syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francesco Chicchiriccò <>
Subject Re: [DISCUSS] SAML 2.0 Service Provider feature
Date Thu, 30 Mar 2017 12:30:28 GMT
On 30/03/2017 11:42, Colm O hEigeartaigh wrote:
> Hi Francesco,
> Good work!

Thanks sir :-)

> A few questions for you:
> a) Is there any documentation available on how to set this up for a Syncope
> deployment? I'll give it a try once there is.

There is something in the (updated) reference guide:

Essentially, you need to download the IdP metadata into one XML file, 
then go into Admin Console > Extensions > SAML 2.0 and import.

Then, edit the created IdP entry to set the appropriate mapping; I have 
been using:

* username -> uid for TestShib
* email -> EmailAddress for SSO Circle

Now download SP metadata from the second tab from the same page: please 
be aware to access the Syncope deployment with some FQDN and localhost, 
so that metadata URLs are generated accordingly.

SP metadata for Admin Console is also downloadable from

Once downloaded, import such SP metadata into your SAML IdP.

Then edit one of the users so that the mapping above is verified; I did 
it by:

* setting username to 'myself' for TestShib (the test user available there)
* setting email value to the one for the user I created at SSO circle

Finally, log out from Admin Console: a new combo box is shown at the 
bottom of the login screen, from which you can choose one of configured 
IdPs: by selecting one, the SAML SSO process is triggered and - if all 
goes well - you will end up by logging into the Admin Console as the 
user authenticated via SAML.

The same feature is available for Enduser UI, but requires to download  
/ import into IdP some slightly different metadata:

> b) Does the code support both the "RP" and "IdP" initiated flows? Both
> would be useful, although we could always add the other at a later stage if
> not.

At the moment only SP-initiated is supported.

> c) I see CXF's SAMLProtocolResponseValidator in the code but not the
> SAMLSSOResponseValidator. The SAMLSSOResponseValidator takes are of
> validating the SAML Response against the web SSO profile, or are you doing
> this manually somewhere?

Exactly: most of checks performed by SAMLSSOResponsevalidator are done 
through SAML2SPLogic methods.

> d) There are some TransformerFactory instances that need to have the secure
> processing feature enabled.

"some"? There should be only one, actually: please suggest the 
modifications and I'll push a commit for that.
Thanks for reporting!


> On Tue, Mar 28, 2017 at 3:41 PM, Francesco Chicchiriccò <>
>> Hi all,
>> I have just submitted the PR #45 containing my work for SYNCOPE-1041: it
>> basically introduces a new extension which allows to:
>> 1. import IdP metadata and configure mapping to match internal users (also
>> via admin console)
>> 2. export SP metadata
>> 3. enable Admin Console and Enduser to perform SAML-based SSO
>> I have tested the feature with both
>> and
>> Please note that, as kindly suggested by Colm and Sergey, I did not
>> re-implement the SAML assertion validation, but I did re-use
>> cxf-rt-rs-security-sso-saml.
>> At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should
>> be close enough.
>> Please let me have your feedback.
>> Regards.
>> On 07/03/2017 17:25, Francesco Chicchiriccò wrote:
>>> On 07/03/2017 17:19, Colm O hEigeartaigh wrote:
>>>> Hi Francesco,
>>>> It's good to see support for SAML coming to Syncope. I'd encourage you to
>>>> re-use the functionality developed in CXF to validate the SAML Response
>>>> from the IdP:
>>>> /saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAML
>>>> /saml/src/main/java/org/apache/cxf/rs/security/saml/sso/
>>>> I spent a lot of time reading the specs and making sure the validation
>>>> rules were all followed :-)
>>> That's very nice, thanks for the pointers!
>>> Regards.
>>> On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò <
>>>>> wrote:
>>>>> On 07/03/2017 11:56, Sergey Beryozkin wrote:
>>>>> Hi Francesco
>>>>>> Not sure if it can be relevant for this work but at the CXF level
>>>>>> have
>>>>>> this SAML SP support:
>>>>>> something Colm and myself worked upon earlier on.
>>>>>> Thanks for the pointer, Sergey: I did already find it, though.
>>>>> This does not completely fit in our scenario since here the idea is to
>>>>> split the responsibilities in two: from one side the front-end
>>>>> web-fragment
>>>>> takes care of the SAML exchange, from the other side the Syncope core
>>>>> (e.g.
>>>>> the CXF application) works as back-end for the effective SAML assertion
>>>>> validation and generation.
>>>>> I'll look at the provided page and related implementation, anyway, thank
>>>>> you very much indeed.
>>>>> FYI, this class
>>>>> n/src/main/java/org/apache/wss4j/common/saml/
>>>>> has been already extremely useful to me, since OpenSAML 3 documentation
>>>>> is
>>>>> practically absent.
>>>>> Regards.
>>>>> On 07/03/17 10:49, Francesco Chicchiriccò wrote:
>>>>>> Hi all,
>>>>>>> I have made a proposal at [1] and opened SYNCOPE-1041 for the
>>>>>>> I am already working on it, and it should be ready on time for
>>>>>>> 2.0.3.
>>>>>>> The idea is to embed the whole implementation in a PR, with option
>>>>>>> further discussing before merge.
>>>>>>> Also, I would like to include, in the 2.0.3 release notes, a
>>>>>>> "thank you" statement to the University of Helsinki similar to
the one
>>>>>>> we made for 1.1.0 [2].
>>>>>>> WDYT?
>>>>>>> Regards.
>>>>>>> [1]
>>>>>>> SS%5D+SAML+2.0+Service+Provider+feature
>>>>>>> [2]
>>>>>>> um#Adlibitum-1.1.0(April5th,2013)

View raw message