
Comments (7)

crewjam commented on August 31, 2024

This is stalled. My work in progress here is in the sp-authn-request-signing branch, but I can't get testshib to accept the request. Ugh.


edaniels commented on August 31, 2024

@crewjam Hey Ross, I implemented this logic in my fork of this repo: https://github.com/edaniels/go-saml. The only thing is that I decided to gut out the libxmlsec1 stuff since it ended up working out better to just use the binary instead (less dynamic linking). Let me know if you want to actually get this all upstream instead.


crewjam commented on August 31, 2024

Eric,

So I'm not 1000% opposed to using the xmlsec1 binary, but I did put in quite a bit of effort to avoid it initially. If there is no rational & reasonably efficient way to get this implemented then I'm grudgingly cool with it.

OTOH, if you now have something that works which we can test against and compare, maybe that is what is needed to get it working with the libxmlsec wrapper -- when I was trying before testshib was just rejecting the requests and I couldn't figure out why.

I'm very open to other thoughts here. :)

-Ross


edaniels commented on August 31, 2024

Looking at your branch, I'm not sure why the signing isn't working exactly. In my version I'm using the embedded/enveloped signature in the XML AuthnRequest itself as opposed to the query string version you were attempting. If you wanted to follow that route but via libxmlsec, you could literally follow along the libxmlsec source code for the binary and see exactly what it does (that's how I made other parts work while porting).

My case for using the binary is that it makes for an easier time when using this on any platform where you just need to somehow get the binary. Installing the library itself typically installs the binary (at least on OSX). Plus the clang warnings on OSX are pretty gnarly ;)

I don't mind maintaining my own version of the repo but it would be nice to have it be in one place in case I ever make any more improvements. Alternatives would include somehow choosing the underlying xmlsec pkg you want at build time.

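The "query string version" mentioned in the comment above is the SAML HTTP-Redirect binding signature, which covers the URL-encoded query string rather than the XML document. Both sides of that exchange, as an added example (not code from either repository discussed in this thread); the function names, the throwaway key and the constructed AuthnRequest are assumptions, and the verifier assumes `Signature` is the last parameter.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key for this example only

// signRedirect signs the exact URL-encoded string SAMLRequest=..&RelayState=..&SigAlg=..
func signRedirect(key *rsa.PrivateKey, xml []byte, relay string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // raw DEFLATE, no zlib header
	w.Write(xml)
	w.Close()
	q := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relay != "" {
		q += "&RelayState=" + url.QueryEscape(relay)
	}
	q += "&SigAlg=" + url.QueryEscape("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
	sum := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), err
}

// verifyRedirect checks the raw query as received, never a parsed and re-encoded copy.
func verifyRedirect(pub *rsa.PublicKey, rawQuery string) error {
	signed, sigEsc, ok := strings.Cut(rawQuery, "&Signature=")
	sigB64, err1 := url.QueryUnescape(sigEsc)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	if !ok || err1 != nil || err2 != nil {
		return fmt.Errorf("missing or malformed Signature parameter")
	}
	sum := sha256.Sum256([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

func main() {
	q, _ := signRedirect(demoKey, []byte(`<samlp:AuthnRequest ID="_constructed"/>`), "/app?x=1")
	fmt.Println(q, verifyRedirect(&demoKey.PublicKey, q))
}
```

Parsing the query with `url.ParseQuery` and re-serialising it with `Encode()` reorders the parameters, so the result no longer verifies even though every value is unchanged.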

exedor commented on August 31, 2024

I too am in a difficult situation here. I'm integrating my app with an IDP that requires signed authn requests. Is this still not working? @edaniels I might want to use your fork so I can get signed requests working. I would need to check diffs between your fork and mine. I've had to make several changes of my own to get this working with a Ping-federate IDP.


edaniels commented on August 31, 2024

@exedor, you should probably be fine then. Just keep in mind that if you have a high volume of requests, you're going to be creating a lot of out of process requests.


mrajashree commented on August 31, 2024

@crewjam @edaniels any update on this? I don't think there's a sp-authn-request-signing branch anymore. Is it working?
