mod_auth_saml: An Apache httpd auth module that does SAML SSO. No programming, just configure Apache, see recipe.
php_zxid: A PHP extension that wraps libzxid. Also supplied: zxid.php that implements SP in mod_php environment.
libzxidjni.so: A Java JNI extension that wraps libzxid. Also supplied: zxid.java that implements SP as a CGI script. zxidhlo.java demonstrates use under servlet engine, e.g. Tomcat.
Net::SAML: Perl module wrapping libzxid. Also zxid.pl example, implementing SP in mod_perl environment, is supplied.
libzxid: C library for SAML 2.0 federated Single Sign-On (SSO) and ID-WSF Web Services
Dependencies
To compile ZXID you need:
Platforms
ZXID is developed on ix86 Linux with POSIX as a goal, so any modern system should work. You will need GNU make. I use gcc-3.4.6 as a compiler, so others (such as gcc-4) may need minor tweaking.
Web Master: You want to enable SAML based Single Sign-On (SSO) to your web site? Use mod_auth_saml to federate your web site without any programming...
Just edit your Apache httpd.conf or hint your PHP or perl developer - see below.
PHP Developer: Use dl("php_zxid.so") to load the module for SAML 2.0 SSO...
The zxid_simple() API is fully usable, and we expect to soon add the WSC and WSP features that are already (Oct 2008) available for C. We support functionality roughly equivalent to perl Net::SAML. Both mod_php5 and php as CGI are supported. php4 should also work.
Java Developer: Use System.loadLibrary("zxidjni") to pull into your Java program the full SSO power of the ZXID...
The functionality supported is roughly equal to Net::SAML. Tested in Apache Tomcat environment.
Perl Developer: Use the Net::SAML module to integrate SSO to mod_perl application...
Given the direct perl support, this is easier than fully understanding the C interface. Both mod_perl and perl as CGI are supported.
Platform Developer: Integrate SAML based SSO to your web site tool or product so that your customers can enjoy SSO enabled web sites. ...
Study zxidhlo.c for examples and use libzxid.a to implement the functionality in your own program.
Identity Management hacker: You need some building blocks: you will study libzxid and add to it, contributing to the project.
ZXID Project has vastly more ambitious goals. See the ZXID Project chapter in documentation (PDF).
Conor Cahill of Intel (formerly AOL) said back in 2006:
IMNSHO, better go Liberty up front and have the confidence that you do not need to upgrade later - or run two parallel systems. The Liberty (or SAML 2.0) system is comprehensive and addresses every use case anyone has thought so far. The perceived complexity is really an implementation issue and not underlying property of the spec. Since we provide an implementation, the "complexity" is not customer problem.
In this space we host links to IdPs that work with ZXID and to ZXID test sites you can use to get a feel for yourself. There is no guarantee that these sites stay up:
Freely downloadable IdPs you can install and test against
Lasso: http://lasso.entrouvert.org/
ZXID aims at full stack implementation of all federated identity management and identity web services protocols. Initial goal is supporting SP role, followed by ID-WSF WSC and IdP roles. We aim at supporting US GSA E-Auth profile.
ZXID is lightweight, has a small footprint, and is implemented in C. It is suitable for both high performance and embedded applications. Scripting languages are supported using SWIG, including Perl, PHP and Java. The "full stack" nature of ZXID means it is self-contained and has minimal external library dependencies (see downloads).
Targeted Federated Identity Standards
SAML 2.0 (SP role 99% done)
SAML 1.1 (Assertion Consumer role 60% done)
Liberty ID-FF 1.2 (SP role 62% done)
WS-Federation 1.0 Basic Profile (Assertion Consumer role 40% done)
Targeted ID Web Services Standards
Liberty ID-WSF 2.0 (95% done)
Liberty ID-WSF 1.1 (40% done)
ZXID consists of C libraries. Some of these libraries are generated from schema grammar descriptions using a tool called xsd2sg.pl, part of Plaindoc distribution. Other libraries that express flows and processing rules are hand-written. The language bindings, other than C, are generated automatically using swig(1).
Beta. As of 0.25 (April 2008) the package is mature for doing SSO and other SP related tasks. It also supports perl and mod_perl by way of Net::SAML module, PHP5 (and php4) using php_zxid.so, as well as Java using libzxidjni.so. However it is still missing some essential functionality (e.g. signature generation).
mod_auth_saml and the WSC and WSP roles are still alpha grade.
So far we have
General SAML 2.0 encoding and decoding of messages in C
Net::SAML perl module that gives access to the C functionality
php_zxid.so extension for php5 (and php4) roughly equal to Net::SAML
libzxidjni.so extension for Java roughly equal to Net::SAML
SAML 2.0 metadata handling and support for well known location method
Specific logic for Single Sign-On and Federation using artifact and post profiles
Single logout, defederation, and NameID management
Some session management and ability to handle discovery bootstrap
SP role as a CGI written in C
SP role written in perl that works both in mod_perl and as a CGI
SP role written in php that works under apache mod_php5 (and possibly php4).
