Release date: 21 November 2011
Release note
This release contains a security fix for a vulnerability found in the XML Encryption standard.
If a service provider reports distinguishable errors when a modified encrypted message fails to decrypt or to parse, an attacker who can submit such messages may be able to use the service provider as a decryption oracle and recover the plaintext of encrypted messages sent to it. The details of the attack can be found here:
http://dl.acm.org/citation.cfm?doid=2046707.2046756
Version 1.7.4 of OIOSAML.NET attempts to prevent this attack by hiding the details of errors from the end user. The full error details are still written to the log files.
For debugging and testing it is possible to show all error messages in the browser as before by enabling the following new setting in web.config. Leave it set to false in production, since exposing detailed errors re-opens the oracle the fix is meant to close.
<ShowError>[true|false]</ShowError>
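The following is an added example, not OIOSAML.NET code, that shows why per-failure error messages make the service provider an oracle and what the 1.7.4 behaviour (one generic message to the client, full detail to the log) changes. It is a simulation: the handler starts from the bytes that decryption would produce, a PKCS#7-style padding check stands in for the real decryption and padding steps, and the handler name, the `show_error` flag and the sample messages are all constructed for the example.

```python
"""
Added example (not OIOSAML.NET code): distinguishable decryption/parsing
errors as a decryption oracle, and the generic-error mitigation.

Simplification: the handler receives the bytes that CBC decryption would
produce. The oracle lives in what the SP does after decryption (padding
check, XML parsing), not in the cipher itself.
"""
import logging
import xml.etree.ElementTree as ET
from typing import List, Tuple

log = logging.getLogger("oiosaml-sp-example")
GENERIC_ERROR = "An error occurred while processing the SAML message."


class PaddingError(Exception):
    pass


class XmlError(Exception):
    pass


def pkcs7_unpad(data: bytes, block_size: int = 16) -> bytes:
    """Strip PKCS#7 padding; raise PaddingError on any inconsistency."""
    if not data or len(data) % block_size:
        raise PaddingError("length is not a multiple of the block size")
    pad = data[-1]
    if pad < 1 or pad > block_size or data[-pad:] != bytes([pad]) * pad:
        raise PaddingError("invalid PKCS#7 padding")
    return data[:-pad]


def parse_assertion(plaintext: bytes) -> str:
    """Parse the decrypted bytes as XML and return the root element's tag."""
    try:
        return ET.fromstring(plaintext).tag
    except ET.ParseError as e:
        raise XmlError(f"XML parse error: {e}") from e


def handle_decrypted(decrypted: bytes, show_error: bool) -> Tuple[int, str]:
    """
    Simulated SP handler (hypothetical name, not an OIOSAML.NET API).
    show_error=True: each failure class gets its own message, so an attacker
    submitting modified ciphertexts learns which check failed.
    show_error=False: every failure maps to one status and one message; the
    detail is logged for operators only.
    """
    try:
        root = parse_assertion(pkcs7_unpad(decrypted))
        return 200, f"OK: {root}"
    except (PaddingError, XmlError) as e:
        log.error("decryption/parsing failed: %s", e)  # full detail for the log
        if show_error:
            return 500, f"{type(e).__name__}: {e}"
        return 500, GENERIC_ERROR


def distinguishable_responses(samples: List[bytes], show_error: bool) -> int:
    """Number of distinct client-visible responses for the given inputs.
    More than one response across failing inputs means the SP is an oracle."""
    return len({handle_decrypted(s, show_error) for s in samples})


def _pad(b: bytes, block_size: int = 16) -> bytes:
    n = block_size - len(b) % block_size
    return b + bytes([n]) * n


# Constructed sample messages: one well-formed, one with broken padding, one
# with valid padding but content that does not parse (what a tampered
# ciphertext block typically yields after decryption).
VALID = _pad(b"<Assertion/>")
BAD_PADDING = VALID[:-1] + b"\x00"
NOT_XML = _pad(b"<Assertion")  # unclosed tag -> parse error
FAILING = [BAD_PADDING, NOT_XML]

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for flag in (True, False):
        n = distinguishable_responses(FAILING, flag)
        print(f"ShowError={flag}: {n} distinct error response(s) visible to the client")
```

Run it and the detailed mode yields two distinct error responses for the two failing inputs while the generic mode yields one. Two caveats a practitioner should keep in mind: uniform messages only narrow the oracle, because the padding check fails before parsing starts and the timing difference remains observable; and the attack described in the paper is ultimately possible because CBC-mode XML Encryption has no integrity protection, so uniform errors are a mitigation, not a replacement for authenticated encryption or a signature over the ciphertext.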
Hello everybody,
I am trying to run the sample of OIOSAML.NET. The first time it was successful, but now it always fails with this error (in IdPDemo):
Unexpected node type Element. ReadElementString method can only be called on elements with simple or empty content. Line 4, position 6. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Xml.XmlException: Unexpected node type Element. ReadElementString method can only be called on elements with simple or empty content. Line 4, position 6.
and I don't see any IdP in the SPDemo.
Please help me with this problem.
Regards,
Cong
Hi Cong
You don't give me much to guess from :-). Have you enabled full logging in both SP and IdP as described in section "13.1 Enabling debug logging" in the OIOSAML.NET 1.7.4 documentation?
Best regards
Brian Nielsen
I am curious to know if OIOSAML.NET will become obsolete when Windows Identity Foundation (WIF) eventually provides SAML2 support? (It has been in CTP since May 2011.)
I have read that it also contains a DemoIdP i.e. similar test support as OIOSAML.NET.
On Stack Overflow a developer recommends WIF over OIOSAML.NET:
http://stackoverflow.com/questions/428599/opensso-or-esoe-for-net
Since I have not tried out WIF yet, I am curious to know the pros/cons of WIF vs OIOSAML.NET.
Of course this is speculation. But any thoughts?
Regards Jesper
We are in a situation where we want to make an Internal IdP/STS for our own websites.
Since we are familiar with OIOSAML.NET it would be obvious to start the code with the DemoIdP from this framework.
But the document Net SAML2 Service Provider Framework.pdf states very explicitly that: "It should not be used as a permanent substitute for at real identity provider in a development environment"
So my question is: what security concerns make the DemoIdP unfit as a "real identity provider"?
And what changes should be made to make it a "real identity provider" ?
What are the best bets if not to use the DemoIdP ? (I would probably look in the direction of ADFS or WIF first)
Hi Jesper
I would expect the reason to be that it was developed for the sole purpose of initial toolkit testing, and as such has not been QA'ed in any sense for aspects like security, stability, features, compliance, logging etc.
In terms of what is missing? Not to be rude, but that's up to you to define that.
As for alternatives, I don't have much experience, but ADFS V2.0 (it should be possible, see "AD FS 2.0 Step-by-Step Guide: Federation with Ping Identity PingFederate") could be a possibility along with other SAML-supporting/compliant products (there's quite a list in Wikipedia's "SAML-based products and services").
Hi Brian,
Thank you for the answer. Then it is as I expected, and we will not rule out the DemoIdP as the basis. But I will also look at your link and consider other alternatives.
Do not worry, we are capable of finding out what is missing functionality-wise :) But if there are fundamental security flaws then there is no point in finding this out the hard way.
BTW: I have made a few changes to the OIOSAML.NET toolkit. Namely to store the Metadata in App_data instead of in a path outside the website (thereby running into issues with setting up folder permissions). Should I submit these changes somewhere ?