[OT] Working with SAML

[OT] Working with SAML

Christopher Schultz-2
All,

I've got a system which is accepting one-legged, signed SAML responses
from trusted third parties and doing all the right things. It's working
great.

It's time to look at doing the opposite: assembling our own SAML
responses, signing them, and sending them to another party.

I'm sure I could manually create a DOM document with all the right
namespaces, add the various values that I need, and then use XML DSIG
using the bits and pieces that are provided by Java directly, but
there's got to be a nice compact library that doesn't require me to
download the entire internet in order to use in my product.

Any recommendations?

Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
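Doing exactly what Chris describes, building the DOM by hand and signing it with the XML DSig API that ships in the JDK, looks like the following. This is an added example written for this thread, not code from Chris or from any of the libraries mentioned below; the class name, the example.test URLs, the subject and the throwaway RSA key pair are all constructed for the demo (a real issuer loads its signing key from a keystore).

```java
import java.io.StringWriter;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

// Example (not from the thread): build a minimal SAML 2.0 Response and sign it with the JDK's
// own XML DSig API. Needs Java 11+ for SignatureMethod.RSA_SHA256. All values are constructed.
public class SamlResponseSigner {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Response > Issuer, Status, Assertion > Issuer, Subject > NameID
    static Document buildResponse(String issuer, String subject) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // DSig addresses elements by namespace; without this signing fails
        Document doc = dbf.newDocumentBuilder().newDocument();
        String now = java.time.Instant.now().toString();
        Element response = doc.createElementNS(SAMLP, "samlp:Response");
        response.setAttribute("ID", "_r" + UUID.randomUUID());
        response.setAttribute("Version", "2.0");
        response.setAttribute("IssueInstant", now);
        response.setIdAttribute("ID", true); // lets the signer resolve the "#ID" reference
        doc.appendChild(response);
        appendIssuer(response, issuer);
        Element status = doc.createElementNS(SAMLP, "samlp:Status");
        Element code = doc.createElementNS(SAMLP, "samlp:StatusCode");
        code.setAttribute("Value", "urn:oasis:names:tc:SAML:2.0:status:Success");
        status.appendChild(code);
        response.appendChild(status);
        Element assertion = doc.createElementNS(SAML, "saml:Assertion");
        assertion.setAttribute("ID", "_a" + UUID.randomUUID());
        assertion.setAttribute("Version", "2.0");
        assertion.setAttribute("IssueInstant", now);
        assertion.setIdAttribute("ID", true);
        response.appendChild(assertion);
        appendIssuer(assertion, issuer);
        Element subj = doc.createElementNS(SAML, "saml:Subject");
        Element nameId = doc.createElementNS(SAML, "saml:NameID");
        nameId.setAttribute("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
        nameId.setTextContent(subject);
        subj.appendChild(nameId);
        assertion.appendChild(subj);
        return doc;
    }

    static void appendIssuer(Element parent, String issuer) {
        Element el = parent.getOwnerDocument().createElementNS(SAML, "saml:Issuer");
        el.setTextContent(issuer);
        parent.appendChild(el);
    }

    // Enveloped signature over the element carrying ID, inserted directly after its Issuer child,
    // which is where the SAML schema places ds:Signature. KeyInfo carries the public key so the
    // receiver can at least see which key was used.
    static void sign(Element target, PrivateKey signingKey, PublicKey publicKey) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        List<Transform> transforms = Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        Reference ref = fac.newReference("#" + target.getAttribute("ID"),
                fac.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(publicKey)));
        // first Issuer in document order under target is target's own Issuer child
        Element issuer = (Element) target.getElementsByTagNameNS(SAML, "Issuer").item(0);
        DOMSignContext ctx = new DOMSignContext(signingKey, target, issuer.getNextSibling());
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, ki).sign(ctx);
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "no"); // re-indenting after signing would change the digests
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // throwaway key for the demo only
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = buildResponse("https://idp.example.test/metadata", "alice@example.test");
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML, "Assertion").item(0);
        sign(assertion, kp.getPrivate(), kp.getPublic());                // sign the Assertion first...
        sign(doc.getDocumentElement(), kp.getPrivate(), kp.getPublic()); // ...then the Response wrapping it
        System.out.println(serialize(doc));
    }
}
```

Two details matter for interoperability: the Assertion is signed before the Response so the outer signature covers the inner one, and the serializer must not re-indent the document afterwards, since whitespace inside the signed subtree is part of the canonicalized bytes.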

Re: [OT] Working with SAML

Robert Turner
Chris,

I'm not sure if it will do what you want, but when sourcing Java-based SAML
libraries for our use as an SP, I too found that most of the libraries were
much larger and more complicated than I thought necessary. We went with the
(limited but simple to use) OneLogin libraries for our use case. It doesn't
do everything by any means, but was considerably smaller and simpler than
most packages out there.

Robert




Re: [OT] Working with SAML

Christopher Schultz-2
Robert,

On 3/16/21 14:33, Robert Turner wrote:
> Chris,
>
> I'm not sure if it will do what you want, but when sourcing Java-based SAML
> libraries for our use as an SP, I too found that most of the libraries were
> much larger and more complicated than I thought necessary. We went with the
> (limited but simple to use) OneLogin libraries for our use case. It doesn't
> do everything by any means, but was considerably smaller and simpler than
> most packages out there.

I did see the OneLogin library. You mean this one, right?
https://github.com/onelogin/java-saml

Is there anything tied to any particular service for that? Or do they
simply give away their library for use anywhere?

Thanks,
-chris


Re: [OT] Working with SAML

Robert Turner
Yes, that's the one. It's not tied to the OneLogin service or any other. We
are successfully using it against Google Workspace SAML authentication, and
against test servers running KeyCloak, and hoping to use it against
Microsoft Azure as well (but I haven't confirmed that it definitely works
yet). As far as I can tell it's free to use, as it's an MIT-style license.
And at least one can get at the code and "fix" things if needed.


Re: [OT] Working with SAML

André Warnier (tomcat/perl)
Alternatively, see this: https://wiki.shibboleth.net/confluence/display/SP3/JavaHowTo


Re: [OT] Working with SAML

Luis Rodríguez Fernández
Hello Chris,

- Manually create DOM: agree with you, I would not go in that direction. I
did it years ago when I developed a logout servlet for weblogic. You can
have a look at the code here [1] and feel my pain :)
- Library: I remember testing opensaml [2], it was the most popular at that
time but it is not supported anymore :(

I am not sure what your scenario is, perhaps it is very specific and you do
not have any other choice than to get your hands dirty and implement something
on your own. However if what you have in mind fits in this diagram [3] and
you are running in tomcat :) I would use keycloak [4], for us it is working
great.

Hope it helps,

Luis


[1] https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo
[2] https://stackoverflow.com/a/9080912/637409
[3] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.2.SP-Initiated%20SSO:%20%20Redirect/POST%20Bindings|outline
[4] https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-tomcat-adapter


--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

Re: [OT] Working with SAML

Christopher Schultz-2
André,

On 3/16/21 18:21, André Warnier (tomcat/perl) wrote:
> Alternatively, see this :
> https://wiki.shibboleth.net/confluence/display/SP3/JavaHowTo

Thanks for mentioning this. I looked at Shibboleth.

Their web site says "version 3 is deprecated" and "version 4 is
undocumented".

:(

That's not exactly encouraging.

Thanks,
-chris


Re: [OT] Working with SAML

Christopher Schultz-2
Luis,

On 3/17/21 09:39, Luis Rodríguez Fernández wrote:

> Hello Chris,
>
> - Manually create DOM: agree with you, I would not go in that direction. I
> did it years ago when I developed a logout servlet for weblogic. You can
> have a look at the code here [1] and feel my pain :)
> - Library: I remember testing opensaml [2], it was the most popular at that
> time but it is not supported anymore :(
>
> I am not sure what your scenario is, perhaps it is very specific and you do
> not have any other choice than to get your hands dirty and implement something
> on your own. However if what you have in mind fits in this diagram [3] and
> you are running in tomcat :) I would use keycloak [4], for us it is working
> great.

In the diagram, I want to perform step #5 and then have the UA perform
step 6 (well, I'll arrange for the UA to redirect, of course).

I'm not performing the authentication; I'm performing the signing and
another system is doing the authentication.

I've already implemented my own SP receiver for step #6, manually.
Key-selection sucks BTW when the SAML response doesn't contain any KeyInfo.

Thanks,
-chris
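The key-selection problem Chris mentions for his hand-written SP receiver is built into the JDK API: DOMValidateContext asks a KeySelector for the verification key, and a selector that reads it out of the message's own KeyInfo fails when KeyInfo is absent and trusts sender-supplied material when it is present. The check below is an added example, not code from the thread or from any of the libraries discussed: it takes the IdP's public key from a certificate the SP already has (e.g. from the IdP's metadata), ignores KeyInfo entirely, and only accepts a ds:Signature that is a direct child of the element being checked and whose single Reference points at that element's own ID. The class name, method names and the two file arguments in main are assumptions for the demo.

```java
import java.io.*;
import java.nio.file.*;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Example (not from the thread): SP-side signature check of a SAML Response or Assertion
// against a pre-configured IdP key, never against the KeyInfo carried in the message.
public class SamlSignatureCheck {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Parse untrusted XML with DOCTYPE and entity processing off; SAML messages need neither.
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // KeySelector that returns the configured IdP key regardless of what KeyInfo says (or whether it exists).
    static KeySelector trustedKey(PublicKey idpKey) {
        return new KeySelector() {
            @Override
            public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                            AlgorithmMethod method, XMLCryptoContext context) {
                return () -> idpKey;
            }
        };
    }

    // True only if `signed` has a ds:Signature as a direct child, that signature's single Reference
    // is "#<this element's ID>", and every digest plus the signature value check out under idpKey.
    static boolean verify(Element signed, PublicKey idpKey) throws Exception {
        String id = signed.getAttribute("ID");
        if (id.isEmpty()) return false;
        signed.setIdAttribute("ID", true); // without a schema the parser does not know ID is an ID attribute

        Element sigEl = null;
        for (Node n = signed.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && XMLSignature.XMLNS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                sigEl = (Element) n;
                break;
            }
        }
        if (sigEl == null) return false; // unsigned, or a signature that lives elsewhere in the document

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(trustedKey(idpKey), sigEl);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // rejects weak/odd algorithms
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) return false;
        Reference ref = (Reference) refs.get(0);
        if (!("#" + id).equals(ref.getURI())) return false; // the signature must cover this very element

        return sig.validate(ctx);
    }

    // Usage: java SamlSignatureCheck response.xml idp-cert.pem
    // (the certificate comes from the IdP's metadata on disk, not from the message being checked)
    public static void main(String[] args) throws Exception {
        PublicKey idpKey;
        try (FileInputStream in = new FileInputStream(args[1])) {
            idpKey = CertificateFactory.getInstance("X.509").generateCertificate(in).getPublicKey();
        }
        Document doc = parse(Files.readAllBytes(Path.of(args[0])));
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML, "Assertion").item(0);
        boolean responseOk = verify(doc.getDocumentElement(), idpKey);
        boolean assertionOk = assertion != null && verify(assertion, idpKey);
        System.out.println("Response signature: " + responseOk + ", Assertion signature: " + assertionOk);
    }
}
```

The signature check is only the first gate: after verify() returns true the receiver still has to check Issuer against the expected IdP, the Audience and Destination against its own entity ID and ACS URL, the NotBefore/NotOnOrAfter window, and that the Assertion it goes on to read attributes from is the same element it just verified.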


Re: [OT] Working with SAML

André Warnier (tomcat/perl)
On 17.03.2021 17:49, Christopher Schultz wrote:
> André,
>
> On 3/16/21 18:21, André Warnier (tomcat/perl) wrote:
>> Alternatively, see this : https://wiki.shibboleth.net/confluence/display/SP3/JavaHowTo
>
> Thanks for mentioning this. I looked at Shibboleth.
>
> Their web site says "version 3 is deprecated" and "version 4 is undocumented".

We've been using versions 2 and 3 without problems. I don't know what version 4 brings
that is not in the others but is nevertheless helpful.

We've set up one (our own) IdP (the SAML "identity provider", where the clients really
login), and several SPs (Service Providers), which interact with our own IdP or with other
people's IdPs (of various brands/makes/types).
It's all a bit of work to set up, but once set up it hasn't given us any more hassle.
The documentation for versions 2 and 3 is very extensive, and quite complex, which I
believe is kind of unavoidable considering that SAML itself is one of these things
designed by a committee.

(We also have our own summarised installation and setup documentation, so if you want any
tips, just ask.)
