Tuesday, September 9, 2014

OpenSAML book release!

After many late nights and tedious editing, I have finished my book on OpenSAML, based on my experiences working with the OpenSAML library. A Guide to OpenSAML is a short book that introduces SAML, the SAML Web Browser Profile and the use of OpenSAML.

The book has three parts. The first introduces SAML, the SAML Web Browser Profile and OpenSAML. The second part explains the Web Browser Profile in more detail and shows an example of how to implement it using OpenSAML. The last part explains and shows examples of how to use some of the security functions in OpenSAML, such as signatures and encryption.

The SAML Web Browser Profile is flexible and can be used in many different ways. The book shows the SAML Web Browser Profile with the following configurations:

  • SP initiated Single Sign-On
  • Authentication request using HTTP Redirect Binding
  • Assertion transported using HTTP Artifact Binding
  • SAML Artifact transported using HTTP Redirect Binding
  • Artifact resolution using SOAP Binding

The book explains the interaction from the Service Provider’s point of view. The implementation of the Identity Provider is not covered in this book.

The package contains the book in PDF format, three different e-reader formats (EPUB, MOBI, AZW3) and a sample project showing OpenSAML in action.

Wednesday, May 14, 2014

Exception: "Apache xmlsec IdResolver could not resolve the Element for id reference" while decrypting

org.opensaml.xml.validation.ValidationException: Apache xmlsec IdResolver could not resolve the Element for id reference:

This is an example of a common exception that can be thrown when verifying a signature after decrypting an object.

To avoid this, it is often enough to configure your Decryptor using the following setting before decrypting.
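
As an added example (not code from the original post), here is a Decrypter set up the way the post describes, in OpenSAML 2.x. The setting shown is Decrypter.setRootInNewDocument(true), the setting normally used for this error; the post itself does not name it. The class decrypts an EncryptedAssertion with the SP's decryption credential and then runs the same two-step signature check used elsewhere on this blog. The class name AssertionDecryptor, the method decryptAndVerify and the two credential parameters are my own assumptions; the OpenSAML classes are the library's.

```java
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/** Added example: decrypt an EncryptedAssertion, then verify the signature on the result. */
public class AssertionDecryptor {

    /**
     * @param encrypted               the EncryptedAssertion taken from the Response
     * @param spDecryptionCredential  the SP's own private key (used to unwrap the EncryptedKey)
     * @param idpSigningCredential    the IdP's public key, e.g. taken from its metadata
     */
    public static Assertion decryptAndVerify(EncryptedAssertion encrypted,
                                             Credential spDecryptionCredential,
                                             Credential idpSigningCredential)
            throws DecryptionException, ValidationException {

        // Resolver for the key-encryption key: a fixed credential holding the SP's private key.
        KeyInfoCredentialResolver kekResolver =
                new StaticKeyInfoCredentialResolver(spDecryptionCredential);

        // The IdP usually places the EncryptedKey inline inside the EncryptedData's KeyInfo,
        // so no separate data-key resolver (first argument) is needed.
        Decrypter decrypter = new Decrypter(null, kekResolver, new InlineEncryptedKeyResolver());

        // Put the decrypted Assertion at the root of a new DOM document. Without this the
        // Assertion's ID attribute is not registered as an ID in the owning document, and
        // the xmlsec IdResolver cannot resolve the signature's "#ID" reference.
        decrypter.setRootInNewDocument(true);

        Assertion assertion = decrypter.decrypt(encrypted);

        if (assertion.getSignature() == null) {
            throw new ValidationException("Decrypted assertion is not signed");
        }
        // Profile check first, then the cryptographic check against the IdP's key.
        new SAMLSignatureProfileValidator().validate(assertion.getSignature());
        new SignatureValidator(idpSigningCredential).validate(assertion.getSignature());
        return assertion;
    }
}
```

Note that SignatureValidator only proves the assertion was signed by the key you hand it; which key you hand it (normally the one published in the IdP's metadata) is what establishes trust.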


Monday, May 5, 2014

Nullpointer exception in OpenSAML

This is a common exception for beginners using OpenSAML. A common mistake when starting to use the OpenSAML library is not initialising the library.
OpenSAML needs a couple of configuration files in order to work. The library comes with a default set of these files that is sufficient for most uses. Before starting to use the library, the configurations must be loaded. This is done using the bootstrap function.

import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.ConfigurationException;

try {
   // Loads the default OpenSAML configuration files (builders, marshallers, unmarshallers, ...)
   DefaultBootstrap.bootstrap();
} catch (ConfigurationException e) {
   throw new RuntimeException("Bootstrapping failed", e);
}
If you do not do this before you start using the library, you might run into exceptions like this:

Exception in thread "main" java.lang.NullPointerException
 at no.steras.opensaml.Main.main(Main.java:25)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:601)
 at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)

Monday, November 12, 2012

Verifying signatures with OpenSAML

As the post about signing SAML messages discussed, it is very important to properly sign and verify messages in a SAML federation.

When verifying the signature of a message it is recommended to first validate the message with a SAML profile validator. This ensures that the signature follows the standard for XML signatures. Afterwards the cryptographic validation of the signature is done by a SignatureValidator.

PS. This validation only performs a cryptographic validation of the signature, which means it checks that the message has not been changed since it was signed. It does not, however, check that the certificate used for signing is trusted. To confirm trust in the certificate in OpenSAML, a trust engine must be used in the validation.

The most common method to confirm the trust of a key is to compare it to the key received in SAML Metadata. This is generally done as a configuration step when setting up a SAML federation. This post gives more information on SAML Metadata.

Here is a full example of the cryptographic validation.

// signature is taken from the signed SAML object, e.g. assertion.getSignature()
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(signature);   // profile check; throws ValidationException on failure

SignatureValidator sigValidator = new SignatureValidator(cred);
sigValidator.validate(signature);       // cryptographic check against cred; throws ValidationException

SignatureValidator is instantiated with a credential. In this case the credential basically contains the public key corresponding to the private key that was used to sign the message.
The credential object can be obtained in a number of different ways. This post shows some methods in OpenSAML.
If the public key was sent in the message, it is very important to validate that you trust the key.
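
The post stops at the cryptographic check and says a trust engine is needed for the trust part. As an added example (not code from the original post) the class below goes one step further than the post and does both: the profile check, and then a validation with an ExplicitKeySignatureTrustEngine whose trusted keys are read from the IdP's SAML Metadata, which is the method the post names as the most common one. OpenSAML 2.x is assumed, with DefaultBootstrap.bootstrap() already called. The class name MetadataTrustVerifier, the method verify and the metadata file parameter are my own assumptions; the OpenSAML classes and criteria types are the library's.

```java
import java.io.File;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

/** Added example: signature verification where trust comes from the IdP's metadata. */
public class MetadataTrustVerifier {

    private final SignatureTrustEngine trustEngine;

    /** @param idpMetadataFile the IdP's metadata XML, obtained when the federation was set up */
    public MetadataTrustVerifier(File idpMetadataFile) throws MetadataProviderException {
        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true);

        FilesystemMetadataProvider metadata = new FilesystemMetadataProvider(idpMetadataFile);
        metadata.setParserPool(parserPool);
        metadata.initialize();

        // Credentials (keys) are resolved from the KeyDescriptors in the metadata.
        MetadataCredentialResolver metadataCreds = new MetadataCredentialResolver(metadata);
        // Resolves the key carried inline in the message's own KeyInfo, if any. That key is
        // only accepted by the engine if it matches one of the trusted metadata keys.
        KeyInfoCredentialResolver keyInfoCreds =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        this.trustEngine = new ExplicitKeySignatureTrustEngine(metadataCreds, keyInfoCreds);
    }

    /**
     * Profile check, then a cryptographic check against the SIGNING keys registered in the
     * metadata for the IdP identified by idpEntityId (normally the message's Issuer value).
     * Returns false when the signature is valid but made with a key that is not trusted.
     */
    public boolean verify(Signature signature, String idpEntityId)
            throws ValidationException, SecurityException {
        new SAMLSignatureProfileValidator().validate(signature);

        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(idpEntityId));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
                                          SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        return trustEngine.validate(signature, criteria);
    }
}
```

Usage is verifier.verify(response.getSignature(), response.getIssuer().getValue()) for a signed Response. The entity ID passed in must come from the message's Issuer, not from the KeyInfo: the criteria select which metadata keys are trusted for that issuer, so a message that carries a different key inline is rejected even though its signature is cryptographically valid.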

Further reading

My book, A Guide to OpenSAML, explains in detail how to use the security features of SAML.

A Guide to OpenSAML

This is not a book specifically on OpenSAML, but I do recommend it as it has some chapters on how XML signatures work. This is the same standard as the one used by SAML and OpenSAML.

This is a very good book for those who want to get an introduction to cryptography. It helped me a lot in understanding public key cryptography.

Signing with OpenSAML

When exchanging information with SAML it is highly recommended to sign and verify signatures on all messages. This ensures that the sender really is who he says he is and that the information sent has not been manipulated during transport.

Every SAML object that implements the SignableXMLObject interface can be signed.

The signing of a SAML message is done in three steps. First, all the properties for the signature are put in a Signature object. Properties that can be set include signing credentials, algorithm and optionally a KeyInfo object. The KeyInfo object identifies what key should be used to verify the signature.
The Signature object is then added to the SAML object using the setSignature method.

entityDescriptor.setSignature(signature);

The second step is to marshal the object. This must be done before signing, or else you will get a message like this:

SEVERE: Unable to compute signature, Signature XMLObject does not have the XMLSignature created during marshalling.

Element element = Configuration.getMarshallerFactory().getMarshaller(entityDescriptor).marshall(entityDescriptor);

The third step is to perform the actual signing to produce a cryptographic signature. This is done with the Signer class.
Here is how the signed object might look after signing and marshalling.

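As an added example (not code from the original post) the program below carries the three steps through end to end on an EntityDescriptor, with OpenSAML 2.x: build the Signature object with credential, algorithm and KeyInfo, marshal, then sign with Signer, and print the signed XML. The key pair is generated on the fly just so the program runs stand-alone; in a deployment the signing key comes from the SP's keystore. The class name SignEntityDescriptor, the method sign and the entity ID value are my own assumptions; the OpenSAML classes and constants are the library's.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.UUID;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.BasicKeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

/** Added example: the three signing steps from the post applied to an EntityDescriptor. */
public class SignEntityDescriptor {

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Constructed throwaway RSA key pair, only so the example runs without a keystore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keyPair = kpg.generateKeyPair();
        BasicCredential credential = new BasicCredential();
        credential.setPrivateKey(keyPair.getPrivate());
        credential.setPublicKey(keyPair.getPublic());
        credential.setUsageType(UsageType.SIGNING);

        EntityDescriptor entityDescriptor = (EntityDescriptor) Configuration.getBuilderFactory()
                .getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME)
                .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME);
        entityDescriptor.setEntityID("https://sp.example.org/saml"); // placeholder entity ID
        entityDescriptor.setID("_" + UUID.randomUUID());             // the signature's Reference URI points here

        System.out.println(XMLHelper.nodeToString(sign(entityDescriptor, credential)));
    }

    /** Step 1: Signature object; step 2: marshal; step 3: Signer. Returns the signed DOM element. */
    public static Element sign(EntityDescriptor entityDescriptor, BasicCredential credential)
            throws MarshallingException, SignatureException, SecurityException {
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // Optional KeyInfo carrying the public key, so a verifier can tell which key was used.
        BasicKeyInfoGeneratorFactory keyInfoFactory = new BasicKeyInfoGeneratorFactory();
        keyInfoFactory.setEmitPublicKeyValue(true);
        KeyInfo keyInfo = keyInfoFactory.newInstance().generate(credential);
        signature.setKeyInfo(keyInfo);

        entityDescriptor.setSignature(signature);

        // Marshalling creates the underlying XMLSignature; Signer fails with
        // "Signature XMLObject does not have the XMLSignature created during marshalling" without it.
        Element element = Configuration.getMarshallerFactory()
                .getMarshaller(entityDescriptor).marshall(entityDescriptor);

        // Computes the digest and signature value into the already-marshalled DOM.
        Signer.signObject(signature);
        return element;
    }
}
```

Two points a verifier cares about are fixed here: the element gets an ID so the Reference is a "#id" pointer rather than an empty URI covering the whole document, and the algorithms are set explicitly (RSA-SHA256, exclusive C14N) rather than left to the library's defaults.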

Further reading

My book, A Guide to OpenSAML, explains in detail how to use the security features of SAML.

A Guide to OpenSAML

This is not a book specifically on OpenSAML, but I do recommend it as it has some chapters on how XML signatures work. This is the same standard as the one used by SAML and OpenSAML.

This is a very good book for those who want to get an intro to cryptography. It helped me a lot in understanding public key cryptography.

Wednesday, November 7, 2012

OpenSAML sample code

One of my visitors found this public source code. The project is a Danish project that implements a service provider using OpenSAML.


Thanks to Rholdan Ortiz!

There is also the Norwegian electronic voting system, which also implements a service provider.


Friday, May 11, 2012

SAML Web Profile

What is it?

The SAML Web Profile is a subset of the SAML specification. It specifies the authentication process for a user using a web browser.

How does it work?
In this post I will show a typical case using the web profile with HTTP redirect. The flow of the authentication process is illustrated in the figure below.

The SAML Browser Profile with Artifact binding

The authentication process can be said to involve five steps:
  1. User tries to get access - The process begins with an unauthenticated user trying to get access to a protected part of the application (SP). Some form of filter is put in place to catch the user.
  2. The user is redirected to the Identity Provider (IDP) - When the filter detects a user who is not authenticated, the user is sent to the IDP using HTTP redirect.
  3. The user is authenticated - This step does not involve any interaction with the SP. The IDP has full responsibility for authenticating the user in a secure way.
  4. Authenticated user is sent back to the SP - When the authentication is successfully completed the user is sent back to the SP together with a SAML artifact. The artifact is more or less a pointer to the user information at the IDP. This information could contain sensitive user information and is therefore not sent via the browser.
  5. Request user information - When the SP receives the artifact it is sent to a web service at the IDP. The web service returns the user information in a SAML Assertion; this is the actual proof of authentication.
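
As an added example (not code from the original post) the program below shows the SP's side of step 2 in OpenSAML 2.x: it builds the AuthnRequest, asks the IDP to return the response with the Artifact binding (step 4), and encodes the request for the HTTP-Redirect binding, i.e. raw DEFLATE, Base64 and URL-encoding into a SAMLRequest query parameter. The three URLs are placeholders; in a real federation they come from the SP's and IDP's metadata. The class name RedirectAuthnRequest and the helper names buildRequest, toRedirectUrl, marshal and build are my own assumptions; the OpenSAML classes and constants are the library's. Signing the redirect request (the SigAlg and Signature query parameters) is not shown.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLEncoder;
import java.util.UUID;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.xml.namespace.QName;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

/** Added example: build an AuthnRequest and encode it for the HTTP-Redirect binding. */
public class RedirectAuthnRequest {

    // Placeholder federation endpoints; real values come from SP and IDP metadata.
    static final String SP_ENTITY_ID = "https://sp.example.org/saml";
    static final String SP_ACS_URL   = "https://sp.example.org/saml/artifact";
    static final String IDP_SSO_URL  = "https://idp.example.org/sso/redirect";

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        AuthnRequest request = buildRequest();
        System.out.println(XMLHelper.nodeToString(marshal(request)));
        System.out.println(toRedirectUrl(request));
    }

    /** Step 2: the request the filter sends the unauthenticated user to the IDP with. */
    static AuthnRequest buildRequest() {
        AuthnRequest request = (AuthnRequest) build(AuthnRequest.DEFAULT_ELEMENT_NAME);
        request.setID("_" + UUID.randomUUID());      // the SP should remember this ID to match the response
        request.setIssueInstant(new DateTime());
        request.setDestination(IDP_SSO_URL);
        // Step 4: ask for the response via the Artifact binding, so the assertion itself
        // never travels through the browser.
        request.setProtocolBinding(SAMLConstants.SAML2_ARTIFACT_BINDING_URI);
        request.setAssertionConsumerServiceURL(SP_ACS_URL);

        Issuer issuer = (Issuer) build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(SP_ENTITY_ID);
        request.setIssuer(issuer);
        return request;
    }

    /** HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), Base64, then URL-encode. */
    static String toRedirectUrl(AuthnRequest request) throws Exception {
        String xml = XMLHelper.nodeToString(marshal(request));
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        Deflater deflater = new Deflater(Deflater.DEFLATED, true);   // nowrap=true gives raw DEFLATE
        try (DeflaterOutputStream out = new DeflaterOutputStream(buf, deflater)) {
            out.write(xml.getBytes("UTF-8"));
        }
        String encoded = java.util.Base64.getEncoder().encodeToString(buf.toByteArray());
        return IDP_SSO_URL + "?SAMLRequest=" + URLEncoder.encode(encoded, "UTF-8");
    }

    static Element marshal(XMLObject object) throws Exception {
        return Configuration.getMarshallerFactory().getMarshaller(object).marshall(object);
    }

    private static XMLObject build(QName name) {
        return Configuration.getBuilderFactory().getBuilder(name).buildObject(name);
    }
}
```

The filter in step 1 would send the browser a 302 to the URL toRedirectUrl returns. When the artifact comes back in step 4, the SP should check that the InResponseTo of the resolved Response matches an ID it issued in buildRequest, which is why the ID is worth storing in the session.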

Usually the IDP also returns a security level, specifying how secure the authentication was. This can later be used by the SP to regulate what is shown to the user.

This is how federation with the SAML web profile works on a low level. This can be good to know when working with identity federation, and especially when debugging.

Usually when you set up an identity federation this is done with one of the many tools available.
These tools help with the low-level communication.

Here is a subset of the software available for working with SAML:

OpenAM, formerly OpenSSO, is an open source access control and authentication system that supports SAML.

OpenSAML is an open source framework that helps in using SAML on a low level.

OIF is Oracle's solution for identity federation.