Monday Mar 03, 2008

Long Live simpleSAMLphp!

A somewhat bittersweet moment today as I sent this email to the OpenSSO lists:

Some time ago (October 2006), we released 'Lightbulb', a simple SAML 2.0 service provider/relying party implemented in PHP, as a proof-of-concept, to show that it was indeed possible to write a 'pure' (no custom modules required) SAML 2.0 implementation in PHP.

Later, Lightbulb became an OpenSSO Extension, and was used by Andreas Solberg at FEIDE as the inspiration for simpleSAMLphp - a much more complete SAML 2.0 implementation, again in PHP, but this time including identity provider functionality, Shibboleth 1.3 and more.

Andreas has done a great job, devoting considerable time and effort to simpleSAMLphp, to the great benefit of the wider SAML 2.0 community. Over the months, simpleSAMLphp has become widely deployed in the academic community, to the extent that there are now events such as simpleSAMLphp workshops.

Consequently, we have decided to mark the OpenSSO SAML2/PHP Extension as 'deprecated' in favor of simpleSAMLphp. The old code will be left in place in CVS, but there is now a prominent README directing people to simpleSAMLphp.

Long live simpleSAMLphp!

Kind of like seeing one of your kids moving out of the family home and starting their own life, I guess...

Tuesday Jun 19, 2007

Single Logout with SAML 2.0 and PHP

Back in February, Marina Sum and I co-wrote an article on the OpenSSO SAML 2.0 PHP Extension, or Lightbulb, as it was then known. The sequel to that article - Single Logout: A Demo just went live at Sun Developer Network: Marina and I provide an update on Project Lightbulb's evolution into an OpenSSO Extension as well as a look at circles of trust and single logout in SAML 2.0. As before, we look at a simple example message flow, then delve down into the PHP code to see how it all works. Click here for the article.

Monday Mar 12, 2007

Lightbulb is Dead; Long Live OpenSSO Extensions!

Last October, we released the first SAML 2.0 implementation in PHP, codenamed 'Project Lightbulb' (because Lightbulb fits into LAMP) and a sub-project of OpenSSO. In the few months since then, other folks have proposed similar extensions to OpenSSO, and the 'Lightbulb' name has looked increasingly anachronistic, particularly since the core OpenSSO project has always fully supported LAMP with its Apache HTTP Server and Tomcat policy agents.

Today, we launch OpenSSO Extensions, OpenSSO's code incubator, with three initial modules:

So - what is an OpenSSO Extension? Well, it's any piece of code that either

  • extends OpenSSO to provide new functionality, for example, the OpenID identity provider, or
  • interfaces with OpenSSO, extending other systems, such as the PHP Client SDK and SAML 2.0 relying party.

If you have an idea for extending OpenSSO in an interesting way, then click here to participate!

Tuesday Feb 06, 2007

Switch on SAML for PHP with Project Lightbulb

Marina Sum and I just published an article over on the Sun Developer Network (SDN) - Switch on SAML for PHP with Project Lightbulb. The article walks through some of the Project Lightbulb code, following the single sign-on process. If you want to work with the Lightbulb code, or you just want a better idea of how SAML 2.0 works, this article is for you.

As I mention in the conclusion, we'll look at SAML 2.0 single logout and the circle-of-trust in a future article.

Tuesday Dec 05, 2006

YADIS/XRI Identifier Resolution with SAML 2.0

This week at Internet Identity Workshop 2006b I've been demonstrating some work I've been doing to combine YADIS/XRI Identifier Resolution (as in OpenID) with SAML 2.0 Web Browser SSO Profile. The user experience is:

  1. I go to a service provider (relying party)
  2. I enter my identifier (URL or i-name)
  3. I authenticate at my identity provider
  4. I can access services at the service provider

The magic takes place between steps 2 and 3: the service provider resolves the user's identifier, which might be a URL or an i-name, to the location of a SAML 2.0 identity provider. The service provider can now do vanilla SAML 2.0 with the identity provider. The easiest way to see what's going on is via a demo, so, here you go:
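The resolution step between 2 and 3, as an added example that is not part of the original post or the Lightbulb code: it maps the typed identifier to a YADIS discovery URL and then picks the SAML 2.0 identity provider service out of the returned XRDS document. The XRI proxy URL form, the SAML IdP service type URI and the XRDS document itself are assumptions or constructed samples, since the post does not give them.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
# Assumed: the XRDS service type a SAML 2.0 IdP advertises. The post does not
# name the type the demo used, so this is a labelled placeholder.
SAML_IDP_TYPE = "urn:example:placeholder:saml2-idp"


def discovery_url(identifier: str) -> str:
    """Map the identifier typed in step 2 to the URL the SP fetches an XRDS from."""
    ident = identifier.strip()
    # i-names (=name or @name) go to an XRI proxy resolver; the xri.net proxy and its
    # query form are assumed here. Plain URLs just get a scheme if one is missing.
    if ident[:1] in ("=", "@"):
        return "http://xri.net/" + ident + "?_xrd_r=application/xrds%2Bxml"
    if not re.match(r"^https?://", ident, re.IGNORECASE):
        ident = "http://" + ident
    return ident


def find_saml_idp(xrds_xml: str) -> Optional[str]:
    """Return the URI of the best-priority SAML IdP Service, or None if none is advertised."""
    root = ET.fromstring(xrds_xml)
    candidates = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc if t.tag == f"{{{XRD_NS}}}Type" and t.text]
        uris = [u.text.strip() for u in svc if u.tag == f"{{{XRD_NS}}}URI" and u.text]
        if SAML_IDP_TYPE not in types or not uris:
            continue  # an OpenID-only or malformed Service is not a SAML IdP
        prio = svc.get("priority")
        # XRDS: the lowest number wins; a missing priority sorts after every numbered entry
        candidates.append((int(prio) if prio is not None else float("inf"), uris[0]))
    return min(candidates)[1] if candidates else None


# Constructed XRDS standing in for what discovery on the identifier would return.
SAMPLE_XRDS = f"""<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://openid.example.net/server</URI>
    </Service>
    <Service priority="10">
      <Type>{SAML_IDP_TYPE}</Type>
      <URI>https://idp.example.org/saml2/idp</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""
```

Once `find_saml_idp` returns an endpoint, the SP continues with an ordinary SAML 2.0 AuthnRequest to it, exactly as the post says.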

Click to view Flash presentation

By the way - the service provider is implemented on top of Project Lightbulb. I need to do some tidying first, but I'll put the YADIS/XRI code there soon.

UPDATE - coverage of this demo at IIW2006b:

Wednesday Nov 29, 2006

Podcasting and Webcasting

It's been quite a week already and it's only Wednesday night! Yesterday, I was interviewed by Aldo Castañeda for 'The Story of Digital Identity' - Aldo's regular podcast. The conversation centered on Project Lightbulb (a sub-project of OpenSSO) - the PHP implementation of SAML 2.0. We covered a lot of ground, looking at the motivation behind Lightbulb and what I'm working on right now - figuring out how we can bring together some aspects of OpenID with SAML 2.0. There are some interesting synergies here, and I'm looking forward to talking about them at IIW2006b next week in Mountain View. If you're not too interested in digital identity, you can always skip to about 47:50 to hear all about single malt Scotch whisky.

This was my first podcast experience and a lot of fun it was, much less intense than a webcast (no slides!). Aldo is doing a great job, and I felt quite honored to be a part of 'STODID'. This series of podcasts really is required listening if you want to keep up with what's going on in digital identity.

By the way, you'll need iTunes or Quicktime to play the podcast. I didn't have any luck with Windows Media Player or RealPlayer. Other players might also work - feel free to leave a comment.

Today's event was a webcast for the Liberty Alliance, again focusing on Project Lightbulb, but this time with slides and a demo. In the demo I show how to SAML 2.0-enable a simple PHP application by dragging in the Lightbulb files and editing 4 PHP scripts. I fall off the high wire one time, but recover quite gracefully.

The webcast is archived (you might need to scroll down a bit - look for 'Open Source Identity for the Web 2.0 Era'), but you have to download the Webex player to watch it.

I wonder what the rest of the week will bring...

Tuesday Nov 21, 2006

Open Source Identity for the Web 2.0 Era

Regular readers might recall I gave a presentation in Japan last month titled 'Open Source Identity for the Web 2.0 Era'. The Liberty Alliance folks liked it so much, they've asked me to repeat it as a webcast next Wednesday - 11/29/2006 - details here (if you're interested, better sign up fast, places are limited!).

The presentation focuses on OpenSSO and Project Lightbulb - the OpenSSO sub-project that implements a SAML 2.0 service provider in straight PHP - no custom extensions required. I'm planning to SAML 2.0-enable a simple PHP application, live on-the-air, no safety net.

Johannes has already picked up on the webcast announcement and wonders what the Web 2.0 angle is. Let me explain...

Web 2.0 is a difficult term; it means something different to almost everyone you ask. Some focus on particular technologies - Ajax (just pasted that link in - do you realize, that essay, that coined the term 'Ajax', is only 21 months old!) being the most common example. Others focus on particular companies - Flickr, YouTube, any number of social networking sites - or business models - for example, combining your users' individual efforts to create something bigger than the sum of their parts.

For me, 'Web 2.0' is simply a shorthand for 'the Web today is very different from the Web of 5 years ago'. It's a whole world of change wrapped into a somewhat glib phrase. The Tokyo Liberty Alliance Day took Web 2.0 as its theme - my angle on it with this presentation is that a large part of Web 2.0 is participation - notably open source and lightweight languages - look at any 'Web 2.0 company' and you'll find lots of LAMP. It's this aspect that I focus on in 'Open Source Identity for the Web 2.0 Era' - bridging the gap between the enterprise/telco/square world of SAML 2.0 and the bloggy/scripty/hip world of PHP.

Having said all that, Johannes is spot on that "putting control in the hands of the end user — the essence of Web 2.0 — is not typically compatible with the way SAML projects tend to end up". There is much work to do in figuring out how the core of SAML 2.0 can be leveraged in wider settings than the typical (but no less important for that) enterprise/telco use cases. We're seeing some great thinking in this area from the likes of Paul and Eve. I suspect that this will be a key topic of the upcoming Internet Identity Workshop 2006b.

Thursday Nov 02, 2006

Added Single Logout to Lightbulb - SAML 2.0 in PHP

I just finished adding single logout to the 'Lightbulb' OpenSSO SAML 2.0 PHP implementation. I'll take this opportunity to reiterate: THIS IS BY NO MEANS PRODUCTION CODE. There are probably bugs, there are certainly shortcuts. This is development out in the open.

Please do feel free to pick this up, play with it, suggest improvements - even contribute code. As I mentioned before, there is a bit of process to this, but I think it's more than worth it.

The next step for me now is to write a how-to on getting an IdP up to play with...

Friday Oct 20, 2006

Q&A on the OpenSSO SAML 2.0 PHP work

Yesterday I announced the first drop of my SAML 2.0 PHP code. I've had a few questions since then - here they are, with answers:

  • Q: Can I contribute to this?
    A: Of course! This was the whole point of releasing this code as open source. I know a little about SAML 2.0, but I'm no PHP expert. I'd welcome PHP folks to take a look and suggest/make improvements. See the OpenSSO governance for more information on contributing.
  • Q: Is this 'pure' PHP?
    A: That depends on your definition of 'pure'. No custom modules are required. It does use openssl, mysql, dom and xml, but support for these is pretty standard. The default PHP5 in my Ubuntu 6.06 had everything I needed.

Please do leave comments with any further questions - I'll update this entry with the answers.

Thursday Oct 19, 2006

Switching on the Lightbulb

Over the past few months I've had a side project - implementing a SAML 2.0 service provider (SP) in PHP. I originally set out using PHP/Java Bridge and got something working (I even presented it [pdf] at Identity Open Space in Vancouver), but I was inspired by Kim Cameron's success in implementing InfoCard in PHP to try a more direct approach.

Rob Richard's XML Security implementation provided the impetus I needed to get a 'pure' PHP SAML 2.0 SP working. Rob kindly allowed me to adopt the XML Security code into OpenSSO (note that the base XML security code is still, and will continue to be, available, in its original public domain form, at Rob's page) and I set forth hacking away.

Well - I'm done with an initial version. SAML 2.0 POST profile works. There is no artifact profile, no single logout, no bells or whistles. It does verify the assertion signature (via PHP's integration with openssl) and checks that the certificate fingerprint matches what it expects from that identity provider.
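The fingerprint check described above, as an added example that is not Lightbulb's own code: before trusting the XML signature, the SP pins the certificate carried in ds:KeyInfo to the fingerprint it recorded for that identity provider, because a valid signature on its own only proves possession of whatever key the message itself carries. The assertion skeleton and certificate bytes are constructed placeholders, and SHA-1 as the fingerprint algorithm is an assumption.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def extract_signing_cert(assertion_xml: str) -> bytes:
    """Return the DER bytes of the X509Certificate carried in ds:Signature/ds:KeyInfo."""
    root = ET.fromstring(assertion_xml)
    path = "/".join(f"{{{DS_NS}}}{n}" for n in ("Signature", "KeyInfo", "X509Data", "X509Certificate"))
    cert_el = root.find(path)
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError("assertion carries no X509Certificate in ds:KeyInfo")
    return base64.b64decode("".join(cert_el.text.split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hex fingerprint of a DER certificate (SHA-1 assumed, as 2006-era metadata used)."""
    return hashlib.new(algo, der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept the colon-separated, spaced or upper-case forms admins paste into config."""
    return fp.replace(":", "").replace(" ", "").lower()


def cert_matches_idp(assertion_xml: str, expected_fp: str, algo: str = "sha1") -> bool:
    """True only if the cert the message carries is the one pinned for this IdP."""
    actual = fingerprint(extract_signing_cert(assertion_xml), algo)
    # compare_digest: exact equality of the two hex strings without timing differences
    return hmac.compare_digest(actual, normalize_fingerprint(expected_fp))


def build_sample_assertion(cert_der: bytes) -> str:
    """Constructed, unsigned assertion skeleton (sample input, not a real IdP message)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" ID="_constructed">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>"
    )


# Constructed placeholder bytes standing in for the IdP's DER certificate and for some other cert.
IDP_CERT_DER = b"constructed-idp-certificate-bytes"
OTHER_CERT_DER = b"constructed-unrelated-certificate-bytes"
IDP_FINGERPRINT = fingerprint(IDP_CERT_DER)  # what the SP stores for this IdP
```

Only after `cert_matches_idp` returns True is it worth handing the same certificate to the XML signature verifier; a message whose KeyInfo holds any other certificate is rejected before any cryptography runs.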

There is some general documentation on SAML-enabling PHP [odt], and some specific documentation on this code [odt]. I'll write a step-by-step guide to getting it up and running next...

UPDATE - some FAQs here.
