making SP support both SAML 1.0 (and 1.x) and SAML 2.0


Gonen Radai

Jul 16, 2013, 8:52:08 AM
to simple...@googlegroups.com
Hi,

I'm wondering if there's a way to support both versions in a single SP.
Essentially, is it possible to ask the library somehow what version the assertion is, in order to know whether to parse the request via SAML2_HTTPArtifact or via other classes that know how to handle SAML 1.0?

Currently I'm getting an exception here:
if ($xml->namespaceURI !== SAML2_Const::NS_SAMLP) {
    throw new Exception('Unknown namespace of SAML message: ' . var_export($xml->namespaceURI, TRUE));
}
because the SAML assertion I'm getting from the IdP has:

urn:oasis:names:tc:SAML:1.0:protocol

I'm assuming simplesamlphp supports SAML 1.0, since I could not find any information that clearly claims otherwise and also because I could find in the code references to "urn:oasis:names:tc:SAML:1.0:protocol"

thanks,
Gonen

Peter Schober

Jul 16, 2013, 9:06:19 AM
to simple...@googlegroups.com
* Gonen Radai <gon...@gmail.com> [2013-07-16 14:52]:
> I'm assuming simplesamlphp supports SAML 1.0, since I could not find
> any information that clearly claims otherwise

If there is no entry in the issue tracker for a list of supported
specs please create one. That would definitively help.
-peter

Gonen Radai

Jul 16, 2013, 10:47:58 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Let me re-phrase my post:
1. does simplesamlphp support working as SP against a SAML1.0 IdP?
2. if it does, how in the code should one determine the version of the IdP in order to know how to parse/receive/process the SAML response?
  2.1. can it be done on the fly by looking at the XML?
  2.2. or should it be a static configuration per metadata set?

My current code is doing the following:

$b = SAML2_Binding::getCurrentBinding();   // SAML 2.0 binding classes only
if ($b instanceof SAML2_HTTPArtifact) {
    $b->setSPMetadata($spMetadata);         // artifact resolution needs the SP's own metadata
}

$response = $b->receive();                 // throws on any non-SAML-2.0 protocol namespace
if (!($response instanceof SAML2_Response)) {
    throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.');
}

So this is a hard-coded assumption that I'm working with a SAML2 IdP.

Thanks,
Gonen

Jaime Pérez Crespo

Jul 16, 2013, 11:48:51 AM
to simple...@googlegroups.com
Hi Gonen,

On Jul 16, 2013, at 16:47 PM, Gonen Radai <gon...@gmail.com> wrote:
> let me re-phrase my post:
> 1. does simplesamlphp support working as SP against a SAML1.0 IdP?

Definitely.

> 2. if it does, how in the code should one determine the version of the IdP in order to know how to parse/receive/process the SAML response?
>   2.1. can it be done on the fly by looking at the XML?
>   2.2. or should it be a static configuration per metadata set?

It's all done by configuration. You have the metadata directory, where you have different metadata sets. Depending on which of them you configure your IdPs in, they are considered to be Shibboleth-compatible (1.1) or 2.0. Basically:

- shib13-idp-remote.php
- saml20-idp-remote.php

> my current code is doing the following:
>
> $b = SAML2_Binding::getCurrentBinding();
> if ($b instanceof SAML2_HTTPArtifact) {
>     $b->setSPMetadata($spMetadata);
> }
>
> $response = $b->receive();
> if (!($response instanceof SAML2_Response)) {
>     throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.');
> }
>
> So this is a hard-coded assumption that I'm working with a SAML2 IdP.

You shouldn't be doing that. Please take a glimpse at the documentation on how to use SSP from your application:


Regards,

--
Jaime Pérez
UNINETT / Feide

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
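Gonen's question 2.1 asks whether the protocol version can be read off the XML on the fly; Jaime's answer is that SimpleSAMLphp chooses by metadata set instead. For readers who want to see what the on-the-fly check looks like, here is an added example, written for this page in Python and not code from SimpleSAMLphp or from anyone in the thread. It performs the same root-namespace test as the SAML2_Binding snippet quoted in the first post, then reads the version attributes. Two points it makes that the namespace alone does not: SAML 1.1 reuses the SAML 1.0 namespace URIs, so urn:oasis:names:tc:SAML:1.0:protocol only tells you "SAML 1.x" and the MajorVersion/MinorVersion attributes distinguish 1.0 from 1.1, whereas SAML 2.0 carries a single Version attribute; and a message whose namespace and version attributes disagree is rejected rather than guessed at. The sample messages are constructed, unsigned placeholders, and the handler names are assumptions; classification only selects which validator should run and is no substitute for signature and Status checking in that validator.

```python
import xml.etree.ElementTree as ET  # a deployed SP should use defusedxml or an equally hardened parser

# Protocol namespaces. SAML 1.1 kept the 1.0 namespace URI, so the first
# value identifies the SAML 1.x family, not specifically version 1.0.
NS_SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.0:protocol"
NS_SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def classify_saml_message(xml_bytes):
    """Return {'family', 'version', 'element'} for a SAML protocol message.

    Raises ValueError when the root element is not a SAML 1.x or SAML 2.0
    protocol element, or when its version attributes contradict the namespace.
    """
    root = ET.fromstring(xml_bytes)
    # ElementTree spells a namespaced tag as "{uri}localname".
    if not root.tag.startswith("{"):
        raise ValueError("SAML message root element has no namespace")
    ns, local = root.tag[1:].split("}", 1)

    if ns == NS_SAML2_PROTOCOL:
        version = root.get("Version")
        if version != "2.0":
            raise ValueError("SAML 2.0 namespace but Version=%r" % version)
        return {"family": "saml2", "version": "2.0", "element": local}

    if ns == NS_SAML1_PROTOCOL:
        major, minor = root.get("MajorVersion"), root.get("MinorVersion")
        if major != "1" or minor not in ("0", "1"):
            raise ValueError("SAML 1.x namespace but MajorVersion=%r MinorVersion=%r"
                             % (major, minor))
        return {"family": "saml1", "version": "%s.%s" % (major, minor), "element": local}

    # Same condition the SAML2_Binding check in the first post trips on.
    raise ValueError("Unknown namespace of SAML message: %r" % ns)


def dispatch(xml_bytes, handlers):
    """Route a message to the handler registered for its protocol family.

    handlers maps 'saml1' / 'saml2' to callables taking (xml_bytes, info);
    a family with no handler is an error, not a silent fallback.
    """
    info = classify_saml_message(xml_bytes)
    handler = handlers.get(info["family"])
    if handler is None:
        raise ValueError("no handler configured for %s" % info["family"])
    return handler(xml_bytes, info)


# Constructed, unsigned sample messages (placeholders, not captured from any IdP).
SAML11_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    b'MajorVersion="1" MinorVersion="1" ResponseID="_example-1" '
    b'IssueInstant="2013-07-16T12:52:08Z">'
    b'<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    b'</samlp:Response>'
)
SAML20_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'Version="2.0" ID="_example-2" IssueInstant="2013-07-16T12:52:08Z">'
    b'<samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'</samlp:Response>'
)
NOT_SAML = b'<Response xmlns="urn:example:not-saml" Version="2.0"/>'


if __name__ == "__main__":
    # Hypothetical handlers standing in for the SAML 1.x and SAML 2.0 code paths.
    handlers = {
        "saml1": lambda xml, info: "SAML 1.x path: %s %s" % (info["element"], info["version"]),
        "saml2": lambda xml, info: "SAML 2.0 path: %s %s" % (info["element"], info["version"]),
    }
    for msg in (SAML11_RESPONSE, SAML20_RESPONSE, NOT_SAML):
        try:
            print(dispatch(msg, handlers))
        except ValueError as err:
            print("rejected:", err)
```

Note that this only applies once an XML document is in hand: with the HTTP-Artifact binding the AssertionConsumerService receives an artifact, and the message to classify is what the artifact resolution returns.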

Tom Scavo

Jul 16, 2013, 12:04:06 PM
to simpleSAMLphp
On Tue, Jul 16, 2013 at 11:48 AM, Jaime Pérez Crespo
<jaime...@uninett.no> wrote:
> On Jul 16, 2013, at 16:47 PM, Gonen Radai <gon...@gmail.com> wrote:
>
> let me re-phrase my post:
> 1. does simplesamlphp support working as SP against a SAML1.0 IdP?
>
> Definitely.

Really? I thought there was support for SAML V1.1 + Shibboleth
AuthnRequest but that's not the same as SAML V1.0. (Sorry, I don't
know the difference between SAML V1.0 and V1.1.)

Tom

Jaime Pérez Crespo

Jul 17, 2013, 10:32:21 AM
to simple...@googlegroups.com
Hi,
That's what happens when you are doing several things at the same time :-)

You are right, I read SAML 1, but officially SSP supports 1.1 (shib 1.3) and 2.0. Can't recall trying it with a 1.0 IdP. Honestly, I even doubt there's still any 1.0 IdPs/SPs out there...

Thanks for pointing out my mistake!

Peter Schober

Jul 17, 2013, 10:49:24 AM
to simpleSAMLphp
* Tom Scavo <trs...@gmail.com> [2013-07-16 18:04]:
> Sorry, I don't know the difference between SAML V1.0 and V1.1.

Jfyi, http://saml.xml.org/saml-specifications#samlv10 has a link to
http://www.oasis-open.org/committees/download.php/3412/sstc-saml-diff-1.1-draft-01.pdf
in case anyone really wanted to know the details.

Here's hoping we can finally move on to 2005 (SAML2.0), 8 years in the
past.
-peter

Gonen Radai

Jul 18, 2013, 7:48:23 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks everyone.

The reason I asked is because I came across one IdP which is SAML1.0.

Gonen