Tuesday Aug 11, 2009

OpenSSO Single Sign-on Extension for MediaWiki

Following the recent trio of OpenSSO Extensions targeting PHP CMS applications (see my previous entries covering the extensions for Drupal, WordPress and Joomla), I decided to look at MediaWiki, the PHP application powering Wikipedia and many other wikis across the web.

In common with the CMS apps, MediaWiki has a very pluggable architecture, making implementation of a single sign-on extension very straightforward, and I was able to get an initial implementation done in a few hours. The user interface is very like the WordPress plugin: just click on the regular 'log in' link to be sent to OpenSSO to authenticate; on returning to MediaWiki, the extension validates the OpenSSO cookie and uses it to retrieve the username from OpenSSO, setting up the MediaWiki session.

There is a README and source code - also available via CVS, and I've added the new provider plugin to the list on the OpenSSO Extensions page. As always, note that none of these extensions are supported by Sun, and all should be considered 'proof of concept' quality - they likely need a bit more polish (and lots more testing!) before being deployed into production.

I think that about wraps up the PHP extension story for the time being - we now have plugins for the four most common PHP web apps. Do leave a comment if you think there is another we should cover.

Saturday Aug 01, 2009

OpenSSO Single Sign-on Plugin for Joomla

I was lucky enough to be able to spend some time at Burton Catalyst this last week with Pamela Dingle, looking at how to get started writing an OpenSSO plugin for Joomla to complement the plugins I recently wrote for Drupal and Wordpress. Pamela, well known for her work on PHP Information Card plugins at The Pamela Project, quickly pointed me in the right direction, and it didn't take me long after that to get something working - thanks, Pam!

The Joomla plugin alters the standard process so that, on clicking the 'Login' button, users are redirected first to OpenSSO to authenticate, then back to Joomla for the plugin to retrieve the user's name from OpenSSO and create a session. I got a little bit more creative this time round; there's JavaScript to alter the Joomla login form - see the screen cap next to this paragraph.

As always, there is a README and source code - also available via CVS, and I've added the new provider plugin to the list on the OpenSSO Extensions page. Note that none of these plugins are supported by Sun, and all should be considered 'proof of concept' quality - they likely need a bit more polish (and lots more testing!) before being deployed into production.

So, that's the Drupal/Wordpress/Joomla open source PHP CMS trifecta covered... I see Pam has a MediaWiki plugin too - maybe I'll look at that next...

Monday Jul 27, 2009

OpenSSO Single Sign-on Plugin for WordPress

Encouraged by a comment on my post about the OpenSSO module for Drupal, and the amount of OpenSSO/Drupal buzz on Twitter, I decided to attack WordPress next. Although WordPress has a very different plugin model from Drupal, I was able to reuse much of the code from the Drupal module and get a basic single sign-on plugin working quite quickly. As with the Drupal module, there are certainly bugs in the WordPress plugin - in particular, I just noticed that, if you log in to OpenSSO as a user without a corresponding WordPress account, you can get into a redirect loop if you try to go to a protected page at WordPress.

As usual, there is a README and source code - also available via CVS, and I've added the new provider plugin to the list on the OpenSSO Extensions page.

So... That's two thirds of the Drupal/Joomla/Wordpress CMS trifecta covered... A competent Joomla hacker should be able to take the Drupal/WordPress work and adapt it pretty easily... Anyone want to try while I'm at Catalyst this week?

Saturday Jul 25, 2009

OpenSSO Single Sign-on Module for Drupal

Drupal is one of the leading open source content management systems - some would say the leading open source CMS. We've had a few requests over the years for OpenSSO/Drupal integration, but no one has hitherto stepped forward. Finding myself with a few spare hours over the last few days, I decided to investigate.

It turns out that, thanks to Drupal's extensibility through modules and OpenSSO's identity services, it's pretty straightforward to get something working. So I did. There is now an OpenSSO module for Drupal [ README | Source - also available via CVS]. I'm no expert in either PHP or Drupal, so there may well be bugs, but it seems to work well, checking for the OpenSSO cookie when users attempt to access Drupal, redirecting them to OpenSSO to authenticate if necessary, and retrieving a Drupal username from the user's OpenSSO profile before setting up the user's Drupal session.

If there's sufficient demand, I'll look at going through the process to contribute this to Drupal under GPL; until then, it's available under CDDL as an OpenSSO Extension.
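The check that the Drupal, WordPress, Joomla and MediaWiki plugins above all perform, as an added example that is not code from any of those extensions: look for the OpenSSO cookie, ask OpenSSO (not the browser) whether that session is valid, fetch the username from the OpenSSO profile, and only then set up the local session. It is written against OpenSSO's identity-services REST interface (identity/isTokenValid and identity/attributes); the deployment URL, CMS host name, the `uid` attribute mapping and the OpenSSO responses in the demo are constructed for this example, and the HTTP call is injected so the demo runs offline. It also handles the redirect loop mentioned in the WordPress post (valid OpenSSO session, no matching local account) by failing visibly instead of bouncing back to OpenSSO.

```php
<?php
/* Added example, not code from the OpenSSO Drupal, WordPress, Joomla or MediaWiki
 * extensions: the decision each of them makes on a request, written against
 * OpenSSO's identity-services REST interface (identity/isTokenValid and
 * identity/attributes). The HTTP call is injected, so the demo at the bottom
 * runs offline against a constructed OpenSSO response. PHP 7.4+. */

const OPENSSO_BASE   = 'https://opensso.example.com/opensso';  /* assumed OpenSSO deployment */
const OPENSSO_COOKIE = 'iPlanetDirectoryPro';                  /* OpenSSO's default session cookie name */
const USERNAME_ATTR  = 'uid';                                  /* profile attribute that becomes the CMS username */
const CMS_HOST       = 'wiki.example.com';                     /* assumed host of this CMS */

/* A real $post: POST the parameters to OpenSSO and return the body. The token
 * must be form-encoded (http_build_query does it) because OpenSSO session ids
 * contain '#', '*' and '+', which would otherwise be mangled in transit. */
function openssoPost(string $path, array $params): string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($params),
        'ignore_errors' => true]]);
    return (string) file_get_contents(OPENSSO_BASE . $path, false, $ctx);
}

/* Parse identity/attributes output (userdetails.* name=value lines) into
 * ['token' => ..., 'attributes' => ['uid' => ['demo'], 'mail' => [...]]].
 * A multi-valued attribute repeats the name/value pair, hence the lists. */
function parseUserDetails(string $body): array
{
    $out  = ['token' => null, 'attributes' => []];
    $name = null;
    foreach (preg_split('/\r?\n/', $body) as $line) {
        if (strpos($line, '=') === false) continue;
        [$k, $v] = explode('=', $line, 2);
        if ($k === 'userdetails.token.id') {
            $out['token'] = $v;
        } elseif ($k === 'userdetails.attribute.name') {
            $name = $v;
        } elseif ($k === 'userdetails.attribute.value' && $name !== null) {
            $out['attributes'][$name][] = $v;
        }
    }
    return $out;
}

/* What the CMS should do for this request: ['login', $username],
 * ['redirect', $url] or ['error', $message]. The cookie's presence is never
 * trusted: OpenSSO is asked whether the session is valid, and the username
 * comes from the OpenSSO profile, not from anything the browser sent. */
function ssoDecision(array $cookies, string $requestUrl, callable $post, callable $cmsUserExists): array
{
    $token = $cookies[OPENSSO_COOKIE] ?? null;
    if ($token === null || trim($post('/identity/isTokenValid', ['tokenid' => $token])) !== 'boolean=true') {
        /* No valid OpenSSO session: send the browser to OpenSSO and have it
         * come back here. Only a URL on this site may be the return target,
         * or the plugin becomes an open redirector. */
        if (parse_url($requestUrl, PHP_URL_HOST) !== CMS_HOST) {
            return ['error', 'Refusing to use an off-site return URL'];
        }
        return ['redirect', OPENSSO_BASE . '/UI/Login?goto=' . rawurlencode($requestUrl)];
    }
    $details  = parseUserDetails($post('/identity/attributes', ['subjectid' => $token]));
    $username = $details['attributes'][USERNAME_ATTR][0] ?? null;
    /* Valid OpenSSO session but no matching CMS account: bouncing back to
     * OpenSSO would just loop (the WordPress post's bug), so fail visibly. */
    if ($username === null || !$cmsUserExists($username)) {
        return ['error', 'Authenticated at OpenSSO but no local account for '
                         . ($username ?? '<no ' . USERNAME_ATTR . ' attribute>')];
    }
    return ['login', $username];
}

/* Demo against a constructed OpenSSO: one live session, one known CMS user. */
$liveToken   = 'AQIC5w-constructed-token';
$fakeOpenSSO = function (string $path, array $params) use ($liveToken): string {
    if ($path === '/identity/isTokenValid') {
        return ($params['tokenid'] ?? '') === $liveToken ? "boolean=true\n" : "boolean=false\n";
    }
    if ($path === '/identity/attributes' && ($params['subjectid'] ?? '') === $liveToken) {
        return "userdetails.token.id=$liveToken\n"
             . "userdetails.attribute.name=uid\nuserdetails.attribute.value=demo\n"
             . "userdetails.attribute.name=mail\nuserdetails.attribute.value=demo@example.com\n";
    }
    return '';
};
$cmsUserExists = fn(string $u) => in_array($u, ['demo', 'admin'], true);
$here = 'https://' . CMS_HOST . '/index.php?title=Special:UserLogin';

foreach ([[], [OPENSSO_COOKIE => 'forged-or-expired'], [OPENSSO_COOKIE => $liveToken]] as $cookies) {
    [$action, $detail] = ssoDecision($cookies, $here, $fakeOpenSSO, $cmsUserExists);
    echo "$action: $detail\n";
}
/* The no-local-account case: same live session, a CMS that knows no one. */
[$action, $detail] = ssoDecision([OPENSSO_COOKIE => $liveToken], $here, $fakeOpenSSO, fn($u) => false);
echo "$action: $detail\n";
```

Swap `$fakeOpenSSO` for `'openssoPost'` to run it against a real OpenSSO; the rest of the logic does not change. The two checks that matter most in production are the ones the plugins above note as unfinished: the same-host test on the return URL, and refusing to redirect again when OpenSSO says yes but the CMS has no account to log the user into.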

Monday Mar 03, 2008

Long Live simpleSAMLphp!

A somewhat bittersweet moment today as I sent this email to the OpenSSO lists:

Some time ago (October 2006), we released 'Lightbulb', a simple SAML 2.0 service provider/relying party implemented in PHP, as a proof-of-concept, to show that it was indeed possible to write a 'pure' (no custom modules required) SAML 2.0 implementation in PHP.

Later, Lightbulb became an OpenSSO Extension, and was used by Andreas Solberg at FEIDE as the inspiration for simpleSAMLphp - a much more complete SAML 2.0 implementation, again in PHP, but this time including identity provider functionality, Shibboleth 1.3 and more.

Andreas has done a great job, devoting considerable time and effort to simpleSAMLphp, to the great benefit of the wider SAML 2.0 community. Over the months, simpleSAMLphp has become widely deployed in the academic community, to the extent that there are now events such as simpleSAMLphp workshops.

Consequently, we have decided to mark the OpenSSO SAML2/PHP Extension as 'deprecated' in favor of simpleSAMLphp. The old code will be left in place in CVS, but there is now a prominent README directing people to simpleSAMLphp.

Long live simpleSAMLphp!

Kind of like seeing one of your kids moving out of the family home and starting their own life, I guess...

Saturday Dec 15, 2007

links for 2007-12-16

Tuesday Jun 19, 2007

Single Logout with SAML 2.0 and PHP

Back in February, Marina Sum and I co-wrote an article on the OpenSSO SAML 2.0 PHP Extension, or Lightbulb, as it was then known. The sequel to that article - Single Logout: A Demo just went live at Sun Developer Network: Marina and I provide an update on Project Lightbulb's evolution into an OpenSSO Extension as well as a look at circles of trust and single logout in SAML 2.0. As before, we look at a simple example message flow, then delve down into the PHP code to see how it all works. Click here for the article.

Sunday Jun 17, 2007

SAML 2.0 HTTP-SimpleSign Support in OpenSSO SAML 2.0 PHP Extension

You might be aware of the SAML 2.0 HTTP-SimpleSign binding from blog posts by Jeff Hodges (co-author of the spec, with Scott Cantor) and George Fletcher. Put simply, HTTP-SimpleSign signs the SAML 2.0 message verbatim: the XML, the RelayState (if any) and the signature algorithm identifier are concatenated as a plain string and signed as-is, with no XML canonicalization and no XML Signature processing, and the signature travels as a separate form field alongside the message. It works quite neatly, since the XML is base64 encoded and sent from the identity provider to the service provider via browser POST, so there are no intermediaries who might benignly munge it about and cause signature verification to fail.

George's report of AOL's HTTP-SimpleSign implementation prompted me to go add it to OpenSSO's SAML 2.0/PHP Extension (formerly known as 'Lightbulb'). It took about an hour, all told, since the main difference from the traditional HTTP POST signature verification:

require_once 'xmlseclibs.php';	/* Rob Richards' XML Security library */

function checkXMLSignature($token) {
	$objXMLSecDSig = new XMLSecurityDSig();
	$objXMLSecDSig->idKeys[] = 'ID';
	$objDSig = $objXMLSecDSig->locateSignature($token);

	/* Must check certificate fingerprint now - validateReference removes it */
	if ( ! validateCertFingerprint($token) )
		throw new Exception("Fingerprint Validation Failed");

	/* Canonicalize the signed info - verify() below checks the signature over this */
	$objXMLSecDSig->canonicalizeSignedInfo();

	$retVal = NULL;
	if ($objDSig) {
		$retVal = $objXMLSecDSig->validateReference();
	}
	if (! $retVal) {
		throw new Exception("SAML Validation Failed");
	}

	$key = NULL;
	$objKey = $objXMLSecDSig->locateKey();
	if ($objKey) {
		if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig)) {
			/* Handle any additional key processing such as encrypted keys here */
		}
	}
	if (empty($objKey)) {
		throw new Exception("Error loading key to handle Signature");
	}

	return ($objXMLSecDSig->verify($objKey)==1);
}

is to just verify the signature directly on the SAML XML text and other parameters:

require_once 'xmlseclibs.php';	/* for the XMLSecurityKey::RSA_SHA1 algorithm URI */

function checkSimpleSignature($params,$cert) {
	$rawSignature = $params['Signature'];
	$sigAlg = $params['SigAlg'];

	$samlResponse = base64_decode( $params['SAMLResponse'] );
	$signature = base64_decode($rawSignature);

	if (strcmp($sigAlg,XMLSecurityKey::RSA_SHA1) != 0) {
		throw new Exception("Signature algorithm ".$sigAlg." is not supported");
	}

	/* The signed string is the decoded XML and the other parameters, verbatim and in this
	   order; RelayState is included only if one was sent */
	if ( isset($params['RelayState'] ) ) {
		$relayState = $params['RelayState'];
		$signedData = "SAMLResponse=".$samlResponse."&RelayState=".$relayState."&SigAlg=".$sigAlg;
	} else {
		$signedData = "SAMLResponse=".$samlResponse."&SigAlg=".$sigAlg;
	}

	/* openssl_verify defaults to SHA-1, matching the only SigAlg accepted above */
	return (openssl_verify($signedData, $signature, $cert) == 1);
}

The difference in complexity may not look substantial, due to the excellent XML Signature support from Rob Richards' XML Security library, but it's a huge difference if you're implementing from scratch.

I've done some informal testing and everything seems to check out. If you are working with HTTP-SimpleSign on the IdP end, please do grab the SAML2.0/PHP code, check it against your implementation and report back.
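Both halves of the HTTP-POST-SimpleSign exchange, as an added example that is not code from the OpenSSO SAML2/PHP Extension: the identity-provider side builds the signed string and the form fields, the service-provider side rebuilds the string from what it received and verifies it, so an IdP implementation can be checked against an SP verifier without a browser in between. The key pair and the SAML Response are constructed for the example. It goes a little beyond the extension's code in accepting RSA-SHA256 as well as RSA-SHA1 (SHA-1 is what the code above accepts, and the only choice in 2007; it should not be the only choice today), in decoding base64 strictly so a damaged field fails closed, and in showing that RelayState is covered by the signature.

```php
<?php
/* Added example, not code from the OpenSSO SAML2/PHP Extension: both sides of the
 * SAML 2.0 HTTP-POST-SimpleSign binding, so an IdP implementation can be checked
 * against an SP verifier offline. The key pair and the SAML Response below are
 * constructed for this example (PHP 7.1+, ext-openssl). */

const RSA_SHA1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';

/* SigAlg URIs the SP is willing to verify, mapped to OpenSSL digests. Anything
 * else is rejected, so the sender cannot choose a weaker or unknown algorithm. */
const SIG_ALGS = [RSA_SHA1 => OPENSSL_ALGO_SHA1, RSA_SHA256 => OPENSSL_ALGO_SHA256];

/* The string that is actually signed. Per the binding it is the *decoded*,
 * un-URL-encoded XML, then RelayState only when one is sent, then SigAlg,
 * always in this order and with nothing canonicalized. */
function simpleSignData(string $samlXml, ?string $relayState, string $sigAlg): string
{
    $data = 'SAMLResponse=' . $samlXml;
    if ($relayState !== null) {
        $data .= '&RelayState=' . $relayState;
    }
    return $data . '&SigAlg=' . $sigAlg;
}

/* IdP side: the form fields the browser will POST to the SP. */
function simpleSignResponse(string $samlXml, ?string $relayState, string $sigAlg, $privateKey): array
{
    if (!isset(SIG_ALGS[$sigAlg])) {
        throw new Exception("Unsupported SigAlg $sigAlg");
    }
    if (!openssl_sign(simpleSignData($samlXml, $relayState, $sigAlg), $sig, $privateKey, SIG_ALGS[$sigAlg])) {
        throw new Exception('openssl_sign failed: ' . openssl_error_string());
    }
    $fields = ['SAMLResponse' => base64_encode($samlXml), 'SigAlg' => $sigAlg, 'Signature' => base64_encode($sig)];
    if ($relayState !== null) {
        $fields['RelayState'] = $relayState;
    }
    return $fields;
}

/* SP side. Rebuilds the signed string from the parameters as received, decodes
 * base64 strictly so a damaged field fails closed, and verifies with the key the
 * SP already trusts for this IdP (never one carried inside the message). */
function checkSimpleSign(array $params, $idpPublicKey): bool
{
    foreach (['SAMLResponse', 'SigAlg', 'Signature'] as $required) {
        if (!isset($params[$required])) {
            throw new Exception("Missing $required parameter");
        }
    }
    $sigAlg = $params['SigAlg'];
    if (!isset(SIG_ALGS[$sigAlg])) {
        throw new Exception("Signature algorithm $sigAlg is not supported");
    }
    $samlXml   = base64_decode($params['SAMLResponse'], true);
    $signature = base64_decode($params['Signature'], true);
    if ($samlXml === false || $signature === false) {
        throw new Exception('SAMLResponse or Signature is not valid base64');
    }
    $signed = simpleSignData($samlXml, $params['RelayState'] ?? null, $sigAlg);
    return openssl_verify($signed, $signature, $idpPublicKey, SIG_ALGS[$sigAlg]) === 1;
}

/* Demo with a constructed key pair and a minimal Response. A real SP would load
 * the IdP's signing certificate from its SAML metadata instead. */
$idpKey    = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$idpPubPem = openssl_pkey_get_details($idpKey)['key'];
$response  = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed" Version="2.0"/>';

$post = simpleSignResponse($response, 'https://sp.example.com/app', RSA_SHA256, $idpKey);
if (!checkSimpleSign($post, $idpPubPem)) {
    throw new Exception('genuine response rejected');
}

$tampered = $post;
$tampered['RelayState'] = 'https://attacker.example.net/';   /* RelayState is under the signature */
if (checkSimpleSign($tampered, $idpPubPem)) {
    throw new Exception('tampered RelayState accepted');
}

$noRelay = simpleSignResponse($response, null, RSA_SHA1, $idpKey);   /* the SigAlg the extension's code accepts */
if (!checkSimpleSign($noRelay, $idpPubPem)) {
    throw new Exception('response without RelayState rejected');
}
echo "HTTP-POST-SimpleSign sign/verify round trips behaved as expected\n";
```

The script throws on the first mismatch, so a silent run means the three cases (genuine, tampered RelayState, no RelayState) all behaved as the binding requires. To test a real IdP, replace the `$post` array with the fields from its form and `$idpPubPem` with the certificate from its metadata; the signed-string construction is the part most implementations get wrong (URL-encoding the values, or leaving out the RelayState), and this is where that would show up.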

Thursday May 24, 2007

New Iteration of the SAML 2.0 PHP SP

Many thanks to Andreas Åkre Solberg of the FEIDE project for this latest iteration of the SAML 2.0 PHP service provider (SP) OpenSSO Extension (you might remember it as 'Lightbulb'). I spent Thursday afternoon running through some tests with the PHP SP and OpenSSO as the identity provider - apart from one very minor bug (already fixed), it all works great!

Changes since the initial implementation:

  • Code restructured with SPIs for session handling and name mapping
  • Single logout listener
  • Support for transient identifiers
  • A new, simpler, sample
  • Documentation!
  • Several bugfixes

Grab the code via CVS from opensso.dev.java.net (it's in opensso/extensions/saml2php/). Instructions for getting the code via CVS.

Wednesday Apr 04, 2007

SSOCircle Latest - SAML2.0/PHP and OpenID

Looks like Hu's been busy - not only has he deployed a sample SAML 2.0 service provider based on the SAML 2.0/PHP OpenSSO Extension (formerly known as Lightbulb), he's also rolled out Paul's OpenID code (another OpenSSO Extension). So, now you can go register at SSOCircle and use either SAML 2.0 or OpenID to authenticate to relying parties/service providers, all through the magic of OpenSSO. Cool!

Monday Mar 12, 2007

Lightbulb is Dead; Long Live OpenSSO Extensions!

Last October, we released the first SAML 2.0 implementation in PHP, codenamed 'Project Lightbulb' (because Lightbulb fits into LAMP) and a sub-project of OpenSSO. In the few months since then, other folks have proposed similar extensions to OpenSSO, and the 'Lightbulb' name has looked increasingly anachronistic, particularly since the core OpenSSO project has always fully supported LAMP with its Apache HTTP Server and Tomcat policy agents.

Today, we launch OpenSSO Extensions, OpenSSO's code incubator, with three initial modules:

So - what is an OpenSSO Extension? Well, it's any piece of code that either

  • extends OpenSSO to provide new functionality, for example, the OpenID identity provider, or
  • interfaces with OpenSSO, extending other systems, such as the PHP Client SDK and SAML 2.0 relying party.

If you have an idea for extending OpenSSO in an interesting way, then click here to participate!

Tuesday Feb 06, 2007

Switch on SAML for PHP with Project Lightbulb

Marina Sum and I just published an article over on the Sun Developer Network (SDN) - Switch on SAML for PHP with Project Lightbulb. The article walks through some of the Project Lightbulb code, following the single sign-on process. If you want to work with the Lightbulb code, or you just want a better idea of how SAML 2.0 works, this article is for you.

As I mention in the conclusion, we'll look at SAML 2.0 single logout and the circle-of-trust in a future article.

Tuesday Dec 05, 2006

YADIS/XRI Identifier Resolution with SAML 2.0

This week at Internet Identity Workshop 2006b I've been demonstrating some work I've been doing to combine YADIS/XRI Identifier Resolution (as in OpenID) with SAML 2.0 Web Browser SSO Profile. The user experience is:

  1. I go to a service provider (relying party)
  2. I enter my identifier (URL or i-name)
  3. I authenticate at my identity provider
  4. I can access services at the service provider

The magic takes place between steps 2 and 3: the service provider resolves the user's identifier, which might be a URL or an i-name, to the location of a SAML 2.0 identity provider. The service provider can now do vanilla SAML 2.0 with the identity provider. The easiest way to see what's going on is via a demo, so, here you go:

Click to view Flash presentation

By the way - the service provider is implemented on top of Project Lightbulb. I need to do some tidying first, but I'll put the YADIS/XRI code there soon.
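The resolution step between 2 and 3 above, as an added example that is not Project Lightbulb's code: turn what the user typed (an i-name or a URL) into a request for an XRDS document, do YADIS discovery on the response (XRDS content type, X-XRDS-Location header, or the equivalent meta tag), and pick the identity provider out of the XRDS by service Type and priority. The page does not say which service Type the demo used to mark a SAML 2.0 identity provider, so the Type URI here is an assumption, as are the XRDS document, the HTML page and the host names in the demo; the fetch is injected so it runs offline.

```php
<?php
/* Added example, not code from Project Lightbulb: resolving a user-supplied
 * identifier to a SAML 2.0 identity provider via YADIS/XRDS. The service Type
 * URI for a SAML IdP, the XRDS document and the HTML page are constructed for
 * this example. PHP 7.4+, ext-dom. */

const SAML_IDP_SERVICE_TYPE = 'urn:example:saml2:idp';   /* assumption: not specified by the page */
const XRI_PROXY_RESOLVER    = 'https://xri.net/';         /* public XRI proxy resolver */

/* Where to GET an XRDS for this identifier: i-names (=alice, @example) go to
 * the proxy resolver with the XRDS content type requested; anything else is a URL. */
function xrdsRequestUrl(string $identifier): string
{
    $identifier = trim($identifier);
    if ($identifier !== '' && strpbrk($identifier[0], '=@+$!') !== false) {
        return XRI_PROXY_RESOLVER . $identifier . '?_xrd_r=application/xrds+xml';
    }
    return preg_match('#^https?://#i', $identifier) ? $identifier : 'http://' . $identifier;
}

/* YADIS discovery. $fetch(url) returns [headers (lowercase name => value), body].
 * Returns the XRDS body, or null when the page does not lead to one. */
function discoverXrds(string $url, callable $fetch): ?string
{
    [$headers, $body] = $fetch($url);
    if (stripos($headers['content-type'] ?? '', 'application/xrds+xml') !== false) {
        return $body;
    }
    $location = $headers['x-xrds-location'] ?? null;
    if ($location === null
        && preg_match('#<meta[^>]+http-equiv=["\']X-XRDS-Location["\'][^>]+content=["\']([^"\']+)["\']#i', $body, $m)) {
        $location = html_entity_decode($m[1]);
    }
    if ($location === null) {
        return null;
    }
    [, $xrds] = $fetch($location);
    return $xrds;
}

/* Pick the IdP endpoint from an XRDS: the last XRD only (earlier ones describe
 * intermediate authorities), services of the wanted Type, lowest numeric
 * priority wins, and a missing priority sorts last. The XRDS comes from a host
 * the user named, so it is parsed with network access off and entities unexpanded. */
function selectSamlIdp(string $xrds, string $type = SAML_IDP_SERVICE_TYPE): ?string
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xrds, LIBXML_NONET)) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('xrd', 'xri://$xrd*($v*2.0)');
    $xrdNodes = $xp->query('//xrd:XRD');
    if ($xrdNodes->length === 0) {
        return null;
    }
    $last = $xrdNodes->item($xrdNodes->length - 1);
    $best = null;
    $bestPriority = PHP_INT_MAX;
    foreach ($xp->query('xrd:Service', $last) as $service) {
        $types = [];
        foreach ($xp->query('xrd:Type', $service) as $t) {
            $types[] = trim($t->textContent);
        }
        $uri = $xp->query('xrd:URI', $service)->item(0);
        if (!in_array($type, $types, true) || $uri === null) {
            continue;
        }
        $priority = $service->hasAttribute('priority') ? (int) $service->getAttribute('priority') : PHP_INT_MAX;
        if ($best === null || $priority < $bestPriority) {
            $best = trim($uri->textContent);
            $bestPriority = $priority;
        }
    }
    return $best;
}

/* Constructed fixtures: an XRDS advertising two SAML IdPs plus an OpenID
 * endpoint, served directly for the i-name and via a meta tag for the URL. */
$xrds = <<<'XML'
<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20"><Type>urn:example:saml2:idp</Type><URI>https://backup-idp.example.com/saml2</URI></Service>
    <Service priority="10"><Type>urn:example:saml2:idp</Type><URI>https://idp.example.com/saml2</URI></Service>
    <Service><Type>http://specs.openid.net/auth/2.0/signon</Type><URI>https://idp.example.com/openid</URI></Service>
  </XRD>
</xrds:XRDS>
XML;
$fetch = function (string $url) use ($xrds): array {
    if (strpos($url, XRI_PROXY_RESOLVER) === 0 || $url === 'https://alice.example.org/xrds') {
        return [['content-type' => 'application/xrds+xml'], $xrds];
    }
    return [['content-type' => 'text/html'],
            '<html><head><meta http-equiv="X-XRDS-Location" content="https://alice.example.org/xrds"></head></html>'];
};
foreach (['=alice', 'alice.example.org'] as $id) {
    $doc = discoverXrds(xrdsRequestUrl($id), $fetch);
    echo "$id -> " . ($doc === null ? 'no XRDS found' : (selectSamlIdp($doc) ?? 'no SAML IdP advertised')) . "\n";
}
```

Once `selectSamlIdp` has returned an endpoint the service provider is back in ordinary SAML 2.0 territory: that URI is where the AuthnRequest goes, and the IdP's signing key still has to come from metadata the SP trusts, not from the XRDS, since anyone who controls the user's identifier page controls its contents.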

UPDATE - coverage of this demo at IIW2006b:

Wednesday Nov 29, 2006

Podcasting and Webcasting

It's been quite a week already and it's only Wednesday night! Yesterday, I was interviewed by Aldo Castañeda for 'The Story of Digital Identity' - Aldo's regular podcast. The conversation centered on Project Lightbulb (a sub-project of OpenSSO) - the PHP implementation of SAML 2.0. We covered a lot of ground, looking at the motivation behind Lightbulb and what I'm working on right now - figuring out how we can bring together some aspects of OpenID with SAML 2.0. There are some interesting synergies here, and I'm looking forward to talking about them at IIW2006b next week in Mountain View. If you're not too interested in digital identity, you can always skip to about 47'50" to hear all about single malt Scotch whisky.

This was my first podcast experience and a lot of fun it was, much less intense than a webcast (no slides!). Aldo is doing a great job, and I felt quite honored to be a part of 'STODID'. This series of podcasts really is required listening if you want to keep up with what's going on in digital identity.

By the way, you'll need iTunes or Quicktime to play the podcast. I didn't have any luck with Windows Media Player or RealPlayer. Other players might also work - feel free to leave a comment.

Today's event was a webcast for the Liberty Alliance, again focusing on Project Lightbulb, but this time with slides and a demo. In the demo I show how to SAML 2.0 enable a simple PHP application by dragging in the Lightbulb files and editing 4 PHP scripts. I fall off the high wire one time, but recover quite gracefully.

The webcast is archived (you might need to scroll down a bit - look for 'Open Source Identity for the Web 2.0 Era'), but you have to download the Webex player to watch it.

I wonder what the rest of the week will bring...

Tuesday Nov 21, 2006

Open Source Identity for the Web 2.0 Era

Regular readers might recall I gave a presentation in Japan last month titled 'Open Source Identity for the Web 2.0 Era'. The Liberty Alliance folks liked it so much, they've asked me to repeat it as a webcast next Wednesday - 11/29/2006 - details here (if you're interested, better sign up fast, places are limited!).

The presentation focuses on OpenSSO and Project Lightbulb - the OpenSSO sub-project that implements a SAML 2.0 service provider in straight PHP - no custom extensions required. I'm planning to SAML 2.0-enable a simple PHP application, live on-the-air, no safety net.

Johannes has already picked up on the webcast announcement and wonders what the Web 2.0 angle is. Let me explain...

Web 2.0 is a difficult term; it means something different to almost everyone you ask. Some focus on particular technologies - Ajax (just pasted that link in - do you realize, that essay, that coined the term 'Ajax', is only 21 months old!) being the most common example. Others focus on particular companies - Flickr, YouTube, any number of social networking sites - or business models - for example, combining your users' individual efforts to create something bigger than the sum of their parts.

For me, 'Web 2.0' is simply a shorthand for 'the Web today is very different from the Web of 5 years ago'. It's a whole world of change wrapped into a somewhat glib phrase. The Tokyo Liberty Alliance Day took Web 2.0 as its theme - my angle on it with this presentation is that a large part of Web 2.0 is participation - notably open source and lightweight languages - look at any 'Web 2.0 company' and you'll find lots of LAMP. It's this aspect that I focus on in 'Open Source Identity for the Web 2.0 Era' - bridging the gap between the enterprise/telco/square world of SAML 2.0 and the bloggy/scripty/hip world of PHP.

Having said all that, Johannes is spot on that "putting control in the hands of the end user — the essence of Web 2.0 — is not typically compatible with the way SAML projects tend to end up". There is much work to do in figuring out how the core of SAML 2.0 can be leveraged in wider settings than the typical (but no less important for that) enterprise/telco use cases. We're seeing some great thinking in this area from the likes of Paul and Eve. I suspect that this will be a key topic of the upcoming Internet Identity Workshop 2006b.
