Blog Bling – Part 2 – Tag Cloud

Back in version 3.1, Apache Roller added support for tags. After Dave Levy blogged about tag clouds, I added one, based on his code:

```velocity
#set($mytags = $model.weblog.getPopularTags(-1, 100))
#foreach ($tag in $mytags)
#if ($tag.count > 2)
<a class="tag s${tag.intensity}" href="$url.tag($"
#end
#end
```

The code is quite simple – we create a set of popular tags, and, for each tag, if there are more than two blog entries with that tag, we create a link. The link’s class is s1, s2…s5 based on the number of entries with that tag (‘tag intensity’). The classes control the font size of the link:

```css
<style type="text/css">
.s1 {
.s2 {
.s3 {
.s4 {
.s5 {
</style>
```

That’s all there is to it. I can link to all entries for a given tag; there are even RSS feeds per tag. You can also combine tags to get an intersection. I’ve completely moved from categories to tags now – “It just works”.

Concordia Workshop June 26 2007

Well, I was going to type up my notes from the Project Concordia workshop yesterday, but it looks like the two Marks (Dixon and Wahl) comprehensively beat me to the punch. Much good stuff, particularly the GSA eAuthentication presentation, which detailed the issues involved in rolling out federation across the Federal Government. It was also refreshing to see folks from Microsoft and the OpenID and Liberty Alliance communities engaging most constructively. Seems like Concordia was appropriately named.

Basic Authorization with Sun Java System Access Manager

As I reported yesterday at The Aquarium, Robert Skoczylas of Indigo Consulting and Sun tech author Marina Sum just published Developing Secure Applications with Sun Java System Access Manager, Part 1: Basic Authorization at Sun Developer Network. This article, part 1 of a series, presents a case study of implementing authentication, single sign-on, and authorization at a fictional health-care insurance company.

There’s some really good stuff in there – Robert and Marina work from a high-level description of the problem right down to specific Access Manager customizations. In particular, the detailed description of customizing Access Manager’s policy framework is well worth the read for anyone working with, or evaluating, Sun Java System Access Manager.

It’s only a flesh wound!

The Burton Group’s Catalyst conference is always great value – insightful analysis from the Burton crew, customer case studies and last, but certainly not least, vendor hospitality suites. Our superstar marketeer Bianca Botello always does a fantastic job on Sun’s suite – last year’s theme was a superhero-filled Identity City; 2005 saw an Identity Mission into space. This year it’s ‘Monty Python and the Holy Grail’ – complete with our CEO, president and star blogger ‘King’ Jonathan Schwartz. Come and quaff ale at Sun’s hospitality suite in the Hilton San Francisco’s California Room on Thursday, June 28 from 6 to 9:30pm.

Sign up for a hospitality suite badge with promo code: hsgsun.

While we’re on the Holy Grail theme… It’s a little-known fact that my older brother, George Patterson, was an extra in Monty Python and the Holy Grail. A couple of years ago I bought the DVD and captured the relevant screens. Here’s George dancing in the wedding scene (he’s the tall guy with red hair), about to be slaughtered by John Cleese:

And a very cool close-up, post-slaughter:

A more recent pic:

As far as I know, George has had zero presence on the web. Until today 🙂

Web 2.0 Meets Directory

Friday lunchtime is my slot for catching up with podcasts. Today I listened to Trey, Don and Brandon discussing the OpenDS project and its Atom/LDAP offshoot – ‘Web 2.0 Meets Directory’. Good stuff and quite funny as they rib Trey a little over James Governor’s assessment of the Atom/LDAP mashup as “the coolest work at Sun Microsystems right now”. Of course, I would submit that OpenDS and Atom/LDAP are actually just a little way off being the coolest project at Sun. But then, I would, wouldn’t I?

Lost my Wikipedia Virginity

I was nosing about on Wikipedia the other day when I noticed a link to a page for Sun Java System Access Manager. The link went to the standard ‘editing’ page, so I decided to register at Wikipedia and create my first entry. Quite painless. The entry is a stub, and I’m not sure how much I can add without falling foul of Wikipedia’s policy on spam. As it stands, I think the stub is useful context, particularly as the link was already present in a couple of pages. I guess I’ll sit back and see if anyone posts a request for expansion.

Single Logout with SAML 2.0 and PHP

Back in February, Marina Sum and I co-wrote an article on the OpenSSO SAML 2.0 PHP Extension, or Lightbulb, as it was then known. The sequel to that article – Single Logout: A Demo just went live at Sun Developer Network: Marina and I provide an update on Project Lightbulb’s evolution into an OpenSSO Extension as well as a look at circles of trust and single logout in SAML 2.0. As before, we look at a simple example message flow, then delve down into the PHP code to see how it all works. Click here for the article.

SAML 2.0 HTTP-SimpleSign Support in OpenSSO SAML 2.0 PHP Extension

You might be aware of the SAML 2.0 HTTP-SimpleSign binding from blog posts by Jeff Hodges (co-author of the spec, with Scott Cantor) and George Fletcher. Put simply, HTTP-SimpleSign offers a simpler way to sign SAML 2.0 data: the XML and the other text parameters to be sent to the service provider are signed verbatim, with no canonicalization at all. It works quite neatly, since the XML is base64 encoded and sent from the identity provider to the service provider via browser POST, so there are no intermediaries who might benignly munge it about and cause signature verification to fail.

George’s report of AOL’s HTTP-SimpleSign implementation prompted me to go add it to OpenSSO’s SAML 2.0/PHP Extension (formerly known as ‘Lightbulb’). It took about an hour, all told, since the main difference from the traditional HTTP POST signature verification:

```php
function checkXMLSignature($token) {
    $objXMLSecDSig = new XMLSecurityDSig();
    $objXMLSecDSig->idKeys[] = 'ID';
    $objDSig = $objXMLSecDSig->locateSignature($token);
    /* Must check certificate fingerprint now - validateReference removes it */
    if ( ! validateCertFingerprint($token) ) {
        throw new Exception("Fingerprint Validation Failed");
    }
    /* Canonicalize the signed info - verify() below works on the canonical form */
    $objXMLSecDSig->canonicalizeSignedInfo();
    $retVal = NULL;
    if ($objDSig) {
        $retVal = $objXMLSecDSig->validateReference();
    }
    if (! $retVal) {
        throw new Exception("SAML Validation Failed");
    }
    $key = NULL;
    $objKey = $objXMLSecDSig->locateKey();
    if ($objKey) {
        if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig)) {
            /* Handle any additional key processing such as encrypted keys here */
        }
    }
    if (empty($objKey)) {
        throw new Exception("Error loading key to handle Signature");
    }
    return ($objXMLSecDSig->verify($objKey) == 1);
}
```

is to just verify the signature directly on the SAML XML text and other parameters:

```php
function checkSimpleSignature($params, $cert) {
    $rawSignature = $params['Signature'];
    $sigAlg = $params['SigAlg'];
    $samlResponse = base64_decode($params['SAMLResponse']);
    $signature = base64_decode($rawSignature);
    /* Only RSA-SHA1 is supported; reject any other algorithm before verifying */
    if (strcmp($sigAlg, XMLSecurityKey::RSA_SHA1) != 0) {
        throw new Exception("Signature algorithm " . $sigAlg . " is not supported");
    }
    /* RelayState is part of the signed data only when it was actually sent */
    if (isset($params['RelayState'])) {
        $relayState = $params['RelayState'];
        $signedData = "SAMLResponse=" . $samlResponse . "&RelayState=" . $relayState . "&SigAlg=" . $sigAlg;
    } else {
        $signedData = "SAMLResponse=" . $samlResponse . "&SigAlg=" . $sigAlg;
    }
    return (openssl_verify($signedData, $signature, $cert) == 1);
}
```

The difference in complexity may not look substantial, thanks to the excellent XML Signature support in Rob Richards’ XML Security library, but it’s a huge difference if you’re implementing from scratch.
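As an added example (my own, not the OpenSSO extension’s code), here is a minimal HTTP-SimpleSign round trip in PHP showing both sides: the IdP builds and signs the octet string, and the SP pins SigAlg, rebuilds the string verbatim from the POST parameters and verifies it. It assumes a throwaway RSA key pair generated inline in place of the IdP signing key and the SP’s stored IdP certificate, plus a constructed stub Response; the last check shows that a single whitespace change to the XML is enough to fail verification, since nothing is canonicalized.

```php
<?php
// Added example, not the extension's code; a throwaway RSA key pair stands in for the IdP key and the SP's stored IdP certificate.
const SIMPLESIGN_RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
/* The exact octets the binding signs: the decoded SAML message (the XML itself,
 * not its base64 form), RelayState only if one was sent, then SigAlg. */
function simpleSignData(string $param, string $xml, ?string $relayState, string $sigAlg): string {
    $data = $param . '=' . $xml;
    if ($relayState !== null && $relayState !== '') {
        $data .= '&RelayState=' . $relayState;
    }
    return $data . '&SigAlg=' . $sigAlg;
}

/* IdP side: sign the string and emit the POST parameters for the browser form. */
function idpSign(string $xml, ?string $relayState, $privKey): array {
    $sigAlg = SIMPLESIGN_RSA_SHA1;
    openssl_sign(simpleSignData('SAMLResponse', $xml, $relayState, $sigAlg),
                 $sig, $privKey, OPENSSL_ALGO_SHA1);
    $params = ['SAMLResponse' => base64_encode($xml),
               'SigAlg' => $sigAlg, 'Signature' => base64_encode($sig)];
    if ($relayState !== null) {
        $params['RelayState'] = $relayState;
    }
    return $params;
}

/* SP side: pin the algorithm before touching the signature, rebuild the string
 * from the received parameters verbatim, then verify with the IdP public key. */
function spVerify(array $params, $pubKey): bool {
    if (($params['SigAlg'] ?? '') !== SIMPLESIGN_RSA_SHA1) {
        throw new Exception('Unsupported SigAlg: ' . ($params['SigAlg'] ?? '(none)'));
    }
    $xml = base64_decode($params['SAMLResponse'] ?? '', true);
    $sig = base64_decode($params['Signature'] ?? '', true);
    if ($xml === false || $sig === false) {
        return false;
    }
    $data = simpleSignData('SAMLResponse', $xml, $params['RelayState'] ?? null, $params['SigAlg']);
    return openssl_verify($data, $sig, $pubKey, OPENSSL_ALGO_SHA1) === 1;
}
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub  = openssl_pkey_get_public(openssl_pkey_get_details($priv)['key']);
// Constructed stub message; a real Response carries status and assertions.
$xml  = '<samlp:Response ID="_r1" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>';
$post = idpSign($xml, 'https://sp.example/app', $priv);
echo 'as sent: ', spVerify($post, $pub) ? 'valid' : 'INVALID', PHP_EOL;
// Re-indenting the XML in transit is enough to break it: nothing is canonicalized.
$post['SAMLResponse'] = base64_encode(str_replace('/>', ' />', $xml));
echo 'reformatted: ', spVerify($post, $pub) ? 'valid' : 'INVALID', PHP_EOL;
```

The same `simpleSignData` builder serves an AuthnRequest by passing `'SAMLRequest'` as the first argument, which is the only place the parameter name enters the signed string.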

I’ve done some informal testing and everything seems to check out. If you are working with HTTP-SimpleSign on the IdP end, please do grab the SAML2.0/PHP code, check it against your implementation and report back.