Forwarding and bindingedit
Although the number of supported profiles is quite large, the Profiles specification SAMLProf  is simplified since the binding aspects of each profile have been factored out into a separate Bindings specification SAMLBind . The service provider has four bindings from which to choose while the identity provider has three, which leads to twelve 12 possible deployment scenarios.
We outline three of those deployment scenarios below. This is one of the most common scenarios. The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2—7. The service provider may use any kind of mechanism to discover the identity provider that will be used, e.
The RelayState token is an opaque reference to state information maintained at the service provider. Typically, however, this is not necessary. If the user does not have a valid security context, the identity provider identifies the user with any mechanism details omitted. The assertion consumer service processes the response, creates a security context at the service provider and redirects the user agent to the target resource. If the user does not have a valid security context, the identity provider identifies the user details omitted.
If a valid security context at the service provider already exists, skip steps 2— The service provider redirects the user agent to the single sign-on SSO service at the identity provider. The SSO service at the identity provider redirects the user agent to the assertion consumer service at the service provider.
In this example, the domain example. The Common Domain Cookie is a secure browser cookie scoped to the common domain. For each browser user, this cookie stores a history list of recently visited IdPs. This service appends the IdP's unique identifier to the common domain cookie.
The SP, when it receives an unauthenticated request for a protected resource, requests the Common Domain Cookie Reading Service to discover the browser user's most recently used IdP.
Often a requester, acting on behalf of the principal, queries an identity provider for attributes. Below we give an example of a query issued by a principal directly:. Note that the Issuer is the Subject in this case. This is sometimes called an attribute self-query. In contrast to the BearerAssertion shown earlier, this assertion has a longer lifetime corresponding to the lifetime of the X. Moreover, since the assertion is signed, the user can push this assertion to a relying party, and as long as the user can prove possession of the corresponding private key hence the name "holder-of-key" , the relying party can be assured that the assertion is authentic.
Quite literally, metadata is what makes SAML work or work well. Let's look at some important uses of metadata:. Metadata ensures a secure transaction between an identity provider and a service provider. Before metadata, trust information was encoded into the implementation in a proprietary manner. Now the sharing of trust information is facilitated by standard metadata. The previous metadata element describes the SSO service at the identity provider.
Note the following details about this element:. As noted at the beginning of this section, the values of the Location attributes are used by a service provider to route SAML messages, which minimizes the possibility of a rogue identity provider orchestrating a man-in-the-middle attack. As noted at the beginning of this section, the values of the Location attributes are used by an identity provider to route SAML messages, which minimizes the possibility of a rogue service provider orchestrating a man-in-the-middle attack.
Typically metadata aggregates are published by trusted third parties called federations who vouch for the integrity of all the metadata in the aggregate. Note that metadata aggregates can be very large, composed of hundreds or even thousands of entities per aggregate. From Wikipedia, the free encyclopedia.
This section may require cleanup to meet Wikipedia's quality standards. No cleanup reason has been specified. The Optional header includes lots and lots of information that can be used to pick apart the file structure, and obtain some useful information about it.
This wikibook separates them out for convenience. Immediately after the PE Optional Header we find a section table. Each structure is 40 bytes in length.
Pictured below is a hex dump from a program I am writing depicting the section table:. A PE loader will place the sections of the executable image at the locations specified by these section descriptors relative to the base address and usually the alignment is 0x, which matches the size of pages on the x Whenever a developer writes a program, there are a number of subroutines and functions which are expected to be implemented already, saving the writer the hassle of having to write out more code or work with complex data structures.
Instead, the coder need only declare one call to the subroutine, and the linker will decide what happens next. There are two types of linking that can be used: Static uses a library of precompiled functions. This precompiled code can be inserted into the final executable to implement a function, saving the programmer a lot of time.
In contrast, dynamic linking allows subroutine code to reside in a different file or module , which is loaded at runtime by the operating system.
This is also known as a "Dynamically linked library", or DLL. A library is a module containing a series of functions or values that can be exported. This is different from the term executable , which imports things from libraries to do what it wants. From here on, "module" means any file of PE format, and a "Library" is any module which exports and imports functions and values. This section discusses how this is achieved using the PE file format. An important point to note at this point is that anything can be imported or exported between modules, including variables as well as subroutines.
The downside of dynamically linking modules together is that, at runtime, the software which is initialising an executable must link these modules together. For various reasons, you cannot declare that "The function in this dynamic library will always exist in memory here ". If that memory address is unavailable or the library is updated, the function will no longer exist there, and the application trying to use it will break.
