SAML 1.1 doesn't have good library support (you're correct that most libraries are 2.0). I was really just referencing the XMLDSIG part, which is the hardest part to handle "correctly". Looks like CPAN has a good module for just that: http://search.cpan.org/~byrne/XML-Sig-0.22/lib/XML/Sig.pm That should get you past the signature verification so you can focus on the SAML assertion and associated protocol.
On 12/28/2012 07:56 PM, Kevin Brown wrote:
> The heart of the site that I'm maintaining and adding to is a mod_perl based
> system, so any perl modules are possible. I tried to find some on CPAN, but
> the few I read through were either not well documented or were meant for SAML
> 2.0 which seems to store stuff in different ways (still XML, but not the same
> structure). The client documentation says this is a SAML 1.1 implementation,
> not a SAML 2.0.
>
>> Sounds like you're trying to do the XMLDSIG[1] verification part of the
>> SAML[2] authentication protocol.
>> Most languages and platforms have a library mechanism to do this as it's not
>> as simple as computing the hash (the content is hashed in a particular form
>> for consistency, and there are a few specific transformations required).
>>
>> What language and/or platform are you using?
>>
>> [1] XMLDSIG: http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
>> [2] SAML 2.0:
>> https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
>>
>> On 12/28/2012 02:48 PM, Kevin Brown wrote:
>>> So, new job... I've been tasked with implementing SSO using SAML 1.1. The
>>> client provided a document that gives an example of the Response object
>>> that will be forwarded into our site when a user goes to login. I'm trying
>>> to figure out how to validate the XML that I'm given so that I don't
>>> blindly trust that the document hasn't been modified in some way or just
>>> faked.
>>> I have the keys (DigestValue and SignatureValue), but when I try to do a
>>> sha1 of the xml (minus all the parts in the <Signature></Signature>
>>> section), the hash doesn't match.
>>> Does anyone have any experience with this that they might be able to point
>>> me in the right direction?
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
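Why a plain sha1 of the XML with the Signature cut out never matches DigestValue, as an added illustration that is not code from this thread or from XML::Sig: XMLDSIG hashes the output of the Reference's transforms (here the enveloped-signature transform, which drops the Signature subtree) after canonicalization, and a verifier must also check that the Reference actually points at the assertion it is about to trust. Assumptions: a constructed SAML 1.1 assertion, Python's stdlib C14N 2.0 standing in for the exclusive C14N a real signature names, and the RSA check of SignatureValue over SignedInfo left out.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed SAML 1.1 assertion with an enveloped signature (DigestValue filled in by signed_sample).
TEMPLATE = """<saml:Assertion MinorVersion="1" MajorVersion="1" AssertionID="_a1"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AuthenticationStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="#_a1">
        <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>__DIGEST__</DigestValue>
      </Reference>
    </SignedInfo>
  </Signature>
</saml:Assertion>"""

def reference_digest(xml_text: str) -> str:
    """Digest the way XMLDSIG does: apply the Reference transforms, canonicalize, then hash."""
    # Enveloped-signature transform: the Signature subtree is excluded from what gets hashed.
    # Assumption: stdlib C14N 2.0 stands in for the exclusive C14N named in a real signature.
    canon = ET.canonicalize(xml_text, exclude_tags={DS + "Signature"})
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()

def naive_digest(xml_text: str) -> str:
    """What the original post tried: sha1 over the raw bytes with <Signature> cut out."""
    start, end = xml_text.index("<Signature"), xml_text.index("</Signature>") + len("</Signature>")
    return base64.b64encode(hashlib.sha1((xml_text[:start] + xml_text[end:]).encode()).digest()).decode()

def verify_reference_digest(xml_text: str) -> bool:
    """The Reference must point at the assertion itself and its DigestValue must match."""
    root = ET.fromstring(xml_text)
    ref = root.find(f".//{DS}Signature/{DS}SignedInfo/{DS}Reference")
    if ref is None or ref.get("URI") != "#" + root.get("AssertionID", ""):
        return False  # a Reference to some other element means the assertion itself is unsigned
    stated = ref.findtext(DS + "DigestValue", "").strip()
    return hmac.compare_digest(stated, reference_digest(xml_text))

def signed_sample(name_id: str = "alice") -> str:
    """Fill in DigestValue; the digest skips the Signature subtree, so the placeholder is harmless."""
    doc = TEMPLATE.replace("alice", name_id)
    return doc.replace("__DIGEST__", reference_digest(doc))
```

A passing digest check only proves the assertion is intact; the SignatureValue over SignedInfo still has to be verified against the partner's trusted certificate, not against whatever key the document happens to embed.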
