
signing, decryption, and relay state HMAC-SHA1 for service providers #4

Merged
merged 7 commits into from
Feb 20, 2016

Conversation

sgsfak
Contributor

@sgsfak sgsfak commented Nov 11, 2015

No description provided.

A demo SP is provided in dev/demo_sp.clj. This version adds the
following:

- Validate the signature of the IdP responses
- Decryption of the IdP supplied assertions
- Creation of SAML Metadata
- SP related 'routes', check the saml20-clj/routes.clj file

Please keep in mind that in order to use it you need to create a private
and public key pair and store them in a Java keystore file (use the
'keytool').
The SP interoperates successfully with the testshib
(https://www.testshib.org) IdP (found at https://idp.testshib.org/).
According to the SAML Bindings specification "RelayState data MAY be
included with a SAML protocol message" transmitted with the
HTTP-Redirect binding. But "because the value is exposed to third-party
tampering, the entity SHOULD ensure that the value has not been tampered
with by using a checksum, a pseudo-random value, or similar means". In
the current implementation we create a "secret key" on startup that is
later on used to create a keyed-hash message authentication code (HMAC)
using SHA-1 as the secure hash algorithm. What is currently hashed is the
"continue-url" information, to produce the following as relay state:
      <continue-url>:<hmac-sha1(continue-url, secret-key)>
On the arrival of the response the relay state data is again validated
and if the continue-url does not match its hashed value the response
is rejected.
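The relay-state construction and check described above, written out as an added Python example (it is not the library's own Clojure code). The secret, the sample continue-url and the function names are assumptions; the tag format follows the commit message: `<continue-url>:<hmac-sha1(continue-url, secret-key)>`.

```python
import hashlib
import hmac
import os

# Generated once per process, as the commit message describes for the SP.
# 32 random bytes is a constructed choice, not a value from the library.
SECRET_KEY = os.urandom(32)


def make_relay_state(continue_url: str, key: bytes = SECRET_KEY) -> str:
    """Build '<continue-url>:<hmac-sha1(continue-url, key)>' (hex tag)."""
    tag = hmac.new(key, continue_url.encode("utf-8"), hashlib.sha1).hexdigest()
    return f"{continue_url}:{tag}"


def verify_relay_state(relay_state: str, key: bytes = SECRET_KEY):
    """Return the continue-url if its tag verifies, otherwise None.

    The hex tag never contains ':', so split on the LAST colon; the
    continue-url itself normally contains colons (scheme, maybe a port).
    """
    url, sep, tag = relay_state.rpartition(":")
    if not sep or not url or not tag:
        return None  # malformed: no tag present
    expected = hmac.new(key, url.encode("utf-8"), hashlib.sha1).hexdigest()
    # Compare as bytes in constant time; an attacker-controlled tag may be
    # non-ASCII, which compare_digest rejects for str arguments.
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None  # tampered continue-url or forged tag: reject response
    return url


if __name__ == "__main__":
    rs = make_relay_state("https://sp.example.org/app?next=1")  # constructed
    print(rs)
    print(verify_relay_state(rs))
    url, _, tag = rs.rpartition(":")
    print(verify_relay_state("https://evil.example.org/:" + tag))  # None
```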
jrdoane added a commit that referenced this pull request Feb 20, 2016
signing, decryption, and relay state HMAC-SHA1 for service providers
@jrdoane jrdoane merged commit 3327d47 into vlacs:dev Feb 20, 2016
@jrdoane
Member

jrdoane commented Feb 20, 2016

Sorry it took a while to get back to this, I haven't really been working on this library. I may be updating parts of this because this was one of my first Clojure projects and I think that a little bit of clean-up is in order.

@jrdoane
Member

jrdoane commented Mar 25, 2016

@sgsfak This is in Clojars now with the version 0.1.5. I made some alterations but, kept most of the changes you made to use OpenSAML. I made some minor changes such as not requiring a keystore for encryption/decryption (since SSO doesn't require this,) and added a Helmsman route form and handlers as well.

I bumped versions and change some dep ordering to keep versions playing nicely as well.

@sgsfak
Contributor Author

sgsfak commented Apr 2, 2016

Thanks Jon, I will test it when time permits
