Posted to issues@guacamole.apache.org by "bendemctl (Jira)" <ji...@apache.org> on 2023/05/31 14:05:00 UTC

[jira] [Commented] (GUACAMOLE-1372) SAML module should be able to encrypt and sign requests

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17727984#comment-17727984 ] 

bendemctl commented on GUACAMOLE-1372:
--------------------------------------

If I'm not mistaken, this is the same request as GUACAMOLE-1565. Came here to ask this.

Also related: is it possible to expose the SAML SP metadata so it's easy to exchange configuration (and thus, keys) between IdP and SP?

> SAML module should be able to encrypt and sign requests
> -------------------------------------------------------
>
>                 Key: GUACAMOLE-1372
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1372
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-saml
>    Affects Versions: 1.3.0
>            Reporter: Michael Böhm
>            Priority: Minor
>             Fix For: 1.6.0
>
>
> Some IDPs and company guidelines require SAML auth requests for a service provider to be signed and optionally encrypted. Guacamole's SAML module should be able to fetch an X509 certificate and private key from a config parameter and use this data to sign and encrypt requests.
>
> SP Metadata dummy:
>
>     <?xml version="1.0" encoding="UTF-8"?>
>     <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://PointOfContactServer/sps/DummySP/saml20">
>       <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>         <md:KeyDescriptor use="signing">
>           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <X509Data>
>               <X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>
>             </X509Data>
>           </KeyInfo>
>         </md:KeyDescriptor>
>         <md:KeyDescriptor use="encryption">
>           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <X509Data>
>               <X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>
>             </X509Data>
>           </KeyInfo>
>           <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>         </md:KeyDescriptor>
>         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://PointOfContactServer/sps/DummySP/saml20/login" index="0" isDefault="true"/>
>       </md:SPSSODescriptor>
>     </md:EntityDescriptor>
>
> Furthermore, IDP initiated SAML should be supported (or documented if it already works).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
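As an added example (not code from the Guacamole project or from anyone on this thread), the following Python builds the kind of SP metadata the comment asks to expose, advertising one PEM certificate under both a signing and an encryption KeyDescriptor, plus a small parser for the IdP side to check what it received. It assumes constructed placeholder values for the entity ID, ACS URL and certificate; it advertises rsa-oaep-mgf1p instead of the rsa-1_5 shown in the dummy metadata and sets AuthnRequestsSigned so the IdP knows to expect signed requests.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed placeholder, not a real certificate: only the PEM framing matters here.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBsampleBase64BodyLine1
MIIBsampleBase64BodyLine2
-----END CERTIFICATE-----"""


def pem_body(pem):
    """Return the base64 body of a PEM certificate without header, footer or line breaks."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))


def build_sp_metadata(entity_id, acs_url, cert_pem,
                      enc_alg="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"):
    """Build SAML 2.0 SP metadata with the same cert advertised for signing and encryption."""
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor",
                       AuthnRequestsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = pem_body(cert_pem)
        if use == "encryption":
            # Tell the IdP which key-transport algorithm the SP accepts for EncryptedAssertion.
            ET.SubElement(kd, f"{{{MD_NS}}}EncryptionMethod", Algorithm=enc_alg)
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def key_descriptors(metadata_xml):
    """IdP-side check: map each KeyDescriptor use to (cert_b64, encryption_algorithm or None)."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS_NS}}}X509Certificate").text
        enc = kd.find(f"{{{MD_NS}}}EncryptionMethod")
        result[kd.get("use")] = (cert, enc.get("Algorithm") if enc is not None else None)
    return result
```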