Details
- Improvement
- Status: Closed
- Minor
- Resolution: Implemented
- 1.3.0
- None
Description
Some IdPs and company guidelines require SAML authentication requests from a service provider to be signed and optionally encrypted. Guacamole's SAML module should be able to load an X.509 certificate and private key from a configuration parameter and use them to sign and encrypt requests.
SP metadata dummy:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://PointOfContactServer/sps/DummySP/saml20">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>... here goes Guacamole's certificate ...</X509Certificate>
                </X509Data>
            </KeyInfo>
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://PointOfContactServer/sps/DummySP/saml20/login" index="0" isDefault="true"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
Furthermore, IdP-initiated SAML should be supported (or documented, if it already works).
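Two details of the dummy metadata above are worth checking before an IdP is pointed at it: the encryption KeyDescriptor advertises the rsa-1_5 key transport, which XML Encryption 1.1 deprecates in favour of RSA-OAEP, and the SPSSODescriptor does not carry AuthnRequestsSigned="true", which is the attribute that tells the IdP to expect signed requests from this SP. The following script is an added example, not part of this issue or of Guacamole's SAML module: it parses SP metadata with the standard library, collects the published signing and encryption certificates, and reports both of those findings. The two metadata documents embedded in it are constructed (the first mirrors the dummy above with a placeholder certificate, the second is a hardened variant), and the rule that a KeyDescriptor without a use attribute serves both purposes follows the SAML metadata specification.

```python
"""Inspect SAML 2.0 SP metadata and report how its keys are declared."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# XML Encryption 1.1 deprecates RSA PKCS#1 v1.5 key transport in favour of RSA-OAEP.
WEAK_KEY_TRANSPORT = {"http://www.w3.org/2001/04/xmlenc#rsa-1_5"}

# Constructed sample: same shape as the dummy metadata in the issue, placeholder certificate.
PAGE_STYLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://PointOfContactServer/sps/DummySP/saml20">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIB...placeholder-certificate...</X509Certificate>
      </X509Data></KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIB...placeholder-certificate...</X509Certificate>
      </X509Data></KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://PointOfContactServer/sps/DummySP/saml20/login" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed hardened variant: signed requests declared, RSA-OAEP key transport.
HARDENED_METADATA = PAGE_STYLE_METADATA.replace(
    '<md:SPSSODescriptor ', '<md:SPSSODescriptor AuthnRequestsSigned="true" '
).replace("xmlenc#rsa-1_5", "xmlenc#rsa-oaep-mgf1p")


def inspect_sp_metadata(xml_text: str) -> dict:
    """Return entity ID, declared keys per use, and a list of findings for the SP."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document root is not an md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor present")

    report = {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "keys": {"signing": [], "encryption": []},
        "findings": [],
    }

    for kd in sp.findall("md:KeyDescriptor", NS):
        # Per SAML metadata, a KeyDescriptor without 'use' may serve both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        certs = [
            c.text.strip()
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if c.text and c.text.strip()
        ]
        algs = [e.get("Algorithm") for e in kd.findall("md:EncryptionMethod", NS)]
        for use in uses:
            report["keys"].setdefault(use, []).append(
                {"certs": certs, "encryption_methods": algs}
            )
        if not certs:
            report["findings"].append(
                "KeyDescriptor use=%s carries no X509Certificate" % "/".join(uses)
            )
        for alg in algs:
            if alg in WEAK_KEY_TRANSPORT:
                report["findings"].append(
                    "KeyDescriptor use=%s advertises deprecated key transport %s"
                    % ("/".join(uses), alg)
                )

    if report["keys"]["signing"] and not report["authn_requests_signed"]:
        report["findings"].append(
            "signing key published but AuthnRequestsSigned is not 'true'"
        )
    if not report["keys"]["signing"]:
        report["findings"].append(
            "no signing key published; the IdP cannot verify request signatures"
        )
    return report


if __name__ == "__main__":
    for label, doc in (("page-style", PAGE_STYLE_METADATA), ("hardened", HARDENED_METADATA)):
        result = inspect_sp_metadata(doc)
        print(label, result["entity_id"], "signed requests:", result["authn_requests_signed"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the page-style document the checker reports the deprecated key transport and the missing AuthnRequestsSigned declaration; the hardened variant produces no findings. The same function can be pointed at metadata exported by a real SP once certificates are loaded from configuration as the issue requests.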