
zxid-0.53 release available (Was: Re: Shibboleth 2 IdP compatibility)



Eric Rybski wrote:
> Hi Sampo,
>
>     I'm curious if you've been able to make progress handling Shibboleth
> metadata and namespaces?

I believe I am able to handle single units of Shibboleth metadata
and the idp-discovery extension without warnings.

However, I still have a problem splitting an Entities element containing
multiple Entity elements. If you need this feature, I recommend
you split it manually (or write your own perl program to split it)
and feed them to the zxcot(1) tool one by one. Thus I would not classify
this as a show stopper.

I have verifiably interopped now with several Shibboleth 2.0
implementations so the confidence level is good.

New release, 0.53 is now available.

zxid-0.53:: 23.3.2010
    - Fixed case where last item (null return) of cached multi discovery
      would trigger yet another discovery
    - Added logging of issued discovery messages
    - Feature improvements to zxidappdemo.java
    - Added ENA_PG and coverage targets to the Makefile (current coverage
      47%)
    - Process session in validate
    - Added more Shibboleth metadata extensions. I claim Shibboleth
      metadata parses w/o warnings.
    - Added SAML idp-discovery extension to metadata
    - Changed templating system for IdP an page (other pages may be
      changed later to use the same)
    - Added zxidnewuser.pl and other IdP management web GUI scripts
    - Added zxid_wsc_prepare_call() and zxid_wsc_valid_resp() APIs, see
      zxidwscprepdemo.java for usage

Cheers,
--Sampo

P.S. ZXIDP.org - a Free IdP - has come online as well. You can create
both user and SP accounts using the online interface. SP accounts
support SAML 2.0 SSO and ID-WSF Discovery Registrations.

> Thanks,
> Eric
>
> On Wed, Feb 24, 2010 at 8:36 AM, <sampo@xxxxxxxxxxx> wrote:
>
>> Eric Rybski wrote:
>> >    Regarding Shibboleth support, I can't even parse the testshib IdP
>> > metadata right now with 0.32.  The metadata
>> > (https://idp.testshib.org/idp/shibboleth), which I've added to my COT
>> > as the file hash name "0D5XlTNF5XoaggdNLUd8nKON-XY", returns the
>> > following parsing error:
>> >
>> > t c/zx-dec.c:589 zx_DEC_wrong_elem zx E Mismatching close tag(shibmd:Scope) tok=-2 context=-2
>> > t    zxlib.c:877 zx_xml_parse_err zx E zx_DEC_wrong_elem: Mismatching close tag: char(-) pos=573 (ib.org</shibmd:Scope></Extensions><KeyDe)
>>
>> Ok, I got the metadata from https://idp.testshib.org/idp/shibboleth
>> and will be debugging this. There will still probably be warnings,
>> but I promise to fix the errors.
>>
>> > This is where I last left off and began to try to import the shibboleth
>> > xsd into zxid.  Theoretically, you are correct in that I can probably
>> > ignore most (all?) of the extensions, at least in a practical sense.
>> > But zxid does need to be able to handle these cases without error.
>>
>> Agreed.
>>
>> > And it seems like namespace (data type) support for these extensions
>> > is the primary piece I'm missing to at least get basic Shib<->zxid
>> > interoperability working.  (Please correct me if I'm wrong here.)
>> >
>> > In terms of unknown namespace support, are there other (not in release
>> > notes) changes that have occurred between 0.32 and 0.52?  I've been
>> > following the release notifications, and it seemed like 0.49-0.50 was
>> > the primary update on this subject so far since 0.32.
>>
>> Right. The thread safety fixes of 0.51 also affected namespaces
>> if context was shared from multiple threads. I would imagine this
>> to be a real possibility in the mod_perl environment.
>>
>> I'll try to squeeze 0.53 out later this week.
>>
>> Cheers,
>> --Sampo
>>
>> > Thanks,
>> > Eric
>> >
>> > On Fri, Feb 19, 2010 at 7:08 PM, <sampo@xxxxxxxxxxx> wrote:
>> >
>> >> Eric Rybski wrote:
>> >> > Hi Sampo,
>> >> >
>> >> >    I see that you added shibboleth namespaces in the 0.42 release.
>> >> > Thanks!
>> >>
>> >> Just adding namespace is not enough, unfortunately.
>> >>
>> >> > But I'm currently locked into the 0.32 release in my environment (a
>> >> > production stable integration), so I'm planning to back-port the
>> >> > namespace support into 0.32.
>> >>
>> >> In current releases, like 0.52, the unknown namespace support has
>> >> improved a lot. So you are facing a situation where by adopting a
>> >> newer release your namespace would be supported, and even if it was
>> >> not, it would be generically supported much better than it ever
>> >> was/will be in 0.32. Against this backdrop, backporting support to
>> >> 0.32 does not make much sense.
>> >>
>> >> I understand that you may have external reasons why it must be 0.32,
>> >> but porting these features to 0.32 is about as risky (or even more
>> >> risky) as simply upgrading to 0.52.
>> >>
>> >> > Is there any easy way to determine what needs patching and what
>> >> > doesn't to import support for these namespaces?  I did a grep and
>> >> > saw many files involved.  I was considering a diff of 0.41 to 0.42 as
>> >> > a starting point.
>> >>
>> >> Namespace support is generally achieved through code generation
>> >> methods, mostly by xsd2sg.pl, which in the standard distribution is
>> >> not invoked. A given namespace articulates with the rest of the system
>> >> through c/zx-ns.h and c/zx-ns.c, plus the namespace dependent files,
>> >> which may be many. Additionally, a namespace is relevant only if it
>> >> is referenced somewhere else. The most common place to reference
>> >> is in c/zx-e-data.h and other files of the SOAP Envelope namespace.
>> >>
>> >> > Or perhaps it's a better idea to rebuild my 0.32 distribution with
>> >> > the Shibboleth *.sg files?  Is this generally as simple as altering
>> >> > the Makefile to be aware of the new SG files?
>> >>
>> >> Not sure. Certainly altering the Makefile is possible, but I am not
>> >> sure if that is sufficient to achieve what you want to achieve.
>> >>
>> >> I need more feedback about Shibboleth. So far my experience has been
>> >> that Shibboleth metadata can be processed successfully by simply
>> >> ignoring the Shibboleth extensions to the metadata. In many practical
>> >> situations the Shibboleth extensions seem irrelevant (or maybe I have
>> >> failed to grasp their significance from their documentation).
>> >>
>> >> Cheers,
>> >> --Sampo
>> >>
>> >> > Thanks,
>> >> > Eric
>> >> >
>> >> > zxid-0.50]$ grep -ril shib *
>> >> > Changes
>> >> > Makefile
>> >> > Manifest
>> >> > README.zxid
>> >> > c/zx-elems.c
>> >> > c/zx-md-aux.c
>> >> > c/zx-md-dec.c
>> >> > c/zx-md-enc.c
>> >> > c/zx-shibmd-aux.c
>> >> > c/zx-shibmd-dec.c
>> >> > c/zx-shibmd-enc.c
>> >> > c/zx-data.h
>> >> > c/zx-md-getput.c
>> >> > c/zx-ns.c
>> >> > c/zx-ns.h
>> >> > c/zx-ds-data.h
>> >> > c/zx-md-data.h
>> >> > c/zx-enc.c
>> >> > c/zx-shibmd-data.h
>> >> > c/zx-shibmd-getput.c
>> >> > c/zx-const.h
>> >> > csharp/zxid.cs
>> >> > csharp/zxidPINVOKE.cs
>> >> > sg/shibboleth-metadata-1.0.sg
>> >> > sg/saml-schema-metadata-2.0.sg
>> >> > zx/c/zx-elems.c
>> >> > zx/c/zx-md-aux.c
>> >> > zx/c/zx-md-dec.c
>> >> > zx/c/zx-md-enc.c
>> >> > zx/c/zx-shibmd-aux.c
>> >> > zx/c/zx-shibmd-dec.c
>> >> > zx/c/zx-shibmd-enc.c
>> >> > zx/c/zx-data.h
>> >> > zx/c/zx-md-getput.c
>> >> > zx/c/zx-ns.c
>> >> > zx/c/zx-ns.h
>> >> > zx/c/zx-ds-data.h
>> >> > zx/c/zx-md-data.h
>> >> > zx/c/zx-enc.c
>> >> > zx/c/zx-shibmd-data.h
>> >> > zx/c/zx-shibmd-getput.c
>> >> > zx/c/zx-const.h
>> >> > zx/sg/shibboleth-metadata-1.0.sg
>> >> > zx/sg/saml-schema-metadata-2.0.sg
>> >> > grep: warning: zx/zx: recursive directory loop
>> >> >
>> >> > zx/zxid-idp.pd
>> >> > zx/Makefile
>> >> > zx/Manifest
>> >> > zx/zxid-ref.pd
>> >> > zx/Changes
>> >> > zx/csharp/zxid.cs
>> >> > zx/csharp/zxidPINVOKE.cs
>> >> > zx/zxidjava/zxidjniConstants.java
>> >> > zx/zxidjava/zxidjniJNI.java
>> >> > zx/zxidjava/zxid_wrap.c
>> >> > zx/README.zxid
>> >> > zxid-idp.pd
>> >> > zxid-ref.pd
>> >> > zxidjava/zxidjniConstants.java
>> >> > zxidjava/zxidjniJNI.java
>> >> > zxidjava/zxid_wrap.c
>> >> >
>> >> >
>> >> > On Tue, Oct 13, 2009 at 7:41 AM, <sampo@xxxxxxxxxxx> wrote:
>> >> >
>> >> >> Unless you already integrated, can you send me the schema and I'll
>> >> >> integrate it.
>> >> >>
>> >> >> Cheers,
>> >> >> --Sampo
>> >> >>
>> >> >> Eric Rybski wrote:
>> >> >> > Hi,
>> >> >> >    I'm trying to connect a zxid 0.32-based SP to a Shibboleth 2.1
>> >> >> > IdP (https://www.testshib.org).  The metadata
>> >> >> > (https://idp.testshib.org/idp/shibboleth) for this instance
>> >> >> > implements namespaces which zxid does not currently support, like
>> >> >> > "urn:mace:shibboleth:metadata:1.0".
>> >> >> >
>> >> >> > I've been following documentation for adding new namespaces:
>> >> >> >
>> >> >> > http://www.zxid.org/html/README.zxid-17README_zxid-CreatingNewInterfacesUsingZXIDMethodology.html
>> >> >> >
>> >> >> > I'm now at step 2: manual tweaking of SG files.  I'm not sure I'm
>> >> >> > modifying files correctly, as I don't have clear examples as to how
>> >> >> > the SG results should look given different XML cases (primarily
>> >> >> > steps 2.2 and 2.3).  It's also unclear whether I need to make any
>> >> >> > changes specific to step 2.1.
>> >> >> >
>> >> >> > For example:
>> >> >> >    - As per step 2.3, I changed one occurrence of
>> >> >> > @xml:lang?
>> >> >> >
>> >> >> > to:
>> >> >> > @xml:lang? -> %xs:string  #@xml:lang vs. @lang   ***".
>> >> >> >
>> >> >> >    - As per step 2.2, I changed:
>> >> >> > %SiteGroupType:
>> >> >> >     shib:OriginSite
>> >> >> >  |   shib:DestinationSite
>> >> >> >  |   shib:SiteGroup
>> >> >> >
>> >> >> > to:
>> >> >> > %SiteGroupType:
>> >> >> >     shib:OriginSite
>> >> >> >     shib:DestinationSite*
>> >> >> >     shib:SiteGroup*
>> >> >> >
>> >> >> > given XML definition:
>> >> >> >         <sequence>
>> >> >> >             <choice maxOccurs="unbounded">
>> >> >> >                 <element ref="shib:OriginSite"/>
>> >> >> >                 <element ref="shib:DestinationSite"/>
>> >> >> >                 <element ref="shib:SiteGroup"/>
>> >> >> >             </choice>
>> >> >> >             <element ref="ds:Signature" minOccurs="0"/>
>> >> >> >         </sequence>
>> >> >> >
>> >> >> >
>> >> >> > Are these accurate modifications?  I've attached copies of the
>> >> >> > unmodified (no manual tweaks) .sg files I generated, as well as the
>> >> >> > original XSD files, for reference.
>> >> >> >
>> >> >> >    If anyone has more experience building "correct" .sg files, I'd
>> >> >> > greatly appreciate help getting these SG files updated.  Once
>> >> >> > correctly modified, perhaps these could also be included in the zxid
>> >> >> > distribution for out-of-the-box compatibility with Shibboleth 2
>> >> >> > identity providers.
>> >> >> >
>> >> >> > Note: The archive also includes my modified xsd2sg.pl, as there were
>> >> >> > a few elements, attributes, and syntax constructs implemented in the
>> >> >> > Shibboleth XSD files that were not being handled.
>> >> >> >
>> >> >> > Regards,
>> >> >> > Eric
>> >> >> >
>> >> >> > [demime 1.01d removed an attachment of type application/zip which
>> >> >> > had a name of shib_2.2.1_sg.zip]
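Sampo's suggestion near the top of this message, to split an Entities element (the SAML 2.0 EntitiesDescriptor aggregate) containing multiple Entity elements (EntityDescriptor) manually or with a small script and then feed the pieces to zxcot(1) one at a time, worked through as an added example. This is not code from the thread or from the ZXID project: it is written in Python rather than the Perl Sampo mentions, it re-declares on every fragment the namespace prefixes the aggregate carried on its root (which is what makes a fragment parse on its own), and the two-entity aggregate embedded in it, one IdP carrying the shibmd:Scope extension from the parse error quoted above and one SP, is constructed for the demonstration.

```python
"""Split a SAML 2.0 metadata aggregate (md:EntitiesDescriptor) into one
standalone md:EntityDescriptor document per entity, so that each entity can
be fed to a tool that only accepts single-entity metadata (e.g. zxcot(1)).

Constructed example for this thread; not part of the ZXID distribution."""
import hashlib
import os
import re
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Register conventional prefixes so the re-serialised fragments read like the
# original metadata instead of using ElementTree's generated ns0/ns1 prefixes.
for _prefix, _uri in (("md", MD_NS), ("ds", DS_NS), ("shibmd", SHIBMD_NS)):
    ET.register_namespace(_prefix, _uri)

ENTITIES_TAG = "{%s}EntitiesDescriptor" % MD_NS
ENTITY_TAG = "{%s}EntityDescriptor" % MD_NS


def split_entities(xml_text):
    """Return {entityID: XML string}, one standalone EntityDescriptor per
    entity. Nested EntitiesDescriptor groups are walked; a document that is
    already a single EntityDescriptor comes back as a one-element mapping.
    Each fragment is re-serialised from the parsed tree, so the xmlns
    declarations the aggregate carried on its root are re-declared on it."""
    root = ET.fromstring(xml_text)
    if root.tag == ENTITY_TAG:
        descriptors = [root]
    elif root.tag == ENTITIES_TAG:
        descriptors = root.iter(ENTITY_TAG)
    else:
        raise ValueError("not SAML metadata: root element is %s" % root.tag)

    fragments = {}
    for ed in descriptors:
        entity_id = ed.get("entityID")
        if not entity_id:
            raise ValueError("EntityDescriptor without entityID")
        if entity_id in fragments:
            # Two descriptors claiming one entityID in a single aggregate is a
            # malformed (or tampered) feed; refuse rather than let the later
            # one silently overwrite the earlier one.
            raise ValueError("duplicate entityID %s" % entity_id)
        ed.tail = None  # drop the aggregate's inter-element whitespace
        fragments[entity_id] = ET.tostring(ed, encoding="unicode")
    return fragments


def write_fragments(fragments, outdir):
    """Write each fragment to its own file under outdir and return the paths.
    The name is the entityID with unsafe characters replaced, plus a short
    hash of the full entityID so that distinct IDs can never collide."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for entity_id, doc in fragments.items():
        stem = re.sub(r"[^A-Za-z0-9._-]+", "_", entity_id).strip("_")[:80]
        digest = hashlib.sha256(entity_id.encode("utf-8")).hexdigest()[:8]
        path = os.path.join(outdir, "%s-%s.xml" % (stem, digest))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="UTF-8"?>\n%s\n' % doc)
        paths.append(path)
    return paths


# Constructed two-entity aggregate (not real federation data): an IdP carrying
# the shibmd:Scope extension, and an SP.
SAMPLE_AGGREGATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.net/saml/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    # Usage: split_metadata.py [aggregate.xml] [outdir]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_AGGREGATE
    outdir = sys.argv[2] if len(sys.argv) > 2 else "split-metadata"
    for path in write_fragments(split_entities(text), outdir):
        print(path)
```

Two caveats for anyone using this in front of a real circle of trust. First, the XSD Eric quotes shows an optional ds:Signature inside the sequence: when a federation signs the aggregate, that signature covers the whole EntitiesDescriptor and none of the split fragments, so verify the aggregate's signature before splitting and treat each fragment as trusted only to the extent the verified aggregate was; importing fragments with zxcot(1) does not re-establish that trust. Second, metadata is fetched over the network, so in production parse it with a hardened XML parser (for example the defusedxml package) rather than plain xml.etree, and keep the duplicate-entityID check: two descriptors for one entityID in a single feed should fail loudly, not quietly replace each other.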