o XML::Canonical or XML::CanonicalizeXML
XML-Signature Syntax and Processing <http://www.w3.org/TR/xmldsig-core/>
Google documentation on SSO and SAML <https://developers.google.com/google-apps/sso/saml_reference_implementation>
XML Security Library <http://www.aleksey.com/xmlsec/>
Creates a new object. All parameters needed to generate the signed XML later on must be supplied here; they are passed in as a hash reference.
The SAML request, still base64-encoded, just as retrieved from the GET request your user contacted you with (make sure that it is not URL-encoded, though).
The path to your private key that will be used to sign the response. Currently, only RSA and DSA keys without pass phrases are supported. NOTE: To handle DSA keys, the module Crypt::OpenSSL::DSA needs to be installed. However, it is not listed as a requirement in the Makefile for Google::SAML::Response, so make sure it really is installed before using DSA keys.
Your user's login name with Google.
Time to live: Number of seconds your response should be valid. Default is two minutes.
Generate the signed response XML and return it as a string.
The method does what the W3C tells us to do (<http://www.w3.org/TR/xmldsig-core/#sec-CoreGeneration>):
3.1.1 Reference Generation
For each data object being signed:
1. Apply the Transforms, as determined by the application, to the data object.
2. Calculate the digest value over the resulting data object.
3. Create a Reference element, including the (optional) identification of the data object, any (optional) transform elements, the digest algorithm and the DigestValue. (Note, it is the canonical form of these references that are signed in 3.1.2 and validated in 3.2.1.)
3.1.2 Signature Generation
1. Create SignedInfo element with SignatureMethod, CanonicalizationMethod and Reference(s).
2. Canonicalize and then calculate the SignatureValue over SignedInfo based on algorithms specified in SignedInfo.
This function will give you a complete HTML page that you can send to clients to have them redirected to Google. Note that former versions of this module also included a Content-Type HTTP header. This is no longer the case; you have to send a Content-Type: text/html header yourself, using whatever method your framework provides.
Hence the only required argument: the RelayState parameter from the user's GET request.
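The following is an added, stand-alone Python example; it is not code from Google::SAML::Response and does not reproduce the module's output byte for byte. It walks through the two W3C steps quoted above (3.1.1 reference generation, 3.1.2 signature generation) for a small constructed SAML response, verifies the result the way a relying party would, and then wraps the signed response in the kind of self-submitting HTML form the page function described above returns. It uses only the standard library: canonicalization is xml.etree.ElementTree.canonicalize, which implements Canonical XML 2.0 (and the algorithm URIs in the output say so), and the SignatureMethod is hmac-sha1, which xmldsig-core defines, so no RSA module is needed. The module itself emits Canonical XML 1.0 and signs with rsa-sha1 using the private key handed to new; the procedure is the same, only the algorithm URIs and the key differ. The response contents, the HMAC key, the login name, the acs_url and the RelayState value are constructed sample data.

```python
"""xmldsig-core 3.1.1 (reference generation) and 3.1.2 (signature generation)
over a SAML 2.0 Response, the matching verification, and the HTTP-POST form.
Stdlib only: ElementTree.canonicalize (Canonical XML 2.0) and hmac-sha1.
Added example, not code from Google::SAML::Response."""
import base64
import hashlib
import hmac
import html
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
C14N2 = "http://www.w3.org/2010/xml-c14n2"
ENVELOPED, HMAC_SHA1, SHA1 = DS + "enveloped-signature", DS + "hmac-sha1", DS + "sha1"

# Pin prefixes so XML re-serialized by ElementTree during verification
# canonicalizes to the same bytes the signer produced.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("", DS)

DEMO_KEY = b"constructed demo key, not a real credential"  # assumption


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def c14n(xml_text: str) -> bytes:
    return ET.canonicalize(xml_text, with_comments=False).encode("utf-8")


def build_response(response_id: str, login: str, signature: str = "") -> str:
    """Constructed minimal Response; ds:Signature belongs right after Issuer."""
    when = "2016-04-03T00:00:00Z"
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{response_id}" Version="2.0" IssueInstant="{when}">'
        f"<saml:Issuer>https://idp.example.org</saml:Issuer>{signature}"
        "<samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="{response_id}-a" Version="2.0" IssueInstant="{when}">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer><saml:Subject>"
        f"<saml:NameID>{html.escape(login)}</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


def reference_generation(unsigned_xml: str, response_id: str) -> str:
    """3.1.1: transforms, digest, Reference. Digesting the document before the
    Signature is inserted is exactly what the enveloped-signature transform
    yields when a verifier strips the Signature out again."""
    digest = hashlib.sha1(c14n(unsigned_xml)).digest()
    return (
        f'<Reference URI="#{response_id}"><Transforms>'
        f'<Transform Algorithm="{ENVELOPED}"/><Transform Algorithm="{C14N2}"/>'
        f'</Transforms><DigestMethod Algorithm="{SHA1}"/>'
        f"<DigestValue>{b64(digest)}</DigestValue></Reference>"
    )


def signature_generation(reference: str, key: bytes) -> str:
    """3.1.2: build SignedInfo, canonicalize it, sign the canonical bytes."""
    body = (f'<CanonicalizationMethod Algorithm="{C14N2}"/>'
            f'<SignatureMethod Algorithm="{HMAC_SHA1}"/>{reference}')
    # What is signed is SignedInfo as it will stand in the document, with the
    # xmldsig namespace in scope, after canonicalization: never the raw string.
    canonical_si = c14n(f'<SignedInfo xmlns="{DS}">{body}</SignedInfo>')
    mac = hmac.new(key, canonical_si, hashlib.sha1).digest()
    return (f'<Signature xmlns="{DS}"><SignedInfo>{body}</SignedInfo>'
            f"<SignatureValue>{b64(mac)}</SignatureValue></Signature>")


def sign_response(response_id: str, login: str, key: bytes) -> str:
    unsigned = build_response(response_id, login)
    reference = reference_generation(unsigned, response_id)
    return build_response(response_id, login, signature_generation(reference, key))


def verify_response(signed_xml: str, key: bytes) -> bool:
    """xmldsig-core 3.2: recompute digest and signature from the document."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    ref = si.find(f"{{{DS}}}Reference") if si is not None else None
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        return False  # no signature, or it does not cover the element we hold
    claimed_digest = (ref.findtext(f"{{{DS}}}DigestValue") or "").encode()
    claimed_mac = (sig.findtext(f"{{{DS}}}SignatureValue") or "").encode()
    si.tail = None  # serialize the element itself, not any trailing text
    canonical_si = c14n(ET.tostring(si, encoding="unicode"))
    root.remove(sig)  # the enveloped-signature transform
    digest = hashlib.sha1(c14n(ET.tostring(root, encoding="unicode"))).digest()
    mac = hmac.new(key, canonical_si, hashlib.sha1).digest()
    return (hmac.compare_digest(b64(digest).encode(), claimed_digest)
            and hmac.compare_digest(b64(mac).encode(), claimed_mac))


def post_form(signed_xml: str, relay_state: str, acs_url: str) -> str:
    """HTTP-POST binding page. RelayState arrived in the user's GET request,
    so it is attacker-controlled and must be HTML-escaped before echoing."""
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(acs_url)}">'
        f'<input type="hidden" name="SAMLResponse" value="{b64(signed_xml.encode())}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
        "</form></body></html>"
    )
```

Two points carry over to the real module. First, the bytes that get signed are the canonical form of SignedInfo as it sits inside the document, not the string you assembled; under the inclusive Canonical XML 1.0 that Google expects, that form also carries the namespace declarations in scope from the enclosing samlp:Response, which is exactly the kind of mismatch the debug output from xmlsec1 (see below) lets you spot. Second, anything echoed into the HTML page, RelayState included, comes straight from the user's request and has to be escaped for the attribute context it lands in.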
Coming up with a valid response to a SAML request is quite tricky. The simplest way is to use the xmlsec1 program distributed with the XML Security Library; Google seems to use that program itself. However, I wanted a perlish way of creating the response. The best way to test your computed response is against xmlsec1: if your response is stored in the file test.xml, you can simply do:
xmlsec1 --verify --store-references --store-signatures test.xml > debug.txt
This writes a file debug.txt with a lot of information; most importantly, it contains the canonical XML of the data covered by the Reference (your response, after the enveloped-signature transform) and of the SignedInfo element. If the canonical XML you computed for these two is not byte-for-byte identical to what xmlsec1 prints there, your response will not be valid.
This brings us to another issue: XML canonicalization. There are currently two modules on CPAN that promise to do the work for you: XML::CanonicalizeXML and XML::Canonical. Both can be used with Google::SAML::Response; the default is the former because it is much easier to install, although the latter's interface is much cleaner and more Perl-like.
XML::Canonical uses XML::GDOME, whose Makefile.PL begs to be hacked because it insists on the version of gdome that was available when Makefile.PL was written (2003), and even then it doesn't install without force. XML::CanonicalizeXML is much easier to install: you just need the libxml2 development files installed so that it compiles.
o Add support for encrypted keys
This module has a GitHub repository:
Manni Heumann (saml at lxxi dot org)
with the help of Jeremy Smith and Thiago Damasceno. Thank you!
Copyright (c) 2008-2013 Manni Heumann. All rights reserved.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
perl v5.20.3    GOOGLE::SAML::RESPONSE (3)    2016-04-03