Wednesday, June 26, 2013

SAML : SAML connectivity / toolkit

This is an update to try and categorise this in terms of SAML stacks.

Note that this concerns the SAML protocol not to be confused with SAML tokens or SAML products.

The links in the original article are still valid.

SAML is complicated. Getting the security right is difficult. My advice is not to roll your own.

Note: I personally haven't tried all of these. This is just a list that may be of use.

C#

The WIF Extension for SAML 2.0 is now deprecated and the links have been removed. It is only applicable for .NET 3.5 and is buggy.

There is NO official Microsoft C# client-side SAML protocol stack.

OneLogin's Open-Source SAML Toolkits and Github.

(Libraries for .NET, Python, Ruby, PHP, Java, node and others).

The Kentor stack is now deprecated.
Use Sustainsys - for .Net Core 2 use this version.

Owin.Security.Saml

Using Fedlets in .NET Applications

OIOSAML

SAML2

Safewhere SAML 2 for WIF

Owin.Security.Saml

Java

OpenSAML

Good book on this - Guide to OpenSAML V3.0 and an earlier version Guide to OpenSAML v2.0

Using Fedlets in Java Web Applications 

OneLogin's Open-Source SAML Toolkits

Spring security SAML

OIOSAML

auth10-java

MITREid Connect

PHP

simpleSAMLphp

LightSAML

OneLogin as above.

Ruby

OneLogin as above.

Python

OneLogin as above.

Commercial

Componentspace

Ultimate .NET SAML

Rock Solid Knowledge
This is for .NET Core 2 and is a plugin for Indentityserver 4. 

Identity aaS (as a service)

Auth0 - They do some really neat stuff. Lots of documentation e.g. SAML configuration. See the article at the end of this post

Other

nugetmusthaves for SAML

SAML articles in this blog

Disclaimer

I do not work for any of the above commercial companies.
------------------------------------------------------------------------------------------

There are two previous posts concerning SAML and libraries:

SAML : A SAML stack

WIF : Is there a Java Equivalent?

which are very much focused around the Microsoft / ADFS / WIF scenario.

But there’s tons of stuff out there concerning this so this is just a collection of links – for me as much as for everyone else!

OpenSAML - C++ / Java – open source

Performing a SAML Post with C#

Single Signon with SAML

SAML Single Sign-On (SSO) Component Suite for .NET – commercial

.NET SAML Component - Single Sign-On for C#, VB.NET & ASP.NET – commercial

onelogin SAML Toolkit – C#, ASP.NET, Java, PHP, Python, Ruby

Libraries and toolkits to develop SAML actors and SAML-enabled services

Working with SAML Assertions

Announcing the WIF Extension for SAML 2.0 Protocol Community Technology Preview!

Collection of Useful SAML Tools

authNauthZ  - A Swiss army knife for Graph API / SAML / OAuth

SAML2 for Thinktecture IdentityServer 3 with Kentor.AuthServices

Auth0 - This is essentially Identity aaS. They do some really neat stuff. Lots of documentation e.g. SAML configuration.

(I wrote up an example here using Auth0 -SAML : ASP.NET MVC application talking to SAML IDP.
The service is free until you go into Production and it's not locked down in any way - you have access to all the features).

Enjoy!

Tuesday, June 18, 2013

ADFS : “Problem” with “Token-Groups–Unqualified Names”

 

ADFS has this clever feature where if you select this mapping in the claims rules and map it to Roles, you will get a set of roles claims that contain all the groups for the authenticated user e.g.

http://schemas.microsoft.com/ws/2008/06/identity/claims/role  Role1

That’s well and good when the groups are “flat” i.e. the groups are not memberOf other groups.

If they are, then this mapping will work it’s way up the hierarchy and display ALL the groups.

So if Joe is a memberOf Role1 and if Role1 is a memberOf Role2, then ADFS will construct:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role Role1

http://schemas.microsoft.com/ws/2008/06/identity/claims/role Role2

Now that’s fine if that’s what you want but if Joe has 20 roles and all these roles are at the bottom of a whole pile of other roles you end up with many, many claims and a complete mess!

So what to do if you only want the bottom layer i.e. the actual memberOf.

If you go have a look via ADUC, guess what? memberOf is not displayed as an attribute!

WTF!

To see it as an attribute in the attribute list, you need to click the “Filter” box (bottom right) in “Attribute Editor” and then select “Backlinks”.

OK – so what if we set up a claims rule mapping memberOf to Roles?

So we type memberOf into the LDAP attribute field (it is actually editable) and note that it displays as “Is-Member-Of-DL”.

Problem!

What we get back is the whole CN e.g.

CN=Role1,OU=Sales,OU=company,DC=com

when what we got before was just Role1.

Enter stage left Joji Oshima. He da man!

Refer: AD FS 2.0 Claims Rule Language Part 2.

and have a look at “Problem 1” which is exactly the scenario described above.

Problem solved!

Enjoy!

Friday, June 07, 2013

WIF : Is there a Java Equivalent?


Been asked this question a million times and now I have an answer of sorts.

If by WIF, you mean WS-Federation, then mosey on over to:

Apache CXF Fediz: An Open-Source Web Security Framework
 
This supports:
  • WS-Federation 1.0/1.1/1.2
  • SAML 1.1/2.0 Tokens
  • Custom token support
  • Publish WS-Federation Metadata document
  • Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens
  • Claims information provided by FederationPrincipal interface
However, if by WIF by mean the FAM / SAM / CAM functionality then the jury is still out.

There is no direct Java replacement library for WIF.

Update:

Came across  auth10-java.
  • This library speaks the WS-Federation protocol and SAML 1.1 and 2.0 tokens. It interops fine with Microsoft-related products like ADFS, Windows Azure Active Directory and Windows Identity Foundation. 
Update:

Also  OIOSAML.

Enjoy!

Tuesday, June 04, 2013

SAML : A SAML stack


I answer this question so many times, I’m writing it up as a blog entry.

You have an application – .NET, JAVA whatever.

You want this to be a SP and need to connect to an IDP – ADFS, OpenAM, simpleSAMLPHP …

Look at Announcing the WIF Extension for SAML 2.0 Protocol Community Technology Preview! (.NET).

Warning: This has not been updated in a while.

Warning: This is based on WIF 3.5. It is not compatible with WIF 4.5.

Also the OpenSSO Fedlet – this has components for both .NET and Java.

Or the OpenAM equivalents:

Using Fedlets in Java Web Applications and
Using Fedlets in .NET Applications

Or the Spring Security - SAML Extension (Java).

Or   OIOSAML. (.Net and Java).

Or auth10-java.
  • This library speaks the WS-Federation protocol and SAML 1.1 and 2.0 tokens. It interops fine with Microsoft-related products like ADFS, Windows Azure Active Directory and Windows Identity Foundation.
Or Kentor.AuthServices

  • A SAML2 Service Provider for ASP.NET. Built to mimic the WSFederationAuthenticationModule in .NET 4.5, but using SAML2 instead. The module works with the claims model of .NET 4.5 and uses the present infrastructure for claims translation, session authentication cookies etc.
Or SAML2

  • NuGet package - A .NET implementation of the SAML 2.0 specification for SP integrations. 
  • "Install-Package SAML2" from the Package Manager Console  
Or Safewhere SAML 2 for WIF

  • SAML 2.0 for WIF is a new DLL component that extends the WIF with native support for the SAML 2.0 protocol. (.NET)
Or take your pick from this list:

SAML-based products and services
Enjoy!