Instead, each module library or executable must declare what functions or values it exports to other modules, and also what it wishes to import from other modules. As said above, a module cannot declare where in memory it expects a function or value to be. Instead, it declares where in its own memory it expects to find a pointer to the value it wishes to import. This permits the module to address any imported value, wherever it turns up in memory. Exports are functions and values in one module that have been declared to be shared with other modules.
This is done through the use of the "Export Directory", which is used to translate between the name of an export or "Ordinal", see below , and a location in memory where the code or data can be found. All export data must exist in the same section. The directory is headed by the following structure:. The "Characteristics" value is generally unused, TimeDateStamp describes the time the export directory was generated, MajorVersion and MinorVersion should describe the version details of the directory, but their nature is undefined.
These values have little or no impact on the actual exports themselves. Each exported value has both a name and an "ordinal" a kind of index. The actual exports themselves are described through AddressOfFunctions, which is an RVA to an array of RVAs, each pointing to a different function or value to be exported.
The size of this array is in the value NumberOfFunctions. Each of these functions has an ordinal. This is also of size NumberOfNames, but each value is a 16 bit word, each value being an ordinal. These two arrays are parallel and are used to get an export value from AddressOfFunctions. To find an export by name, search the AddressOfNames array for the correct string and then take the corresponding value from the AddressOfNameOrdinals array.
This value is then used as index to AddressOfFunctions yes, it's 0-based index actually, NOT base-biased ordinal, as the official documentation suggests! As well as being able to export functions and values in a module, the export directory can forward an export to another library.
This allows more flexibility when re-organising libraries: If so, an export can be forwarded to that library, instead of messy reorganising inside the original module.
Forwarding is achieved by making an RVA in the AddressOfFunctions array point into the section which contains the export directory, something that normal exports should not do. ExportName" for the appropriate place to forward this export to. The other half of dynamic linking is importing functions and values into an executable or other module.
Before runtime, compilers and linkers do not know where in memory a value that needs to be imported could exist. The import table solves this by creating an array of pointers at runtime, each one pointing to the memory location of an imported value.
This array of pointers exists inside of the module at a defined RVA location. In this way, the linker can use addresses inside of the module to access values outside of it. Each of these identify a library or module that has a value we need to import.
The array continues until an entry where all the values are zero. The structure is as follows:. The TimeDateStamp is relevant to the act of "Binding", see below. ForwarderChain will be explained later. The arrays are terminated with an entry that is equal to zero. These two arrays are parallel and point to the same structure, in the same order. The reason for this will become apparent shortly.
This is used when looking up a value in the export directory see above through the AddressOfNames array. The "Hint" value is an index into the AddressOfNames array; to save searching for a string, the loader first checks the AddressOfNames entry corresponding to "Hint".
These descriptors identify a library to import things from. Using the above import directory at runtime, the loader finds the appropriate modules, loads them into memory, and seeks the correct export. However, to be able to use the export, a pointer to it must be stored somewhere in the importing module's memory.
Once an imported value has been resolved, the pointer to it is stored in the FirstThunk array. It can then be used at runtime to address imported values. The PE file format also supports a peculiar feature known as "binding". The process of loading and resolving import addresses can be time consuming, and in some situations this is to be avoided. If a developer is fairly certain that a library is not going to be updated or changed, then the addresses in memory of imported values will not change each time the application is loaded.
So, the import address can be precomputed and stored in the FirstThunk array before runtime, allowing the loader to skip resolving the imports - the imports are "bound" to a particular memory location.
However, if the versions numbers between modules do not match, or the imported library needs to be relocated, the loader will assume the bound addresses are invalid, and resolve the imports anyway. The "TimeDateStamp" member of the import directory entry for a module controls binding; if it is set to zero, then the import directory is not bound.
If it is non-zero, then it is bound to another module. However, the TimeDateStamp in the import table must match the TimeDateStamp in the bound module's FileHeader, otherwise the bound values will be discarded by the loader. In these cases, the non-forwarded imports can be bound, but the values which get forwarded must be identified so the loader can resolve them. This is done through the ForwarderChain member of the import descriptor.
This continues until the FirstThunk value is -1, indicating no more forwarded values to import. Resources are data items in modules which are difficult to be stored or described using the chosen programming language. This requires a separate compiler or resource builder, allowing insertion of dialog boxes, icons, menus, images, and other types of resources, including arbitrary binary data.
The first thing we need to do when we want to manually manipulate a file's resources is to find the resource section. To do this we need some information found in the DataDirectory array and the Section Table.