SAML Not So Simple

(Originally published June 7, 2013)

Like most of my adult programming life, all of the major languages or platforms I’ve learned have been due to a must-have-it-yesterday deadline from other managers. Or an emergency project that no one expected (like the Spanish Inquisition). Never a best-case scenario plan, but ultimately what happens a lot in this industry. I’m sure it happens pretty much in every industry, and those who adapt, even thrive, in these moments will go far. Otherwise, you’ll just burn out. Or kill everyone around you. It’s a toss-up.

Enter SAML, a standard for exchanging authentication and authorization data between security domains. The data travels as XML, which makes it platform-agnostic, and the assertions are digitally signed and can also be encrypted. In the common web flow the user’s browser carries the messages between the two sites, most often with the HTTP-POST binding (there is also an HTTP-Redirect binding, typically used for the request), and an HTML form POST is as simple a transport as I can think of. The biggest and most basic example I can think of is a university that moves student email to Gmail: the university email address is really just delivered through Gmail, which has much more space for a lot less cost, and students sign in with their university credentials because the university runs the Identity Provider (IdP, in the local parlance) while Google acts as the Service Provider (SP). My part was configuring a few lines of code and exchanging metadata between the IdP and the SP. There are many ways to configure this. The same organization can also run both the IdP and the SPs when it wants users identified across its own distinct applications.
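The HTTP-POST exchange described above, as an added example that is not part of the original post and is not SimpleSAMLphp code: a constructed, unsigned SAML 2.0 Response, the form body the browser would POST to the SP’s Assertion Consumer Service, and a minimal inspection of the fields an SP cares about. The IdP and SP hostnames, entity IDs and the user are made up. The example deliberately only reports whether a signature is present; a real SP must verify the XML signature against the certificate in the IdP’s metadata before trusting any of these values, and should parse with a hardened XML parser.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# XML namespaces used by SAML 2.0 messages.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (not a real capture): a minimal, UNSIGNED Response such as an
# IdP would hand to the browser for posting to the SP. Hostnames are hypothetical.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2013-06-07T12:00:00Z" Destination="https://sp.example.edu/saml/acs">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-07T12:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.edu</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-06-07T11:55:00Z" NotOnOrAfter="2013-06-07T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.edu/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_post_body(response_xml: str, relay_state: str) -> str:
    """Encode a Response the way the IdP's auto-submitting HTML form sends it:
    base64 in a SAMLResponse field, plus RelayState so the SP can return the
    user to the page they originally asked for."""
    return urlencode({
        "SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii"),
        "RelayState": relay_state,
    })


def parse_post_body(body: str) -> dict:
    """What the SP's Assertion Consumer Service receives: decode the form body
    back into the Response XML and the RelayState."""
    fields = parse_qs(body, strict_parsing=True)
    xml_text = base64.b64decode(fields["SAMLResponse"][0]).decode("utf-8")
    return {"SAMLResponse": xml_text, "RelayState": fields.get("RelayState", [""])[0]}


def _parse_utc(timestamp: str) -> dt.datetime:
    """SAML timestamps are UTC xs:dateTime values; fractional seconds are dropped."""
    base = timestamp.rstrip("Z").split(".")[0]
    return dt.datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def inspect_response(xml_text: str, expected_audience: str, now: dt.datetime) -> dict:
    """Pull the security-relevant fields out of a Response and evaluate its
    Conditions. This does NOT verify the XML signature; it only reports whether
    one is present. Until the signature is verified none of these values can be
    trusted, because the browser (i.e. the user) carried them to the SP."""
    root = ET.fromstring(xml_text)  # production code: use a hardened parser such as defusedxml
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")

    conditions = assertion.find("saml:Conditions", NS)
    not_before = _parse_utc(conditions.get("NotBefore"))
    not_on_or_after = _parse_utc(conditions.get("NotOnOrAfter"))
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    # NotBefore is inclusive, NotOnOrAfter exclusive; the SP's own entityID must be listed.
    conditions_ok = (not_before <= now < not_on_or_after) and expected_audience in audiences

    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    signed = (root.find("ds:Signature", NS) is not None
              or assertion.find("ds:Signature", NS) is not None)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status_ok": status is not None and status.get("Value") == STATUS_SUCCESS,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attributes,
        "conditions_ok": conditions_ok,
        "signed": signed,
    }


if __name__ == "__main__":
    when = dt.datetime(2013, 6, 7, 12, 0, tzinfo=dt.timezone.utc)
    posted = build_post_body(SAMPLE_RESPONSE_XML, "/inbox")
    fields = parse_post_body(posted)
    print(inspect_response(fields["SAMLResponse"], "https://sp.example.edu/saml/metadata", when))
```

Run it and the inspection reports the issuer, the NameID and attributes the IdP asserted, that the time window and audience check out at 12:00 UTC, and `signed: False`. The last field is the whole point: the values look perfectly normal, and an SP that stopped here would accept anything the user chose to paste into the form.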

All of the major languages are doing it: Java, .NET, and PHP, which is my language of preference. It’s been two years since I was thrust into this new universe, and I barely managed to get it up and running back then. Thankfully, since then, more applications and vendors are asking for or requiring it, and my monopoly on it right now enables me to steer the direction the university can take from here on. A dedicated resource on how to get it installed and enabled quickly and as painlessly as possible for future developers is my next goal. While I truly enjoy this moment, I do hope others learn it eventually so I’m not the choke point for any future projects.

As this post’s title suggests, it’s not nearly as out-of-the-box basic as its name suggests. This is in spite of the domain name of my primary source of knowledge: simplesamlphp.org. It’s only once you get past the heavy and sometimes ambiguous terminology that things really start to click into place. I’ve gone from taking a week to get a site up and running to 30 minutes or less (or it’s free; well, it’s open source, so it’s already free). I cannot speak for the Java or .NET communities for SAML, but the PHP one is well-documented and its main participants are quick to help out with problems. Sometimes the main site (linked above) suffers from English not being the founder’s primary language, but it’s not a show stopper by any means. Certainly, there are a lot of advanced techniques and options at your disposal, but documentation for them is a bit more scant, and for now I’ve resorted to using jQuery and Ajax to perform certain filtering tests that SAML could probably do natively, but I am unable to determine that at this time.

Looking back over these past 2 years, it was a riveting and jarring experience early on: being tasked with an entirely new platform performing highly critical functions AND handling sensitive data from our own university’s email system. It was a watershed moment for my career, and it’s only going to get crazier as time goes on.
