simplesamlphp

SAML V2.0 Metadata Profile for Algorithm Support

Open indigoxela opened this issue 9 years ago • 9 comments

Is there support in simplesamlphp for Metadata Profile for Algorithm Support?

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0-cs01.html#__RefHeading__13608_557150731

If not, is there a trick to make it work with current versions of simplesamlphp for a SP? Is there any information available on how to implement that?

I need both "alg:DigestMethod Algorithm" and "alg:SigningMethod Algorithm" for "SPSSODescriptor" metadata.

indigoxela, Dec 19 '16 13:12
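What the two requested elements look like inside `SPSSODescriptor` metadata, and how a metadata consumer can read them and spot SHA-1 based entries. This is an added example, not part of the original issue and not SimpleSAMLphp or SAML2 library code; the entity ID, endpoint URL and function names are made up for illustration, while the namespace and element names are those of the OASIS profile linked above.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",
}

# Constructed sample: an SP advertising two digest and two signing algorithms.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
                     entityID="https://sp.example.org/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
                         MinKeySize="2048"/>
      <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </md:Extensions>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def advertised_algorithms(metadata_xml, role="SPSSODescriptor"):
    """Collect alg:DigestMethod / alg:SigningMethod from a role's md:Extensions.

    Assumes the root element is a single md:EntityDescriptor. For metadata
    received from another party, verify its signature and use a hardened XML
    parser before trusting anything read here.
    """
    root = ET.fromstring(metadata_xml)
    found = {"digest": [], "signing": []}
    for ext in root.findall(f"md:{role}/md:Extensions", NS):
        for el in ext.findall("alg:DigestMethod", NS):
            found["digest"].append(el.get("Algorithm"))
        for el in ext.findall("alg:SigningMethod", NS):
            size = el.get("MinKeySize")
            found["signing"].append((el.get("Algorithm"), int(size) if size else None))
    return found

def sha1_based(algs):
    """Return the advertised algorithm URIs that are built on SHA-1."""
    uris = algs["digest"] + [uri for uri, _ in algs["signing"]]
    return [u for u in uris if u.lower().endswith("sha1")]

if __name__ == "__main__":
    algs = advertised_algorithms(SAMPLE_METADATA)
    print(algs)
    print("SHA-1 based:", sha1_based(algs))
```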

Hi @indigoxela!

No, unfortunately, it's supported neither by SimpleSAMLphp nor the SAML2 library.

However, adding support for it in the SAML2 library is easy enough, so I just did. It still needs to be ported to the 2.0 branch so that we can have a release of the SAML2 library with it, but it's a start at least.

On the other hand, SimpleSAMLphp itself would need to bump the dependency on the SAML2 library to start using these two new classes, and then it will be possible to add configuration options to switch this on and specify the supported algorithms.

Would you be able to provide a pull request when there's a release of the SAML2 library with this?

jaimeperez, Jan 09 '17 14:01

Hi,

> However, adding support for it in the SAML2 library is easy enough

Wow, so that's what you call "easy"? That's a bunch of code. Many thanks for providing it.

> Would you be able to provide a pull request when there's a release of the SAML2 library with this?

Actually I don't quite understand why you need my pull request. Probably I don't understand the relation between saml2 repo and simplesamlphp repo and who is responsible for releases... Or is this about me enhancing simplesamlphp to make use of the new classes as soon as there's the next release for saml2? That might be beyond my skills. I'm not too familiar with simplesamlphp code.

indigoxela, Jan 09 '17 14:01

Hi!

> Wow, so that's what you call "easy"? That's a bunch of code. Many thanks for providing it.

If you look at other files in neighboring directories, it was basically a copy & paste 😄

> Actually I don't quite understand, why you need my pull request.

We don't need you to provide a PR. However, that would help a lot in speeding this up. We are very low in resources and it's difficult to cope with all the tasks we have, plus providing support, plus fixing bugs, plus adding new features. This means something with low priority like this could take a long time to be addressed, so having a PR that provides an implementation we can review instead of doing it ourselves is definitely much faster.

> Probably I don't understand the relation between saml2 repo and simplesamlphp repo and who is responsible for releases...

SimpleSAMLphp depends on the SAML2 library. The library provides a basic SAML2 implementation, while SimpleSAMLphp itself is an implementation of the most used SAML protocols and profiles, as well as other protocols. Application developers would use SimpleSAMLphp directly as that saves a lot of trouble, while the SAML2 library could be more interesting for existing SAML products. To put it simply: SimpleSAMLphp is a high-level library providing support for SAML and other protocols, while the SAML2 library is (very) low-level.

In any case, if we want to support something new in SimpleSAMLphp and that's related to the SAML standard (i.e. adding a new extension like this), an update to the SAML2 library is subsequently needed.

We are responsible for both SimpleSAMLphp and the SAML2 library. However, porting the changes I just committed to the 2.x branch so that we can have a new release with them is not as straightforward as the changes themselves, and will take a bit more time.

> Or is this about me enhancing simplesamlphp to make use of the new classes as soon as there's the next release for saml2? That might be beyond my skills. I'm not too familiar with simplesamlphp code.

Don't worry. Take a look at the code if you want and if you would like to try, feel free to ask us for directions on how to do an implementation. If you don't think you have the ability to provide a PR yourself, you'll just have to wait until we can implement it ourselves.

jaimeperez, Jan 09 '17 15:01

Hi, many thanks for your clarification. I think, now I got it. ;)

I'll try my best as soon as I find the time.

indigoxela, Jan 09 '17 15:01

Great, thanks a lot! Let us know if you have any doubts 😄

jaimeperez, Jan 10 '17 08:01

Hi, sorry to jump on this old issue but hoping you can confirm something - think I may have been chasing a red herring this afternoon, I found the classes for DigestMethod and SigningMethod but haven't been able to work out how to actually use them - is it still the case that further work needs to be done in order to use them?

andykisaragi, Jan 05 '18 16:01

The status is that since SSP 1.15 the necessary library functions that Jaime created are available in SimpleSAMLphp. What's missing is code in SimpleSAMLphp to provide the necessary configuration options so you can actually configure it. If you can help out with creating that code, that would be great.

thijskh, Jan 05 '18 18:01

Thanks for confirming :)

I would love to help out, however at this stage would be out of my depth with SAML. Having to get up to speed quite quickly due to current project though, and this would be a welcome addition from my point of view, so we'll see how things go :)

andykisaragi, Jan 15 '18 16:01

v5 of the library has support for this, so let's add support for it

tvdijen, May 20 '23 20:05