SimpleSAMLphp version 1.9

UNINETT have now made version 1.9.0 of simpleSAMLphp available for download.

There have been some bugfixes since the previous release candidate. We have also made a larger fix to session expiration handling, which means that we now honor the session lifetime set by the SAML 2.0 IdP. This may in some cases mean that users' sessions will have a shorter lifetime than before.

The changelog is available from:

The upgrade notes have been updated:

The new release can be downloaded from:

sha1sum:

d9904da80c4990b2fec6ab054c9779d4ee885326 simplesamlphp-1.9.0.tar.gz

Identity Federations Status Report – January 2012

GÉANT Identity Federations currently have a lot of ongoing activities. Here is a summary of what we are working on, and the current status.

Federation Lab › Test Federation

Goal:

Allow new SPs and IdPs to easily connect to a set of available entities with no contract necessary. Self-maintained.

Activity expected to be done April 2012.

Miro: Nothing to update.

Federation Lab › Monitoring and statistics

Miro: As I promised we’ve done preparations for using f-ticks with SSP in production in our federation. I’ll be able to report on that next month.

Federation Lab › SAMLtracer

A significant patch was received from Mark Dubrovnic. Some of the patches have been incorporated, some remain, including UI updates and support for import/export.

Some planned features: Notifications of SAML artifacts, support for IdP Discovery protocol.

Federation Lab › OpenID Connect

We’re making progress. In February we’ll be able to connect the front-end test run UI with the backend test tool, and present visible results.

There is an interop event in San Francisco, then a new OpenID Connect meeting in Paris alongside the IETF meeting. Roland is attending the IETF and Kantara meetings. Andreas might as well. We will have some demo available before that.

The backend test tool is able to produce test results for the initial simple test cases, and has been tested against several OpenID Connect Provider implementations.

We’re planning on preparing a test facility for OAuth 2.0 in addition to OpenID Connect. That tool might be very useful for the VOOT work.

RedIRIS will implement OpenID Connect in coordination with the test facility. RedIRIS already have experience and a library for OAuth 2.0, and will make use of that. They will also make a simpleSAMLphp module that makes it very easy to enable OpenID Connect support in an existing IdP or SP running SSP.

VOOT

Leif: Set up http://openvoot.org and prepared a drafted IETF-templated spec.

Foodle: no updates.

UNINETT has implemented OAuth 2.0 and tested it against Leif’s implementation. There were some problems, but we made it work. OAuth 2.0 support will be integrated into Foodle this spring.

SurfNet: Ready to exchange OAuth keys with Foodle, and also ready to consume groups from Foodle as a client. Will implement OAuth 2.0 in the second half of 2012.

Renater: Has already completed the Sympa VOOT OAuth 1.0-based implementation, which has been made publicly available. Prepared to test against Foodle and SurfNet. Working on OAuth 2.0, expected to be ready March 2012.

SAML2int

The SAML2int profile is being transferred to Kantara Initiative: Federation Interoperability WG.

Scot will apply some minimal changes contributed by Ian Young.

Federated Provisioning

Mads Freek has been hired by WAYF to work mostly on Stinus.

Stinus is the ‘Federated provisioning and de-provisioning’ project originally proposed by WAYF, SURFnet & JANET as per the enclosed pdf.

A description – one month old – of the architecture is available here: http://code.google.com/p/stinus/wiki/StinusOverview?show=content

I expect to have a pre-PoC up and running in week 6, and expect to update the description to reflect some recent changes, mostly the use of Gearman both inside the core and as the protocol between Stinus components.

Working prototype within 2 weeks.

WAYF will ensure compatibility with connectors used by the Sun provisioning framework, which is also used in the Netherlands. WAYF and SURFnet are in dialogue.

Remco has already done some work on Federated Provisioning and will also do much work in the year to come, but that will be funded by another project. Remco will share a deliverable related to the work on the mailing list.

DiscoJuice

No updates.

Moonshot

The technology and the spec are settling down and becoming more mature.

Most activity on supporting customers on piloting activities.

Piloting activities around these areas:

  1. Classic e-Science facilities: SSH access, visitors with physical access to the console.
  2. UK National Grid Services.
  3. Cancer Research UK: for Microsoft Exchange, file sharing, etc. A large organization, divided into 5 institutes.
  4. UK National Health Services: interested in starting piloting.

The likely most important initial use case: federated login to regular desktops (between different, unrelated MS Active Directory domains), not just applications.

Other topics

  • Hot topic: GÉANT 3+
  • Convention in Madrid for activity leaders, 27th February.
    • Training on the GN3+ methodology.

Next meeting in the beginning of March

SimpleSAMLphp and EIFL

EIFL works with libraries worldwide to enable access to digital information in developing and transition countries. EIFL is an international not-for-profit organisation based in Europe with a global network of partners.

In November 2011, EIFL-FOSS held a regional training seminar in Dar es Salaam, Tanzania, with the support of UNESCO. SimpleSAMLphp was covered there.

As a follow up to the very popular session at the EIFL-FOSS Regional Seminar 2011, EIFL-FOSS and EIFL-Licensing held a Themed Week on the SimpleSAMLphp software.

EIFL also provides a separate page with information on SimpleSAMLphp:

DiscoJuice 2.0

I’m preparing a new release of DiscoJuice, version 2.0. This is a centrally hosted version, at discojuice.org, and it should be ready today for you to start playing with. All the necessary components are available, and the documentation should be more or less up to date.

The DiscoJuice engine is available in two tracks, stable and dev. These will automatically point to the appropriate version of DiscoJuice. The script is minified and compressed, and the hosting supports caching well.

We are automatically generating feeds for most existing Identity Federations, using various techniques to get the best data quality to feed into DiscoJuice. We support most of the MDUI extension and will make use of the information in there. DiscoJuice is now multilingual, and extracts translated names of institutions from the metadata.

Thanks to all of you that helped us get DiscoJuice translated into 15 different languages.

Feel free to have a look at the available generated metadata feeds:

To get started, you would probably like to start here:

Setting up a central IdP Discovery Service for a federation

DiscoJuice also contains an implementation of the IdP Discovery Protocol in JavaScript, and setting up a full-fledged IdP Discovery Service for your federation is now as easy as copying a static HTML page to a location of your choice, given that your federation metadata is already available as one of the prepared feeds at discojuice.org.
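The Discovery Service side of the IdP Discovery Protocol mentioned above, as an added example in Node.js (not DiscoJuice's own code): the SP redirects the browser to the DS with entityID, return and returnIDParam, and the DS sends the browser back with the chosen IdP appended. The point a federation operator should check is that the DS only redirects to a return location the SP registered in its metadata, otherwise the DS is an open redirector. The SP metadata, entity IDs and the prefix-matching policy are constructed for this example.

```javascript
// Constructed metadata: DiscoveryResponse endpoints registered per SP entityID.
const SP_METADATA = {
  'https://sp.example.org/saml': ['https://sp.example.org/saml/disco'],
};

// A return URL is acceptable only if its origin (scheme, host, port) equals a
// registered endpoint's origin and its path starts with that endpoint's path.
function returnUrlAllowed(returnUrl, endpoints) {
  let candidate;
  try { candidate = new URL(returnUrl); } catch (e) { return false; }
  return endpoints.some((ep) => {
    const registered = new URL(ep);
    return candidate.origin === registered.origin &&
      candidate.pathname.startsWith(registered.pathname);
  });
}

// Returns the URL to send the browser back to, or throws if the request is not
// one this DS should honour. chosenIdP may be null (e.g. isPassive=true and no
// remembered choice); the user is then returned without a selection parameter.
function buildDiscoveryRedirect(requestUrl, chosenIdP, metadata = SP_METADATA) {
  const params = new URL(requestUrl).searchParams;
  const entityID = params.get('entityID');
  if (!entityID || !Object.prototype.hasOwnProperty.call(metadata, entityID)) {
    throw new Error('entityID missing or not a known SP');
  }
  const endpoints = metadata[entityID];
  // Default to the SP's first registered endpoint when no return is given.
  const returnUrl = params.get('return') || endpoints[0];
  if (!returnUrlAllowed(returnUrl, endpoints)) {
    throw new Error('return URL is not registered for this SP');
  }
  const returnIDParam = params.get('returnIDParam') || 'entityID';
  const target = new URL(returnUrl);
  if (chosenIdP) target.searchParams.set(returnIDParam, chosenIdP);
  return target.toString();
}
```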

DiscoJuice and SimpleSAMLphp

There has been a discojuice module in simpleSAMLphp for quite some time, although it has never been part of a stable release. The early version included a self-contained copy of DiscoJuice; the new version instead refers to the centrally hosted discojuice.org.

If you previously installed simpleSAMLphp just to get DiscoJuice working more easily, that should no longer be necessary. It should now be far easier to set up DiscoJuice without SimpleSAMLphp.

For those of you who are already using the discojuice module in simpleSAMLphp, you probably need to carefully consider how to proceed. Feel free to join the mailing list to discuss the options.

Please give feedback

If things do not work as you expect, if you have feature requests, or if you have any questions, please use the discojuice mailing list.

Presentation at FAM11

DiscoJuice will be presented at eduServ FAM11 http://www.eduserv.org.uk/newsandevents/events/fam11

If you are there, feel free to comment or ask about DiscoJuice.

SimpleSAMLphp 1.8.1 Security Fix

This is a security fix for two vulnerabilities with XML encryption in simpleSAMLphp. The two vulnerabilities are:

  • It may be possible to use an SP as an oracle to decrypt encrypted messages sent to that SP. This is the attack described in the paper “How to break XML encryption”:

    http://dx.doi.org/10.1145/2046707.2046756

  • It may be possible to use the SP as a key oracle which can be used to forge messages from that SP by issuing 300000-2000000 queries to the SP. This mainly affects SPs that use signed authentication requests. The attack is described in “Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1.”:

    http://www.iacr.org/cryptodb/data/paper.php?pubkey=1037

    Thanks to Ian Young for alerting us to this problem.

Version 1.8.1 of simpleSAMLphp significantly complicates these attacks by two changes:

  1. Detailed exceptions are no longer displayed for decryption failures.
  2. Extra work is performed to combat timing attacks for the second attack.

Version 1.8.1 can be downloaded from:

http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.1.tar.gz

SHA1SUM:

eb152e76374e07010de7b3b9c0bf9c1d9cabe8fa simplesamlphp-1.8.1.tar.gz

Workaround:

By disabling the display of detailed error messages, both attacks become significantly more difficult. Display of detailed errors can be disabled by setting the ‘showerrors’ option in config.php to ‘FALSE’. Note that error messages are still displayed, but not exception information.

Older releases:

We have only released an update for version 1.8. If there is interest, we can also create updates / patches for older releases. Please let us know if you are interested in this.

SimpleSAMLphp 1.8 passes Kantara Interoperability Matrix Testing

UNINETT was lucky to get the opportunity to participate in the Kantara Interoperability Matrix Testing of SAML 2.0 products. UNINETT participated together with CA Technologies, IBM Corporation and SAP AG.

This is the first SAML full-matrix interoperability test event sponsored by the Kantara Initiative, continuing the program it inherited from the Liberty Alliance. Full-matrix testing is the best means to verify product group interoperability as it verifies that every product can successfully interact and interoperate with the other products in the test group using the test criteria.

SimpleSAMLphp successfully passed the testing of the SP Lite and IdP Lite conformance profiles.

SimpleSAMLphp 1.8

We are pleased to announce that version 1.8.0 of simpleSAMLphp is now available for download. Except for updates to the translations, this release is identical to the release candidate.

The focus of this release has been fixes in preparation for the Kantara Initiative SAML 2.0 Interoperability Test, e.g. getting full support for both encrypting and decrypting NameIDs in LogoutRequest messages.

Several new authentication modules have also been added, along with support for better customization of error handling for a site.

JANUS 1.9.0

JANUS is a fully featured metadata registry administration module built on top of SimpleSAMLphp, focused on self-service registration of SAML entities.

Key features of JANUS are:

  • Full workflow support
  • Highly configurable UI
  • Highly configurable metadata interface
  • Full support for notifications on state changes, entity edit and user updates
  • Highly customizable export functionality

JANUS Project page – JANUS is a WAYF project.