Thursday Nov 02, 2006

Added Single Logout to Lightbulb - SAML 2.0 in PHP

I just finished adding single logout to the 'Lightbulb' OpenSSO SAML 2.0 PHP implementation. I'll take this opportunity to reiterate: THIS IS BY NO MEANS PRODUCTION CODE. There are probably bugs, there are certainly shortcuts. This is development out in the open.

Please do feel free to pick this up, play with it, suggest improvements - even contribute code. As I mentioned before, there is a bit of process to this, but I think it's more than worth it.

The next step for me now is to write a how-to on getting an IdP up to play with...

Friday Oct 20, 2006

Q&A on the OpenSSO SAML 2.0 PHP work

Yesterday I announced the first drop of my SAML 2.0 PHP code. I've had a few questions since then - here they are, with answers:

  • Q: Can I contribute to this?
    A: Of course! This was the whole point of releasing this code as open source. I know a little about SAML 2.0, but I'm no PHP expert. I'd welcome PHP folks to take a look and suggest/make improvements. See the OpenSSO governance for more information on contributing.
  • Q: Is this 'pure' PHP?
    A: That depends on your definition of 'pure'. No custom modules are required. It does use openssl, mysql, dom and xml, but support for these is pretty standard. The default PHP5 in my Ubuntu 6.06 had everything I needed.

Please do leave comments with any further questions - I'll update this entry with the answers.

Thursday Oct 19, 2006

Switching on the Lightbulb

Over the past few months I've had a side project - implementing a SAML 2.0 service provider (SP) in PHP. I originally set out using PHP/Java Bridge and got something working (I even presented it [pdf] at Identity Open Space in Vancouver), but I was inspired by Kim Cameron's success in implementing InfoCard in PHP to try a more direct approach.

Rob Richard's XML Security implementation provided the impetus I needed to get a 'pure' PHP SAML 2.0 SP working. Rob kindly allowed me to adopt the XML Security code into OpenSSO (note that the base XML security code is still, and will continue to be, available, in its original public domain form, at Rob's page) and I set forth hacking away.

Well - I'm done with an initial version. SAML 2.0 POST profile works. There is no artifact profile, no single log out, no bells or whistles. It does verify the assertion signature (via PHP's integration with openssl) and checks that the certificate fingerprint matches what it expects from that identity provider.

There is some general documentation on SAML-enabling PHP [odt], and some specific documentation on this code [odt]. I'll write a step-by-step guide to getting it up and running next...

UPDATE - some FAQs here.

About

superpat

Search

Archives
« April 2014
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today