Comments (6)
pederbl
commented on July 18, 2024
All of the standard Java SAML solutions that I have seen do support exc_c14n so it seems it may be widely used in SAML. E.g. the IdP that I use does canonicalize its xml with exc_c14n. So it would be really great if this support is added.
from ruby-saml.
pederbl
commented on July 18, 2024
I think ruby-saml should be made dependent on a Ruby library that has c extensions to xmlsec (http://www.aleksey.com/xmlsec/) instead of trying to fully implement the relevant parts of the XML Security specification. That would enable you to fully support XML Security with much less effort and fewer bugs. Unfortunately, there is no supported xmlsec library for Ruby. But, I think you could create that library and build partial support (initially with just one function: verify_xml), and end up saving a lot of effort.
Canonix doesn't support Exclusive XML Canonicalization 1.0 which is a standard algo for XML Security and thus SAML.
from ruby-saml.
stevenwilkin
commented on July 18, 2024
I've just modified ruby-saml to use xmlsec:
https://github.com/stevenwilkin/ruby-saml/tree/xmlsec
I've been working against an ADFS 2.0 identity provider and ruby-saml was falling over when verifying the response signatures.
A potential drawback to using xmlsec is that it requires a full certificate, not a fingerprint.
from ruby-saml.
curious-attempt-bunny
commented on July 18, 2024
Salesforce as an IdP use exc_c14n:
<ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transform xmlns:ds='http://www.w3.org/2000/09/xmldsig#' Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
<ds:Transform xmlns:ds='http://www.w3.org/2000/09/xmldsig#' Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'><ec:InclusiveNamespaces xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#' PrefixList='ds saml samlp xs'/></ds:Transform>
</ds:Transforms>
Stevenwilken's fork is well over a year old. Does anyone else have exc_c14n working?
from ruby-saml.
curious-attempt-bunny
commented on July 18, 2024
FYI Nokogiri appears to have support for the exc-c14n transform:
See XML::Node#canonicalize. http://nokogiri.org/Nokogiri/XML/Node.html#method-i-canonicalize
from ruby-saml.
stouset
commented on July 18, 2024
Canonicalization has been fixed in recent versions of ruby-saml. If you believe this issue persists, please explain further and reopen this issue. Thanks!
from ruby-saml.
Related Issues (20)
- Parse Remote Chooses POST over Redirect HOT 3
- Validate signature of published federation metadata HOT 3
- This project is currently not under active development HOT 5
- SAML Request signing broken due to `strip!` method HOT 7
- Add secure channel for security incident reporting
- Homepage in gemspec points to "Page not found"
- Update Readme how to use parser's options HOT 4
- Remove OneLogin namespace (in a major version upgrade) HOT 2
- Using ECDSA private key causes OpenSSL::PKey::RSAError
- ArgumentError: key must be 32 bytes HOT 2
- Link on Rubygems page is wrong
- ruby toolkit sample code has incorrect module name HOT 1
- Fun & games with AWS Identity center HOT 9
- Missing name id for valid SloLogoutrequest HOT 3
- Assertion Consumer Service URL vs Recipient HOT 2
- v2.1: Improve check_idp_cert_expiration behavior
- v2.1: Validate certificate vs private_key HOT 3
- POST binding should not use compression by default HOT 2
- How to pick which binding to use when parsing metadata? HOT 1
- Add `base64` gem dependency for Ruby 3.4 compatibility HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ruby-saml.