SHA-2 Compatibility Sample Code

The code on this page shows how to test a SAML2 SP for SHA-2 compatibility using bash.

Suppose you have an account on a Shib 2 IdP that supports HTTP Basic Authentication, and further assume that unsolicited SSO has been enabled at the IdP. Using this setup, the goal is to simulate SAML2 Web Browser SSO using a command-line tool such as curl.

First we need a curl config file containing the login credentials and, if the IdP's browser-facing SSL/TLS certificate is self-signed, the path to that certificate so curl can verify it:

$ curl_config_file=~/sha2/.curlrc_vt.edu

$ /bin/cat $curl_config_file
# --- beg curl config file ---
#
# authentication options
# (curl defaults to HTTP basic auth)
#
user = "USERNAME:PASSWORD"
#
# SSL/TLS options
# (only needed for self-signed, browser-facing SSL/TLS certs)
#
cacert = "/path/to/self-signed/cert.pem"
#
# --- end curl config file ---

Using Self-Signed Server Certs

The cacert option shown above is only necessary if the IdP uses a self-signed, browser-facing SSL/TLS certificate; it tells curl to trust that certificate for the connection. Do not fall back on curl's --insecure (-k) option instead, since that disables server certificate verification altogether. For best results, use OpenSSL to generate the self-signed certificate. Some self-signed server certificates (such as those created with IIS 7) will not validate with all versions of curl.

To obtain a SAML2 response from a Shibboleth IdP, four round trips are required. The first three requests result in redirects. In each case, follow the URL in the redirect response, as in the example below:

$ cookie_jar_file=/tmp/cookie-jar.txt

# step 1: obtain initial security context from IdP; write cookies
$ unsolicited_sso_url=https://shib-test-sha1.middleware.vt.edu:8443/profile/SAML2/Unsolicited/SSO
$ /usr/bin/curl --verbose --cookie-jar $cookie_jar_file --config $curl_config_file $unsolicited_sso_url\?providerId=https%3A%2F%2Ffm.incommon.org%2Fsp

# step 2: follow redirect response (HTTP 302) from IdP; read cookies
$ shib_AuthnEngine_url=https://shib-test-sha1.middleware.vt.edu:8443/AuthnEngine
$ /usr/bin/curl --verbose --cookie $cookie_jar_file --config $curl_config_file $shib_AuthnEngine_url

# step 3: follow redirect response (HTTP 302) from IdP; read and write cookies
# the credentials in the config file are needed here (otherwise the IdP issues an HTTP 401 response)
$ shib_Authn_RemoteUser_url=https://shib-test-sha1.middleware.vt.edu:8443/Authn/RemoteUser
$ /usr/bin/curl --verbose --cookie $cookie_jar_file --cookie-jar $cookie_jar_file --config $curl_config_file $shib_Authn_RemoteUser_url

# step 4: follow redirect response (HTTP 302) from IdP; read and write cookies
$ /usr/bin/curl --verbose --cookie $cookie_jar_file --cookie-jar $cookie_jar_file --config $curl_config_file $unsolicited_sso_url

If all goes well, the above sequence results in an HTML page containing an HTML form which, in a browser, would be submitted (POSTed) to the SP automatically. Before we do that (using curl, of course), let's combine the four steps above into a single curl invocation by letting curl follow the redirects itself. Since every redirect stays on the IdP host, plain --location is enough: curl re-sends the Basic credentials only to the original host and would need --location-trusted to send them anywhere else:

$ /usr/bin/curl --verbose --cookie-jar $cookie_jar_file --cookie $cookie_jar_file --location --max-redirs 3 --config $curl_config_file $unsolicited_sso_url\?providerId=https%3A%2F%2Ffm.incommon.org%2Fsp

The result of the above command should be the same as the previous four commands, that is, the IdP will have issued an unsolicited SAML2 response.

Now that we have a good understanding of what's required on the IdP side, let's wrap the previous functionality in a couple of bash functions. While we're at it, let's extract and POST the SAML2 response to the SP. See the shell script attached to this wiki page for details.
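As an added example (this is not the attached test_function_lib.sh, whose functions the test sequence below calls), the bash below shows the two pieces such a script has to supply: extracting the hidden SAMLResponse and RelayState fields and the form action from the IdP's POST-binding page, and POSTing them to the SP with curl. It also decodes the SAMLResponse and reports the ds:SignatureMethod algorithm, which is worth checking so that a "SHA-2 compatible" result really rests on a SHA-256-signed response rather than on an IdP that was still signing with SHA-1. The SP URL, the RelayState value and the XML fragment are constructed sample data, not output from a real IdP; post_saml_form is the only function that touches the network and is not exercised by the sample run.

```shell
#!/usr/bin/env bash
# Added example (not the attached test_function_lib.sh): extract the SAML2
# POST-binding form produced by the IdP, confirm which signature algorithm
# the IdP actually used, and POST the form to the SP with curl.

# Print the value of the hidden input named $1 from the IdP's HTML form
# (read on stdin). Assumes the Shibboleth attribute order name="..." value="...".
form_field() {
    tr -d '\n' | sed -n 's/.*name="'"$1"'"[[:space:]]*value="\([^"]*\)".*/\1/p'
}

# Print the form's action URL (the SP's assertion consumer service),
# decoding the one HTML entity that commonly appears in URLs.
form_action() {
    tr -d '\n' | sed -n 's/.*<form[^>]*action="\([^"]*\)".*/\1/p' | sed 's/&amp;/\&/g'
}

# Decode the base64 SAMLResponse given as $1 and list the distinct
# ds:SignatureMethod algorithm URIs it contains (Response and/or Assertion).
saml_signature_algorithms() {
    printf '%s' "$1" | base64 -d | tr -d '\n' \
        | grep -o 'SignatureMethod[^>]*' \
        | sed -n 's/.*Algorithm="\([^"]*\)".*/\1/p' | sort -u
}

# Map a standard XML-DSig signature algorithm URI to its hash family.
hash_family() {
    case "$1" in
        'http://www.w3.org/2000/09/xmldsig#rsa-sha1')        echo sha1 ;;
        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') echo sha256 ;;
        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384') echo sha384 ;;
        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512') echo sha512 ;;
        *) echo unknown ;;
    esac
}

# POST the form saved in HTML file $1 to the SP, reusing curl config $2 for
# TLS options, and print the SP's response. Network step; not run below.
post_saml_form() {
    html_file=$1; curl_config=$2
    action=$(form_action < "$html_file")
    saml_response=$(form_field SAMLResponse < "$html_file")
    relay_state=$(form_field RelayState < "$html_file")
    /usr/bin/curl --silent --show-error --config "$curl_config" \
        --data-urlencode "SAMLResponse=$saml_response" \
        --data-urlencode "RelayState=$relay_state" \
        "$action"
}

# --- constructed sample input (hypothetical SP URL; not a real IdP response) ---
sample_xml='<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc" Version="2.0">
<ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
</ds:SignedInfo></ds:Signature>
</saml2p:Response>'
sample_b64=$(printf '%s' "$sample_xml" | base64 | tr -d '\n')
sample_html_file=$(mktemp)
trap 'rm -f "$sample_html_file"' EXIT
cat > "$sample_html_file" <<EOF
<html><body onload="document.forms[0].submit()">
<form action="https://sp.example.org/Shibboleth.sso/SAML2/POST" method="post">
<input type="hidden" name="RelayState" value="cookie:1234"/>
<input type="hidden" name="SAMLResponse" value="$sample_b64"/>
<input type="submit" value="Continue"/>
</form></body></html>
EOF

alg=$(saml_signature_algorithms "$(form_field SAMLResponse < "$sample_html_file")")
echo "ACS URL:   $(form_action < "$sample_html_file")"
echo "Signature: $alg ($(hash_family "$alg"))"
```

Run as-is, the script prints the sample's ACS URL and the rsa-sha256 algorithm URI. To use it against a real SP, save the HTML produced by the combined curl command above to a file and call post_saml_form with that file and the same curl config file; run saml_signature_algorithms on the extracted SAMLResponse from each IdP first, so you know the SHA-1 and SHA-2 IdPs really signed with sha1 and sha256 respectively before comparing the SP's responses.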

This final test sequence assumes there are two IdPs, one that signs using SHA-1 and another IdP that signs using SHA-2. The exact requirements of these two IdPs are listed on the parent page of this wiki page.

# load the shell script attached to this page
$ source test_function_lib.sh

# IdP #1
$ SHA1_IDP_UNSOLICITED_SSO_URL=https://shib-test-sha1.middleware.vt.edu:8443/profile/SAML2/Unsolicited/SSO
$ SHA1_IDP_CURL_CONFIG_FILE=~/sha2/.curlrc_vt.edu

# IdP #2
$ SHA2_IDP_UNSOLICITED_SSO_URL=https://shib-test-sha2.middleware.vt.edu:8443/profile/SAML2/Unsolicited/SSO
$ SHA2_IDP_CURL_CONFIG_FILE=~/sha2/.curlrc_vt.edu

# temporary files
$ out_file_sha1=/tmp/http-response-sha1.txt
$ out_file_sha2=/tmp/http-response-sha2.txt

$ post_unsolicited_response $SHA1_IDP_UNSOLICITED_SSO_URL $SHA1_IDP_CURL_CONFIG_FILE > $out_file_sha1
$ echo $?
0
$ post_unsolicited_response $SHA2_IDP_UNSOLICITED_SSO_URL $SHA2_IDP_CURL_CONFIG_FILE > $out_file_sha2
$ echo $?
0

$ /usr/bin/cmp $out_file_sha1 $out_file_sha2

That last command should produce no output (and exit with status 0) because the two files are identical: the SP handled the SHA-1-signed and the SHA-2-signed response in the same way, which implies that the SP in question is SHA-2 compatible. Before drawing that conclusion, inspect one of the output files and confirm it is the SP's expected post-authentication response; two identical error pages would also compare equal. If the files differ, diff them to see whether the SP rejected the SHA-2 signature or the responses merely differ in a session-specific value.

Attachments

test_function_lib.sh: library functions used by the code on this page (modified Sep 10, 2013 by trscavo@internet2.edu)
sha-256-test.tgz (ZIP archive): VT scripts and config for testing all InC SPs (modified Sep 27, 2013 by Marvin S Addison)