SP role written in Java
SP role written in shell script
SP role as Apache httpd auth module
Command line WSC testing tool
Discovery WSC role in C
ID-DAP WSC role in C
ID-HR-XML WSC and WSP
Encoders and decoders for
SAML 2.0 (most mature)
SAML 1.1
Liberty ID-FF 1.2
Liberty ID-WSF 1.1
Liberty ID-WSF 2.0
IdP, DS, and WSP functionality are slated for later (unless a volunteer steps forward).
Currently most documentation is maintained as an extensive README.zxid (PDF) file. This file details compilation, installing, configuring, and use. It is also distributed as part of the source code package.
I also encourage you to read the source, especially headers. Starting from c/zx-sa-data.h, zxid.h, zxid.c, and zxidsimp.c will be most instructive.
All the specifications supported by ZXID are freely available on the net. Try
Liberty Alliance: http://projectliberty.org/liberty/specifications__1
W3C
Official ZXID mailing list is zxid.user@lists.unh.edu
The archives can be seen at http://listproc.unh.edu/archives/zxid.user
Mail the author until we get bug tracking set up. Or volunteer.
We use CVS, but access needs to be manually configured and is not anonymous. If you contribute significantly, I will bother. Others can send patches (good way to show you are worthy of CVS access) to me. I've heard some mixed experiences about open source sites like sourceforge. If you run such a site and want to host ZXID Project, please contact me.
If you just always want the latest source: get the tar ball from the downloads section. Trust me, this is still so much in flux that only the tar ball snapshots are in any usable state. CVS access just to get latest source would be pointless.
The following companies provide consultancy and support contracts for ZXID:
zxid-0.32.tgz (4.4.2009, documentation fixes)
zxid-0.29.tgz (25.9.2008, mod_auth_saml fixes, more config options)
zxid-0.28.tgz (18.9.2008, bug fixes)
zxid-0.27.tgz (17.9.2008, build precheck)
zxid-0.26.tgz (9.5.2008, fixed Auto-CoT bug due to form field name conflict)
zxid-0.25.tgz (17.4.2008, SAML POST-SimpleSign binding, mod_auth_saml)
zxid-0.22.tgz (11.10.2007, Added log levels 1 and 2, Fixed Destination handling; Ensured preservation of whitespace in XML parsing and exc-xml-canon; Fixed alphabetization of attributes in exc-xml-canon; Added signing ArtifactResolve, Logout and MNI requests over SOAP; Improved handling of empty ns prefix for XML attributes; Print source IP to logs)
zxid-0.21.tgz (8.10.2007, bug fixes: Content-type header, SWIG related build problem for Net::SAML on RedHat, added cygwin target, fixed InclusiveNamespaces/@PrefixList)
zxid-0.20.tgz (1.10.2007, working towards GSA E-Auth requirements, EncryptedAssertions, EncryptedIDs, bug fixes)
zxid-0.19.tgz (11.8.2007, minor bug fixes, documentation)
zxid-0.18.tgz (17.7.2007, ID-HR-XML, WSF bug fixes)
zxid-0.17.tgz (6.3.2007, WSC development, bug fixes) This is a very stable release.
zxid-0.16.tgz (4.3.2007, WSC development, bug fixes)
zxid-0.15.tgz (23.2.2007, Tomcat bug fixes)
zxid-0.14.tgz (21.2.2007, Tomcat tutorial)
zxid-0.13.tgz (20.2.2007, clean up Java interface, Mac compile, bug fixes)
zxid-0.12.tgz (10.2.2007, WSF bootstrap handling, rework of session system, bug fixes)
zxid-0.11.tgz (1.2.2007, MinGW DLL fixes)
zxid-0.10.tgz (31.1.2007, MinGW DLL production works)
zxid-0.9.tgz (26.1.2007, fixed compilation, preliminary Windows support using MinGW)
zxid-0.8.tgz (16.1.2007, zxid_simple() API, logging, conf file, more signature support, JNI support)
zxid-0.7.tgz (15.10.2006, with digital signatures, improved PHP, mod_php, and mod_perl support)
zxid-0.6.tgz (18.9.2006, with PHP support, including mod_php)
zxid-0.5.tgz (15.9.2006, with encoders and decoders for ID-WSF and ID-FF)
zxid-0.4.tgz (4.9.2006, with mod_perl/Net::SAML SP)
zxid-0.3.tgz (first fully functional release)
Historic: zxid-0.2.tgz, zxid-0.1.tgz
Another directory where ZXID is featured: linuxlinks
Good collection of docs: http://polarssl.org/?page=docs (n.b. zxid does not yet support polarssl, but contributions are always welcome)