Michael Böhm created GUACAMOLE-1372:
---------------------------------------

             Summary: SAML module should be able to encrypt and sign requests
                 Key: GUACAMOLE-1372
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1372
             Project: Guacamole
          Issue Type: Improvement
          Components: guacamole-auth-saml
    Affects Versions: 1.3.0
            Reporter: Michael Böhm


Some IdPs and company guidelines require SAML auth requests from a service 
provider to be signed and optionally encrypted. Guacamole's SAML module should 
be able to fetch an X.509 certificate and private key from a config parameter and 
use this data to sign and encrypt requests.

SP Metadata dummy:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://PointOfContactServer/sps/DummySP/saml20">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>
        </X509Data>
      </KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://PointOfContactServer/sps/DummySP/saml20/login" index="0"
        isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Furthermore, IdP-initiated SAML should be supported (or documented if it 
already works).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
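The following is an added example illustrating the two pieces the issue asks for: SP metadata that publishes a signing and encryption certificate, and an AuthnRequest signed with the matching private key. It is not Guacamole's code nor the java-saml library that guacamole-auth-saml builds on; it uses the third-party Python "cryptography" package and generates a throwaway self-signed SP certificate in place of the one Guacamole would load from configuration. The entity ID and ACS URL are taken from the dummy metadata above; the IdP SSO URL is an assumed placeholder. Two deliberate departures from the dummy: the encryption KeyDescriptor advertises rsa-oaep-mgf1p rather than rsa-1_5, since RSA PKCS#1 v1.5 key transport is deprecated in XML Encryption 1.1 and exposes a padding-oracle attack surface, and the request is signed for the HTTP-Redirect binding (signature over the URL-encoded query string) instead of an enveloped XML-DSig signature, which would need a canonicalization/xmlsec library. The IdP-side verifier is included to show the two checks that matter there: verify over the query string bytes exactly as received, and pin SigAlg so a downgrade is rejected.

```python
# Added example, not code from Guacamole or from java-saml. Assumes the
# third-party "cryptography" package. Entity ID / ACS URL come from the dummy
# metadata in the issue; IDP_SSO_URL is an assumed placeholder.
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

SP_ENTITY_ID = "https://PointOfContactServer/sps/DummySP/saml20"
ACS_URL = SP_ENTITY_ID + "/login"
IDP_SSO_URL = "https://idp.example.invalid/sso"  # assumed IdP endpoint
MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"  # chosen over rsa-1_5
for prefix, uri in (("md", MD), ("ds", DS), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)


def make_sp_keypair():
    """Self-signed SP certificate + key; Guacamole would load these from config."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "guacamole-sp")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert


def build_sp_metadata(cert):
    """SP EntityDescriptor publishing the certificate for signing and encryption."""
    cert_b64 = base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=SP_ENTITY_ID)
    sso = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", AuthnRequestsSigned="true",
                        WantAssertionsSigned="true", protocolSupportEnumeration=SAMLP)
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sso, f"{{{MD}}}KeyDescriptor", use=use)
        x509data = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509data, f"{{{DS}}}X509Certificate").text = cert_b64
        if use == "encryption":
            ET.SubElement(kd, f"{{{MD}}}EncryptionMethod", Algorithm=RSA_OAEP)
    ET.SubElement(sso, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=ACS_URL, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def build_authn_request():
    """Minimal SP-initiated AuthnRequest naming this SP as Issuer."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_" + uuid.uuid4().hex, Version="2.0",
                     IssueInstant=now, Destination=IDP_SSO_URL,
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                     AssertionConsumerServiceURL=ACS_URL)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def sign_redirect_query(authn_xml, key, relay_state=None):
    """SP side, HTTP-Redirect binding (SAML Bindings 3.4.4.1): raw DEFLATE, base64,
    URL-encode, then RSA-SHA256 over 'SAMLRequest=..[&RelayState=..]&SigAlg=..'."""
    deflater = zlib.compressobj(wbits=-15)  # -15: raw DEFLATE, no zlib header/trailer
    deflated = deflater.compress(authn_xml.encode()) + deflater.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode())]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", RSA_SHA256))
    signed_part = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    signature = key.sign(signed_part.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signed_part + "&Signature=" + quote(base64.b64encode(signature).decode(), safe="")


def verify_redirect_query(query, cert):
    """IdP side: verify over the query string exactly as received (never re-encoded)
    and pin SigAlg so a downgrade to a weaker algorithm is rejected."""
    parts = dict(p.split("=", 1) for p in query.split("&"))
    if unquote(parts.get("SigAlg", "")) != RSA_SHA256 or "Signature" not in parts:
        return False
    signed_part = "&".join(f"{k}={parts[k]}"
                           for k in ("SAMLRequest", "RelayState", "SigAlg") if k in parts)
    try:
        cert.public_key().verify(base64.b64decode(unquote(parts["Signature"])),
                                 signed_part.encode(), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return True


def decode_redirect_request(query):
    """Recover the AuthnRequest XML from a (verified) redirect query string."""
    saml_request = dict(p.split("=", 1) for p in query.split("&"))["SAMLRequest"]
    return zlib.decompress(base64.b64decode(unquote(saml_request)), -15).decode()


if __name__ == "__main__":
    key, cert = make_sp_keypair()
    print(build_sp_metadata(cert))
    query = sign_redirect_query(build_authn_request(), key, relay_state="/#/")
    print("signature valid:", verify_redirect_query(query, cert))
```

Note that the same certificate is advertised under both use="signing" and use="encryption", as in the dummy above; separate keys per use are cleaner for rotation but not required by the metadata schema. The signature here is RSASSA-PKCS1-v1_5 with SHA-256 (what xmldsig-more#rsa-sha256 denotes), which is unrelated to the rsa-1_5 key-transport algorithm avoided in the encryption KeyDescriptor.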
