[Lasso-devel] HMAC-SHA1 signatures
Benjamin Dauvergne
bdauvergne at entrouvert.com
Mon Dec 5 15:21:42 CET 2011
A new feature has arrived in the Lasso repository: you can now use shared-key
cryptography instead of public-key cryptography between an IdP and an SP that
both use Lasso.

The XML signature implementation is standards-compliant (based on XMLDSig), but
the signature for the HTTP-Redirect binding is a Lasso improvement over the
current specification. Maybe we could propose it for standardisation some day.

The main difference is throughput: the number of assertion signatures per
second (the limiting factor in a SAML SSO flow) increases from 10 transactions
per second on one core using 2048-bit RSA signatures (the current standard) to
1000 tps using shared-key cryptography with the HMAC-SHA1 algorithm. At this
rate SAML is competitive with CAS, OpenID or any intranet SSO technology for
fast and cheap large-scale use, and you can keep the same technology for both
external and internal delegation of authentication.
Example of use (on the IdP), around the place where you initialize the server
object (the declarations come from lasso/lasso.h):

    /* Build an HMAC-SHA1 key from the 13-byte shared secret; no password or
     * certificate is involved. */
    LassoKey *key = lasso_key_new_for_signature_from_memory("shared secret", 13,
            NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA1, NULL);
    /* Look up the remote service provider by its entity ID. */
    LassoProvider *remote_provider = lasso_server_get_provider(server,
            "http://mysp.com/metadata");
    /* Sign the messages this server sends to that provider with the shared key. */
    lasso_provider_set_server_signing_key(remote_provider, key);
You should normally use a different shared secret for each service provider.
To let the same service provider use this shared key to sign its own messages
(so that Lasso validates them with it), you must add this line:

    lasso_provider_add_key(remote_provider, key, FALSE);

You do not need to change any metadata: shared keys are used in preference to
the key in the metadata for signature validation.
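To make the shared-key model concrete, here is an added example (not Lasso code, and not the scheme Lasso actually uses for the HTTP-Redirect binding, which the post says differs from the specification and does not describe). It assumes the standard redirect-binding layout of signing the encoded SAMLRequest, RelayState and SigAlg parameters and appending a base64 Signature; the entity IDs, secrets and request value are constructed. It shows the two properties a verifier wants from this setup: one secret per service provider, and constant-time MAC comparison.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import parse_qsl, unquote, urlencode

# XMLDSig algorithm identifier for HMAC-SHA1, carried in the SigAlg parameter.
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"

# Constructed per-provider shared secrets, keyed by the provider's entity ID
# (one secret per service provider, as the post recommends).
SHARED_KEYS = {
    "http://mysp.com/metadata": b"shared secret",
    "http://othersp.example/metadata": b"another secret",
}


def signed_query(params, key):
    """Sign the encoded SAMLRequest/RelayState/SigAlg string with HMAC-SHA1 and
    append the base64 Signature parameter (assumed redirect-binding layout)."""
    fields = dict(params)
    fields["SigAlg"] = HMAC_SHA1
    to_sign = urlencode(fields)
    mac = hmac.new(key, to_sign.encode(), hashlib.sha1).digest()
    return to_sign + "&" + urlencode({"Signature": base64.b64encode(mac).decode()})


def verify_query(query, issuer):
    """Verify a signed query with the shared key registered for `issuer`.
    Returns False for an unknown issuer, a missing or malformed Signature,
    a SigAlg other than HMAC-SHA1, or a MAC mismatch (constant-time compare)."""
    key = SHARED_KEYS.get(issuer)
    if key is None:
        return False
    body, sep, sig_param = query.rpartition("&")
    if not sep or not sig_param.startswith("Signature="):
        return False
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if fields.get("SigAlg") != HMAC_SHA1:
        return False
    try:
        given = base64.b64decode(unquote(sig_param[len("Signature="):]), validate=True)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    request = base64.b64encode(b"<samlp:AuthnRequest/>").decode()  # constructed
    q = signed_query({"SAMLRequest": request, "RelayState": "/app"},
                     SHARED_KEYS["http://mysp.com/metadata"])
    print(verify_query(q, "http://mysp.com/metadata"))  # True
```

A message signed with one provider's secret does not verify as another provider's, which is why the post advises a distinct secret per SP.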
--
"Java is a DSL for taking large XML files and converting them to stack traces"