Architecting and deploying SAML-based federation for companies using tools like PingFederate and CA SiteMinder is one of CoreBlox's key services. Since I find myself using the same sites repeatedly during these deployments, I thought it would be useful to jot them down for your enjoyment. There are other sites out there as well, but these few always seem to be on my list:
- The SAML 2.0 Debugger lets you decode a SAML message encoded with the HTTP-POST or HTTP-REDIRECT encoding
- The Base64 Decoder allows you to decode Base64-encoded text strings
- The URL Encoder/Decoder lets you take strings and either URL encode or decode them
- The Online XML Digital Signature Verifier allows you to verify the signature on SAML assertions
Update - This was also brought to my attention: SAML Tracer for Firefox
Update 2 – Crissy Stone (below) points out that the XML DOM site lets you verify XML syntax either pasted in or by uploading a file
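The decoding that the SAML 2.0 Debugger, Base64 Decoder and URL Decoder in the list above perform can also be done locally. The following is an added example, not code from the original post or from any of the listed tools; the function names and the sample messages (idp.example.com, sp.example.com) are constructed for illustration, and it goes a little beyond plain decoding by also reporting the message ID, Issuer and whether a signature element is present.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_saml(value):
    """Decode a SAMLRequest/SAMLResponse parameter; return (binding, xml_text)."""
    raw = base64.b64decode(urllib.parse.unquote(value.strip()))
    try:
        # HTTP-Redirect: URL-encoded Base64 of a raw DEFLATE stream (wbits=-15).
        return "HTTP-Redirect", zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        # HTTP-POST: the Base64 payload is the XML itself (heuristic fallback).
        return "HTTP-POST", raw.decode("utf-8")

def summarize(xml_text):
    """Report message type, ID, Issuer and whether a signature element is present."""
    # SAML messages never need a DTD; refuse one before handing text to the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in SAML message")
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {"type": root.tag.split("}")[-1],
            "id": root.get("ID"),
            "issuer": issuer.text if issuer is not None else None,
            # Presence only; validating the signature is a separate step.
            "has_signature": root.find(".//ds:Signature", NS) is not None}

def sample_message(kind, msg_id, issuer):
    # Builds a constructed sample message; not captured traffic.
    return ('<samlp:%s xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0">'
            '<saml:Issuer>%s</saml:Issuer></samlp:%s>' % (kind, msg_id, issuer, kind))

def encode_post(xml_text):
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def encode_redirect(xml_text):
    deflater = zlib.compressobj(wbits=-15)
    packed = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(packed).decode("ascii"), safe="")

if __name__ == "__main__":
    samples = [encode_post(sample_message("Response", "_resp1", "https://idp.example.com")),
               encode_redirect(sample_message("AuthnRequest", "_req1", "https://sp.example.com"))]
    for value in samples:
        binding, xml_text = decode_saml(value)
        print(binding, summarize(xml_text))
```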
Since this also comes up, here are the steps I use to create a self-signed certificate with OpenSSL for use with SiteMinder for Federation. The certificate can be used to sign SAML assertions during testing (or I cheat sometimes and use it in production since I can create a certificate with an extended expiration date). I am not an OpenSSL expert, but these steps seem to do the trick (be sure to substitute your desired values):
Generate Private Key and Cert:
> openssl req -x509 -days 3650 -newkey rsa:1024 -keyout saml_key.pem -out saml_cert.pem
Enter PEM Passphrase: password
Verify Passphrase: password
Country: US
State: Massachusetts
Locality: Framingham
Organization Name: CoreBlox
Organizational Unit Name: SiteMinder Team
Common Name: ps.coreblox.com
Email Address: siteminder@coreblox.com
Convert Private Key to PKCS8 DER Encoding:
> openssl pkcs8 -topk8 -inform PEM -outform DER -in saml_key.pem -out saml_key.pkcs8
Enter Passphrase: password
Enter Encryption Password: password
Verify Encryption Password: password
Create SiteMinder Key Database (if you haven’t done this already):
> smkeytool.bat -createDB -password password -importDefaultCACerts
Import Certs into Key Database:
> smkeytool.bat -addPrivKey -alias defaultEnterprisePrivateKey -certfile saml_cert.pem -keyfile saml_key.pkcs8 -password password
Validate certs imported correctly:
> smkeytool.bat -listCerts -alias defaultEnterprisePrivateKey
I hope this is helpful. If you have any tricks or sites you use, please post them in the comments.





We are currently being tasked with building applications for the Army which uses SiteMinder. Are you aware of a “Developer Edition” or free version of SM to support developing applications that will live behind SM?
CA partners should have access to download products for this purpose. Otherwise, if you are doing the work for Army, the Army should be able to provide you with an environment for this purpose.
The thing to keep in mind is that building an application to integrate with SiteMinder is really just designing it to trust header information set by the web agent/proxy. So, for example, instead of putting up a login page, just read SM_USER for the user identity.
I hope that helps.
I like to use this site for verifying the XML of assertions. If I have a problem with the assertion, I check the XML using this site and then, if that all looks good, start looking at the SAML specs themselves to determine the issue with the assertion.
http://www.w3schools.com/dom/dom_validate.asp
Thanks Crissy. I added the site to the main post as well.