ZXID Home - Open Source IdM for the Masses - SAML SSO
Sampo Kellomäki (sampo@iki.fi)What is it?
-
mod_auth_saml: An Apache httpd auth module that does SAML SSO. No programming, just configure Apache, see receipe. Web Master - you need this because it is config only install, no programming.
-
SSO servlet and libzxidjni.so: A Java JNI extension that wraps libzxid. Also supplied: zxidsrvlet.java that implements SP SSO as servlet, directly integrateable with existing application under servlet engine, e.g. Tomcat.
-
php_zxid: A PHP extension that wraps libzxid. Also supplied: zxidhlo.php that implements SP in mod_php environment.
-
Net::SAML: Perl module wrapping libzxid. Also zxidhlo.pl example, implementing SP in mod_perl environment, is supplied.
-
zxididp: Full featured Identity Provider and Discovery Service, as deployed by zxidp.org.
-
libzxid: C library for SAML 2.0 federated Single Sign-On (SSO) and ID-WSF Web Services. Many other language bindings are supported through SWIG. IdM Hacker - you need this because it supports all relevant protocols, you will study it and you will contribute patches.
|
DependenciesTo compile ZXID you need:
|
Platforms
ZXID is developed on ix86 Linux with POSIX as a goal, any modern system should work. You will need GNU make. I use gcc-3.4.6 as a compiler so others (such as gcc-4) may need minor tweaking. |
ZXID Project has vastly more ambitious goals. See the ZXID Project chapter in documentation (PDF).
Conor Cahill of Intel (formerly AOL) said back in 2006:
IMNSHO, better go Liberty up front and have the confidence that you do not need to upgrade later - or run two parallel systems. The Liberty (or SAML 2.0) system is comprehensive and addresses every use case anyone has thought so far. The percieved complexity is really an implementation issue and not underlying propery of the spec. Since we provide an implementation, the "complexity" is not customer problem.
Try it out immediately
In this space we host links to IdPs that work with ZXID and to ZXID test sites you can use to get a feel for yourself. There is no guarantee that these sites stay up:
Freely downloadable IdPs you can install and test against
-
Lasso: http://lasso.entrouvert.org/
Aims of ZXID Project
ZXID aims at full stack implementation of all federated identity management and identity web services protocols. Initial goal is supporting SP role, followed by ID-WSF WSC, WSP and IdP roles. We aim at supporting US GSA E-Auth profile.
ZXID is light weight, has a small foot print, and is implemented in C. It is suitable for both high performance (e.g. 300 SSO/sec on normal hardware without acceleration) and embedded applications. Scripting languages are supported using SWIG, including Perl, PHP and Java. The "full stack" nature of ZXID means it's self contained and has minimal external library dependencies (see downloads).
Targeted Federated Identity Standards
-
SAML 2.0 (fully done, SP and IdP roles)
-
SAML 1.1 (Assertion Consumer role 60% done)
-
Liberty ID-FF 1.2 (SP role 62% done)
-
Shibboleth 2.0 (98% done)
-
WS-Federation 1.0 Basic Profile (Assertion Consumer role 40% done)
Targeted ID Web Services Standards
-
Liberty ID-WSF 2.0 (95% done)
-
Liberty ID-WSF 1.1 (40% done)
-
TAS3 - Trusted Architecture for Securely Shareable Services (that are privacy friendly as well), www.tas3.eu. ZXID aims to be the reference implementation of the TAS3 APIs. See specs in ZXID-TAS3 Page
Targeted Authorization Standards
-
OASIS XACML 2.0 and 2.0 committee draft 1
Approach
ZXID consists of C libraries. Some of these libraries are generated from schema grammar descriptions using a tool called xsd2sg.pl, part of Plaindoc distribution. Other libraries that express flows and processing rules are hand-written. The language bindings, other than C, are generated automatically using swig(1), see http://swig.org/.
Status
0.63 (20100908) is 1.0 Release Candidate. As of 0.41 (20091120) the package has been mature for doing SSO and other SP related tasks. It also supports perl and mod_perl by way of Net::SAML module, PHP5 (and php4) using php_zxid.so, as well as Java using libzxidjni.so. The Java support includes SSO servlet to be used with Tomcat or other application server.
mod_auth_saml is fully production grade and can be used to implement SSO to Apach httpd just by configuring (no programming needed).
zxididp is beta grade.
zxididp ID-WSF Discovery functionality is alpha grade.
