Downloads
Dependencies: To compile ZXID you need:
Platforms:
ZXID is developed on ix86 Linux with POSIX as a goal; any modern system should work. You will need GNU make. I use gcc-3.4.6 as a compiler, so others (such as gcc-4) may need minor tweaking.
ZXID has joined the OpenLiberty.org open source initiative
ZXID source code is available from OpenLiberty area in SourceForge
ZXID.org will stay up as an alternate source code distribution point
The ZXID project currently (April 2008) has six outputs
A C library for supporting SAML 2.0, including federated Single Sign-On (SSO)
A C program that implements a SAML Service Provider (SP) as a CGI script
A Perl module wrapping libzxid. Also supplied: zxid.pl that implements SP in mod_perl environment.
A PHP extension that wraps libzxid. Also supplied: zxid.php that implements SP in mod_php environment.
A Java JNI extension that wraps libzxid. Also supplied: zxid.java that implements SP as a CGI script. zxidhlo.java demonstrates use under servlet engine, e.g. Tomcat.
An Apache httpd auth module that does SAML SSO. No programmatic integration required, just alter your Apache httpd.conf
You need this if you are
You want to enable SAML based Single Sign-On (SSO) on your web site. In this case you would use the zxid SP CGI script directly, configuring it only slightly, or you can go the zxid_simple() route. Otherwise you can hint to your PHP or perl developer that this functionality is available and you want it.
You can use the Net::SAML module to integrate SSO into your application and web site. Given the direct perl support, this is easier than fully understanding the C interface. Both mod_perl and perl as CGI are supported.
You can use dl("php_zxid.so") to load the module and access the high level functionality, such as SAML 2.0 SSO. We support functionality roughly equivalent to perl Net::SAML. The PHP module is fully ready to use for SSO, but we expect to add a lot more, such as WSC, in future. Both mod_php5 and php as CGI are supported. php4 should also work.
You can use System.loadLibrary("zxidjni") to pull the full power of ZXID into your Java program. The functionality supported is roughly equal to Net::SAML.
You want to integrate SAML based SSO to your web site tool or product so that your customers can enjoy SSO enabled web sites. In this case you would study zxid.c for examples and use libzxid.a to implement the functionality in your own program.
You need some building blocks: you will study libzxid and add to it, contributing to the project.
ZXID Project has vastly more ambitious goals. See the ZXID Project chapter in documentation (PDF).
Conor Cahill of Intel (formerly AOL) said back in 2006:
IMNSHO, better go Liberty up front and have the confidence that you do not need to upgrade later - or run two parallel systems. The Liberty (or SAML 2.0) system is comprehensive and addresses every use case anyone has thought of so far. The perceived complexity is really an implementation issue and not an underlying property of the spec. Since we provide an implementation, the "complexity" is not a customer problem.
In this space we host links to IdPs that work with ZXID and to ZXID test sites you can use to get a feel for yourself. There is no guarantee that these sites stay up:
Freely downloadable IdPs you can install and test against
Lasso: http://lasso.entrouvert.org/
ZXID aims at a full stack implementation of all federated identity management and identity web services protocols. The initial goal is supporting the SP role, followed by the ID-WSF WSC and IdP roles. We aim at supporting the US GSA E-Auth profile.
ZXID is lightweight, has a small footprint, and is implemented in C. It is suitable for both high performance and embedded applications. Scripting languages are supported using SWIG, including Perl, PHP and Java. The "full stack" nature of ZXID means it is self-contained and has minimal external library dependencies (see downloads).
Targeted Federated Identity Standards
SAML 2.0 (SP role 99% done)
SAML 1.1 (Assertion Consumer role 60% done)
Liberty ID-FF 1.2 (SP role 62% done)
WS-Federation 1.0 Basic Profile (Assertion Consumer role 40% done)
Targeted ID Web Services Standards
Liberty ID-WSF 2.0 (95% done)
Liberty ID-WSF 1.1 (40% done)
ZXID consists of C libraries. Some of these libraries are generated from schema grammar descriptions using a tool called xsd2sg.pl, part of Plaindoc distribution. Other libraries that express flows and processing rules are hand-written. The language bindings, other than C, are generated automatically using swig(1).
Beta. As of 0.25 (April 2008) the package is mature for doing SSO and other SP related tasks. It also supports perl and mod_perl by way of Net::SAML module, PHP5 (and php4) using php_zxid.so, as well as Java using libzxidjni.so. However it is still missing some essential functionality (e.g. signature generation).
mod_auth_saml and the WSC and WSP roles are still alpha grade.
So far we have
General SAML 2.0 encoding and decoding of messages in C
Net::SAML perl module that gives access to the C functionality
php_zxid.so extension for php5 (and php4) roughly equal to Net::SAML
libzxidjni.so extension for Java roughly equal to Net::SAML
SAML 2.0 metadata handling and support for well known location method
Specific logic for Single Sign-On and Federation using artifact and post profiles
Single logout, defederation, and NameID management
Some session management and ability to handle discovery bootstrap
SP role as a CGI written in C
SP role written in perl that works both in mod_perl and as a CGI
SP role written in php that works under apache mod_php5 (and possibly php4).
