
Archive for webdev

ADFS2 is not always SAML 2.0 standards compliant

Now the madness with ADFS2 SAML assertions via WS-Trust 1.3 – and how they are not valid for use with Amazon Web Services (AWS).

lexx:saml$ aws sts assume-role-with-saml --role-arn $role --principal-arn $principal --saml-assertion $assertion
A client error (InvalidIdentityToken) occurred when calling the AssumeRoleWithSAML operation: Responses must contain SubjectConfirmatonData with a Recipient and NotOnOrAfter

This failed due to a missing Recipient attribute on the SubjectConfirmationData element. Of course, I can’t modify the assertion to add the missing Recipient, as the SAML token is signed:

lexx:saml$ aws sts assume-role-with-saml --role-arn $role --principal-arn $principal --saml-assertion $assertion
A client error (InvalidIdentityToken) occurred when calling the AssumeRoleWithSAML operation: Response signature invalid

The second failure is because I modified the assertion to add the missing attribute, but now the signature is invalid.

When you get an assertion from the ADFS Identity Provider via the IdP Web Landing Page, for AWS, the assertion includes a “recipient”:


When you ask for an assertion from the WS-Trust 1.3 endpoint; it is missing:


This seems to be a common problem with ADFS2, whereas ADFS1 did it correctly. It’s not just me.

In the original SAML 2.0 Core spec – line 725 – Recipient is an optional attribute of the SubjectConfirmationData element. However, subsequent errata for the specification, Errata 02 in May 2007, made it mandatory. Errata 05 still includes this requirement:

At least one bearer <SubjectConfirmation> element MUST contain a <SubjectConfirmationData> element that itself MUST contain a Recipient attribute containing the service provider’s assertion consumer service URL

Of course, Amazon adheres to the standard:

The value of the Recipient attribute inside the SubjectConfirmationData element must match the AWS endpoint (https://signin.aws.amazon.com/saml)
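The check AWS is applying, written out as an added example (not code from the post, from AWS or from ADFS): parse the assertion, find a bearer SubjectConfirmation, and require a Recipient equal to the AWS assertion consumer service URL plus a NotOnOrAfter that has not passed. The two sample assertions are constructed and unsigned; one mirrors what the IdP landing page issues, the other what the WS-Trust 1.3 endpoint issues, with the Recipient attribute absent. Issuer and NameID values are placeholders.

```python
"""Check a SAML 2.0 assertion against the SubjectConfirmationData rule that
AWS AssumeRoleWithSAML enforces: at least one bearer SubjectConfirmation must
carry a Recipient (the AWS ACS URL) and a NotOnOrAfter that has not passed.
Added example; the sample assertions below are constructed and unsigned."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
AWS_ACS = "https://signin.aws.amazon.com/saml"


def parse_saml_time(value):
    """Parse an xs:dateTime such as 2015-03-20T05:05:00Z (or with .123Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_bearer_confirmation(xml_text, expected_recipient=AWS_ACS, now=None):
    """Return [] if some bearer SubjectConfirmation satisfies the AWS rule,
    otherwise the list of problems found (one entry per failed condition)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)  # a bare Assertion or a Response wrapping one
    bearers = [c for c in root.findall(".//saml:SubjectConfirmation", NS)
               if c.get("Method") == BEARER]
    if not bearers:
        return ["no bearer SubjectConfirmation element"]
    problems = []
    for conf in bearers:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation has no SubjectConfirmationData")
            continue
        found = []
        recipient = data.get("Recipient")
        if recipient is None:
            found.append("SubjectConfirmationData is missing Recipient")
        elif recipient != expected_recipient:
            found.append(f"Recipient {recipient!r} is not {expected_recipient!r}")
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            found.append("SubjectConfirmationData is missing NotOnOrAfter")
        elif parse_saml_time(expiry) <= now:
            found.append(f"assertion is no longer valid (NotOnOrAfter={expiry})")
        if not found:
            return []  # one conforming bearer confirmation is enough
        problems.extend(found)
    return problems


def check_cli_assertion(b64_assertion, **kwargs):
    """The aws CLI takes the assertion base64-encoded (the $assertion above)."""
    return check_bearer_confirmation(base64.b64decode(b64_assertion).decode(), **kwargs)


def sample_assertion(recipient_attr):
    """Constructed, unsigned assertion; recipient_attr is '' or Recipient="..."."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_example" Version="2.0"
    IssueInstant="2015-03-20T05:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData {recipient_attr} NotOnOrAfter="2015-03-20T05:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


# What the ADFS IdP landing page issues (Recipient present) versus what the
# WS-Trust 1.3 endpoint issues (Recipient absent), as described in the post.
LANDING_PAGE_ASSERTION = sample_assertion(f'Recipient="{AWS_ACS}"')
WS_TRUST_ASSERTION = sample_assertion("")

if __name__ == "__main__":
    when = parse_saml_time("2015-03-20T05:01:00Z")
    print(check_bearer_confirmation(LANDING_PAGE_ASSERTION, now=when))
    print(check_bearer_confirmation(WS_TRUST_ASSERTION, now=when))
```

This only reproduces the structural check; it deliberately does no signature verification, which is the part that makes the missing attribute impossible to patch in by hand. Run it against a real base64 assertion with `check_cli_assertion` to see which condition AWS is going to reject before spending an API call.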

It seems that ADFS2 doesn’t provide valid SAML 2.0 assertions via the WS-Trust 1.3 endpoint. Since this has been the standard for almost 8 years, how can ADFS2 even claim to be standards-based?

Is SNI viable?

Traditionally, if one was to secure a web server using TLS (or previously, SSL), one would configure the web server to listen on TCP port 443 for TLS connections from clients (browsers). When a browser connects to the web server using HTTPS, the server encrypts the communications and all is well with the world.

A problem occurs when you use name-based virtual hosting on your web server. The server only learns which site the client wants, e.g. blah.com vs. blahblah.com, from the Host header inside the HTTP request, but with TLS it must present a certificate before that request can be decrypted, so it has no way to choose the right certificate for the virtual host. Enter stage left: Server Name Indication.

According to Wikipedia:

Server Name Indication is a feature that extends the SSL and TLS protocols. It permits the client to request the domain name before the certificate is committed to the server. This is essential for using TLS in virtual hosting mode.
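What the server actually sees, as an added example that is not part of the original post: a minimal parser that pulls the server_name extension out of a TLS ClientHello, plus the certificate selection a name-based virtual host would do with it. The ClientHello builder exists only to produce constructed test input (fixed random, two cipher suites); the certificate names and the vhost map are placeholders.

```python
"""Extract the SNI host name from a TLS ClientHello and pick a certificate for
the virtual host. Added example; the ClientHello bytes are constructed here."""
import struct


def build_client_hello(hostname=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    random = bytes(32)  # fixed client random; fine for exercising the parser
    ciphers = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_128_CBC_SHA, _256_
    body = (b"\x03\x03" + random + b"\x00"  # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")  # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name type
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(sni_list)) + sni_list  # type 0
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the
    client (e.g. Internet Explorer on Windows XP) did not send one."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32  # skip client_version and random
    pos += 1 + body[pos]  # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len  # cipher_suites
    pos += 1 + body[pos]  # compression_methods
    if pos >= len(body):
        return None  # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_body_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_body = body[pos:pos + ext_body_len]
        pos += ext_body_len
        if ext_type != 0:
            continue
        (list_len,) = struct.unpack("!H", ext_body[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = ext_body[p]
            (name_len,) = struct.unpack("!H", ext_body[p + 1:p + 3])
            p += 3
            name = ext_body[p:p + name_len]
            p += name_len
            if name_type == 0:  # host_name
                return name.decode("ascii")
    return None


def select_certificate(record, certificates, default):
    """Mirror a name-based vhost: serve the certificate for the requested name,
    and fall back to the default certificate for clients without SNI."""
    name = extract_sni(record)
    if name is None:
        return default
    return certificates.get(name.lower(), default)


if __name__ == "__main__":
    vhosts = {"blah.com": "blah.com.crt", "blahblah.com": "blahblah.com.crt"}
    for host in ("blah.com", "blahblah.com", None):
        hello = build_client_hello(host)
        print(host, "->", select_certificate(hello, vhosts, "default.crt"))
```

Two points worth noticing from the code: the host name is parsed straight out of the unencrypted ClientHello, so SNI reveals which site a client is visiting to anyone on the path; and a client that sends no extension gets the default certificate, which is the name-mismatch warning IE-on-XP users would see on the other virtual hosts.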

I’ve a need to use Server Name Indication (SNI) for some freelance IT work I perform, but colleagues shy away from SNI since Internet Explorer on Windows XP is unsupported.

Is this an issue? Are so many people still on Windows XP that it will diminish the security benefit of implementing SSL to secure the input of personal data?

One of the best places to determine OS usage trends in Australia would be from Google, but they don’t provide such data. Therefore I turn to another source of data: StatCounter. They have been providing stats to websites and business for well over 10 years, so their data should be viable.

Source: StatCounter Global Stats – OS Market Share


The chart above shows operating system usage for 2014 in Australia. Windows XP sits at 4 percent usage at the end of 2014. For an operating system that is now unsupported and four major versions old, it just shouldn’t be considered anymore.

Source: StatCounter Global Stats – Combine Chrome (all versions) & Firefox (5+) Market Share

The second chart shows browser usage statistics in 2014. Internet Explorer 6, which doesn’t support SNI, isn’t even on the chart anymore. Note that the limitation is in the TLS stack of Windows XP rather than in the browser version: Internet Explorer 7 and 8 on XP lack SNI as well, so the XP figure above is the one that matters.

Knowing the actual statistics, the usage of Internet Explorer 6 (or a lesser version) and Windows XP seems so minimal that SNI is a viable option; especially since it removes the need for a dedicated IP address per X.509 certificate on web front ends, and the cost that goes with it. What do you think?

PHP5 Zip Support on OpenBSD 4.5

This is a cheat sheet on getting PHP5 on OpenBSD to have zip support. I needed this to get CiviCRM to work with Joomla.

First, install some required packages, including the zziplib package:

export PKG_PATH=http://mirror.aarnet.edu.au/pub/OpenBSD/4.5/packages/i386/
pkg_add -v zziplib
pkg_add -v autoconf-2.62

Now download and extract the PECL zip package:

mkdir /usr/local/src/
cd /usr/local/src/
wget http://pecl.php.net/get/zip
tar zxvf zip
cd zip-1.10.2/

Compile PECL zip, making sure you set your correct autoconf to use:

export AUTOCONF_VERSION=2.62
phpize
./configure
make
make install

Finally, enable the extension in php.ini and restart httpd:

cat << EOF >> /var/www/conf/php.ini
extension=zip.so
EOF
sudo apachectl stop
sudo apachectl start

Of course, this will go stale over time as new releases and versions come out, so YMMV.

Tweet WordPress plugin v1.2 released


I’ve uploaded the initial public release, v1.2, of my simple Tweet plugin to the WordPress Plugin Repository. You can install the plugin by:

  • downloading it from http://wordpress.org/extend/plugins/tweet/ ; or
  • on a recent version of WordPress, v2.7 or above, following these steps:
    1. Log in to your WordPress dashboard
    2. Select the Plugins/Add New menu item
    3. Search for Author lantrix
    4. Click on the Install link for the Tweet plugin

If you need any assistance, you can leave a comment over on the dedicated page for the Tweet WordPress plugin for Twitter.

If you like the plugin, I’m happy to accept donations if that’s your thing.
