wiki:SAML2_Conformance
Last modified on 11/23/15 18:51:46

The conformance requirements for a SAML2 server are spelled out in http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf.

Ipsilon is initially targeting the IdP-Lite operational mode.

IdP-Lite conformance

Feature                                                     | IdP Lite | Ipsilon
------------------------------------------------------------|----------|--------
Web SSO, <AuthnRequest>, HTTP redirect                      | MUST     | Yes
Web SSO, <Response>, HTTP POST                              | MUST     | Yes
Web SSO, <Response>, HTTP artifact                          | MUST     | Yes
Artifact Resolution, SOAP                                   | MUST     | ?
Enhanced Client/Proxy SSO, PAOS                             | MUST     | WIP
Name Identifier Management, HTTP redirect (IdP-initiated)   | MUST NOT | -
Name Identifier Management, SOAP (IdP-initiated)            | MUST NOT | -
Name Identifier Management, HTTP redirect                   | MUST NOT | -
Name Identifier Management, SOAP (SP-initiated)             | MUST NOT | -
Single Logout (IdP-initiated) – HTTP redirect               | MUST     | Yes
Single Logout (IdP-initiated) – SOAP                        | OPTIONAL | No
Single Logout (SP-initiated) – HTTP redirect                | MUST     | Yes
Single Logout (SP-initiated) – SOAP                         | OPTIONAL | No
Identity Provider Discovery (cookie)                        | MUST     | No

XML Signature Algorithms

Signature algorithms are provided via libxmlsec1 through lasso.

Type                                                   | Supported
-------------------------------------------------------|----------
Digest: SHA1                                           | Yes
MAC: HMAC-SHA1                                         | Yes
XML Canonicalization: CanonicalXML (without comments)  | Yes
Transform                                              | Yes
Signature: RSAwithSHA1                                 | Yes

XML Encryption Algorithms

Encryption algorithms are provided via libxmlsec1 through lasso.

Type        | Supported
------------|----------
TRIPLE DES  | Yes
AES-128     | Yes
AES-256     | Yes
RSA-v1.5    | Yes
RSA-OAEP    | Yes

https://www.aleksey.com/xmlsec/xmlenc.html

Use of SSL 3.0 or TLS 1.0

SSL/TLS is used to protect communication between a client and the IdP. The IdP requires a secure connection, and the client is expected to verify that the certificate chains to a trusted CA and that the hostname matches per RFC2618.

  • Use of SSL 3.0 is not desirable due to POODLE and should be disabled by default.
  • The required TLS 1.0 cipher, TLS_RSA_WITH_3DES_EDE_CBC_SHA, is vulnerable to BEAST in TLS 1.0. It is OK in TLS 1.1 and 1.2.

Tested with Service Providers

Testing consists mostly of installing and configuring the SP, adding its metadata to Ipsilon, and performing a basic login and logout.

SimpleSAMLphp

SimpleSAMLphp is a native PHP application that provides SAML2 authentication and can operate as both an IdP and an SP.

It has been tested as an SP and works for simple login and logout using the following configuration in metadata/saml20-idp-remote.php:

$metadata['https://ipsilon.example.com/idp/saml2/metadata'] = array(
        'name' => array(
                'en' => 'Ipsilon',
        ),
        'redirect.sign'        => TRUE,
        'description'          => 'Ipsilon IdP.',
        'SingleSignOnService'  => 'https://ipsilon.example.com/idp/saml2/SSO/Redirect',
        'SingleLogoutService'  => 'https://ipsilon.example.com/idp/saml2/SLO/Redirect',
        'certFingerprint'      => '1B:74:51:D1:46:C0:29:E1:51:C7:82:F6:6B:29:00:4F:36:E4:12:28',
);

The fingerprint of the IdP can be generated with:

# openssl x509 -fingerprint -in /var/lib/ipsilon/idp/saml2/idp.pem -noout
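The certFingerprint value above is the SHA-1 digest of the IdP certificate's DER bytes, in the colon-separated form openssl prints. The following added example (not part of this wiki page or of Ipsilon/SimpleSAMLphp) computes that digest from a PEM file with only the Python standard library and checks it against a configured value, so an SP operator can confirm the pin before enabling it; the PEM payload is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: the base64 payload is NOT a real X.509 certificate.
# The fingerprint is just SHA-1 over the bytes inside the PEM envelope, so a
# placeholder payload is enough to exercise parsing and formatting.
SAMPLE_IDP_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-sample-DER-bytes-not-a-real-cert").decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block found in a PEM file."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]


def sha1_fingerprint(der):
    """Uppercase, colon-separated SHA-1 digest: the format that
    'openssl x509 -fingerprint' prints and that 'certFingerprint' expects."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Accept 'AB:CD', 'ab:cd' or 'abcd' spellings and compare on one form."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def idp_cert_matches(pem_text, configured_fingerprint):
    """True only if some certificate in the IdP PEM has the pinned fingerprint.
    A mismatch (or a malformed pin) means the SP must not trust assertions
    signed by that key; a truncated pin is rejected rather than prefix-matched."""
    want = normalize_fingerprint(configured_fingerprint)
    if len(want) != 40:  # SHA-1 is 20 bytes = 40 hex digits
        return False
    return any(
        normalize_fingerprint(sha1_fingerprint(der)) == want
        for der in pem_certificates(pem_text)
    )
```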

For the SP I generated a certificate using the sample and added it to default-sp in config/authsources.php:

    'default-sp' => array(
        'saml:SP',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
    ...

The metadata URL to use for this sample SP when adding it to Ipsilon is https://sptest.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp

If signature validation is required then set these in the IdP metadata entry in metadata/saml20-idp-remote.php:

        'redirect.validate'    => TRUE,
        'certificate'          => 'idp.pem',

Then get a copy of /var/lib/ipsilon/saml2/idp.pem from the IdP server and drop it into cert/idp.pem.

Shibboleth

Tested version 2.5.5.

I configured Apache like this:

LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

<Location /secure>
  AuthType Shibboleth
  ShibRequireSession On
  require valid-user
</Location>

I configured the IdP like this in shibboleth2.xml:

<SSO entityID="https://ipsilon.example.com/idp/saml2/metadata">
     SAML2
</SSO>
...
<MetadataProvider type="XML" uri="https://ipsilon.example.com/idp/saml2/metadata"
     backingFilePath="/etc/shibboleth/ipsilon.xml"
     reloadInterval="7200" >
</MetadataProvider>

I only tested the auto-generated metadata. I did test when signing was both true and false.

Keycloak

I tested the 1.5.0 demo from http://keycloak.jboss.org/keycloak/downloads.html. The demo comes pre-configured and is the recommended way of kicking the tires according to the Keycloak team.

I followed the top-level instructions for the preconfigured-demo, then went up a directory and deployed the saml examples.

The test user is bburke. I didn't bother to look up the default password and just reset it myself in the admin console.

The biggest problem is that the SP metadata lacked namespace information. I filed https://issues.jboss.org/browse/KEYCLOAK-1954 and it has been reported as fixed in 1.6. I was able to manually add the namespaces to continue testing. I had to disable signing for this to work.

Create the SP in Keycloak UI:

Configure -> Identity Providers -> Add Provider -> SAML 2.0

I used the importer, https://idp.example.com/idp/saml2/metadata

It didn't pick up the SLO uri so I provided that manually, https://idp.example.com/idp/saml2/SLO/POST

To get the SP metadata, view the provider and select the Export tab.

I was able to test login ok but was always shown a 403 Forbidden error from Wildfly. I'm chalking this up to my lack of knowledge of Java containers. As far as I can tell the SAML part is working just fine.