June 10, 2011

XML, Java and Who’s Your Daddy?

Posted in Uncategorized at 2:01 pm by dgcombs

For clarity’s sake, let me reiterate, I hate Java. Along with Java comes all the confusing collection of classes and variable typing and capitalization, oh my! In the other suitcase, Java also brings XML and her children, like SAML (pronounced “samuel” for the vowel-challenged) who covers my keyboard with sticky residue from certificates and encryption keys.

SAML, a standard co-authored by OASIS and XML, is designed to help create a federation of identities across organizations, to simplify access to services and to complicate my life beyond all reason!

The project started out simple enough: allow a user to login to a web application at a partner site and allow that application to successfully assert the user’s identity to an application here. The problem, as I see it, is that SAML is written exclusively in XML. And signed with XML. And generated by Java.

The bigger problem, again, as I see it, is that there is no easy way to iteratively test the process. Either it works (well, to be honest, I have not seen THAT outcome yet) or it doesn’t. And it mostly doesn’t. That wouldn’t be so bad if error messages were simple and to the point. But they generally come with a distinctly Java accent:

ERROR – java.lang.NullPointerException

That’s not much help. Browser based errors aren’t very descriptive either.

500 Internal Server Error

So in an attempt to discover a way to test the SAML connection without the overhead of a conference call with way too many people speculating on the source of a NullPointerException, I looked for a simple way to generate assertions. … and I looked. And I looked. Finally, in blind desperation and with no hope for a solution, I clicked on a link that led me to the Code Project. There, a clearly decent fellow by the name of David Speight posted an article, application and code (in C#, not Java — YAY!) on Performing a SAML Post with C#.

The accompanying small application is a little cryptic. But it will work. It requires you to fill in a few blanks such as identity Issuer, Recipient, Target and Domain. The most complicated one for me, by far, was the Certificate. The Select Certificate dialog box references a file location.

(Screenshot: Select Certificate dialog)

I got that. But then it talks about Store Location, Store Name and Find Method. A bit more looking led me to CertMgr, which is part of the .NET framework. I already had a self-signed private key, public key and certificate. But in order to import them into CertMgr, I had to convert them to PKCS#12 format using OpenSSL, which fortunately is available for Windows 7 64-bit.

Once I converted my previously created CACERT.pem and PRIVATE.pem key to PKCS#12 format, I could then import both into CertMgr. I put them under “Trusted People” certificates because I have an unusually high amount of trust for myself as a person.

The Post SAML Assertion program started to churn a bit before kicking back a distinctly over-familiar message:

ERROR – RequestHandlerRuntimeException: XML signature verification failed. Decryption error

But at least I knew why! The cert I was using for the assertion was not related in the least to the cert I was using on the assertion receiver. After being steeped in SAML/XML/Encryption Keys/Message Digests and above all Java for more days than I care to remember, I’m finally making progress!
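Here is an added example (my own script, not David Speight's tool) that does the two things I wished I had checked before the conference call: it bundles CACERT.pem and PRIVATE.pem into a PKCS#12 file for CertMgr, and it confirms that the private key really belongs to that cert and that the cert the receiver trusts (RECEIVER.pem is an assumed file name) has the same thumbprint as the one signing the assertion. It assumes OpenSSL on the PATH and a placeholder export password.

```shell
#!/bin/sh
# Prepare and sanity-check a SAML signing cert before importing it into CertMgr.
# Assumptions: OpenSSL is installed; file names follow the post (CACERT.pem, PRIVATE.pem).
set -eu

# pem_to_pkcs12 CERT.pem KEY.pem OUT.pfx PASSWORD
# Bundles cert + private key into PKCS#12, the format CertMgr imports.
pem_to_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
    -passout "pass:$4" -name "saml-signing"
}

# key_matches_cert CERT.pem KEY.pem
# Succeeds only if the public key inside the cert was derived from this private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# same_cert A.pem B.pem
# Compares SHA-1 fingerprints (what CertMgr shows as the "thumbprint").
# A mismatch here is exactly the "XML signature verification failed" case:
# the assertion is signed with a cert the receiver has never seen.
same_cert() {
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha1)
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha1)
  [ "$a" = "$b" ]
}

# Usage: sh check-saml-cert.sh CACERT.pem PRIVATE.pem RECEIVER.pem
# PFX_PASS is an assumed environment variable; "changeit" is a placeholder.
if [ $# -eq 3 ]; then
  key_matches_cert "$1" "$2" && echo "key/cert pair OK" || echo "key does NOT match cert"
  same_cert "$1" "$3" && echo "receiver trusts this cert" \
    || echo "receiver cert differs: expect 'signature verification failed'"
  pem_to_pkcs12 "$1" "$2" signer.pfx "${PFX_PASS:-changeit}" && echo "wrote signer.pfx"
fi
```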

Other useful tools and information found along the way:

Maybe I’ll finish my own HTML/JavaScript version of a SAML Assertion provider. All I lack is the icky, sticky SAML/XML portion. How hard can that be?