ibmi-brunch-learn

Announcement

Collapse
No announcement yet.

How can I create an XML Digital Signature for use with in a SAML 2.0 Single Sign On?

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    How can I create an XML Digital Signature for use with in a SAML 2.0 Single Sign On?

    I have the need to provide a link on a secure portion of our company web site that will enable employees to directly and seamlessly link and log-in to a purchased Software as a Service medical services partner. The trading partner uses SAML 2.0 for their implementation of Single Sign-on to their application. The HTML needed to implement this uses a <FORM> statement with the employee unique credentials passed as XML document in a parameter of the <FORM> statement.

    I generate the employee specific XML document in RPG, it is translated to ASCII and encoded in BASE64. My problem is with the creation of the data unique XML digital signature. The specifics are documented at www.w3.org/TR/2015/NOTE-xmldsig-core2-20150723/#sec-CoreSyntax in 3.2 XML Signature 2.0 Conformance and 4.1 Signature Generation. A helpful description can also be found in An Introduction to XML Digital Signatures at www.xml.com/pub/a/2001/08/08/xmldsig.html.

    I?ve been thinking I can create key and signature using the IBM i 7.1 Cryptographic Services ?Qc3? APIs (such as Qc3EncryptData, Qc3EncryptWithMAC, Qc3GenPKAKeyPair). But I?m not actually sure if this will work.

    Is there anyone that has successfully done this from RPG on an IBM i? I?m currently running version 7.1.

    Please help if you can.

    Thank you.
    David Patten
    i5/Guy
    Tags: qc3, qc3endryptdata, rpg, saml 2.0, xml digital signature
  • #2
    Re: How can I create an XML Digital Signature for use with in a SAML 2.0 Single Sign

    I have not coded to the SAML 2.0 spec... I don't have time to read all of the docs you link to thoroughly, but a quick glance shows that it's basically just creating an SHA-1 hash and putting it into an XML document with a particular format. If that's all it is, this should be easy enough to do. I've used the Qc3CalculateHash() API many times for an SHA-1 hash in the past (not recently, though, as SHA-1 is no longer considered secure) so this should be easy enough to do...

    Comment

    • #3
      Re: How can I create an XML Digital Signature for use with in a SAML 2.0 Single Sign

      Scott, thank you for your encouraging reply. I?ve loosely assembled a plan of action and ask for your opinion (as well as that of others), criticism and correction.

      I?ve struggled trying to determine what the specifications means by terms ?Public? and ?Private? keys. I?ve now established a supposition, which is:
      • The ?Public key? is a digital certificate generated through a 3rd party Certificate Authority (such as Symantec/VeriSign).
      • The ?Private Key? is a hash of the digital certificate (public key).

      My proposed approach

      1. I will generate the sender?s Private Key (Hash) by running the sender?s digital certificate through the Qc3CalculateMAC() or Qc3CalculateHMAC() API. I?m not sure which API is appropriate for my needs. The output will become the < KeyInfo > value within the < Signature > element.
      2. Then I?ll use the Qc3CalculateSignature() API to create the actual XML Digital Signature.
        • Input data parameter will contain the entire contents of the < SignedInfo > element.
        • Key Description will be the value previously created using the Qc3CalculateMAC() or Qc3CalculateHMAC() API.
        • I?m not sure how to load the other parameters. I?m sure that will take repeated trial and error to get this to work.

      How does this sound to you (anyone)?
      Please point out any obvious flaws in my logic. I?ve spent enough time playing with this that I can accept the embarrassment if it moves me closer toward the final solution.

      Concern/Doubt
      Will step one create a truly private key? It seems that an imposter could duplicate this action. But how can I create this unshared private key that will allow the receiver to verify the signature by using only the senders public key? See the fourth quote listed below to determine if my interpretation is based on my tendency of ?smoking my socks.?