ID-WSF WSC and WSP roles are beta grade.
XACML PEP role is beta grade.
So far we have
-
General SAML 2.0 encoding and decoding of messages in C
-
Net::SAML perl module that gives access to the C functionality
-
php_zxid.so extension for php5 (and php4) roughly equal to Net::SAML
-
libzxidjni.so extension for Java roughly equal to Net::SAML
-
zxidsrvlet.class for Tomcat enviroment, giving SSO
-
SAML 2.0 metadata handling and support for Well Known Location method
-
Specific logic for Single Sign-On and Federation using artifact, post, and simplesign-post profiles
-
Single logout, defederation, and NameID management
-
Some session management and ability to handle discovery bootstrap, ability to start Java HttpSession, ability to pass information from SSO to WSC.
-
SP role as a CGI written in C
-
SP role written in perl that works both in mod_perl and as a CGI
-
SP role written in php that works under apache mod_php5 (and possibly php4).
-
SP role written in Java as servlet (zxidsrvlet)
-
SP role written in shell script
-
SP role as Apache httpd auth module (mod_auth_saml)
-
IdP role written in C
-
Command line WSC testing tool
-
Discovery WSC role in C, perl, php, and Java
-
Discovery WSP role in C
-
General WSC role in C, perl, php, and Java
-
General WSP role in C
-
ID-DAP WSC role in C
-
ID-HR-XML WSC and WSP
-
Encoders and decoders for
-
SAML 2.0 (most mature)
-
SAML 1.1
-
Liberty ID-FF 1.2
-
Liberty ID-WSF 1.1
-
Liberty ID-WSF 2.0
-
XACML 2.0
-
-
XACML 2.0 PEP role in C, perl, php, and Java
-
XACML 2.0 PDP role in C, but without XACML rule evaluation engine (i.e. we use proprietary rules)
Documentation
Documentation starts from README.zxid (PDF) file. There is also low level source code derived documentation in API Reference
I also encourage you to read the source, especially headers. Starting from c/zx-sa-data.h, zxid.h, zxid.c, and zxidsimp.c will be most instructive.
All the specifications supported by ZXID are freely available on the net. Try
-
Liberty Alliance: http://projectliberty.org/liberty/specifications__1
-
W3C
Support
Mailing list and forums
-
Official ZXID mailing list is zxid.user@lists.unh.edu
-
The archives can be seen at http://listproc.unh.edu/archives/zxid.user
Bugs
Mail the author until we get bug tracking set up. Or volunteer.
Developer access
Anonymous GIT read only: <
For commit we use git over ssh, but access needs to be manually configured and is not anonymous. If you contribute significantly, I will bother. Others can send patches (diff -u) to me - a good way to show you are worthy of git access. I've heard some mixed experiences about open source sites like sourceforge. If you run such site and want to host ZXID Project, please contact me.
If you just always want the latest stable source: get the tar ball from the downloads section. Trust me, this is still so much in flux that only the tar ball snapshots are in any usable state. git access just to get latest source would be pointless.
Commercial Support
Following companies provice consultancy and support contracts for ZXID:
-
Levelview (+351-918.731.007)
Previous Releases
- 2010 (show/hide)
-
zxid-0.64.tgz (20100917 - Improved Win32cl target)
-
zxid-0.63.tgz (20100908 - Improved zxidp Shibboleth SP compatibility)
-
zxid-0.62.tgz (20100701 - Fixed IdP AN screen)
-
zxid-0.60.tgz (20100623 - No real change, just version number synchronization with TAS3 pool)
-
zxid-0.59.tgz (20100623 - Stabilization release)
-
zxid-0.58.tgz (20100617 - Extensive new features, due to TAS3)
-
zxid-0.53.tgz (20100323 - Shibboleth metadata extentions, IdP fixes)
-
zxid-0.52.tgz (20100217 - Fixed multidiscovery, etc.)
-
zxid-0.50.tgz (20100211 - Fixed multibootstrap)
-
zxid-0.49.tgz (20100201 - Removed many arbitrary 64KB limits. Added zxcall tool.)
