SMTP authentication using SAML

help-gsasl
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
SMTP authentication using SAML

From:	Simon Josefsson
Subject:	SMTP authentication using SAML
Date:	Tue, 03 Apr 2012 13:20:36 +0200
User-agent:	Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.0.94 (gnu/linux)
The SAML20 mechanism [1] allows you to authenticate against
SMTP/IMAP/XMPP/etc servers using SAML in your web-browser.  Version
1.7.3 of GNU SASL has a (hopefully) complete implementation, and it is
now ready for wider testing.  There is documentation in the manual:

https://www.gnu.org/software/gsasl/manual/gsasl.html#SAML20

To simplify testing, I have set up a SMTP interop server (see [2]) that
supports SAML on the server side.  The code for it is available here:

http://git.savannah.gnu.org/cgit/gsasl.git/tree/examples/saml20

See in particular the README:

http://git.savannah.gnu.org/cgit/gsasl.git/tree/examples/saml20/README

The client side of the SAML20 SASL mechanism is trivial: basically send
the identifier of the SAML IdP, get a redirect URL back and invoke that
URL in the users browser, and let the user finish authentication in the
browser.  Once complete, the SASL server will let you in.

To test it, download and build gsasl-1.7.3:

address@hidden:~$ wget ftp://alpha.gnu.org/gnu/gsasl/gsasl-1.7.3.tar.gz
...
address@hidden:~$ tar xfz gsasl-1.7.3.tar.gz 
address@hidden:~$ cd gsasl-1.7.3/
address@hidden:~/gsasl-1.7.3$ ./configure
...
address@hidden:~/gsasl-1.7.3$ sudo make install
...

The mapping from IdP identifier to IdP is static.  The interop server is
configured with the Feide OpenIdP and ProtectNetwork IdPs with these IdP
identifiers:

'openidp.feide.no' goes to Feide, see https://openidp.feide.no/
'idp.protectnetwork.org' => goes to ProtectNetwork,
                            see https://www.protectnetwork.org/

Sign up for a user account on either of these IdPs.  Feide is more
responsive, it sends an e-mail automatically and you will have an
account within minutes.

If you want to test another IdP, please e-mail me the URL to your IdP
metadata and I'll set it up.

Use the 'gsasl' command line tool to talk with the interop server.  Here
I am using the SAML IdP identifier 'openidp.feide.no'.  Note that the
SAML server uses port 2001, the server running on port 2000 is for
OpenID.