      Here?s a small part of what I read that led me to my conclusions:
      ?Public key cryptography allows users of an insecure network, like the Internet, to exchange data with confidence that it will be neither modified nor inappropriately accessed. This is accomplished through a transformation of the data according to an algorithm parameterized by a pair of numbers -- the so-called public and private keys. Each participant in the exchange has such a pair of keys. They make the public key freely available to anyone wishing to communicate with them, and they keep the other key private and protected. Although the keys are mathematically related, if the cryptosystem has been designed and implemented securely, it is computationally infeasible to derive the private key from knowledge of the public key.?
      And,
      ?To create a digital signature for a message, the data to be signed is transformed by an algorithm that takes as input the private key of the sender. Because a transformation determined by the sender's private key can only be undone if the reverse transform takes as a parameter the sender's public key?. If the data can be verified using the sender's public key, then it must have been signed using the corresponding private key (to which only the sender should have access).?
      My understanding is that the public certificate is
      ?? A certificate, issued by a Certification Authority, is an assertion of the validity of the binding between the certificate's subject and her public key such that other users can be confident that the public key does indeed correspond to the subject who claims it as her own.?
      And a snippet more,
      ?? the entire message data is typically not itself transformed directly with the private key. Instead a small unique thumbprint of the document, called a ?hash? or ?digest?, is transformed?. by transforming the hash with their private key, the sender also allows the recipient to verify that it was indeed the sender that performed the transformation (because the recipient was able to use the sender's public key to "undo" the transformation). The hash of a document, transformed with the sender's private key, thereby acts as a digital signature for that document and can be transmitted openly along with the document to the recipient. The recipient verifies the signature by taking a hash of the message and inputting it to a verification algorithm along with the signature that accompanied the message and the sender's public key. If the result is successful, the recipient can be confident of both the authenticity and integrity of the message.?

      Quotes and primary recent study resources:

      David Patten
      i5/Guy

      Comment

      • #4
        Re: How can I create an XML Digital Signature for use with in a SAML 2.0 Single Sign

        Hey forum, hey David,

        have you been successful? I'm just facing the similar problem to have an XML document digitally signed to communicate with a SOAP web service. They demand a digital signature according to the WS Security standard.
        So I read about creating a hash/digest according to SHA-1 standards -- which shouldn't be a big probem, I think. But first you have to perform "c14n" with the document, i.e. XML Canonicalization to transform the document into a defined form as described in http://www.w3.org/2001/10/xml-exc-c14n#.

        There is a C library called libxml2 which contains c14n stuff and there are header files for RPG on github, but I don't know how to get started.

        As a workaround I think I could build a c14n-ed XML body template with placeholders for the actual data on a PC using an external tool. Then place it in the IFS, replace placeholders by my data and create an sha-1 hash from this using RPG. And then put the data in my actual SOAP document. Nevertheless, I don't think this would be a desirable solution.

        Markus

        Comment

        • #5
          Re: How can I create an XML Digital Signature for use with in a SAML 2.0 Single Sign

          We finally did reach 100% success, but not using the method I originally attempted. We sort of started over with an entirely new plan. A team member devised a way to accomplish SSO using SimpleSAMLphp (www.SimpleSAMLphp.org) running on Zend Server. The production HTML environment forced upon us for this project is not running on Zend or PHP. It is running on an HTML server called Strategi by Advanced Business Link (nothing you want to look at).

          Here?s how we got the magic to work for us
          • A user has already logged into Strategi HTML hosted page using their credentials. On this secure page I?ve placed a link (logo) the user can click on to access their information on the service provider?s system.
          • When the user clicks the link on the Strategi HTML hosted page I create a unique record in the DB2 database on the IBM i server. This unique record contains all the identity credential information, as well as an expiration timestamp, needed for the Single Sign On (SSO) to the service provider?s system. This DB2 record has a unique serial number as a record key. The serial number is tacked onto the end of the URL link as a parameter.
          Example values:
          Strategi HTML server running on IBM i url:
          Code:
          https://[URL="http://www.mycompany.com/"]www.mycompany.com[/URL]
          SimpleSAML running Zend server on same IBM i URL:
          Code:
          samlserver.mycompany.com
          URL to destination service provider:
          Code:
          us.ServiceProvider.com:saml2.0
          DB2 record key:
          Code:
          [B]123456789
[/B]
          The assembled URL with parameters looks like this:

          HTML Code:
          http://samlserver.mycompany.com/simplesaml/saml2/idp/SSOService.php?spentityid=us.ServiceProvider.com:saml2.0&sid=123456789
          • The rest of the work occurs on the same IBM i server (but a different IP address) when SimpleSAMLphp server running on Zend Server receives the request with the destination server URL and the DB2 record key that were passed as parameters in the URL. The SimpleSAML PHP script retrieves the authentication data from DB2 database record using SQL. The expiration timestamp is checked and if not expired performs the SAML SSO authentication with the destination service provider. Upon successful authentication the user?s browser session is seamlessly logged into the service provider. If authentication failed, the user?s is presented with the login page to the service provider?s web site. All communication is now occurring directly between the user?s browser and the service provider?s web server.


          Everything on our end (Strategi HTML server, Zend Server and the PHP stuff) is all running on the same IBM i server in a single partition. Performance is acceptable and has been completely stable. We did 2-3 months of internal testing before going live. We are 4-5 weeks into production use now. What a journey.
          David Patten
          i5/Guy

          Comment

          Previous template Next
          Working...
          X