-
zxid-0.48.tgz (20100119 - Unknown XML paresing improvements)
-
zxid-0.47.tgz (20100114 - Added zxcot -bs and fixed recursive bootstrap infinite loop)
-
zxid-0.46.tgz (20100113 - Fixed Java build)
-
zxid-0.45.tgz (20100112 - Signature generation in web service call, logging messages)
-
- 2009 (show /hide)
-
zxid-0.44.tgz (20091216 - Minor bug fixes)
-
zxid-0.42.tgz (20091126 - ID-WSF full web service call improvements)
-
zxid-0.41.tgz (20091120 - Java servlet improvements)
-
zxid-0.40.tgz (20091114 - Java servlet improvements, PHP check Perl check)
-
zxid-0.39.tgz (20091105 - Java servlet improvements)
-
zxid-0.34.tgz (17.9.2009, Java compile fix)
-
zxid-0.33.tgz (16.9.2009, Major improvements to mod_auth_saml, bug fixes to Net::SAML)
-
zxid-0.32.tgz (4.4.2009, documentation fixes)
-
- 2008 (show /hide)
-
zxid-0.29.tgz (25.9.2008, mod_auth_saml fixes, more config options)
-
zxid-0.28.tgz (18.9.2008, bug fixes)
-
zxid-0.27.tgz (17.9.2008, build precheck)
-
zxid-0.26.tgz (9.5.2008, fixed Auto-CoT bug due to form field name conflict)
-
zxid-0.25.tgz (17.4.2008, SAML POST-SimpleSign binding, mod_auth_saml)
-
zxid-0.22.tgz (11.10.2007, Added log levels 1 and 2, Fixed Destination handling; Ensured preservation of whitespace in XML parsing and exc-xml-canon; Fixed alphabetization of attributes in exc-xml-canon; Added signing ArtifactResolve, Logout and MNI requests over SOAP; Improved handling of empty ns prefix for XML attributes; Print source IP to logs)
-
zxid-0.21.tgz (8.10.2007, bug fixes: Content-type header, SWIG related build problem for Net::SAML on RedHat, added cygwin target, fixed InclusiveNamespaces/@PrefixList)
-
zxid-0.20.tgz (1.10.2007, working towards GSA E-Auth requirements, EncryptedAssertions, EncryptedIDs, bug fixes)
-
- 2007 (show/hide)
-
zxid-0.19.tgz (11.8.2007, minor bug fixes, documentation)
-
zxid-0.18.tgz (17.7.2007, ID-HR-XML, WSF bug fixes)
-
zxid-0.17.tgz (6.3.2007, WSC development, bug fixes) This is a very stable release.
-
zxid-0.16.tgz (4.3.2007, WSC development, bug fixes)
-
zxid-0.15.tgz (23.2.2007, Tomcat bug fixes)
-
zxid-0.14.tgz (21.2.2007, Tomcat tutorial)
-
zxid-0.13.tgz (20.2.2007, clean up Java interface, Mac compile, bug fixes)
-
zxid-0.12.tgz (10.2.2007, WSF bootstrap handling, rework of session system, bug fixes)
-
zxid-0.11.tgz (1.2.2007, MinGW DLL fixes)
-
zxid-0.10.tgz (31.1.2007, MinGW DLL production works)
-
zxid-0.9.tgz (26.1.2007, fixed compilation, preliminary Windows support using MinGW)
-
zxid-0.8.tgz (16.1.2007, zxid_simple() API, logging, conf file, more signature support, JNI support)
-
- 2006 (show /hide)
-
zxid-0.7.tgz (15.10.2006, with digital signatures, improved PHP, mod_php, and mod_perl support)
-
zxid-0.6.tgz (18.9.2006, with PHP support, including mod_php)
-
zxid-0.5.tgz (15.9.2006, with encoders and decoders for ID-WSF and ID-FF)
-
zxid-0.4.tgz (4.9.2006, with mod_perl/Net::SAML SP)
-
zxid-0.3.tgz (first fully functional release)
-
Historic: zxid-0.2.tgz, zxid-0.1.tgz
-
Some Links
-
Another directory where ZXID is featured: linuxlinks
-
Good collection of docs: http://polarssl.org/?page=docs (n.b. zxid does not yet support polarssl, but contributions are always welcome)
-
TAS3 project: www.tas3.eu
-
Sampo's hobby: Teräsaika (iron and steel making)
-
Web Risk: http://zxid.org/webrisk.htm
Acknowledgement
The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement number 216287 (TAS3 - Trusted Architecture for Securely Shared Services - www.tas3.eu).
|
