ColdFusion / SAML (Part 1)

Introduction

I decided to create this series of posts because I had no experience working with SAML before this recent project. I found through Google searches that implementing via ColdFusion is extremely scarce, but was able to figure it out by going back and forth between 3 different websites:

1) Adventures in Web Application Development by Phil Duba
2) Webdevwork by Howard Ross
3) Tag: by David Rutter

All of the above are great references and I suggest you use them in addition to my own. Each environment is slightly different, so hopefully my contribution to this subject can help someone else attempting the ColdFusion/SAML combination. I have ColdFusion MX 7.0.2 running on Solaris 10 with Covalent Apache 1.3.


Glossary

IDP = refers to the identity provider; In this case, it will be the site you're implmenting this for in ColdFusion.
SP = refers to the partner site (or service provider) that the user is trying to get to after logging on to the IDP
KS = keystore w/ signature components
Canonicalizer = an algorithm that formats the XML file to a standard canonical form so that signatures can match up between IDP & SP
Keytool = UNIX key and certificate management utility


Setting Up the ColdFusion Server

1) Download the Apache XML Security library.

2) Download the updated xmlsec.jar file.

3) Place all of these in ColdFusion's /lib directory and restart the server. Since they're in ColfFusion's /lib, they're automatically detected by the server and you shouldn't have to manually enter any paths into the Administrator.


Creating the Keystore

1) In a UNIX window, type in the following, replacing the italicized items with your own values:

keytool -genkey -v -keyalg RSA -alias ALIAS -keystore KEYTORE_FILENAME -storepass PASSWORD

-genkey is the function of keytool that generates a keystore
-v will display step by step instructions (verbose)
-keyalg selects the algorithm to use. The default is DSA, so we need to change it to RSA to be compatible with the XML security library
-alias is the alias of the keystore
-keystore is the name of the keystore file
-storepass is the password to access the keystore

2) Answer all of the questions that come up... name, organizational unit, organization, location, state and country.

3) Verify the keystore creation with:

keytool -list -alias ALIAS -keystore KEYTORE_FILENAME

Enter the password when prompted and you should get an MD5 hash.

4) Now that the keystore is all set, you have to create a certificate for the SP to install in their end. Enter the following command:

keytool -keystore KEYTORE_FILENAME -storepass PASSWORD -export -alias ALIAS -rfc > CERTIFICATE_FILENAME

5) Verify the certificate creation with:

keytool -printcert -v -file CERTIFICATE_FILENAME

You should get an onscreen output of the general keystore info., serial number, expiration date and a digital fingerprint. This certificate contains the public key.

After setting up your ColdFusion server and creating the keystore, all the tools are set for coding to begin. In part 2, I'll get into the XML and all of the components you need to fill in from the IDP's database.