Support for embedded signatures in LogoutRequest #153

Closed
sbc100 opened this issue Jul 19, 2016 · 4 comments

Comments

sbc100 (Contributor) commented Jul 19, 2016

As far as I can tell there is no support for embedded signatures.

In the ruby-saml library there is an embed_sign option that does this.

pitbulk (Contributor) commented Jul 19, 2016

There is no official support for embedded signatures on LogoutRequest used by the HTTP-POST binding in this toolkit.

You can extend the classes of the toolkit and implement it using the add_sign method on the generated LogoutRequest retrieved from get_request, and executing a POST instead of a redirect.

Related threads: #146 and #78

sbc100 (Contributor, Author) commented Jul 19, 2016

Thanks for the response. I will try using add_sign to implement this.

Are you saying that embedding signatures is related to POST vs. redirect? From my brief inspection of ruby-saml it looks like embed_sign can be used with either redirect or POST, i.e. are you sure these two choices are not orthogonal?

In my particular case I'm trying to write a python SP that talks to an IdP based on https://github.com/sportngin/saml_idp which seems to require embedded signatures even when logout is sent via redirect.

pitbulk (Contributor) commented Jul 19, 2016

When using the Redirect binding you put the signature in the URL query parameters.

3.4.4.1 DEFLATE Encoding

SAML protocol messages can be encoded into a URL via the DEFLATE compression method (see [RFC1951]). In such an encoding, the following procedure should be applied to the original SAML protocol message's XML serialization:

1. Any signature on the SAML protocol message, including the <ds:Signature> XML element itself, MUST be removed. Note that if the content of the message includes another signature, such as a signed SAML assertion, this embedded signature is not removed. However, the length of such a message after encoding essentially precludes using this mechanism. Thus SAML protocol messages that contain signed content SHOULD NOT be encoded using this mechanism.

Reference:
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
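The distinction in the reply above, as an added example that is not python-saml's or ruby-saml's own code: for the HTTP-Redirect binding the message-level <ds:Signature> is stripped (binding spec step 1), the XML is raw-DEFLATEd and base64-encoded, and what gets signed is the URL-encoded query string, whereas an embedded signature would only make sense for HTTP-POST. The sample LogoutRequest, its placeholder SignatureValue and all function names are constructed for illustration; the actual RSA signing over the returned signing input is left to whatever XML-dsig library the SP uses.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
for prefix, uri in (("samlp", NS_SAMLP), ("saml", NS_SAML), ("ds", NS_DS)):
    ET.register_namespace(prefix, uri)

# Constructed sample: a LogoutRequest carrying an embedded <ds:Signature> with a
# placeholder value, i.e. the shape add_sign would produce for the HTTP-POST binding.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    ID="_constructed-id" Version="2.0" IssueInstant="2016-07-19T00:00:00Z">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="{NS_DS}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:NameID>user@example.com</saml:NameID>
</samlp:LogoutRequest>"""


def strip_embedded_signature(xml_text):
    """Step 1 of bindings 3.4.4.1: drop a <ds:Signature> that is a direct child of the
    protocol message. Deeper signatures (e.g. on an enclosed assertion) are kept."""
    root = ET.fromstring(xml_text)
    for sig in root.findall(f"{{{NS_DS}}}Signature"):
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")


def encode_redirect_request(xml_text, relay_state=None, sig_alg=RSA_SHA256):
    """Return (query_params, signing_input) for the HTTP-Redirect binding.
    signing_input is the byte string the SP signs and the IdP verifies; the
    signature travels as a separate Signature query parameter, not inside the XML."""
    body = strip_embedded_signature(xml_text).encode("utf-8")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = comp.compress(body) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    params["SigAlg"] = sig_alg
    # The spec fixes the order: SAMLRequest, then RelayState (if any), then SigAlg.
    return params, urlencode(params).encode("ascii")


def decode_redirect_request(saml_request_param):
    """What the IdP does on receipt: base64-decode, then raw-INFLATE."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")
```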

pitbulk (Contributor) commented Jul 19, 2016

I'm also the current maintainer of the ruby-saml gem, but embed_sign was something implemented before I arrived, and it is only a trick to let developers support the HTTP-POST binding in an easy way.

Notice that ruby-saml does not have the "auth" class that manages the SAML flow (in python-saml and php-saml the HTTP-Redirect binding is used for all messages other than AuthN SAMLResponses, which are expected on the HTTP-POST binding). In ruby-saml the developer may take care of that flow.
