Peter's ruminations
October 6
Shib CA PKI federation startup

If you want to run your own CA, we wrote a book encouraging those with few crypto skills to at least try (these were the folks with enough programming skills in Visual Basic to build object servers/components but not build systems). We aimed to complement the CAPICOM library Microsoft eventually released to the same audience - crypto APIs for dummies ...still wanting the assurance that they were using "reputable" and standard security services.
http://www.amazon.com/gp/offer-listing/0201309807/ref=dp_olp_1
Even though it's a book about a non-SAML entity, it may yet help one learn to bootstrap a SAML federation - a (distant) family member of the CA ...that we did write about. The step of issuing SAML metadata to bootstrap a federation is analogous to the CA administrator issuing a certificate to an OCSP validation authority (flame shield up).
I doubt that book talked much about it (though I cannot really remember which control topics I wrote about, any more), but Validation Authorities aimed to authorize a farm of servers listening on anycast addresses across the internet to make "status" statements on behalf of a leaf CA. The signatures could be across simple small messages (IETF), or Merkle hash trees (patented). Whereas a Validation Authority network might use IETF's signed OCSP messages to dynamically issue (a) signed statement(s) about a static cert to which various attributes about the subject (managed by third parties) may be attached, a SAML IDP issues signed XML "assertions" ...to which various attributes about the subject (managed by third parties) may be attached (strangely enough). By fiat, attributes can be entitlements, and attribute contracts would (I grudgingly suppose) implement what a CISSP would probably call a network-/federation-wide non-discretionary security policy by controlling their release (IDP side) and acceptance (SP side).
Be aware that, in the book referenced, there is no academic tone and no textbook-grade organization of knowledge about the various issues involved in operating a CA. Read it before an exam and you will probably fail. (So don't! It was written to make you think, vs. score highly on tests.) Note, furthermore, that anyone with a "professional" reputation to uphold in PKI gets as far away from the book (and the book's authors) as possible. It's a PKI for dummies who would like to be otherwise - which is kind of an oxymoron within the PKI profession. Be aware that the code is 10 years old, written in languages that are no longer supported by Microsoft, and though the compiled objects are still reputed to work with a modern Windows Server platform, the OS security models have changed so much that one might wish to start again. Actually... please start again!
The main object of the particular writing effort was... to persuade the unwashed, the perhaps-scorned, and the feeling-inept about certificates that they too COULD run their own CA - and then go off and do local integration ...using the (Microsoft) component-ware we focused on.
Peter.
------------
I'm sure that some people think the polite thing would be to say "sorry, we can't help you". And I might do that in some cases, but NOT with this question. Setting up a federation and creating/managing metadata is not something you can just wing. It would be like running a CA with the same level of understanding. It demands a serious response.
FWIW, I'm very glad that you found a solution you're happy with.
-- Scott

April 27
Shibboleth2 ECP for IIS7/Windows 2008

To allow IIS7 (via the shib_isapi handler) to invoke the NativeSP in "handler" mode (so Shib2 acts as a layer 5 protocol engine, rather than web-session middleware) and then support a trial generating a SAMLRequest using ECP and PAOS, I did the following:

1. In the isapi src, alter code lines as follows:
   A. pair<bool,long> res = stf.getServiceProvider().doAuthentication(stf, true); // note true for 2nd parm
   B. dynabuf handlervar(256); // define val as global, and have CRT static alloc space
   C. GetHeader(pn,pfc,"url",handlervar,256,false); // add line to ShibTargetIsapiF constructor, after existing GetHeader(url). Fast hack to store inbound querystring as global char* in handlervar
   D. // The filter never processes the POST, so stub these methods.
2. In the isapi src, comment out any undesirable, "non protocol" features: g_Config->setFeatures(
3. In a shibboleth2.xml SP config file generated by the TestShib harness, ensure the default SessionInitiator has the (undocumented) attribute ECP="true":
   <SessionInitiator type="SAML2" Location="/TestShib" ECP="true" // note case sensitivity of ECP
4. Invoke the trial using a tool like curl(1), using GET to induce a protocol run, where the providerId parameter is demonstrably set to "none" to showcase the ECP scenario. Run-time mux/demux requirements for the trial varied by changing "TestShib" and applicationId=<val>. This invokes the protocol engine for layer 5 S-SDU/initiate, in raw mode:
   https://win8pw.rapattoni.local/Shibboleth.sso/TestShib?applicationId=default&providerId=none
5. Ensure the HTTP request has conforming HTTP request headers (taken verbatim from SAML2 documentation/latest errata):
   Accept: text/html; application/vnd.paos+xml

Unless I missed some of my code hacks, this produces a trial as follows. Since this is the first time in 12 months of trying with 3 Windows products that I've got this far with ECP ...I'm pretty happy with Shib2! Thanks!
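What the curl trial in steps 4 and 5 is driving at, seen from the client side, as an added example (this is not code from the post, nor from the Shibboleth project): the two request headers the SAML 2.0 ECP profile requires of an ECP client (the profile requires a PAOS header alongside the Accept header), and the checks the client has to make on the SP's answer before forwarding anything to an IdP: that the SP actually answered with a PAOS envelope rather than the HTML redirect a browser would get (the symptom of an SP still acting as web-session middleware), that the envelope carries paos:Request, ecp:Request and an AuthnRequest, and that the paos:Request responseConsumerURL matches the AuthnRequest's AssertionConsumerServiceURL. The PAOS response below is constructed for the example; the sp.example.local and idp.example.local hosts and the /Shibboleth.sso/SAML2/ECP location are placeholders.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS_NS = "urn:liberty:paos:2003-08"
ECP_NS = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PAOS_CONTENT_TYPE = "application/vnd.paos+xml"


def ecp_request_headers():
    """The two request headers the SAML 2.0 ECP profile requires of a client.
    Without both, an SP treats the client as a browser and answers with an
    HTML redirect to the IdP instead of a PAOS envelope."""
    return {
        "Accept": "text/html; " + PAOS_CONTENT_TYPE,
        "PAOS": 'ver="%s"; "%s"' % (PAOS_NS, ECP_NS),
    }


def parse_paos_authn_request(content_type, body):
    """Check an SP's answer to an ECP-initiated GET and extract what the
    client needs to forward the AuthnRequest to an IdP.
    Raises ValueError on anything an ECP client must refuse to act on."""
    # 1. The SP must have answered in PAOS at all. An HTML body here means
    #    it is still acting as web-session middleware, not as a handler.
    if content_type.split(";")[0].strip().lower() != PAOS_CONTENT_TYPE:
        raise ValueError("SP did not answer with PAOS: %s" % content_type)

    env = ET.fromstring(body)
    if env.tag != "{%s}Envelope" % SOAP_NS:
        raise ValueError("body is not a SOAP envelope")
    header = env.find("{%s}Header" % SOAP_NS)
    soap_body = env.find("{%s}Body" % SOAP_NS)
    if header is None or soap_body is None:
        raise ValueError("envelope lacks Header or Body")

    # 2. Both profile headers and the AuthnRequest must be present.
    paos_req = header.find("{%s}Request" % PAOS_NS)
    ecp_req = header.find("{%s}Request" % ECP_NS)
    authn = soap_body.find("{%s}AuthnRequest" % SAMLP_NS)
    if paos_req is None or ecp_req is None or authn is None:
        raise ValueError("missing paos:Request, ecp:Request or AuthnRequest")

    # 3. The URL the client will later POST the IdP's response to must be
    #    the one the AuthnRequest itself names; otherwise the response
    #    would be delivered somewhere the SP did not ask for.
    rc_url = paos_req.get("responseConsumerURL")
    acs_url = authn.get("AssertionConsumerServiceURL")
    if not rc_url or rc_url != acs_url:
        raise ValueError("responseConsumerURL %r does not match "
                         "AssertionConsumerServiceURL %r" % (rc_url, acs_url))

    issuer = ecp_req.find("{%s}Issuer" % SAML_NS)
    return {
        "request_id": authn.get("ID"),
        "sp_entity_id": issuer.text.strip() if issuer is not None else None,
        "response_consumer_url": rc_url,
        "idp_list": [e.get("ProviderID")
                     for e in ecp_req.iter("{%s}IDPEntry" % SAMLP_NS)],
    }


# Constructed sample of what an SP handler returns to an ECP client;
# the hostnames and handler location are placeholders, not captured data.
SAMPLE_CONTENT_TYPE = "application/vnd.paos+xml; charset=utf-8"
SAMPLE_PAOS_RESPONSE = """\
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:paos="urn:liberty:paos:2003-08"
    xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <S:Header>
    <paos:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        S:mustUnderstand="1"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        responseConsumerURL="https://sp.example.local/Shibboleth.sso/SAML2/ECP"/>
    <ecp:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        S:mustUnderstand="1" IsPassive="false">
      <saml:Issuer>https://sp.example.local/shibboleth</saml:Issuer>
      <samlp:IDPList>
        <samlp:IDPEntry ProviderID="https://idp.example.local/idp/shibboleth"/>
      </samlp:IDPList>
    </ecp:Request>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_3f2a9c" Version="2.0"
        IssueInstant="2008-04-27T00:00:00Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        AssertionConsumerServiceURL="https://sp.example.local/Shibboleth.sso/SAML2/ECP">
      <saml:Issuer>https://sp.example.local/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>
"""

if __name__ == "__main__":
    print(ecp_request_headers())
    print(parse_paos_authn_request(SAMPLE_CONTENT_TYPE, SAMPLE_PAOS_RESPONSE))
```

In the trial above, a response that fails the first check (an HTML body with a 200 or a 302 to the IdP) is the quickest way to tell that the request is still being handled as a browser session rather than reaching the ECP-enabled SessionInitiator.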
_________________________
From: Peter Williams
Sent: Sat 4/26/2008 1:11 PM
To: shibboleth-users@internet2.edu
Subject: RE: TestShib not responding to ACSURL

I've moved on in my experiment (changing Shib2 code to suit), hopefully exploiting a response on a different thread. It noted that one can initiate a (SAML2) protocol handler using URIs of the form:

Feedback on OpenLiberty ECP plugin for Mozilla Firefox

Using instructions at http://openliberty.org/wiki/index.php?title=ECP_Plugin_Documentation&action=edit, I now have the capability to mostly build the ECP extensions, but have not succeeded in running the ECP plug-in on Windows 2008 Enterprise Edition. Some pretty raw feedback follows:-
The notes might want to suggest an SP site with which to make a trial, and/or define a means to know that the extension is at least loaded into Firefox.