SP role written in Java
SP role written in shell script
SP role as Apache httpd auth module
Command line WSC testing tool
Discovery WSC role in C
ID-DAP WSC role in C
ID-HR-XML WSC and WSP
Encoders and decoders for
SAML 2.0 (most mature)
SAML 1.1
Liberty ID-FF 1.2
Liberty ID-WSF 1.1
Liberty ID-WSF 2.0
IdP, DS, and WSP functionality are slated for later (unless a volunteer steps forward).
Currently most documentation is maintained as an extensive README.zxid (PDF) file. This file details compilation, installing, configuring, and use. It is also distributed as part of the source code package.
I also encourage you to read the source, especially headers. Starting from c/zx-sa-data.h, zxid.h, zxid.c, and zxidsimp.c will be most instructive.
All the specifications supported by ZXID are freely available on the net. Try
Liberty Alliance: http://projectliberty.org/liberty/specifications__1
W3C
Mail the author until we get the list set up. Or volunteer a list :-)
Mail the author until we get bug tracking set up. Or volunteer.
We use CVS, but access needs to be manually configured and is not anonymous. If you contribute significantly, I will bother. Others can send patches (a good way to show you are worthy of CVS access) to me. I've heard some mixed experiences about open source sites like sourceforge. If you run such a site and want to host the ZXID Project, please contact me.
If you just always want the latest source: get the tar ball from the downloads section. Trust me, this is still so much in flux that only the tar ball snapshots are in any usable state. CVS access just to get the latest source would be pointless.
The following companies provide consultancy and support contracts for ZXID:
zxid-0.25.tgz (17.4.2008, SAML POST-SimpleSign binding, mod_auth_saml)
zxid-0.22.tgz (11.10.2007, Added log levels 1 and 2, Fixed Destination handling; Ensured preservation of whitespace in XML parsing and exc-xml-canon; Fixed alphabetization of attributes in exc-xml-canon; Added signing ArtifactResolve, Logout and MNI requests over SOAP; Improved handling of empty ns prefix for XML attributes; Print source IP to logs)
zxid-0.21.tgz (8.10.2007, bug fixes: Content-type header, SWIG related build problem for Net::SAML on RedHat, added cygwin target, fixed InclusiveNamespaces/@PrefixList)
zxid-0.20.tgz (1.10.2007, working towards GSA E-Auth requirements, EncryptedAssertions, EncryptedIDs, bug fixes)
zxid-0.19.tgz (11.8.2007, minor bug fixes, documentation)
zxid-0.18.tgz (17.7.2007, ID-HR-XML, WSF bug fixes)
zxid-0.17.tgz (6.3.2007, WSC development, bug fixes) This is a very stable release.
zxid-0.16.tgz (4.3.2007, WSC development, bug fixes)
zxid-0.15.tgz (23.2.2007, Tomcat bug fixes)
zxid-0.14.tgz (21.2.2007, Tomcat tutorial)
zxid-0.13.tgz (20.2.2007, clean up Java interface, Mac compile, bug fixes)
zxid-0.12.tgz (10.2.2007, WSF bootstrap handling, rework of session system, bug fixes)
zxid-0.11.tgz (1.2.2007, MinGW DLL fixes)
zxid-0.10.tgz (31.1.2007, MinGW DLL production works)
zxid-0.9.tgz (26.1.2007, fixed compilation, preliminary Windows support using MinGW)
zxid-0.8.tgz (16.1.2007, zxid_simple() API, logging, conf file, more signature support, JNI support)
zxid-0.7.tgz (15.10.2006, with digital signatures, improved PHP, mod_php, and mod_perl support)
zxid-0.6.tgz (18.9.2006, with PHP support, including mod_php)
zxid-0.5.tgz (15.9.2006, with encoders and decoders for ID-WSF and ID-FF)
zxid-0.4.tgz (4.9.2006, with mod_perl/Net::SAML SP)
zxid-0.3.tgz (first fully functional release)
Historic: zxid-0.2.tgz, zxid-0.1.tgz
Another directory where ZXID is featured: linuxlinks
http://www.freshports.org/security/zxid/
Copyright (c) 2006-2008 Symlabs (symlabs@symlabs.com), All Rights Reserved. Author: Sampo Kellomäki (sampo@iki.fi)
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
While the source distribution of ZXID does not contain SSLeay or OpenSSL code, if you use this code you will use OpenSSL library. Please give Eric Young and OpenSSL team credit (as required by their licenses).
And remember, you, and nobody else but you, are responsible for auditing ZXID and OpenSSL library for security problems, backdoors, and general suitability for your application.