Drupal SimpleSAMLphp Module Updated

The Drupal SimpleSAMLphp module that I wrote a long time ago has been through updates from a large set of contributors. Now I am happy to announce that the module has a dedicated maintainer, who has put great effort into updating the module for the latest versions of both SimpleSAMLphp and Drupal.

He has made available two new packages for download: one for Drupal 6.x and one for Drupal 7.x.

The project is likely to move to drupal.org soon.

Thank you, Steve Moitozo II, for maintaining this open source project from now on.

If you are interested in the project, there is an active community (mailing list) with currently 24 members.

About Taiwanese Mandarin

The Mandarin used in Mainland China and the Mandarin used in Taiwan diverged from a common stem before the advent of the computer age, so although, as your quote states, they’re almost identical apart from the simplified/traditional characters used when writing, a lot of (perhaps even most) technical vocabulary is quite different. For example, even the standard word for ‘computer’ is different. A separate zh-cn translation is therefore usually desirable, if possible.

(Thanks to Simon for this useful information about Chinese)

Traditional Chinese translation of SimpleSAMLphp

We’re very happy to announce that we just committed a complete translation of SimpleSAMLphp to Taiwanese Mandarin, using Traditional Chinese characters (zh-tw).

From Wikipedia:

Taiwanese Mandarin is a variant of Mandarin derived from the official Standard Mandarin spoken in Taiwan Area of the Republic of China (Taiwan). The latter’s standard lect is known in Taiwan as 國語 (Guóyǔ, Kuo-yü), based on the phonology of the Beijing dialect together with the grammar of Vernacular Chinese. Taiwanese Mandarin is almost identical except for the writing systems with the official Standard Mandarin used in the People’s Republic of China, which is called Pǔtōnghuà (普通话).

simpleSAMLphp-1.7.0 released

simpleSAMLphp version 1.7.0 is now available for download. Changes from the release candidate were a couple of bugfixes, and some documentation updates.

sha1sum of the archive:

28ce5813848fa9090875831faebc3a7c7068ecd2  simplesamlphp-1.7.0.tar.gz

The details from the announcement of the release candidate are still applicable for the final release:

Most of the changes for this release are internal to the code, with several cleanups and reorganizations.

We have made several changes to the session handler, which enables several new features:

  • Support for storing sessions in SQL databases.
  • Support for having multiple SPs on a single virtual host.
    • Can also run one or more SPs in combination with an IdP on a single virtual host. (But not yet multiple IdPs.)
  • The SP supports SOAP logout when using SQL or Memcache to store the sessions.

Support has also been added for proper key rollover – both at the SP and the IdP. We now support SPs and IdPs with multiple keys in their metadata, and we can generate metadata with multiple keys.

We have also made a lot of changes to make us more compatible with the more rarely used parts of the SAML 2 specifications.

One thing to note is that we have done a lot of refactoring of the internal code in simpleSAMLphp. This should not normally affect external code, but if that code uses APIs that have been removed, such as the SimpleSAML_Utilities::fatalError() function, that code will fail.

Commercial SimpleSAMLphp support from Yaco


Yaco offers commercial support for SimpleSAMLphp. Yaco is a company located in Spain. The developers over there have been active on the simpleSAMLphp mailing list, which we appreciate.

In their own words:

Yaco is a company with great experience in the interoperability, open standards and free software fields. We have a motivated team working on identity federation related topics, where CONFIA is our leading flag project. It has been implemented using simpleSAMLphp and a Hub & Spoke architecture model and it has 10 Andalusian universities involved in it. We have made small contributions to simpleSAMLphp and also developed custom modules, which are released with free software licenses. We also participate and contribute to related projects such as Janus and selfregister.

simpleSAMLphp-1.7.0-rc1 available

In more pleasant news, simpleSAMLphp version 1.7.0-rc1 is now available for download. Most of the changes for this release are internal to the code, with several cleanups and reorganizations.

We have made several changes to the session handler, which enables several new features:

  • Support for storing sessions in SQL databases.
  • Support for having multiple SPs on a single virtual host.
    • Can also run one or more SPs in combination with an IdP on a single virtual host. (But not yet multiple IdPs.)
  • The SP supports SOAP logout when using SQL or Memcache to store the sessions.

Support has also been added for proper key rollover – both at the SP and the IdP. We now support SPs and IdPs with multiple keys in their metadata, and we can generate metadata with multiple keys.

We have also made a lot of changes to make us more compatible with the more rarely used parts of the SAML 2 specifications.

One thing to note is that we have done a lot of refactoring of the internal code in simpleSAMLphp. This should not normally affect external code, but if that code uses APIs that have been removed, such as the SimpleSAML_Utilities::fatalError() function, that code will fail.
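To show what the key rollover support in this release (and in the final 1.7.0 announcement above) makes possible, here is an added example that is not SimpleSAMLphp's own code. It assumes a simplified metadata array whose keys are PEM public keys rather than the X.509 certificates real SAML metadata carries, and signs an opaque byte string rather than an XML document; the point is only the verification rule: a message is accepted when any key marked for signing in the peer's metadata verifies it.

```php
<?php
// Added example, not SimpleSAMLphp's own code. Simplification: PEM public keys
// instead of X.509 certificates, and a plain byte string instead of signed XML.

// Generate an RSA key pair; returns [privatePem, publicPem].
function generateKeyPair(): array
{
    $res = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    openssl_pkey_export($res, $privatePem);
    $publicPem = openssl_pkey_get_details($res)['key'];
    return [$privatePem, $publicPem];
}

function signMessage(string $message, string $privatePem): string
{
    openssl_sign($message, $signature, $privatePem, OPENSSL_ALGO_SHA256);
    return $signature;
}

// Accept the message if ANY key in the peer's metadata that is marked for
// signing verifies it. This is what makes rollover possible: the peer can
// publish old+new keys, switch to signing with the new one, and only then
// drop the old one, without any step where signatures fail to verify.
function verifyAgainstMetadata(string $message, string $signature, array $metadata): bool
{
    foreach ($metadata['keys'] as $key) {
        if (empty($key['signing'])) {
            continue; // encryption-only keys are never used to check signatures
        }
        if (openssl_verify($message, $signature, $key['publicKey'], OPENSSL_ALGO_SHA256) === 1) {
            return true;
        }
    }
    return false;
}

// Walk through a rollover with constructed data.
[$oldPriv, $oldPub] = generateKeyPair();
[$newPriv, $newPub] = generateKeyPair();
$message = 'constructed SAML response bytes';

// Step 1: metadata lists both keys; the peer still signs with the old key.
$metadata = ['keys' => [
    ['signing' => true, 'encryption' => false, 'publicKey' => $oldPub],
    ['signing' => true, 'encryption' => false, 'publicKey' => $newPub],
]];
var_dump(verifyAgainstMetadata($message, signMessage($message, $oldPriv), $metadata));

// Step 2: the peer switches to the new key; no metadata change is needed.
var_dump(verifyAgainstMetadata($message, signMessage($message, $newPriv), $metadata));

// Step 3: the old key is removed from metadata; old-key signatures are rejected
// from now on, new-key signatures still verify.
$metadata['keys'] = [$metadata['keys'][1]];
var_dump(verifyAgainstMetadata($message, signMessage($message, $oldPriv), $metadata));
var_dump(verifyAgainstMetadata($message, signMessage($message, $newPriv), $metadata));
```

The first two checks and the last one succeed; the third fails. The order of the three steps is the whole point of rollover: publish the new key before using it, and stop publishing the old key only after nobody signs with it any more.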

sha1sum:

0e0a7ec4cc0510402c54792dc1192d2ad8d71165  simplesamlphp-1.7.0-rc1.tar.gz

simpleSAMLphp-1.6.3 is available, with a security fix

It has come to our attention that simpleSAMLphp suffers from a user-assisted cross site scripting bug with certain browsers. Version 1.6.3 fixes this vulnerability.

The new version can be downloaded from:

sha1sum:

bb4d0307547d3a50a756d4525ef0aee704046160  simplesamlphp-1.6.3.tar.gz

Technical details:

Many pages in simpleSAMLphp take a URL from a query string to determine which URL we should redirect the user to. Unfortunately, we did not check the type of URL that we redirect the user to, which makes it easy to make a simpleSAMLphp installation redirect the user to a javascript:-URI. Most browsers will then display an error page, but Firefox displays the redirect page instead.

The redirect page then contains a clickable javascript:-URI, which a user is likely to try to click. Since this javascript:-URI comes from the request URL, but is executed in the context of the site doing the redirect, this may allow a remote attacker to trick users into running arbitrary javascript on a site running simpleSAMLphp.

Credit to Alessandro Armando, Roberto Carbone, Matteo Grasso and Alessandro Sorniotti (AVANTSSAR Project) for reporting this issue.
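As an added illustration of the class of check that closes this kind of bug (this is example code, not the 1.6.3 fix itself), the function below validates a redirect target taken from the query string before it is placed in a Location: header. It accepts only a relative path on the same site or an absolute http/https URL, and falls back to a constructed default for anything else, including javascript: and data: URIs and protocol-relative "//host" targets. The sample inputs are constructed; the paths are placeholders, not SimpleSAMLphp's own.

```php
<?php
// Added example, not SimpleSAMLphp's own code: validate a redirect target
// before sending "Location: <target>". Everything that is not a same-site
// path or an absolute http/https URL is replaced by $fallback.

function isSafeRedirectTarget(string $target): bool
{
    // Reject control characters and whitespace outright: some browsers strip
    // them before matching the scheme, so "java\tscript:" must not slip by.
    if ($target === '' || preg_match('/[\x00-\x20\x7f]/', $target)) {
        return false;
    }
    // Relative path on this site: a single leading "/" (but not "//host").
    if ($target[0] === '/') {
        return !isset($target[1]) || $target[1] !== '/';
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // no scheme and host: not an absolute URL we trust
    }
    // Scheme allow-list, compared case-insensitively ("JavaScript:" is not OK).
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Returns the Location header value that would actually be sent.
function redirectTarget(string $target, string $fallback = '/'): string
{
    return isSafeRedirectTarget($target) ? $target : $fallback;
}

// Constructed sample inputs, as they might arrive in a query string.
$samples = [
    'https://idp.example.org/sso',          // absolute https: accepted
    '/example/page.php',                    // same-site path: accepted
    '//evil.example/',                      // protocol-relative: rejected
    'javascript:alert(1)',                  // the 1.6.3 case: rejected
    "java\tscript:alert(1)",                // tab inside scheme: rejected
    'JavaScript://evil.example/%0aalert(1)', // mixed case with a host: rejected
    'data:text/html,hi',                    // other scheme: rejected
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", str_replace("\t", '\t', $s), redirectTarget($s));
}
```

Note that this only removes the script-execution problem described above. An absolute http/https URL to any host is still an open redirect, which is useful for phishing; a deployment that knows its SPs and IdPs can go one step further and compare the host against the entities in its metadata before redirecting.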