
Re: [wsf-dev] Perl Net::SAML



Duncan Garland wrote:
> I've been struggling to decode a SAML XML document for most of the last
> week. I think I saw Net::SAML early on but decided to decode the XML
> directly. After a week of frustration I've returned to Net::SAML and ZXID
> and I'm wondering if I've been reinventing the wheel.

You may be able to decode directly, but it is highly unlikely you
will be able to verify the signature correctly.

> I've been posted an HTML form with two fields. The second is called
> SAMLResponse and contains a load of Base 64 characters. If I take it out
> of
> Base 64 I get a SAML XML document with various signatures and some fields
> which are needed for the user to log on.
>
> I need to do something along the following lines:
>
> my $cgi = CGI->new();
> my $saml = Net::SAML->new();

Above is hypothetical pseudocode, of course. The Net::SAML API
is not object oriented.

> my $SAMLResponseInBase64 = $cgi->param( "SAMLResponse" );
>
> # Remove Base 64 encoding here?
>
> my $xml = $saml->magically_verify_signature_and_decrypt(
> $SAMLResponseInBase64, $senders_public_key );
> die "Get lost." if ! $xml; # A better error message would help!
>
> login( $xml );
>
> Will Net::SAML do this? Are there some simple examples in Perl? The
> documentation is a bit confusing.

Accepted, the documentation is confusing.

You can do exactly what you want, and I'll come back to it in a moment,
but the design intent was that you would let Net::SAML::simple_cf()
do all the sig verifying and attribute extraction for you.

I encourage you to study zxidhlo.pl in the zxid-0.XX.tgz tar ball. In
essence, if given the right input, consistent with the POST phase of the
SAML SSO cycle (e.g. the POST happens to a URL consistent with
the configuration and ending in o=P), then it will return you
an LDIF (or Query String or JSON, depending on the auto flags)
of the extracted attributes.

Now, to do exactly what you want, you would call

Net::SAML::sp_dispatch()

with cgi->qs set to the SAMLResponse input.

I recommend you stick to Net::SAML::simple_cf() as it is an officially
supported interface.

Another point to consider is what you in the end want out of
the SSO transaction. If you do not need XML, but just the attributes,
then Net::SAML::simple_cf() will serve you well. Here is an example:

use Net::SAML;   # ZXID Perl binding
$url = "http://sp.tas3.pt:8082/zxidhlo.pl";  # Edit to match your situation
$conf = "PATH=/var/zxid/&URL=$url";
$cf = Net::SAML::new_conf_to_cf($conf);
$qs = $ENV{'QUERY_STRING'};
$qs = <STDIN> if $qs =~ /o=P/;
$res = Net::SAML::simple_cf($cf, -1, $qs, undef, 0x1828);
$op = substr($res, 0, 1);
if ($op eq 'L' || $op eq 'C') { warn "res($res) len=".length($res); print $res; exit; } # LOCATION (Redir) or CONTENT
if ($op eq 'n') { exit; } # already handled
if ($op eq 'e') { my_render_login_screen(); exit; }
if ($op ne 'd') { die "Unknown Net::SAML::simple() res($res)"; }

# At this point you are logged in. $res contains LDIF of the attributes.
# You would use these to start your application session.

> (Do you know that the zxid.org home page doesn't render in IE
> 8.0.6001.18702? Firefox is fine.)

I am aware of this. Thanks. In fact, the problem is that I should
pick up the newer OpenLiberty.org stylesheets and templates that
do render correctly on IE8. Will be looked into eventually.

Cheers,
--Sampo

> Regards
>
> Duncan
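
The following is an added example, not code from this thread or from the ZXID distribution. It puts Sampo's simple_cf() snippet into a complete CGI handler and carries it one step further: after the 'd' result (the leading "dn:" line of the LDIF, meaning the assertion signature has been verified), it parses the LDIF into a Perl hash, handling folded continuation lines and multi-valued attributes, and checks that the attributes the application needs are present before starting a session. The hostname, the PATH=/var/zxid/ config directory, the required attribute names (idpnid, affid) and the LDIF sample used by --parse-demo are all assumptions; check them against the LDIF your own ZXID build emits.

```perl
#!/usr/bin/perl
# Added example (not from the wsf-dev thread or ZXID): feed the SAMLResponse
# POST to Net::SAML::simple_cf(), dispatch on its one-letter result code,
# then parse the returned LDIF into a hash before starting a session.
use strict;
use warnings;

# Assumption: hostname, port, script path and PATH=/var/zxid/ match your deployment.
my $url  = "http://sp.example.test:8082/zxidhlo.pl";
my $conf = "PATH=/var/zxid/&URL=$url";

# Assumed attribute names that must be present before a session is started.
my @required = qw(idpnid affid);

# Parse LDIF text ("attr: value" lines) into a hash reference.
# Continuation lines (leading space) are folded onto the previous line, and
# attributes that occur more than once become array references so that a
# multi-valued attribute (e.g. group membership) is never silently truncated.
sub parse_ldif {
    my ($ldif) = @_;
    my @folded;
    for my $line (split /\r?\n/, $ldif) {
        if ($line =~ /^ / && @folded) { $folded[-1] .= substr($line, 1); }
        else                          { push @folded, $line; }
    }
    my %attrs;
    for my $line (@folded) {
        next if $line eq '' || $line =~ /^#/;
        my ($name, $value) = $line =~ /^([A-Za-z][\w.;-]*):\s*(.*)$/ or next;
        $name = lc $name;
        if    (!exists $attrs{$name}) { $attrs{$name} = $value; }
        elsif (ref $attrs{$name})     { push @{ $attrs{$name} }, $value; }
        else                          { $attrs{$name} = [ $attrs{$name}, $value ]; }
    }
    return \%attrs;
}

# Refuse to start a session unless every required attribute was delivered.
sub start_session {
    my ($attrs) = @_;
    my @missing = grep { !exists $attrs->{$_} } @required;
    die "Assertion verified but missing attribute(s): @missing\n" if @missing;
    print "Content-Type: text/plain\r\n\r\n";
    print "Logged in as $attrs->{idpnid} from $attrs->{affid}\n";
}

sub render_login_screen {
    print "Content-Type: text/html\r\n\r\n";
    print "<html><body><p>Please log in via your identity provider.</p></body></html>\n";
}

sub handle_request {
    require Net::SAML;   # loaded here so --parse-demo runs without ZXID installed
    my $cf = Net::SAML::new_conf_to_cf($conf);
    my $qs = $ENV{'QUERY_STRING'} // '';
    # POST binding: SAMLResponse arrives in the body; read it only in the o=P phase.
    $qs = <STDIN> if $qs =~ /o=P/;
    my $res = Net::SAML::simple_cf($cf, -1, $qs, undef, 0x1828);
    my $op  = substr($res, 0, 1);
    if ($op eq 'L' || $op eq 'C') { print $res; exit; }   # redirect or content to relay
    if ($op eq 'n') { exit; }                             # already handled by ZXID
    if ($op eq 'e') { render_login_screen(); exit; }
    if ($op ne 'd') { die "Unknown simple_cf result starting with '$op'\n"; }
    # 'd' is the first letter of the LDIF's leading "dn:" line: the assertion
    # has been verified and $res holds the attribute LDIF.
    start_session(parse_ldif($res));
}

if (@ARGV && $ARGV[0] eq '--parse-demo') {
    # Constructed LDIF resembling simple_cf() output; not real ZXID output.
    my $sample = join "\n",
        "dn: idpnid=user123,affid=https://idp.example.test/",
        "objectclass: zxidsession",
        "affid: https://idp.example.test/",
        "idpnid: user123",
        "cn: Example User",
        "group: staff",
        "group: admins",
        "note: a long value continued",
        "  on the next line",
        "";
    my $a = parse_ldif($sample);
    for my $k (sort keys %$a) {
        my $v = ref $a->{$k} ? join('|', @{ $a->{$k} }) : $a->{$k};
        print "$k => $v\n";
    }
} else {
    handle_request();
}
```

Run it with --parse-demo to see the LDIF parser on the constructed sample (group becomes a two-element list, note is unfolded); deployed as a CGI script it behaves like zxidhlo.pl until the 'd' branch, where start_session() refuses to proceed if the attributes the application depends on are absent.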