[wsf-dev] ECP plugin build/execute feedback

Peter Williams pwilliams at rapattoni.com
Mon Apr 28 12:02:25 PDT 2008


Copy of email sent to shibboleth-users group follows, on making shib2 package act as an ECP/PAOS-capable SP (to generate the EnvelopedAuthRequest, at least) in Windows/IIS. Not clear the shib exploder has distributed the original mail from Saturday, so it's included here.

My plan is thus:

1. wait till Wed to try building/launching again the ECP plugin

2. run it against my working IIS7/Shib2 SP

3. have to talk to PingFederate 5.02 as IDP, using SAML2.SOAP binding.

(3) seems the part most at risk now, as I'm not sure I can get PingFed to issue a SOAP response that has the Enveloped form required by the ECP proxy. I'll play though. Ping are unsupportive on all this work (and won't even release hints); so it's trial and error, for me. T&D may well fail, and I may have to go build the Shib2 Java IDP, to compensate.

Peter W.


---------------------

To allow IIS7 (via the shib_isapi handler) to invoke the NativeSP in "handler" mode (so Shib2 acts as a layer 5 protocol engine, rather than web-session middleware) and then support a trial generating a SAMLRequest using ECP and PAOS, I did the following:



1. in isapi src, alter code lines as follows:

    A  pair<bool,long> res = stf.getServiceProvider().doAuthentication(stf, true); // note true for 2nd parm

    B  dynabuf handlervar(256);   // define val as global, and have CRT static alloc space

    C  GetHeader(pn,pfc,"url",handlervar,256,false);  // add line to ShibTargetIsapiF constructor, after existing GetHeader(url). Fast hack to store inbound querystring as global char* in handlervar

    D  // The filter never processes the POST, so stub these methods.
       const char* getQueryString() const {
           return (char*)handlervar;   // implement using nasty hack, for use by CGIReader
           // throw IOException("getQueryString not implemented");  // comment away not implemented throw
       }



2. in isapi src, comment out any undesirable, "non protocol" features:

    g_Config->setFeatures(
        SPConfig::Listener |
        // SPConfig::Caching |             // disable caching support in library
        SPConfig::RequestMapping |
        SPConfig::InProcess |
        SPConfig::Logging |
        SPConfig::Handlers
        );


3. In a shibboleth2.xml SP config file generated by TestShib harness, ensure default SessionInitiator has (undocumented) attribute ECP="true":

   <SessionInitiator type="SAML2" Location="/TestShib" ECP="true"
   (note case sensitivity of ECP)

4. Invoke the trial using a tool like curl(1), using GET to induce the protocol run, where the providerId parameter is demonstrably set to "none" to showcase the ECP scenario. Run-time mux/demux requirements for the trial varied by changing "TestShib" and applicationId=<val>. Invokes the protocol engine for layer 5 S-SDU/initiate, in raw mode.

   https://win8pw.rapattoni.local/Shibboleth.sso/TestShib?applicationId=default&providerId=none



5. Ensure the HTTP request has conforming request headers (taken verbatim from SAML2 documentation/latest errata):

   Accept: text/html; application/vnd.paos+xml
   PAOS: ver="urn:liberty:paos:2003-08" ; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"




Unless I missed some of my code hacks, this produces a trial as follows. Since this is the first time in 12 months of trying with 3 Windows products that I've got this far with ECP, I'm pretty happy with Shib2! Thanks!


GET /Shibboleth.sso/TestShib?applicationId=default&providerId=none HTTP/1.1
Accept-Language: en-us,en-securid
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)
Connection: Keep-Alive
Host: win8pw.rapattoni.local
Accept: text/html; application/vnd.paos+xml
PAOS: ver="urn:liberty:paos:2003-08" ; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Content-Type: application/vnd.paos+xml
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 26 Apr 2008 22:30:38 GMT
Connection: close
Content-Length: 1515
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header><paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" responseConsumerURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/><ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer><samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:IDPEntry ProviderID="none"/></samlp:IDPList></ecp:Request><ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/></S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP" ID="_f5c9b87a8863ad2f94c7be25b5522cc3" IssueInstant="2008-04-26T22:30:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/><samlp:Scoping><samlp:IDPList><samlp:IDPEntry ProviderID="none"/></samlp:IDPList></samlp:Scoping></samlp:AuthnRequest></S:Body></S:Envelope>
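The following is an added example, not code from the mail above or from the Shibboleth project. It takes the request headers from step 5 and the PAOS envelope from the capture (both copied verbatim, the envelope only re-wrapped between tags) and runs the checks a reviewer of such a trial would want: that the client really advertised ECP before the SP answered with a PAOS body, that the paos:Request carries mustUnderstand and the ECP service URN, that the AuthnRequest asks for the PAOS binding, and that the SP's responseConsumerURL agrees with its AssertionConsumerServiceURL. In a live ECP run the client compares responseConsumerURL against the AssertionConsumerServiceURL the IdP returns in its ecp:Response header and raises a SOAP fault on mismatch; here the same comparison is made on the SP's own message as a consistency check. The function names are this example's own.

```python
"""Added example (not from the mail or the Shibboleth project): defender-side
checks over the ECP/PAOS trial captured above."""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS_NS = "urn:liberty:paos:2003-08"
ECP_NS = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Request headers exactly as sent in the captured trial (step 5 of the mail).
SAMPLE_REQUEST_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08" ; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# The 200 OK body from the capture, re-wrapped between tags for readability.
SAMPLE_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
 S:mustUnderstand="1" responseConsumerURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"
 service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
<ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer>
<samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:IDPEntry ProviderID="none"/></samlp:IDPList>
</ecp:Request>
<ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/>
</S:Header><S:Body>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 AssertionConsumerServiceURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"
 ID="_f5c9b87a8863ad2f94c7be25b5522cc3" IssueInstant="2008-04-26T22:30:38Z"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"/>
<samlp:Scoping><samlp:IDPList><samlp:IDPEntry ProviderID="none"/></samlp:IDPList></samlp:Scoping>
</samlp:AuthnRequest></S:Body></S:Envelope>"""


def is_ecp_client(headers):
    """Step 5 check: an SP should only answer with a PAOS envelope when the
    client advertises the PAOS media type in Accept *and* the ECP service in
    the PAOS header. The capture separates Accept values with ';' where HTTP
    uses ',', so both separators are tolerated here."""
    accept_tokens = [t.strip() for t in re.split(r"[,;]", headers.get("Accept", ""))]
    paos = headers.get("PAOS", "")
    return ("application/vnd.paos+xml" in accept_tokens
            and re.search(r'ver="urn:liberty:paos:2003-08"', paos) is not None
            and f'"{ECP_NS}"' in paos)


def check_paos_envelope(xml_text):
    """Parse the SP's PAOS request and report the properties an ECP client
    (or a reviewer of the capture) verifies before forwarding the AuthnRequest
    to the IdP. Raises ValueError if the mandatory parts are missing."""
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP_NS}}}Header")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if header is None or body is None:
        raise ValueError("not a SOAP envelope with Header and Body")
    paos_req = header.find(f"{{{PAOS_NS}}}Request")
    ecp_req = header.find(f"{{{ECP_NS}}}Request")
    authn = body.find(f"{{{SAMLP_NS}}}AuthnRequest")
    if paos_req is None or ecp_req is None or authn is None:
        raise ValueError("missing paos:Request, ecp:Request or samlp:AuthnRequest")
    rcu = paos_req.get("responseConsumerURL", "")
    acs = authn.get("AssertionConsumerServiceURL", "")
    return {
        "must_understand": paos_req.get(f"{{{SOAP_NS}}}mustUnderstand") == "1",
        "service_ok": paos_req.get("service") == ECP_NS,
        "binding_ok": authn.get("ProtocolBinding") == PAOS_BINDING,
        # The ECP client later compares responseConsumerURL with the ACS URL
        # the IdP echoes in ecp:Response; a mismatch means the message was
        # altered in transit and must end in a SOAP fault, not a delivery.
        "consumer_urls_match": rcu == acs,
        # In the capture both URLs are plain http://, so the IdP's response
        # would reach the SP unencrypted; flag it for the deployer.
        "consumer_url_https": rcu.lower().startswith("https://"),
        "idp_list": [e.get("ProviderID") for e in ecp_req.iter(f"{{{SAMLP_NS}}}IDPEntry")],
    }


if __name__ == "__main__":
    print("ECP-capable client:", is_ecp_client(SAMPLE_REQUEST_HEADERS))
    for name, value in check_paos_envelope(SAMPLE_ENVELOPE).items():
        print(f"{name}: {value}")
```

Run against the capture, every check passes except consumer_url_https, which is false because the trial SP advertises an http:// consumer URL; the idp_list of ["none"] is the providerId=none from the step 4 URL showing up in both the ecp:Request IDPList and the AuthnRequest Scoping.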

_________________________
Peter Williams
Chief Information Security Officer
Mobile (805) 416-6305



From: Peter Williams
Sent: Sat 4/26/2008 1:11 PM
To: shibboleth-users at internet2.edu
Subject: RE: TestShib not responding to ACSURL


I've moved on in my experiment (changing Shib2 code to suit), hopefully exploiting a response on a different thread. It noted that one can initiate a (SAML2) protocol handler using URIs of the form: