZQS5Ub/.ses file contains the path to the assertion file. 2584 2585Q:: In the zxid directory you store some users. What does the extension .mni stand for? 2586 Why is the info stored? I assume it is some sort of local cache. I would like 2587 to store the attributes there too. How do I do that? 2588 2589A:: The .mni file is used to support Manage NameID requests. In normal operation of ZXID 2590 it really is not needed, but to support some of the SAML conformance test requests 2591 it is needed. 2592 2593 Rather than store attributes in that directory, I'd suggest reparsing 2594 the assertion when you need them. But if you must, you could create a 2595 file of your own in that directory. 
We of course need a naming 2596 convention that prevents naming conflicts with future versions of 2597 ZXID: Your file extension should start by ".x-", for example: 2598 "attributes.x-attr" 2599 2600Q:: The ldif returned by zxid_simple() is perfect for my needs, but 2601 nothing is being stored in log/rely directory. Could be some 2602 configuration issue? Also, can I have zxid automatically store the 2603 ldif file returned zxid_simple()? 2604 2605A:: The log/rely should be populated by default, but if the directory 2606 structure itself is missing, may be it does not work. Try make dirs. 2607 Or check that web server user's permissions allow writing there. 2608 2609A:: Re ldif cached: the logic is supposed to be that the zxid_simple() will 2610 be called to protect every page, therefore its return value is available 2611 on every page. 2612 2613 If you do not call it every time, but instead bootstrap some sort of 2614 app specific session, then you would store the LDIF (or the attributes 2615 parsed out of it) to that app specific session. 2616 261797.17 SOAP Binding 2618------------------ 2619 262097.17.1 Axis2 wants wsa:Action header 2621~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2622 2623The recommended course of action is to change Axis2 config such that it does not 2624require wsa:Action header. All the necessary information for dispatch of 2625the SOAP message is already available on the top child element of SOAP Body element. 2626 2627HTTP Action header and the wsa:Action SOAP header are historical design errors 2628as they effectively duplicate information from the top child of the Body. Exactly 2629how this duplication is to be done is poorly specified and great source of 2630interoperability problems. 2631 2632Please point me to a specification document (with line number or section reference) 2633where wsa:Action is specified as mandatory. 
Remember that Axis2 is just an implementation 2634and just because Axis2 happens to want it, does not make it required by any standard. 2635If you can show it to be mandatory, then point me to document that specifies what 2636the proper value would be. 2637 2638Historically many web service specs have been silent on the value of wsa:Action as 2639they were designed not to use wsa:Action. When people the try to use wsa:Action, 2640they end up inventing the value themselves and, voila, you have an interoperability 2641mess. 2642 2643If you really want to have a wsa:Action header, you can generate one yourself: 2644 2645 zxid_call(...,"<e:Envelope><e:Header><a:Action>...</a:Action></e:Header> 2646 <e:Body>...</e:Body></e:Envelope>", ...) 2647 2648In other words, the zxid_call() family of functions will accept full SOAP envelope if 2649you give it one. It will then add the TAS3 specific headers to it, but it will preserve 2650the headers you supplied as long as there is no conflict. 2651 265298 Support 2653========== 2654 265598.1 Mailing list and forums 2656---------------------------- 2657 2658* Official ZXID mailing list is zxid.user@lists.unh.edu 2659* The archives can be seen at http://listproc.unh.edu/archives/zxid.user 2660 266198.2 Bugs 2662--------- 2663 2664Mail the author or mailing list until we get bug tracking set up. Or volunteer. 2665 266698.3 Developer access 2667--------------------- 2668 2669We use +git+ for source code. Anonymous access is available 2670 2671 git clone git://zxid.org/zxid # Main ZXID source 2672 git clone git://zxid.org/pd # Plaindoc (pd2tex) and xsd2sg.pl tools 2673 2674Commit access needs to be manually configured and is not 2675anonymous. If you contribute significantly, please write the author. Others 2676can send patches (good way to show you are worthy of git commit access) 2677to me. I've heard some mixed experiences about open source 2678sites like sourceforge. 
If you run such a site and want to
host the ZXID Project, please contact me.

If you just always want the latest source: get the tar ball from
the downloads section of the web site (zxid.org).

98.9 Commercial Support
-----------------------

The following companies provide consultancy and support contracts for
ZXID:

* symlabs.com
* Mercnet, Lda.
* Levelview, Lda.


<<ignore:

Tutorial: http://simplesamlphp.org/docs/1.6/simplesamlphp-sp

https://openidp.feide.no/simplesaml/module.php/core/loginuserpass.php?AuthState=_d165e5c0c137e655159f87fae7ea8223462b087b45


Kantara Initiative project web site (confluence) accepts TAS3 IdP authentication.

This means that you can use your Yubikey or other credentials you may have
at idp.tas3.eu to login. Here's how it works:

1. Start from http://kantarainitiative.org/confluence/dashboard.action

2. Click the "Log In" link in the top right of that page.

3. On the "Select Your Home Organization" screen choose "TAS3 IdP" from
   the popup and click Select.

4. You will now land on the TAS3 IdP authentication screen. Use your Yubikey or
   username and password to login.

5. You will see a post screen taking you back to the KI web site. You are now
   logged in. Your pseudonymous username will appear in the top right
   of that page. It is something like this

   fc5y3apqom8upyicon7g6qztx@idp.tas3.eu

6. Click on the username and choose "Profile" to edit the screen name
   to be nicer to users (in the internal database the pseudonym
   continues to be used so you do not need to worry about the
   screen name being acceptable, e.g. duplicate).

7. Once you have your federation enabled Kantara account, you can use
   it to join Kantara Work Groups. Their policy is that you do not have
   to be a Kantara member to login to the site and see the public part
   of their work.
However, to contribute to their work you need to
be a member (mainly for IPR reasons - to ensure free to implement and use).
This is done by "elevating" the status of your federated login. It is
done by Kantara, not by idp.tas3.eu

Cheers,
--Sampo



Shawn O'Connor <soconnor@falconknight.com> said:
> Any ideas? Thanks!

What was being attempted?

What was the ZXID version and what was the counterpart
software and version?

If this was an SSO attempt, then I would
be inclined to believe the error message, more below.

> -Shawn
>
> Begin forwarded message:
>
> 
> From: Denis Shaposhnikov <dsh@falconknight.com>
> > Date: May 25, 2012 11:05:52 AM PDT
> > To: Shawn O'Connor <soconnor@falconknight.com>
> > Subject: Re: Fwd: Test
> >
> > On 25/05/12 20:01, Shawn O'Connor wrote:
> >
> >> Did it work?
> >
> > I see the next error messages:
> >
> > p79064 zxidmeta.c:127 zxid_mk_ent zx E ssof: Metadata did not have any certificates! Incomplete metadata? 0
> >

Have you checked

A. Is there metadata for the IdP in the /var/zxid/cot directory? (Directory
   may vary due to your configuration.)
   - If not: perhaps some firewalling or name resolution problem is
     preventing the metadata from being fetched - or perhaps the IdP
     in the remote end does not support metadata fetch using the Well Known
     Location method?
   - If you suspect any of the above, please attempt manual metadata
     exchange (try running zxcot -h for a brief summary)
B. If the metadata is there, does it actually have certs? If not, ask the
   remote IdP to produce metadata that has certs. It may well be a
   configuration error in their end.
C. If the metadata fetching is working OK, but the permissions in
   /var/zxid/cot are not allowing the SP to write the metadata (or more
   rarely read metadata that was already written), you could get error
   messages of this nature.

> > p79064 zxsig.c:317 zxsig_validate zx E ssof: No certificate supplied. Only hashes (and hence canonicalization) verified. 0
> > p79064 zxidsso.c:400 zxid_sigres_map zx E ssof: Bad cert. 5
> > p79064 zxidsso.c:677 zxid_sp_sso_finalize zx E ssof: Fail SSO due to failed signature sigres=5

Presumably the message was signed, but if there is no certificate
to validate the signature against, it will fail. There are ways to configure
ZXID to ignore this problem, but they should not be used in a production
deployment.

> > p79064 zxidsso.c:732 zxid_sp_sso_finalize zx E ssof: SSO fail (P)
> > p79064 zxidspx.c:110 zxid_sp_dispatch zx d ret=0 ses=0x7fffffffe200
> > p79064 zxidspx.c:117 zxid_sp_dispatch zx d *** FAIL, should send back to IdP select 0
> >
> > I don't know what it means. Should I ask on the zxid's forum?

I think it means what it says, but before you ask the ZXID forum, you should
make a more complete investigation on the IdP metadata.

Cheers,
--Sampo


>>

<<ignore:

Karthik Sudarshan <ksudarshan@xtivia.com> said:
> Hi all,
> I have downloaded the latest version of zxid (1.16) and compiled

Rest of the list: sorry folks, I did not announce it, but there is a
new release available :-)

There will be another before Christmas.

> against Apache 2.2 on Ubuntu to get the mod_auth_saml.so. I have
> registered an IDP in my COT using the zxcot utility. I can see that in my
> dropdown list on the IDP selection page as well.
>
> I want to be able to bypass the IDP selection page and directly go to the
> IDP login page. For that I used the DEFAULTQS configuration option and it
> does not seem to work.
>
> My option in the apache conf file for the <Location> is as below:
>
> DEFAULTQS=10https://<hostname>/<path>/metadata.xml

The correct syntax is the query string syntax as if a form
had been submitted. Try the following

    DEFAULTQS=l0https://<host>/<path>/idp.xml=1%26fp=1

Please note

1. The l0... stuff must end with "=1"

2. If there are any other fields you would like to pass, you need
   to include them in the query string, but you need to URI escape
   characters, such as ampersand ("&") with %26 (percent 26).

3.
   One other field in particular that you may want to pass is
   fr (aka RelayState) which will control the redirection
   after SSO if you have configured REDIR_TO_CONTENT=1

Cheers,
--Sampo

> I tried to give this in the zxid.conf file as well, and that didn't work
> either.
>
> Can someone please suggest how to set this configuration correctly?
>
> Regards,
> Karthik

>>

<<ignore:

From: <sampo@hig.no>
To: <kyfranke@hig.no>
Cc: <sampo@hig.no>, <luk@synergetics.be>, <kgreene@cellmail.com>
Date: Tue, 3 Dec 2013 20:34:18 +0000 -- arrived: Ti 3.12. 20h34 -- 5.98K
Subject: Re: Fwd: Multi-use SSL certificates: More flexibility with Internet security
Katrin Franke <katrin.franke@hig.no> said:
> You know this all?

What is there to know (do not expect me to read the links - I do not do
this for Luk and I do not do it for you unless it seems exceptionally
relevant)?

Wildcard certs are a technique where several web sites share
a certificate, and consequently the private key.

Sharing a private key increases exposure and the chances of private key
compromise. As a very minor additional threat, if the private key
is compromised, any number of bogus domains can be generated
under the compromised wildcard cert (subject to DNS level safeguards).

The increased exposure may not be as bad as it sounds, as
many or even all of the sites that are wildcarded may be
virtualhosted off a single server, thus rendering the private
key compromise threat equivalent to single server cert compromise.

Or even if not a single server, the servers may be under competent
administration by the same authority.
For example, if I choose to
put two sites, that I otherwise might virtualhost, on different
servers, but I continue to apply the same security and sysadmin
regime on both servers, then the security has not significantly
deteriorated when compared to the virtualhosting on a single server case.

Depending on the competence of the sysadmin at the virtualhosting provider,
I would assess that CA compromise is a bigger threat. Diginotar of Belgium
even got caught with pants down on this, but the problem is much
more widespread.

The Snowden revelations confirmed what I had been preaching for
years: NSA will compromise the CAs. Thus the matter of wildcard certs
has to be put in the perspective of the CA providers themselves
being compromised.

Net/net: no security hole that was not previously known
and no need to change ZXID (or Syn e2eTA) code. Additional mention
of this threat in the manuals may be warranted, but is not urgent.

Nothing new under the sun.

Cheers,
--Sampo

P.S. On second reading it seems they try to sell multiuse
certs: IMHO, all certs should be multiuse, and technically
they can be if parties agree to ignore the restriction
attribute fields in the certs. They are just trying to
sell as a feature the fact that savvy people have already
bypassed their business model.

>>

<<ignore:



>>
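The dispatch point made in 97.17.1 above (the top child of the SOAP Body already identifies the operation, so a wsa:Action header adds nothing a receiver needs), shown in code. This is an added example and not ZXID code: it does not call zxid_call() and uses a deliberately simple tag scan rather than an XML parser. The two envelopes are constructed for the illustration; the SOAP 1.1 and WS-Addressing namespace URIs are real, while the q:Query element and urn:example values are made up.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not ZXID code: a simple tag scan (no XML parser) showing
 * that the first child of soap:Body is enough to dispatch a SOAP message,
 * with or without a wsa:Action header in soap:Header. */

/* Two constructed envelopes.  q:Query and urn:example are made up. */
static const char ENV_WITH_ACTION[] =
    "<e:Envelope xmlns:e=\"http://schemas.xmlsoap.org/soap/envelope/\""
    " xmlns:a=\"http://www.w3.org/2005/08/addressing\">"
    "<e:Header><a:Action>urn:example:Query</a:Action></e:Header>"
    "<e:Body><q:Query xmlns:q=\"urn:example\"/></e:Body></e:Envelope>";

static const char ENV_NO_ACTION[] =
    "<e:Envelope xmlns:e=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<e:Body>\n  <q:Query xmlns:q=\"urn:example\">...</q:Query>\n</e:Body>"
    "</e:Envelope>";

/* Return a pointer to the '<' of the first start tag whose local name (the
 * part after an optional "prefix:") equals `local`, or NULL if none.
 * End tags, processing instructions and comments are skipped. */
static const char* find_start_tag(const char* xml, const char* local)
{
    size_t n = strlen(local);
    const char* p = xml;
    while ((p = strchr(p, '<')) != NULL) {
        const char* q = p + 1;
        const char* c;
        if (*q == '/' || *q == '?' || *q == '!') { ++p; continue; }
        c = q;
        while (*c && *c != ':' && *c != '>' && *c != '/' && !isspace((unsigned char)*c))
            ++c;
        if (*c == ':')
            q = c + 1;                      /* skip the namespace prefix */
        if (strncmp(q, local, n) == 0 &&
            (q[n] == '>' || q[n] == '/' || isspace((unsigned char)q[n])))
            return p;
        ++p;
    }
    return NULL;
}

/* Copy the qualified name of the first child element of soap:Body into
 * `out`; that element is what a dispatcher needs to pick the operation.
 * Returns 1 on success, 0 if there is no Body or the Body is empty. */
int soap_dispatch_name(const char* env, char* out, size_t outsz)
{
    const char* body = find_start_tag(env, "Body");
    const char* p;
    size_t i = 0;
    if (body == NULL || (p = strchr(body, '>')) == NULL)
        return 0;
    ++p;
    while (isspace((unsigned char)*p))
        ++p;
    if (*p != '<' || p[1] == '/')           /* empty Body: nothing to dispatch on */
        return 0;
    ++p;
    while (*p && *p != '>' && *p != '/' && !isspace((unsigned char)*p) && i + 1 < outsz)
        out[i++] = *p++;
    out[i] = '\0';
    return i > 0;
}

/* 1 if an element with local name "Action" (e.g. wsa:Action) appears
 * before the Body start tag, i.e. in the Header; 0 otherwise. */
int soap_has_action_header(const char* env)
{
    const char* body = find_start_tag(env, "Body");
    const char* act = find_start_tag(env, "Action");
    return act != NULL && (body == NULL || act < body);
}

int main(void)
{
    const char* envs[] = { ENV_WITH_ACTION, ENV_NO_ACTION };
    char name[64];
    int i;
    for (i = 0; i < 2; ++i) {
        if (soap_dispatch_name(envs[i], name, sizeof name))
            printf("dispatch on Body child <%s>; wsa:Action header %s\n", name,
                   soap_has_action_header(envs[i]) ? "present" : "absent");
        else
            printf("envelope %d: no dispatchable Body child\n", i);
    }
    return 0;
}
```

Both envelopes dispatch on the same Body child; the second carries no Action header at all, which is the case the Axis2 configuration in the text should tolerate. A real receiver would still parse the envelope with a proper XML parser, and if a wsa:Action header is supplied, compare it against the Body child rather than trusting the header on its own.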