Sun Access Manager

Sun Access Manager SAML 2.0 Authentication Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s2a504080855534e5ecb4fc00234670530e97b7dd2"
    InResponseTo="_64f9bc2dd1cd092b0d0660dbe3b7a5c1aca58d36e0" Version="2.0"
    IssueInstant="2008-05-27T08:02:21Z"
    Destination="https://foodle.feide.no/simplesaml/saml2/sp/AssertionConsumerService.php">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sam.feide.no</saml:Issuer>
    <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"> </samlp:StatusCode>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
        ID="s2d1b5d94172a4ffb6a0acb5ff6a1f3725050178c7" IssueInstant="2008-05-27T08:02:21Z">
        <saml:Issuer>sam.feide.no</saml:Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <!-- The page's copy of the response ends here. Not shown: the Reference
                     element(s) that belong in SignedInfo, the SignatureValue and KeyInfo
                     that follow it, and the Subject, Conditions and statements of the
                     assertion. Closing tags added so the fragment is well-formed. -->
            </SignedInfo>
        </Signature>
    </saml:Assertion>
</samlp:Response>
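Note that Sun Access Manager signs the Assertion, not the enclosing Response, which is one of the interoperability choices discussed further down this page. The following is an added example, not Sun Access Manager or Feide code, of the structural checks an SP has to run on a response like the one above before accepting it: status, Destination, InResponseTo against the SP's own list of outstanding requests, Issuer on both levels, assertion lifetime and audience, and that the XML Signature is a direct child of the element whose ID its Reference names. The sample input reproduces the response above with the truncated signature completed by placeholder digest and signature values and an assumed Conditions block; the audience value and the clock-skew tolerance are assumptions. Cryptographic verification of the signature is left to an XMLDSig library such as xmlsec, and these checks must pass in addition to it.

```python
"""Structural checks an SP should run on a SAML 2.0 Response before trusting it.
Added example, not Sun Access Manager, Feide or simpleSAMLphp code.  Cryptographic
verification of the XML Signature is out of scope here; every failure is named."""
import datetime as dt
import xml.etree.ElementTree as ET   # production code: parse with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = dt.timedelta(seconds=60)          # assumed tolerance, tune per deployment

# Values taken from the response on the page; AUDIENCE is an assumed SP entityID.
ACS = "https://foodle.feide.no/simplesaml/saml2/sp/AssertionConsumerService.php"
IDP = "sam.feide.no"
AUDIENCE = "foodle.feide.no"
REQUEST_ID = "_64f9bc2dd1cd092b0d0660dbe3b7a5c1aca58d36e0"
NOW = dt.datetime(2008, 5, 27, 8, 2, 30, tzinfo=dt.timezone.utc)   # "now" for the sample

# Constructed sample: the page's truncated response, completed with placeholder
# Reference/SignatureValue elements and an assumed Conditions block so it parses.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="s2a504080855534e5ecb4fc00234670530e97b7dd2" InResponseTo="{REQUEST_ID}"
    Version="2.0" IssueInstant="2008-05-27T08:02:21Z" Destination="{ACS}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="s2d1b5d94172a4ffb6a0acb5ff6a1f3725050178c7"
      IssueInstant="2008-05-27T08:02:21Z">
    <saml:Issuer>{IDP}</saml:Issuer>
    <Signature xmlns="{NS['ds']}">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#s2d1b5d94172a4ffb6a0acb5ff6a1f3725050178c7">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>PLACEHOLDER</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>PLACEHOLDER</SignatureValue>
    </Signature>
    <saml:Conditions NotBefore="2008-05-27T08:01:21Z" NotOnOrAfter="2008-05-27T08:07:21Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(s):
    """SAML dateTime values are UTC with a trailing Z, with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(s, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad SAML timestamp {s!r}")


def check_response(xml_text, *, expected_acs=ACS, expected_issuer=IDP,
                   expected_audience=AUDIENCE, outstanding_requests=frozenset(), now=None):
    """Return the reasons to reject the response; an empty list means it passed.
    outstanding_requests holds IDs of AuthnRequests this SP sent and has not consumed;
    the caller removes the ID after a successful check, so a replay fails here."""
    now = now or dt.datetime.now(dt.timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != expected_acs:
        problems.append("Destination is not our AssertionConsumerService URL")
    if root.get("InResponseTo") not in outstanding_requests:
        problems.append("InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("response Issuer is not the expected IdP")
    inst = root.get("IssueInstant")
    if not inst or parse_instant(inst) > now + CLOCK_SKEW:
        problems.append("IssueInstant missing or in the future")
    ids = [e.get("ID") for e in root.iter() if e.get("ID")]
    if len(ids) != len(set(ids)):
        problems.append("duplicate ID attributes (signature reference would be ambiguous)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("assertion Issuer is not the expected IdP")
    # The signature must be a direct child of the element it covers and its single
    # Reference must name that element's own ID; anything else has the shape of an
    # XML signature wrapping attack and is rejected before any crypto is run.
    signed, sig = a, a.find("ds:Signature", NS)
    if sig is None:
        signed, sig = root, root.find("ds:Signature", NS)
    if sig is None:
        problems.append("neither the Assertion nor the Response is signed")
    else:
        refs = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        if refs != ["#" + signed.get("ID", "")]:
            problems.append(f"Signature Reference {refs} does not cover the signed element")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion carries no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and parse_instant(nb) - CLOCK_SKEW > now:
            problems.append("assertion not yet valid (NotBefore)")
        if noa and parse_instant(noa) + CLOCK_SKEW <= now:
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"{expected_audience} is not in AudienceRestriction {audiences}")
    return problems
```

With the sample as given and `{REQUEST_ID}` in the outstanding set, `check_response(SAMPLE_RESPONSE, outstanding_requests={REQUEST_ID}, now=NOW)` returns an empty list; re-sending the same response after the ID has been consumed, pointing the Reference at the Response ID instead of the Assertion ID, or presenting it after NotOnOrAfter each produce a named rejection.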

Service Provider's Guide to Feide Integration

This document is meant as a hand-out to new service providers who want to integrate their application with Feide authentication. It is aimed at technical people. It contains a large number of links, so you will be able to find more documentation on whatever is unclear.

Download document

Shibboleth 2.0 SP interoperable with Feide

Today we tested the Shibboleth 2.0 C++ SP alpha-2 on a Debian Linux test box. Our goal was to make it work with Feide.

The outcome of the test was very promising. Single Sign-On worked both with Browser/POST and with Browser/Artifact. We did have some trouble with Single Logout, but we believe that is due to a bug in Shibboleth that will be fixed before release.

That SAML 2.0 software works with other SAML 2.0 software should not be a surprise, but unfortunately SAML 2.0 leaves a lot of choices of bindings and formats that may differ between installations (we also remember the experience with Google's SAML 2.0). That is why we consider this test very good news.

Thank you, Internet2, for providing great software. We look forward to testing the final release. Services that want to integrate with Feide are welcome to use the Shibboleth 2.0 SP software, as well as any other SAML 2.0 compliant SP.

Authorization in apache with a SAML 2.0 federation

Sun's Access Manager Policy Agent for Apache is of limited use to us because it is "impossible" to deploy on any Linux distribution other than Red Hat Enterprise Linux.

Having an Apache module that works with Feide is important for us, so we are looking at alternatives. One idea is to use saml2php (the OpenSSO PHP Extension) together with Auth MemCookie, an Apache module that authenticates requests by looking up the session cookie in memcached: saml2php handles the SAML 2.0 exchange and writes the resulting session to memcached, and Apache authorizes requests from there. Olav Morken helped us set up a proof-of-concept demo site and wrote a detailed document on how to set up saml2php with Auth MemCookie.

The document is checked in to the saml2php CVS repository, so you will also get it when you download saml2php.

A new session handler named authmemcookie has also been added to saml2php CVS; it is found under openssophp/spi/sessionhandling/authmemcookie.php.

Google Apps and Sun Access Manager

I did some work on configuring Google Apps Education with Sun Access Manager. Both support SAML 2.0 and should in theory work smoothly together.

The general challenge with SAML 2.0 is that the standard is wide, leaving a lot of options to implementations, and implementations tend to support only a subset of all possible configurations.

Some examples of things that may differ: NameID formats; SSO and SLO bindings (Browser/POST, Artifact, HTTP-Redirect, etc.); attribute push in the assertion versus a separate attribute query; the kind of signature mechanism (HTTP-POST-SimpleSign versus XML Signature); management of the PKI (self-signed certificates, own root, trusted root, revocation, etc.); use of the PKI (what to sign, the response or the assertion; whether signed requests are required, etc.); storage of certificates (keystores versus metadata); and, last but not least, attribute namespaces, syntax and semantics.
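Most of the choices in that list are visible in the two parties' SAML 2.0 metadata, so the overlap can be computed before anyone starts debugging a failed login. The following is an added example, not code from this page, from Feide, Sun or Google: it reads an IdP's and an SP's metadata and works out the AuthnRequest binding, the response binding, the NameID format and the logout possibility the two sides share, and names the mismatches. Both metadata documents are constructed for illustration. What the IdP signs (Response or Assertion) is not expressed in metadata, so it is passed in as an out-of-band setting, as are the bindings the SP implementation can emit requests with.

```python
"""Find the SAML 2.0 options an IdP and an SP actually have in common, from their
metadata, and name the mismatches.  Added example; both metadata documents are
constructed for illustration and the IdP's signing policy is an out-of-band input."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed IdP: Redirect-only SSO endpoint, artifact resolution, transient NameIDs,
# insists on signed AuthnRequests.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.org">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org/artifact" index="0"/>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.org/slo"/>
    <NameIDFormat>{TRANSIENT}</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP: prefers persistent NameIDs and Artifact delivery, does not sign requests.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.com">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{POST}" Location="https://sp.example.com/slo"/>
    <NameIDFormat>{PERSISTENT}</NameIDFormat>
    <NameIDFormat>{TRANSIENT}</NameIDFormat>
    <AssertionConsumerService Binding="{ARTIFACT}" Location="https://sp.example.com/acs"
        index="0" isDefault="true"/>
    <AssertionConsumerService Binding="{POST}" Location="https://sp.example.com/acs" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def q(tag):
    return f"{{{MD}}}{tag}"


def bindings(desc, service):
    return [e.get("Binding") for e in desc.findall(q(service))]


def negotiate(idp_xml, sp_xml, *, idp_signs=("assertion",), sp_can_send=(REDIRECT, POST)):
    """Return (chosen, conflicts).  sp_can_send lists the bindings this SP implementation
    can emit AuthnRequests and LogoutRequests with; idp_signs is the IdP's signing policy."""
    idp = ET.fromstring(idp_xml).find(q("IDPSSODescriptor"))
    sp = ET.fromstring(sp_xml).find(q("SPSSODescriptor"))
    chosen, conflicts = {}, []

    # 1. AuthnRequest: a binding the SP can send that the IdP exposes an SSO endpoint for.
    common = [b for b in sp_can_send if b in bindings(idp, "SingleSignOnService")]
    if common:
        chosen["request_binding"] = common[0]
    else:
        conflicts.append("no common AuthnRequest binding")

    # 2. Response: the SP's default ACS first, then by index.  POST is assumed to be
    #    universally available; Artifact only works if the IdP can resolve artifacts.
    acs = sorted(sp.findall(q("AssertionConsumerService")),
                 key=lambda e: (e.get("isDefault") != "true", int(e.get("index"))))
    idp_can_artifact = idp.find(q("ArtifactResolutionService")) is not None
    for e in acs:
        if e.get("Binding") == POST or (e.get("Binding") == ARTIFACT and idp_can_artifact):
            chosen["response_binding"] = e.get("Binding")
            break
    else:
        conflicts.append("no usable AssertionConsumerService binding")

    # 3. NameID: SP preference order filtered by what the IdP issues; a side that
    #    lists no NameIDFormat at all is taken as accepting anything.
    idp_f = [e.text.strip() for e in idp.findall(q("NameIDFormat"))]
    sp_f = [e.text.strip() for e in sp.findall(q("NameIDFormat"))]
    if idp_f and sp_f:
        common = [f for f in sp_f if f in idp_f]
        if common:
            chosen["nameid_format"] = common[0]
        else:
            conflicts.append(f"no common NameID format: SP {sp_f} vs IdP {idp_f}")
    else:
        chosen["nameid_format"] = (sp_f or idp_f or ["unspecified"])[0]

    # 4. Signing expectations: metadata flags on each side, IdP policy out of band.
    if idp.get("WantAuthnRequestsSigned") == "true" and sp.get("AuthnRequestsSigned") != "true":
        conflicts.append("IdP wants signed AuthnRequests but the SP does not sign them")
    if sp.get("WantAssertionsSigned") == "true" and "assertion" not in idp_signs:
        conflicts.append("SP wants the Assertion signed but the IdP signs only the Response")

    # 5. Logout needs an IdP SLO endpoint the SP can reach and an SP SLO endpoint at all.
    idp_slo = [b for b in sp_can_send if b in bindings(idp, "SingleLogoutService")]
    chosen["single_logout"] = bool(idp_slo and bindings(sp, "SingleLogoutService"))
    return chosen, conflicts
```

For the two constructed documents `negotiate(IDP_METADATA, SP_METADATA)` settles on HTTP-Redirect for the request, HTTP-Artifact for the response, the transient NameID format and a working logout, and reports one conflict: the IdP wants signed AuthnRequests and this SP does not sign them. Removing the IdP's ArtifactResolutionService makes the negotiation fall back to HTTP-POST delivery, and an IdP that only signs the Response is flagged against the SP's WantAssertionsSigned.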

Demoing cross-technology cross-federation WebSSO in Europe

On January 10th, 2007, I demoed a set of logins across three different federations in Europe that use different technologies.

I demoed both SPs and IdPs located in Spain (RedIRIS, using PAPI), Norway (Feide, using Sun Access Manager and SAML 2.0) and Switzerland (SWITCH, using Shibboleth).

architecture figure

Five different attributes were sent between the bridging elements.

attribute viewer screenshot

The picture above is from the Feide attribute viewer showing attributes from a SWITCH test user account.