address@hidden:~$ gsasl --smtp -m SAML20 interop.josefsson.org 2001
Trying ‘interop.josefsson.org’...
220 localhost ESMTP GNU SASL smtp-server
EHLO [127.0.0.1]
250-localhost
250 AUTH ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 
SAML20 OPENID20
EHLO [127.0.0.1]
250-localhost
250 AUTH ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 
SAML20 OPENID20
AUTH SAML20
334 
Enter SAML authentication identifier (e.g. "http://example.org/";): 
openidp.feide.no
biwsb3BlbmlkcC5mZWlkZS5ubw==
334 
aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vL3NpbXBsZXNhbWwvc2FtbDIvaWRwL1NTT1NlcnZpY2UucGhwP1NBTUxSZXF1ZXN0PWZaRlBiNE13RE1XJTJGQ3NvZEFoUzZMZ0lrYUZlcDB2NVVZOXBobHltaXBzMFVraXdPM2ZidEIxU2R1a3N2UGp6N0p6OCUyRlo4ZzdhVmpadTRONmhzOGUwSG5mblZUSXBrWk9lcXVZNWlpUUtkNEJNdGV3dW55NFozRVFNbU8xMDQyVzVBSzVUbkJFc0U1b1Jiek5LaWZ2c3pSY3o2UGxQSjJ2NDZwS3dqSXV5eXBaM0ticDh1WXVyaExpdllMRllUNG5BejVBaUQxc0ZEcXUzQ0NGVWV5SGlSJTJGT1hxS0loUXNXSlclMkZFV3cwM0NNWGRSQjJjTThnbzFRYVUySm1nQmJHRFFHbUtvak1TUnNkMExERWR1clN1bjJxd1I5RkFZQTZHZUd0dEc1aXl5VW5MSmNMb1lEc2NJWTV3Vm9wczVObmt6QmJuZlVJNXNOb0VIeHFoUmRRcTBIWlA5OGhSJTJCdE8lMkIwRWVUMFVzME83M2ljUWh0czlwcUtacWYwVURIM2ZWTVIwWHMlMkZIWWFaYzV5aFFLVUkxNHBwZjVhV3VEdXp5d3RUanYlMkZmN3o0QlElM0QlM0QmU2lnQWxnPWh0dHAlM0ElMkYlMkZ3d3cudzMub3JnJTJGMjAwMCUyRjA5JTJGeG1sZHNpZyUyM3JzYS1zaGExJlNpZ25hdHVyZT1ja0t1UWZ3YTUlMkYlMkZIJTJCZkZrVnF4JTJCc2huVTJBYW9Nd01FRE9aQUJZbE5Zb1BIWTlvckxaVm96d21qJTJCRDk2ZVpRb0VTZm85SXAwSnVPRUJyOEpIQ01SeTBrcVpReUFRcFJyaSUyRlR6NUFuR1hKWW9VWFRsNXpHY2UySXlnSHZzTENEejRVYmh4S3JqZGd2TElpM0N0b0tGU3Bxb2J3JTJCTlBWSlRTejBWRjlRVVBuV01oTVpxb0E5RkdCdFRzb3dkeHhYS2x5N0I1bndzcWcyaDVzd3BJb0VJR3ZETHZTS1BPcjA4TzIzV2FIaFlHdEUyMVNuYUIxRzA4RGRndHNmeVdHMlJJR085MmNPVSUyRjkzVU1jYUJiVG5XbnNob2tsOXFSY3UwN3cyVjFZU1B6cCUyRkE5eTBOdmFKSkR6bms0QktpSnklMkJid0J3JTJCMjlGOWo1WHZJczRNZ3pnSU1xS2RXJTJCekElMkJZdE9SJTJGM0ZyVDZ6bENOaE5BUjgwQ25yZmJBamlTJTJGSXozU09laEpRZ2M4JTJCUzl1YWZibERjZHZoVHclM0QlM0Q=
Visit this URL to proceed with authentication:
https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZFPb4MwDMW%2FCsodAhS6LgIkaFep0v5UY9phlymips0UkiwO3fbtB1SduksvPjz7Jz8%2FZ8g7aVjZu4N6hs8e0HnfnVTIpkZOequY5iiQKd4BMtewuny4Z3EQMmO1042W5AK5TnBEsE5oRbzNKifvszRcz6PlPJ2v46pKwjIuyypZ3Kbp8uYurhLivYLFYT4nAz5AiD1sFDqu3CCFUeyHiR%2FOXqKIhQsWJW%2FEWw03CMXdRB2cM8go1QaU2JmgBbGDQGmKojMSRsd0LDEdurSun2qwR9FAYA6GeGttG5iyyUnLJcLoYDscIY5wVops5NnkzBbnfUI5sNoEHxqhRdQq0HZP98hR%2BtO%2B0EeT0Us0O73icQhts9pqKZqf0UDH3fVMR0Xs%2FHYaZc5yhQKUI14ppf5aWuDuzywtTjv%2Ff7z4BQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=ckKuQfwa5%2F%2FH%2BfFkVqx%2BshnU2AaoMwMEDOZABYlNYoPHY9orLZVozwmj%2BD96eZQoESfo9Ip0JuOEBr8JHCMRy0kqZQyAQpRri%2FTz5AnGXJYoUXTl5zGce2IygHvsLCDz4UbhxKrjdgvLIi3CtoKFSpqobw%2BNPVJTSz0VF9QUPnWMhMZqoA9FGBtTsowdxxXKly7B5nwsqg2h5swpIoEIGvDLvSKPOr08O23WaHhYGtE21SnaB1G08DdgtsfyWG2RIGO92cOU%2F93UMcaBbTnWnshokl9qRcu07w2V1YSPzp%2FA9y0NvaJJDznk4BKiJy%2BbwBw%2B29F9j5XvIs4MgzgIMqKdW%2BzA%2BYtOR%2F3FrT6zlCNhNAR80CnrfbAjiS%2FIz3SOehJQgc8%2BS9uafblDcdvhTw%3D%3D
PQ==

now the server is waiting for you to finish the SAML authentication.
You do this by opening the URL shown above in your web browser and
completing the SAML login.  The the server will realize when the SAML
authentication has finished, and the gsasl output continues:

235 OK [authid: _0851336c1bf817bfa17ae2dc3db7eaaa0fde5110b2 authzid: N/A]
Client authentication finished (server trusted)...
Enter application data (EOF to finish):

You have logged in to a SMTP server using SAML authentication!  Type
'QUIT' and hit return to log out.

The authid shown is not very exciting, it is the transient name-type.
However, the SP has access to the entire SAML assertion, just do "view
source" on the final web page to see the XML output hidden in the HTML
code.  Any of those fields could easily be signalled back to the SMTP
server, and it could use that for authorization decisions.  This aspect
will likely need to depend on the IdP used and some local configuration.

The client side is trivial, if your application uses GNU SASL you just
add support for the GSASL_AUTHENTICATE_IN_BROWSER callback, compare line
219+ of the callback used by the 'gsasl' command line tool:

http://git.savannah.gnu.org/cgit/gsasl.git/tree/src/callbacks.c#n219

The server side is trickier to setup because you need to have a SAML SP
listening.  See the example SMTP server linked to above for an example
of how it can be done.

What do you think?  Feedback is welcome.

/Simon

[1] https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml
[2] https://lists.gnu.org/archive/html/help-gsasl/2012-03/msg00002.html
[Prev in Thread]
Current Thread
[Next in Thread]
SMTP authentication using SAML, Simon Josefsson <=
Prev by Date: GNU SASL 1.7.3 released (development version)
Previous by thread: GNU SASL 1.7.3 released (development version)
Index(es):
- Date
- Thread