This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU gsasl".
http://git.savannah.gnu.org/cgit/gsasl.git/commit/?id=298bde65324cf4d4239774a97665f9e29000a6ed The branch, master has been updated via 298bde65324cf4d4239774a97665f9e29000a6ed (commit) from b346406b1056c4c0bf92d022c3fc9f0215a57eb8 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 298bde65324cf4d4239774a97665f9e29000a6ed Author: Simon Josefsson <[email protected]> Date: Wed Apr 18 11:02:27 2012 +0200 Add example flow. ----------------------------------------------------------------------- Summary of changes: examples/saml20/README | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 90 insertions(+), 0 deletions(-) diff --git a/examples/saml20/README b/examples/saml20/README index a2eb1e7..8cf7213 100644 --- a/examples/saml20/README +++ b/examples/saml20/README @@ -16,6 +16,29 @@ point of this example is just to proof that it works. This setup was tested with GNU SASL version 1.7.3. +There is one example SMTP server and some helper tools that implement +the actual SAML part: + + smtp-server-saml20.c: + + The actual SMTP server, based on ../smtp-server.c. It invokes + gsasl-saml20-request.c to generate the request, and then waits + for gsasl-saml20-sp.php to accept the SAML response. + + gsasl-saml20-request.c + + Given a Identity Provider identifier it generates a SAML Request + and prints a user redirect URL. This tool is invoked by + smtp-server-saml20.c. It uses Lasso as the SAML library. + + gsasl-saml20-sp.php: + + This is the SAML SP responsible for accepting SAML Responses. + Intended to be invoked via a webserver. + +These three tools communicate with each other using a simple +file-based IPC interface, normally placed below /tmp/gsasl-saml20/. + Install the SAML SP: The "gsasl-saml20-sp.php" script needs to be install so that it is 
@@ -99,6 +122,73 @@ Create SAML SP configuration: attributes use="signing" or use="encryption" respectively, so you need to modify the file slightly. +Here is the normal process: + +1) Start the example SMTP server "smtp-server-saml20", for example + when running it on the interop.josefsson.org server the following + is used: + + su -c "env LD_LIBRARY_PATH=/root/gsasl/lib/src/.libs PATH=$PATH:/root/gsasl/examples/saml20 nohup /root/gsasl/examples/saml20/smtp-server-saml20 2001 /etc/gsasl-saml20 /tmp/gsasl-saml20 /etc/gsasl-saml20/sp-metadata.xml /etc/gsasl-saml20/sp-key.pem /etc/gsasl-saml20/sp-crt.pem 2>&1 | logger -t saml20" www-data & + + For permission reasons, you should run the server under the same + user as the webserver runs gsasl-saml20-sp.php. + + The "gsasl-saml20" tool takes some parameters, the port, the + configuration directory, the IPC directory, and the metadata, key + and certificate for the SP. + +2) The smtp-server-saml20 receives incoming connections from clients. + The client sends the Identity Provider Identifier. You may use the + gsasl command line tool to act as a client. For example: + +jas@latte:~$ gsasl --smtp -m SAML20 interop.josefsson.org 2001Trying âinterop.josefsson.orgâ... +220 localhost ESMTP GNU SASL smtp-server +EHLO [127.0.0.1] +250-localhost +250 AUTH ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 SAML20 OPENID20 +EHLO [127.0.0.1] +250-localhost +250 AUTH ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 SAML20 OPENID20 +AUTH SAML20 +334 +Enter SAML authentication identifier (e.g. "http://example.org/"): + + At the prompt, you could type for example "openidp.feide.no". + +3) smtp-server-saml20 invokes "gsasl-saml20-request" to get the + redirect URL, which is also stored in this file: + + /tmp/gsasl-saml20/SESSIONID/redirect_url + + The SESSIONID will be unique for every SAML Request, it looks for + example like "_B6F098F6D17C63796A9DF3BB63EF58AA". 
+ +4) The server continue with the SMTP authentication process, the + output from the gsasl client looks like: + +biwsb3BlbmlkcC5mZWlkZS5ubw== +334 aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vL3NpbXBsZXNhbWwvc2FtbDIvaWRwL1NTT1NlcnZpY2UucGhwP1NBTUxSZXF1ZXN0PWZaRlBiNE13RE1XJTJGQ3NvZFFzdEthUVJJdEF5cDB2NVVZOXBobHltaXBzMFVraXdPM2ZidEIxU2R0a3N2UGp6N0p6OCUyRnA4ZzdhVmpSdTZONmdvOGUwSGxmblZUSXBrWkdlcXVZNWlpUUtkNEJNdGV3dXJpJTJGWSUyRk1nWk1acXB4c3R5UiUyRmtPc0VSd1RxaEZmRzJaVWJlMW5FVnJwSXFMbWZMVFJ3dFYzR3hLcXRvdlk2ajIycVJGQVh4WHNEaU1KJTJCUkFSOGd4QjYyQ2gxWGJwREMyZHdQYiUyRnhaOGh3bWJMRmcwZXlWZU9Wd2cxRGNUZFRST1lPTVVtMUFpYjBKV2hCN0NKU21LRG9qWVhSTXh6S25RNWZXOVdNTjlpUWFDTXpSRUslMkZTdG9FcG00eTBYQ0tNRG5iREVlSUVGeVZQUjU1TnpteCUyQjJTZVVBNnROOEs0UldrU3RBbTBQOUlBY3BUJTJGdEMzMDBLZjJMcHVkWFBBeWhiY3VkbHFMNUhnMTAzRjNQZEZURTNtJTJCblVlWXNWeWhBT2VJVlV1clBqUVh1ZnMzUyUyRkx6eiUyRjhmekh3JTNEJTNEJlNpZ0FsZz1odHRwJTNBJTJGJTJGd3d3LnczLm9yZyUyRjIwMDAlMkYwOSUyRnhtbGRzaWclMjNyc2Etc2hhMSZTaWduYXR1cmU9RU1hR3JERWZFZUlXeGJSUFREazZNUXllJTJGalF1cVVsY1p0bE9Ob0VnMkVSOUxwckU4UWhSbXdpMU02QzliMnNJbEU1b01PZXUzeCUyRlM1aWJiTlV3Y1ZwMk1lRTRlWnFWdm5xQThGZzklMkJhc2FHQTY4QVpRWWxxelNGZXJqdWljWkwwN2NWVkElMkZGRWsyWmJPcGdUdGZKbWg1dWtiUXY5VUROeHUwazlkWHY4ejQwVldsVDVSRUJHYjFkUVRFMEFFczNrQyUyQlZxR0ZkUVpHYmtJeGt3MVBZblVHTkQzJTJCUnZ1OFcyTENRTGE5ZDN1RGlTUllMekhvJTJGSGZKTnhuTVFjTVliMHV0dFNQNnp2bktqJTJCSGJRTGxERUNMemxpJTJCRkFuWUYxTDBpOXo0cFFSQUthVmRNYmNHaWFBZSUyRnVoZDAlMkJUQVVRZlJraGpDRWFoS1dYeXN5OEtualIlMkY5TThDZWNUMU4lMkJ1NFV4emhVM1BDcG1zVnNUVW9ZekxYUGxWRnBod2owb0l4S2JGQUd0bnF3TktieENTV2JaUk5RJTNEJTNE +Visit this URL to proceed with authentication: 
+https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZFPb4MwDMW%2FCsodQstKaQRItAyp0v5UY9phlymips0UkiwO3fbtB1SdtksvPjz7Jz8%2Fp8g7aVjRu6N6go8e0HlfnVTIpkZGequY5iiQKd4BMtewuri%2FY%2FMgZMZqpxstyR%2FkOsERwTqhFfG2ZUbe1nEVrpIqLmfLTRwtV3GxKqtovY6j22qRFAXxXsDiMJ%2BRAR8gxB62Ch1XbpDC2dwPb%2FxZ8hwmbLFg0eyVeOVwg1DcTdTROYOMUm1Aib0JWhB7CJSmKDojYXRMxzKnQ5fW9WMN9iQaCMzREK%2FStoEpm4y0XCKMDnbDEeIEFyVPR55Nzmx%2B2SeUA6tN8K4RWkStAm0P9IAcpT%2FtC300Kf2LpudXPAyhbcudlqL5Hg103F3PdFTE3m%2BnUeYsVyhAOeIVUurPjQXufs3S%2FLzz%2F8fzHw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=EMaGrDEfEeIWxbRPTDk6MQye%2FjQuqUlcZtlONoEg2ER9LprE8QhRmwi1M6C9b2sIlE5oMOeu3x%2FS5ibbNUwcVp2MeE4eZqVvnqA8Fg9%2BasaGA68AZQYlqzSFerjuicZL07cVVA%2FFEk2ZbOpgTtfJmh5ukbQv9UDNxu0k9dXv8z40VWlT5REBGb1dQTE0AEs3kC%2BVqGFdQZGbkIxkw1PYnUGND3%2BRvu8W2LCQLa9d3uDiSRYLzHo%2FHfJNxnMQcMYb0uttSP6zvnKj%2BHbQLlDECLzli%2BFAnYF1L0i9z4pQRAKaVdMbcGiaAe%2Fuhd0%2BTAUQfRkhjCEahKWXysy8KnjR%2F9M8CecT1N%2Bu4UxzhU3PCpmsVsTUoYzLXPlVFphwj0oIxKbFAGtnqwNKbxCSWbZRNQ%3D%3D +PQ== + +5) smtp-server-saml20 waits for one of the following files to appear: + + /tmp/gsasl-saml20/_B6F098F6D17C63796A9DF3BB63EF58AA/success + /tmp/gsasl-saml20/_B6F098F6D17C63796A9DF3BB63EF58AA/fail + +6) Meanwhile the user will receive the redirect URL over the SMTP + connection and will access the URL in his browser. Eventually, + after IdP approval, the browser will be redirected to the SP with + the SAML response. + +7) The gsasl-saml20-sp.php verify the SAML Response (using Lasso as + the SAML library) and writes files to the IPC store. + +8) smtp-server-saml20 notice that one of the IPC files is present and + proceeds by reading the files and returning success/fail to the + client as appropriate. 
+ ---------------------------------------------------------------------- Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright hooks/post-receive -- GNU gsasl
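Review bot: In the first hunk (@@ -16,6 +16,29 @@), the sentence "These three tools communicate with each other using a simple file-based IPC interface, normally placed below /tmp/gsasl-saml20/" should also say who creates that directory and with what owner and mode. The second hunk shows smtp-server-saml20 deciding the outcome of an authentication by waiting for /tmp/gsasl-saml20/SESSIONID/success or /fail to appear, so if the directory under /tmp is writable by other local users, any of them could create the success file. Suggest a line next to the existing "run the server under the same user as the webserver" advice, for example: "Create /tmp/gsasl-saml20 owned by the webserver user with mode 0700 before starting the server." Smaller points in the same hunk: "Given a Identity Provider identifier" should read "Given an Identity Provider identifier", and the "gsasl-saml20-request.c" entry is missing the trailing colon that the other two entries have.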
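Review bot: In the second hunk (@@ -99,6 +122,73 @@), step 1 says "The "gsasl-saml20" tool takes some parameters, the port, the configuration directory, the IPC directory, and the metadata, key and certificate for the SP", but the program whose arguments are being described is smtp-server-saml20 (the one in the su command line just above), and no tool named "gsasl-saml20" appears in the README; rename it. Step 5 hard-codes the example session in "/tmp/gsasl-saml20/_B6F098F6D17C63796A9DF3BB63EF58AA/success" while step 3 uses the "SESSIONID" placeholder for the same path; use the placeholder in both places. Steps 6 to 8 say only that gsasl-saml20-sp.php verifies the SAML Response and "writes files to the IPC store"; one sentence on how the SP determines which SESSIONID directory a received response belongs to would make the flow reviewable, since that matching is what ties the browser-side result to the pending SMTP connection. Grammar: "The server continue" should be "The server continues", "The gsasl-saml20-sp.php verify" should be "verifies", and "smtp-server-saml20 notice" should be "notices".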
_______________________________________________ Gsasl-commit mailing list [email protected] https://lists.gnu.org/mailman/listinfo/gsasl-commit
