Auto-generated Metadata Signing Algorithms


Michael Domingues

Jun 21, 2016, 11:18:20 AM
to SimpleSAMLphp

Greetings All,

In helping a deployer on my campus configure automated metadata signing (per the documentation here: https://simplesamlphp.org/docs/1.14/simplesamlphp-advancedfeatures#section_6) we discovered that the metadata signing algorithm is not user configurable.

While SAML assertion signing preferences can be configured in config/authsources.php to use either SHA-1 or SHA-2, with the stated intent (as I understand it) being to change the default to SHA-2 in SimpleSAMLphp 2.0, metadata signing is currently hard-coded to use SHA-1.

As far as I can tell, this is set in a combination of the files “simplesamlphp-[version]/lib/SimpleSAML/XML/Signer.php” (around lines 99 and 249) and “simplesamlphp-[version]/lib/SimpleSAML/Metadata/Signer.php” (around lines 190 and 210).

Further, as I understand it (though apologies in advance, I could be wrong here – I’m more familiar with the Shibboleth products, but we have a handful of SimpleSAMLphp users on campus) the SimpleSAMLphp project uses PHP xmlseclibs (https://github.com/robrichards/xmlseclibs) under the hood, which ought to support the SHA-2 suite.

A PHP developer, I am not, so as a feature request, could this metadata signing algorithm either be updated to SHA-2, or made user configurable in some way?

Apologies in advance if I’m posting to the wrong list, and feel free to steer me toward the developers list if that would be more appropriate.

Best regards,

Michael Domingues

Directory and Authentication Services, AIS, ITS

University of Iowa
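An added example, not SimpleSAMLphp's own code: the signing step the request above asks for, done directly against xmlseclibs (the library the post names) with an RSA-SHA256 SignatureMethod and SHA-256 digests. It assumes xmlseclibs is installed via Composer; the function name, the sample metadata and the key and certificate paths are placeholders.

```php
<?php
// Added example, not SimpleSAMLphp's own code: sign a SAML EntityDescriptor
// with RSA-SHA256 and SHA-256 digests using xmlseclibs directly.
// Assumptions: xmlseclibs installed via Composer; key and certificate paths
// below are placeholders; the sample metadata is constructed for this demo.
require_once __DIR__ . '/vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

function signMetadataSha256(string $metadataXml, string $privateKeyFile, string $certificateFile): string
{
    $doc = new DOMDocument();
    $doc->loadXML($metadataXml);
    $root = $doc->documentElement;
    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    // One enveloped reference over the whole element, digested with SHA-256
    // instead of SHA-1; 'id_name' names the attribute the Reference URI uses.
    $dsig->addReference(
        $root,
        XMLSecurityDSig::SHA256,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
        ['id_name' => 'ID', 'overwrite' => false]
    );
    // RSA-SHA256 as SignatureMethod in place of the hard-coded RSA-SHA1.
    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($privateKeyFile, true);
    $dsig->sign($key);
    // Publish the signing certificate in ds:KeyInfo so a consumer can compare
    // it with the copy received out-of-band.
    $dsig->add509Cert(file_get_contents($certificateFile));
    // SAML metadata places ds:Signature as the first child of the descriptor.
    $dsig->insertSignature($root, $root->firstChild);
    return $doc->saveXML();
}

// Constructed sample metadata; a real deployment signs its generated document.
$sample = <<<XML
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_metadata-sample" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;
echo signMetadataSha256($sample, '/path/to/metadata-signing.key', '/path/to/metadata-signing.crt');
```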

Peter Schober

Jun 21, 2016, 11:42:17 AM
to SimpleSAMLphp
* Michael Domingues <michaeld...@gmail.com> [2016-06-21 17:18]:
> In helping a deployer on my campus configure automated metadata signing

Just curious: Why would you be interested in doing that? What benefits do
you intend to derive from signatures corresponding to self-signed
certificates (i.e., it's all self-asserted) over just self-asserted
metadata?
Are you the IDP here and do you intend to automatically import/refresh
metadata from the SP directly? If so are you prepared for that SP to
impersonate any other SP you have metadata for (by suddenly claiming
someone else's entityID, for example)?
-peter

Michael Domingues

Jun 21, 2016, 12:27:50 PM
to SimpleSAMLphp, peter....@univie.ac.at
Peter,

To describe the scenario briefly (even though it is not particularly germane to this list, nor remotely germane to the intent of my post) yes, we are the IdP operator, and will be automatically consuming metadata from a rather complicated SP environment which includes a multitude of endpoint locations.

This SP is operated by a trusted internal entity, and we have performed key exchange out-of-band with its operator to enable metadata integrity verification. Furthermore, we've taken all possible precautions on the IdP-side to mitigate the risks you've surfaced (and then some) -- chiefly, by filtering metadata on import to only consume the entityID we have agreed upon with the SP operator.

As you rightly point out, automated metadata consumption is typically inadvisable, particularly for the uninitiated, so there's value in bringing this all up, at least for the public record. That said, I wouldn't have dared to go down this road had I not taken all reasonable precautions in the first place.

My initial point (and the intent of my post) still stands. This appears to be a missing functionality in the SimpleSAMLphp package; I simply wanted to bring that to light.

Michael
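An added example, not from SimpleSAMLphp or the poster: the import-side checks the reply above describes (verify the fetched metadata with the certificate exchanged out-of-band, then consume only the agreed entityID), written against xmlseclibs. It assumes xmlseclibs via Composer; the function name and its pinned-certificate and agreed-entityID parameters are assumptions.

```php
<?php
// Added example, not SimpleSAMLphp's own code: verify automatically fetched
// metadata against a pinned certificate, then keep only the EntityDescriptor
// whose entityID was agreed with the SP operator. Assumptions: xmlseclibs via
// Composer; $pinnedCertPem and $agreedEntityId come from the caller's config.
require_once __DIR__ . '/vendor/autoload.php';
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;
const MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

function acceptSignedMetadata(string $xml, string $pinnedCertPem, string $agreedEntityId): DOMElement
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never let the parser fetch external resources.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('metadata is not well-formed XML');
    }
    $dsig = new XMLSecurityDSig();
    $sigNode = $dsig->locateSignature($doc);
    // The signature must be enveloped in the document root so it covers every
    // EntityDescriptor, not just some inner element of the sender's choosing.
    if ($sigNode === null || !$sigNode->parentNode->isSameNode($doc->documentElement)) {
        throw new RuntimeException('metadata is unsigned or signed below the root');
    }
    // Refuse SHA-1 signatures outright instead of accepting whatever
    // SignatureMethod the document declares.
    $method = $sigNode->getElementsByTagNameNS(XMLSecurityDSig::XMLDSIGNS, 'SignatureMethod')->item(0);
    if ($method === null || $method->getAttribute('Algorithm') !== XMLSecurityKey::RSA_SHA256) {
        throw new RuntimeException('only RSA-SHA256 metadata signatures are accepted');
    }
    $dsig->canonicalizeSignedInfo();
    $dsig->idKeys = ['ID'];
    $dsig->validateReference();                 // throws on any digest mismatch
    // Verify with the pinned certificate; the certificate inside ds:KeyInfo is
    // sender-supplied data and is never used as the trust anchor.
    $key = $dsig->locateKey();
    $key->loadKey($pinnedCertPem, false, true);
    if ($dsig->verify($key) !== 1) {
        throw new RuntimeException('signature does not verify with the pinned certificate');
    }
    // Only the agreed entityID is consumed; anything else in the feed is ignored.
    foreach ($doc->getElementsByTagNameNS(MD_NS, 'EntityDescriptor') as $ed) {
        if ($ed->getAttribute('entityID') === $agreedEntityId) {
            return $ed;
        }
    }
    throw new RuntimeException("agreed entityID $agreedEntityId not found in signed metadata");
}
```

The returned element is what gets handed to the metadata import; every other descriptor in the feed, and any document that fails a check, is dropped before it can reach the IdP's configuration.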

Peter Schober

Jun 21, 2016, 1:03:54 PM
to SimpleSAMLphp
* Michael Domingues <michaeld...@gmail.com> [2016-06-21 18:27]:
> My initial point (and the intent of my post) still stands. This appears to
> be a missing functionality in the SimpleSAMLphp package; I simply wanted to
> bring that to light.

I'd suggest using the issue tracker for that, then.
-peter

Jaime Perez Crespo

Jun 28, 2016, 11:35:16 AM
to simple...@googlegroups.com
Hi Michael,

Would you mind opening an issue with your request in our issue tracker?

https://github.com/simplesamlphp/simplesamlphp/issues

Thanks!

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Michael Domingues

Jun 30, 2016, 5:53:51 PM
to simple...@googlegroups.com
Hi Jaime,

Of course. The issue has now been filed at https://github.com/simplesamlphp/simplesamlphp/issues/411.

Cheers,
Michael