The conformance requirements for a SAML2 server are spelled out in http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf.
Ipsilon is initially targeting the IdP-Lite operational mode.
| Profile / binding | Requirement | Ipsilon |
|---|---|---|
| Web SSO, `<AuthnRequest>`, HTTP redirect | MUST | Yes |
| Web SSO, `<Response>`, HTTP POST | MUST | Yes |
| Web SSO, `<Response>`, HTTP artifact | MUST | Yes |
| Artifact Resolution, SOAP | MUST | ? |
| Enhanced Client/Proxy SSO, PAOS | MUST | WIP |
| Name Identifier Management, HTTP redirect (IdP-initiated) | MUST NOT | - |
| Name Identifier Management, SOAP (IdP-initiated) | MUST NOT | - |
| Name Identifier Management, HTTP redirect | MUST NOT | - |
| Name Identifier Management, SOAP (SP-initiated) | MUST NOT | - |
| Single Logout (IdP-initiated), HTTP redirect | MUST | Yes |
| Single Logout (IdP-initiated), SOAP | OPTIONAL | No |
| Single Logout (SP-initiated), HTTP redirect | MUST | Yes |
| Single Logout (SP-initiated), SOAP | OPTIONAL | No |
| Identity Provider Discovery (cookie) | MUST | No |
XML Signature Algorithms
Signature algorithms are provided via libxmlsec1 through lasso.
| Algorithm | Supported |
|---|---|
| XML Canonicalization: Canonical XML (without comments) | Yes |
XML Encryption Algorithms
Encryption algorithms are provided via libxmlsec1 through lasso.
Use of SSL 3.0 or TLS 1.0
SSL/TLS is used to protect communication between a client and the IdP. The IdP requires a secure connection, and the client is expected to verify the trust chain of the IdP certificate and validate that the hostname matches per RFC 2618.
- Use of SSL 3.0 is not desirable due to POODLE and should be disabled by default.
- The cipher suite that TLS 1.0 conformance requires, TLS_RSA_WITH_3DES_EDE_CBC_SHA, is vulnerable to BEAST when used with TLS 1.0. It is OK in TLS 1.1 and 1.2.
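The client-side half of the policy above, as an added example that is not part of the Ipsilon page or project: a Python client context that refuses SSL 3.0 and TLS 1.0, requires a trusted certificate, and checks the hostname before it will fetch the IdP metadata. The metadata URL is an assumption, and the TLS 1.2 floor is this example's choice (the page only says TLS 1.1 and 1.2 are acceptable for the 3DES suite).

```python
import ssl
import urllib.request

# Hypothetical IdP metadata URL; host and path are assumptions for this example.
IDP_METADATA_URL = "https://ipsilon.example.com/idp/saml2/metadata"


def make_idp_client_context(cafile=None):
    """Client TLS context that enforces the page's requirements.

    - the IdP certificate must chain to a trusted CA (system store, or `cafile`)
    - the certificate must match the host name being contacted
    - SSL 3.0 is never negotiated (POODLE)
    - TLS 1.0 is never negotiated, so the mandatory 3DES suite can only be
      used in a version where BEAST does not apply; TLS 1.2 is the floor here
    """
    # create_default_context() already sets CERT_REQUIRED and check_hostname
    # and loads the trust store; the assignments below make the policy explicit.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # host name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # untrusted IdP certificate -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """Plain-value summary of the settings a reviewer would want to check."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def fetch_idp_metadata(url=IDP_METADATA_URL, cafile=None, timeout=10):
    """Fetch the IdP metadata over a connection that meets the policy above.

    A server that only offers SSL 3.0 / TLS 1.0, presents an untrusted
    certificate, or whose certificate does not match the host name makes
    urlopen() raise ssl.SSLError / ssl.SSLCertVerificationError instead of
    returning data, so a misconfigured IdP is caught before any SAML is parsed.
    """
    ctx = make_idp_client_context(cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print(describe_context(make_idp_client_context()))
```

`fetch_idp_metadata()` needs network access to a real IdP; `describe_context()` lets the policy be checked offline, which is the part worth asserting in a test.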
Tested with Service Providers
Testing consists mostly of installing and configuring the SP, adding its metadata to Ipsilon, and performing a basic login and logout.
SimpleSAMLphp is a native PHP application that provides SAML2 authentication and can operate as both an IdP and an SP.
It has been tested as an SP and works for simple login and logout using the following configuration in metadata/saml20-idp-remote.php:
```php
$metadata['https://ipsilon.example.com/idp/saml2/metadata'] = array(
    'name' => array(
        'en' => 'Ipsilon',
    ),
    'redirect.sign' => TRUE,
    'description' => 'Ipsilon IdP.',
    'SingleSignOnService' => 'https://ipsilon.example.com/idp/saml2/SSO/Redirect',
    'SingleLogoutService' => 'https://ipsilon.example.com/idp/saml2/SLO/Redirect',
    'certFingerprint' => '1B:74:51:D1:46:C0:29:E1:51:C7:82:F6:6B:29:00:4F:36:E4:12:28',
);
```
The fingerprint of the IdP certificate can be generated on the IdP server with:
```shell
# openssl x509 -fingerprint -in /var/lib/ipsilon/idp/saml2/idp.pem -noout
```
For the SP I generated a certificate using the sample and added it to default-sp in config/authsources.php:
```php
'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    ...
```
The metadata URL to use for this sample SP when adding it to Ipsilon is https://sptest.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
If signature validation is required, set these in the IdP metadata entry in metadata/saml20-idp-remote.php:
```php
'redirect.validate' => TRUE,
'certificate' => 'idp.pem',
```
Then get a copy of /var/lib/ipsilon/saml2/idp.pem from the IdP server and drop it into cert/idp.pem on the SP.
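The `certFingerprint` pin and the copied cert/idp.pem are only worth something if the SP operator checks that what was pasted matches the IdP's actual certificate. The following is an added example, not code from the Ipsilon page or the SimpleSAMLphp project: it computes the SHA-1 fingerprint of a PEM certificate the same way `openssl x509 -fingerprint` does (SHA-1 over the DER bytes), parses the `Fingerprint=` line that command prints, and compares the two case- and separator-insensitively. `SAMPLE_PEM` is a constructed stand-in whose DER payload is the three bytes `abc`, not a real certificate; point `pem_fingerprint()` at cert/idp.pem for the real check.

```python
import base64
import hashlib
import re

# Constructed PEM block: the base64 body decodes to b"abc", so the "certificate"
# is not parseable as X.509, but the fingerprint is defined purely as SHA-1 over
# the DER bytes between the markers, which is exactly what openssl hashes.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)
# Matches "SHA1 Fingerprint=AA:BB:..." as well as a bare "Fingerprint=..." line.
_OPENSSL_LINE = re.compile(r"^(?:\w+ )?Fingerprint=([0-9A-Fa-f:]+)$")


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-1 over DER, rendered as the colon-separated uppercase hex
    form that SimpleSAMLphp's certFingerprint option and openssl both use."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str) -> str:
    return fingerprint(pem_to_der(pem))


def parse_openssl_fingerprint(line: str) -> str:
    """Extract the fingerprint from the line `openssl x509 -fingerprint` prints."""
    m = _OPENSSL_LINE.match(line.strip())
    if not m:
        raise ValueError("not an openssl fingerprint line: %r" % line)
    return m.group(1).upper()


def normalize(fp: str) -> str:
    """Drop separators and case so 'a9:99:3e' and 'A9993E' compare equal."""
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(hexonly) != 40:
        raise ValueError("expected 20 bytes of SHA-1 fingerprint, got %r" % fp)
    return hexonly


def fingerprint_matches(expected: str, pem: str) -> bool:
    """True if the pinned fingerprint matches the certificate in `pem`."""
    return normalize(expected) == normalize(pem_fingerprint(pem))


if __name__ == "__main__":
    print(pem_fingerprint(SAMPLE_PEM))
```

A mismatch here means either the wrong certificate was copied to cert/idp.pem or the IdP key was rotated after the pin was written; in both cases SimpleSAMLphp would reject the IdP's signed responses, so checking before deploying saves a confusing login failure.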
Tested Shibboleth SP version 2.5.5.
I configured Apache like this:
```apache
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

<Location /secure>
    AuthType Shibboleth
    ShibRequireSession On
    require valid-user
</Location>
```
I configured the IdP like this in shibboleth2.xml:
```xml
<SSO entityID="https://ipsilon.example.com/idp/saml2/metadata">
    SAML2
</SSO>
...
<MetadataProvider type="XML" uri="https://ipsilon.example.com/idp/saml2/metadata"
                  backingFilePath="/etc/shibboleth/ipsilon.xml" reloadInterval="7200">
</MetadataProvider>
```
I only tested the auto-generated metadata, with signing both enabled and disabled.
I tested the Keycloak 1.5.0 demo from http://keycloak.jboss.org/keycloak/downloads.html. The demo comes pre-configured and is the recommended way of kicking the tires according to the Keycloak team.
I followed the top-level instructions for the preconfigured-demo, then went up a directory and deployed the SAML examples.
The test user is bburke. I didn't bother to look up the default password and just reset it myself in the admin console.
The biggest problem was that the SP metadata lacked namespace information. I filed https://issues.jboss.org/browse/KEYCLOAK-1954 and it has been reported as fixed in 1.6. I was able to manually add the namespaces to continue testing. I had to disable signing for this to work.
Create the SP in Keycloak UI:
Configure -> Identity Providers -> Add Provider -> SAML 2.0
I used the importer with https://idp.example.com/idp/saml2/metadata
It didn't pick up the SLO URI, so I provided it manually: https://idp.example.com/idp/saml2/SLO/POST
To get the SP metadata, view the provider and select the Export tab.
I was able to test login OK but was always shown a 403 Forbidden error from Wildfly. I'm chalking this up to my lack of knowledge of Java containers. As far as I can tell the SAML part is working just fine.