I’ve made a SAML2-related release of the IdP to address a vulnerability discovered by Andreas Mayer (Adolf Würth GmbH & Co. KG), Vladislav Mladenov, Marcus Niemietz and Joerg Schwenk of the Horst Görtz Institute for IT Security (Ruhr-University Bochum). The release addresses the case where the Assertion Consumer Service (ACS) URL and Binding are specified in the AuthnRequest but were not checked against metadata, which means the IdP could be talked into delivering its Response to whatever endpoint the request named. I’ve changed this so that WebBrowserSSOAuthHandler validates the requested ACS URL and Binding against the Service Provider’s metadata. Many thanks to Andreas and colleagues for the information.
The Guanxi IdP 2.2.6 release is available from GitHub.
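The check the release adds, as an added example written here rather than Guanxi’s own WebBrowserSSOAuthHandler code: the IdP reads the AssertionConsumerService endpoints registered in the SP’s metadata and only honours an AssertionConsumerServiceURL / ProtocolBinding pair from the AuthnRequest if it matches one of them; a request that names nothing gets the metadata default. The metadata, requests, entityID and URLs below are constructed for illustration, and the issuer and request-signature checks are assumed to happen before this call.

```python
"""Resolve the Assertion Consumer Service (ACS) endpoint for a SAML2
AuthnRequest, accepting only endpoints registered in the SP's metadata.

Added example, not Guanxi's own code. Metadata, requests and URLs are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
GOOD_ACS = "https://sp.example.org/guanxi/SAML2/POST"
ARTIFACT_ACS = "https://sp.example.org/guanxi/SAML2/Artifact"
ATTACKER_ACS = "https://attacker.example.net/collect"

# Constructed SP metadata registering two ACS endpoints (POST is the default).
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/guanxi">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="%s" Location="%s"/>
    <md:AssertionConsumerService index="1"
        Binding="%s" Location="%s"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % (POST_BINDING, GOOD_ACS, ARTIFACT_BINDING, ARTIFACT_ACS)


def authn_request(acs_url=None, binding=None):
    """Build a minimal constructed AuthnRequest with optional ACS attributes."""
    attrs = ""
    if acs_url is not None:
        attrs += ' AssertionConsumerServiceURL="%s"' % acs_url
    if binding is not None:
        attrs += ' ProtocolBinding="%s"' % binding
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_req1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z"'
            + attrs + "/>")


def registered_acs(metadata_xml):
    """Return (set of (Location, Binding) pairs, default pair) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    endpoints, default = set(), None
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        pair = (acs.get("Location"), acs.get("Binding"))
        endpoints.add(pair)
        # The first endpoint is the fallback default; an explicit isDefault wins.
        if default is None or acs.get("isDefault") == "true":
            default = pair
    if not endpoints:
        raise ValueError("SP metadata registers no AssertionConsumerService")
    return endpoints, default


def resolve_acs(authn_request_xml, metadata_xml):
    """Choose where the Response may be sent; raise ValueError on a mismatch.

    The unchecked behaviour the post describes amounts to returning the
    request's own AssertionConsumerServiceURL/ProtocolBinding as-is. Here
    anything the request names must match a registered endpoint.
    """
    endpoints, default = registered_acs(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if url is None and binding is None:
        return default
    matches = {(loc, b) for (loc, b) in endpoints
               if (url is None or loc == url) and (binding is None or b == binding)}
    if not matches:
        raise ValueError("requested ACS %r / %r is not in SP metadata" % (url, binding))
    # Prefer the default when it satisfies the request, else any registered match.
    return default if default in matches else min(matches)


def acs_allowed(authn_request_xml, metadata_xml):
    """Boolean form of resolve_acs for callers that only need accept/reject."""
    try:
        resolve_acs(authn_request_xml, metadata_xml)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(resolve_acs(authn_request(GOOD_ACS, POST_BINDING), SP_METADATA))
    print(acs_allowed(authn_request(ATTACKER_ACS, POST_BINDING), SP_METADATA))
```

Both halves of the pair matter: a registered URL combined with a binding the SP never registered for it is rejected too, since the Response would otherwise be delivered in a form that endpoint does not expect. AssertionConsumerServiceIndex, the other way a request can name an endpoint, is not handled here.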
Guanxi releases are pretty rare these days as I don’t really do much with the SP now, and moving to the ‘standard’ IdP is probably a good long-term move. However, I needed to make a Guanxi IdP release to cope with the new SAML2 attribute landscape.
Just a quickie Guard release to make it more flexible when embedded in applications. You can now pull the config from an explicit path or environment variable. You can download from GitHub or Sourceforge.
- Updated src/main/java/org/guanxi/sp/guard/GuardBase.java: the config file location can now be specified via an environment variable or an explicit path. Defaults to /WEB-INF/guanxi_sp_guard/config/guanxi-sp-guard.properties
- Updated src/main/webapp/WEB-INF/web.xml: added an optional configFile init-param to the Guanxi Resource Guard
I’ve made the latest Guanxi module releases for bug fixes, improvements and an update that addresses SAML signature wrapping attacks against the SP::Engine.
Files are available on github:
You can download it from Guanxi::SP::Engine@github.
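What the consuming side of a signature-wrapping defence has to establish, as an added example that is not Guanxi’s SP::Engine code: the Assertion the SP acts on must be the very element the enveloped signature’s Reference names, it must sit where the profile says it sits (a direct child of the Response, not parked under Extensions), and its ID must be unique in the document so the signature verifier and the consumer cannot resolve "#ID" to different elements. The cryptographic check itself (digest, SignatureValue, IdP key from metadata) is assumed to be done by an XML-DSig library on the same parsed tree; this block only enforces the structural binding that wrapping exploits. The sample Responses, IDs and the placeholder SignatureValue are constructed.

```python
"""Structural checks against XML Signature wrapping on a SAML2 Response.

Added example, not Guanxi's own code. Cryptographic signature verification
is assumed to be done separately; sample messages are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML_ASSERTION = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"


def assertion_xml(assertion_id, subject, signed, ref=None):
    """Constructed Assertion; the Signature contents are placeholders.
    `ref` lets a test point the Reference at some other ID."""
    sig = ""
    if signed:
        sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
               '<ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
               '<ds:SignatureValue>placeholder</ds:SignatureValue>'
               '</ds:Signature>' % (ref or assertion_id))
    return ('<saml:Assertion ID="%s" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">'
            '<saml:Issuer>https://idp.example.org/guanxi</saml:Issuer>%s'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '</saml:Assertion>' % (assertion_id, sig, subject))


def response_xml(body):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" '
            'Version="2.0" IssueInstant="2012-01-01T00:00:00Z">%s</samlp:Response>' % body)


# Honest response: one signed assertion, direct child of the Response.
LEGIT = response_xml(assertion_xml("_a1", "alice", signed=True))
# Wrapped: the signed assertion is parked under Extensions (its signature still
# verifies) and an unsigned attacker assertion sits where the SP looks.
WRAPPED = response_xml("<samlp:Extensions>" + assertion_xml("_a1", "alice", signed=True)
                       + "</samlp:Extensions>" + assertion_xml("_a2", "admin", signed=False))
# Wrapped with the ID reused so a naive "#_a1" lookup finds the fake one first.
SAME_ID = response_xml(assertion_xml("_a1", "admin", signed=False) + "<samlp:Extensions>"
                       + assertion_xml("_a1", "alice", signed=True) + "</samlp:Extensions>")
# Single assertion whose Signature references an ID that is not its own.
REF_MISMATCH = response_xml(assertion_xml("_a2", "admin", signed=True, ref="_a1"))


def consumed_assertion(response_xml_text):
    """Return the single Assertion the SP may trust, or raise ValueError."""
    root = ET.fromstring(response_xml_text)
    assertions = list(root.iter(SAML_ASSERTION))
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    # Must be a direct child of the Response, not hidden under Extensions etc.
    if not any(child is assertion for child in root):
        raise ValueError("Assertion is not a direct child of Response")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("Assertion carries no enveloped Signature")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + (assertion.get("ID") or ""):
        raise ValueError("Signature Reference does not cover this Assertion")
    # The referenced ID must be unique document-wide.
    dupes = [e for e in root.iter() if e.get("ID") == assertion.get("ID")]
    if len(dupes) != 1:
        raise ValueError("ID %r is not unique in the document" % assertion.get("ID"))
    return assertion


def subject_of(response_xml_text):
    """NameID of the trusted assertion (ValueError if the Response is rejected)."""
    return consumed_assertion(response_xml_text).find("saml:Subject/saml:NameID", NS).text


def is_rejected(response_xml_text):
    try:
        consumed_assertion(response_xml_text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(subject_of(LEGIT), is_rejected(WRAPPED), is_rejected(SAME_ID), is_rejected(REF_MISMATCH))
```

The "exactly one Assertion" rule is deliberately strict for the Web Browser SSO case; a deployment that legitimately receives several assertions per Response would instead apply the Reference and uniqueness checks to each one it consumes.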
This release adds the Internet2 Embedded Discovery Service user interface.
The 2.2.3 release supports Google Apps SSO. Download it from IdP@github.
Download from Sourceforge or GitHub.
A while ago, I migrated Guanxi to GitHub but for various reasons I haven’t been able to make a release, so I hedged my bets and kept the CVS repo going on Sourceforge at the same time, planning to make a decision when the time came to make a release. Well, the next release of the SP and IdP is imminent and it looks like my decision has been made much easier by Sourceforge themselves. After the recent hack, they’ve shut down CVS access and reset all passwords but, worryingly, they’re also phasing out CVS:
“We are also considering the end-of-life of the CVS service and hope to have user support in migrating CVS users to Subversion in coming months”
I’ve looked at Subversion for Guanxi before but it doesn’t support modules, which allow me to host all the Guanxi modules in one CVS repository (SP::Engine, SP::Guard, IdP etc). That’s why I decided to set up a Guanxi organisation on GitHub. I’ve also migrated the localhost tutorial to my own site, which I’ll make live fairly soon, once I’ve migrated the rest of the wiki content.
So it looks like I’ll be moving Guanxi to GitHub permanently and probably just use Sourceforge for official release downloads.
The Internet2 Embedded Discovery Service (EDS) was recently released in beta so I thought I’d plumb it into the Guanxi Service Provider. The install instructions are pretty simple and the JSON schema is here. You basically just copy the files to somewhere on your SP and then feed it JSON generated from the metadata the SP consumes as part of its normal duties, and Bob’s your uncle.
Embedding it in Guanxi was fairly simple since I had rejigged the profile handling into what is essentially a profile controller, the Generic Profile Service (GPS). Guards redirect to this when requesting federated access, so by inserting a new handler, SAML2DiscoveryProfileService, I could easily create a feedback loop that replays the Guard request populated with an entityID chosen by the user from the EDS.
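The "feed it JSON generated from the metadata" step, as an added example that is not Guanxi’s code: walk the federation metadata the SP already loads, keep only entities with an IDPSSODescriptor, and emit one DiscoFeed entry per IdP with display names taken from mdui:UIInfo, falling back to the Organization block. The field names (entityID, DisplayNames and Logos, each element carrying value and lang) are as I recall the EDS DiscoFeed format; check them against the JSON schema the post links to. The metadata below is constructed.

```python
"""Generate EDS DiscoFeed JSON from SAML2 metadata.

Added example, not Guanxi's own code. DiscoFeed field names are assumed
from the EDS documentation as recalled; metadata is constructed.
"""
import json
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
ENTITY_DESCRIPTOR = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed federation metadata: an IdP with MDUI, an IdP with only an
# Organization block, and an SP that must not appear in the feed.
METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
          <mdui:Logo height="32" width="32">https://idp.example.edu/logo.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/guanxi">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Example College</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Example College</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.example.ac.uk/</md:OrganizationURL>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/guanxi">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _localised(elements):
    return [{"value": e.text, "lang": e.get(XML_LANG, "en")} for e in elements]


def disco_feed(metadata_xml):
    """Return the list of DiscoFeed entries (one per IdP) as Python objects."""
    root = ET.fromstring(metadata_xml)
    feed = []
    # iter() also covers the case where the root is a single EntityDescriptor.
    for ed in root.iter(ENTITY_DESCRIPTOR):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and attribute authorities are not discovery targets
        entry = {"entityID": ed.get("entityID")}
        names, logos = [], []
        ui = idp.find("md:Extensions/mdui:UIInfo", NS)
        if ui is not None:
            names = _localised(ui.iterfind("mdui:DisplayName", NS))
            logos = [{"value": l.text, "height": l.get("height"), "width": l.get("width"),
                      "lang": l.get(XML_LANG, "en")} for l in ui.iterfind("mdui:Logo", NS)]
        if not names:
            names = _localised(ed.iterfind("md:Organization/md:OrganizationDisplayName", NS))
        if not names:
            names = [{"value": entry["entityID"], "lang": "en"}]  # last resort
        entry["DisplayNames"] = names
        if logos:
            entry["Logos"] = logos
        feed.append(entry)
    return feed


def disco_feed_json(metadata_xml):
    return json.dumps(disco_feed(metadata_xml), indent=2)


if __name__ == "__main__":
    print(disco_feed_json(METADATA))
```

Serving the output of disco_feed_json from the SP means the discovery list can only ever contain IdPs the SP already trusts through its metadata, which is the property you want from a discovery UI.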
When I built the SAML2 Web Browser SSO Profile into the Guanxi IdP and SP, I based the attribute release from the IdP on a specific profile, the X.500/LDAP Attribute Profile, which looks like this:
However, there’s another profile out there, the SAML2 Basic Attribute Profile, which looks like this:
The word on the street is that the former is the one to use, even though it’s just bloatware. I mean, why have so much crammed in there when all you want is the name and value of the attribute? Why not just use the Basic Attribute Profile? Turns out some SPs do use the Basic Attribute Profile, so I’m now adding support for it to the Guanxi IdP and SP.
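The difference between the two profiles, and what supporting both on each side comes down to, as an added example that is not Guanxi’s IdP or SP code: an emitter that writes the same attributes in either profile (the X.500/LDAP form with its urn:oid Name, uri NameFormat, x500:Encoding="LDAP" and xsi:type on each value, or the Basic form with just a name and values), and a consumer that reads both back into the same name-to-values map. The OID table is a small hypothetical registry holding two real eduPerson/LDAP OIDs; the attribute values are constructed.

```python
"""Emit and consume SAML2 attributes in the X.500/LDAP and Basic profiles.

Added example, not Guanxi's own code. The OID registry is a hypothetical
stand-in for whatever an IdP/SP deployment would use; values are constructed.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
X500_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Hypothetical registry: friendly name -> urn:oid Name used by the X.500 profile.
OIDS = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
}
FRIENDLY = {oid: name for name, oid in OIDS.items()}


def build_attribute_statement(attrs, profile):
    """Serialise {friendly_name: [values]} as a saml:AttributeStatement."""
    parts = ['<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
             'xmlns:x500="%s" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
             'xmlns:xsd="http://www.w3.org/2001/XMLSchema">' % X500_NS]
    for name, values in attrs.items():
        if profile == "x500":
            # X.500/LDAP profile: OID name, uri format, LDAP encoding, typed values.
            head = ('<saml:Attribute x500:Encoding="LDAP" NameFormat="%s" Name="%s" '
                    'FriendlyName="%s">' % (URI_FORMAT, OIDS[name], name))
            value = '<saml:AttributeValue xsi:type="xsd:string">%s</saml:AttributeValue>'
        elif profile == "basic":
            # Basic profile: just a name and untyped values.
            head = '<saml:Attribute NameFormat="%s" Name="%s">' % (BASIC_FORMAT, name)
            value = '<saml:AttributeValue>%s</saml:AttributeValue>'
        else:
            raise ValueError("unknown profile %r" % profile)
        parts.append(head + "".join(value % escape(v) for v in values) + "</saml:Attribute>")
    parts.append("</saml:AttributeStatement>")
    return "".join(parts)


def parse_attribute_statement(xml_text):
    """Return {friendly_name: [values]} whichever profile the IdP used."""
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.iterfind("saml:Attribute", NS):
        fmt = attr.get("NameFormat", UNSPECIFIED_FORMAT)  # spec default when absent
        name = attr.get("Name")
        if fmt == URI_FORMAT:
            # Map the OID back through the registry; fall back to FriendlyName.
            key = FRIENDLY.get(name) or attr.get("FriendlyName") or name
        elif fmt in (BASIC_FORMAT, UNSPECIFIED_FORMAT):
            key = name
        else:
            raise ValueError("unsupported NameFormat %r" % fmt)
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        result.setdefault(key, []).extend(values)
    return result


SAMPLE = {
    "eduPersonPrincipalName": ["alice@example.org"],
    "mail": ["alice@example.org", "a.smith@example.org"],
}

if __name__ == "__main__":
    for profile in ("x500", "basic"):
        xml_text = build_attribute_statement(SAMPLE, profile)
        print(xml_text)
        print(parse_attribute_statement(xml_text))
```

The SP side is the interesting one: keying on NameFormat rather than guessing from the Name means an IdP that sends urn:oid names in the Basic format, or friendly names with the uri format, is rejected or mapped deliberately instead of silently producing an attribute nobody asked for.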
 SAML2 Specifications
 SAML2 X.500/LDAP Attribute Profile [PDF]
 SAML2 Basic Attribute Profile [PDF]