Google Apps SAML/SSO decrypt

on 31.10.2007 22:30:27 by tom

This should be an easy answer. I'm writing a custom SSO application
in PHP for integration with Google Apps. For generating the necessary
SAML responses, I'm using OpenSSO. Google requires you upload a
signed certificate, with a public key embedded. All SAML requests
sent and received between the service provider (Google) and the
identity provider (you) are encrypted using this key. I'm unsure what
to do with the request that Google Apps embeds in the URL though.
It's sent as a $_GET variable so it's not encrypted in a way that
php's openssl functions can understand. I'm not sure how to go about
decoding it:

http://www.example.com/sso?SAMLRequest=fVJLT8MwDL4j8R+i3PsCCUa0Fg2miUkDKlY4cMsSd82WJiVON/j3dB3TxgGOcT5/D9vD289akw04VNakNAljSsAIK5VZpvS1mAQDepudnw2R17pho9ZX5gU+WkB

Any thoughts?

Re: Google Apps SAML/SSO decrypt

on 01.11.2007 10:26:54 by petersprc

SAMLRequest is a DEFLATE encoded XML string. You can decode with

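    function samlDecode($str) {
        // The redirect binding base64-encodes the compressed request.
        $raw = base64_decode($str);
        // Try raw DEFLATE (RFC 1951) first.
        $xml = @gzinflate($raw);
        if ($xml === false) {
            // Fall back to ZLIB (RFC 1950), using the decoded bytes
            // rather than the failed gzinflate() result.
            $xml = @gzuncompress($raw);
        }
        return $xml;
    }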

gzinflate (rfc1951 - DEFLATE) and gzuncompress (rfc1950 - ZLIB) are
both tried because some implementations use the second format.

Google has some sample PHP code that implements this here:

http://google-apps-sso-sample.googlecode.com/files/samltool_php.zip

SAML 2.0 March 05:

http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

Re: Google Apps SAML/SSO decrypt

on 03.11.2007 22:38:14 by tom

Thanks for the tip, and the URL for the php sample library. I was in
the process of rewriting process_response.php!
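
The base64-then-inflate decoding petersprc describes, as an added example that is not part of the original thread or of Google's sample code: it restores `+` characters that PHP's query parsing turned into spaces, caps the inflated size, and rejects a DOCTYPE before reading the request. The function names, the 64 KiB limit and the sample request are assumptions made for illustration.

```php
<?php
// Added example: defensive decode of an HTTP-Redirect binding SAMLRequest.
// Function names, size limit and sample request are constructed, not from the thread.

function samlRedirectDecode(string $param, int $maxBytes = 65536): string
{
    // A '+' that was not percent-encoded arrives in $_GET as a space;
    // put it back before base64 decoding.
    $b64 = strtr($param, ' ', '+');
    $raw = base64_decode($b64, true);          // strict: reject invalid characters
    if ($raw === false) {
        throw new InvalidArgumentException('SAMLRequest is not valid base64');
    }
    // Cap the output so a small parameter cannot inflate without bound.
    $xml = @gzinflate($raw, $maxBytes);        // RFC 1951, raw DEFLATE
    if ($xml === false) {
        $xml = @gzuncompress($raw, $maxBytes); // RFC 1950, ZLIB wrapper
    }
    if ($xml === false) {
        throw new InvalidArgumentException('SAMLRequest does not inflate');
    }
    return $xml;
}

function samlParseAuthnRequest(string $xml): array
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml, LIBXML_NONET)) { // no network fetches while parsing
        throw new InvalidArgumentException('SAMLRequest is not well-formed XML');
    }
    if ($doc->doctype !== null) {              // a SAML message never needs a DTD
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    $root = $doc->documentElement;
    return [
        'id'  => $root->getAttribute('ID'),
        'acs' => $root->getAttribute('AssertionConsumerServiceURL'),
    ];
}

// Constructed sample: build a request the way a service provider would.
$sample = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        . ' ID="_constructed123" Version="2.0"'
        . ' AssertionConsumerServiceURL="https://sp.example.com/acs"/>';
$param   = base64_encode(gzdeflate($sample));
$mangled = str_replace('+', ' ', $param);      // what $_GET yields for a raw '+'

print_r(samlParseAuthnRequest(samlRedirectDecode($mangled)));
```

Decoding only unpacks the XML; when a redirect-binding request is signed, the signature travels in the separate `SigAlg` and `Signature` query parameters and has to be verified before the decoded values are trusted.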