[ https://issues.apache.org/jira/browse/GUACAMOLE-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17449766#comment-17449766 ]
Mike Jumper commented on GUACAMOLE-1372:
----------------------------------------

Signing requests makes perfect sense, of course. However:

{quote}
Furthermore, IDP initiated SAML should be supported (or documented if it already works).
{quote}

Can you clarify (1) why you would consider this in scope for general support of signed SAML requests and (2) why you believe this needs to be supported overall? My understanding of IdP-initiated SAML is that it is not a recommended approach.

> SAML module should be able to encrypt and sign requests
> -------------------------------------------------------
>
>                 Key: GUACAMOLE-1372
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1372
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-saml
>    Affects Versions: 1.3.0
>            Reporter: Michael Böhm
>            Priority: Minor
>
> Some IDPs and companies' guidelines require SAML auth requests for a service
> provider to be signed and optionally encrypted. Guacamole's SAML module
> should be able to fetch an X509 certificate and private key from a config
> parameter and use this data to sign and encrypt requests.
>
> SP Metadata dummy:
> {{<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://PointOfContactServer/sps/DummySP/saml20">}}
> {{<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">}}
> {{<md:KeyDescriptor use="signing">}}
> {{<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">}}
> {{<X509Data>}}
> {{<X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>}}
> {{</X509Data>}}
> {{</KeyInfo>}}
> {{</md:KeyDescriptor>}}
> {{<md:KeyDescriptor use="encryption">}}
> {{<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">}}
> {{<X509Data>}}
> {{<X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>}}
> {{</X509Data>}}
> {{</KeyInfo>}}
> {{<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>}}
> {{</md:KeyDescriptor>}}
> {{<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>}}
> {{<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://PointOfContactServer/sps/DummySP/saml20/login" index="0" isDefault="true"/>}}
> {{</md:SPSSODescriptor>}}
> {{</md:EntityDescriptor>}}
>
> Furthermore, IDP initiated SAML should be supported (or documented if it
> already works).

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
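As an added example (not Guacamole's code and not part of the issue above), a Python check that audits SP metadata of the shape shown in the dummy: it confirms that the signing and encryption KeyDescriptors actually carry a certificate, flags the rsa-1_5 key-transport algorithm, which XML Encryption 1.1 discourages in favour of RSA-OAEP, and checks that the AssertionConsumerService location is HTTPS. The sample metadata is constructed from the dummy in the issue with a placeholder certificate; the function name and report layout are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# RSA PKCS#1 v1.5 key transport is discouraged by XML Encryption 1.1; RSA-OAEP is preferred.
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"

def audit_sp_metadata(xml_text):
    # Returns which key uses the SP declares plus a list of findings a reviewer should look at.
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    report = {"entity_id": root.get("entityID"), "signing": False,
              "encryption": False, "findings": []}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "")  # an absent 'use' attribute means the key serves both purposes
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            report["findings"].append(f"KeyDescriptor use={use!r} has no X509Certificate")
            continue
        if use in ("signing", ""):
            report["signing"] = True
        if use in ("encryption", ""):
            report["encryption"] = True
        for em in kd.findall("md:EncryptionMethod", NS):
            if em.get("Algorithm") == RSA_1_5:
                report["findings"].append("EncryptionMethod rsa-1_5 is discouraged; prefer RSA-OAEP")
    if not report["signing"]:
        report["findings"].append("no signing KeyDescriptor: IdP cannot verify signed AuthnRequests")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        if not acs.get("Location", "").startswith("https://"):
            report["findings"].append(f"AssertionConsumerService {acs.get('Location')} is not HTTPS")
    return report

# Constructed sample patterned on the dummy metadata in the issue; the certificate is a placeholder.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://PointOfContactServer/sps/DummySP/saml20">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-CERT</X509Certificate></X509Data></KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-CERT</X509Certificate></X509Data></KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://PointOfContactServer/sps/DummySP/saml20/login" index="0" isDefault="true"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""
```

Running `audit_sp_metadata(SAMPLE)` reports both key uses present and a single finding about rsa-1_5; removing the signing KeyDescriptor adds a finding that the IdP would have nothing to verify signed requests against.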