syncope-dev mailing list archives

From Francesco Chicchiriccò <ilgro...@apache.org>
Subject Re: [DISCUSS] SAML 2.0 Service Provider feature
Date Thu, 30 Mar 2017 12:30:28 GMT
On 30/03/2017 11:42, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
> Good work!

Thanks sir :-)

> A few questions for you:
>
> a) Is there any documentation available on how to set this up for a Syncope
> deployment? I'll give it a try once there is.

There is something in the (updated) reference guide:

https://github.com/Tirasa/syncopeSAML2SP/blob/SYNCOPE-1041/src/main/asciidoc/reference-guide/concepts/extensions.adoc#saml-20-service-provider

Essentially, you need to download the IdP metadata into one XML file, 
then go into Admin Console > Extensions > SAML 2.0 and import.

Then, edit the created IdP entry to set the appropriate mapping; I have 
been using:

* username -> uid for TestShib
* email -> EmailAddress for SSO Circle

Now download SP metadata from the second tab from the same page: please 
be aware to access the Syncope deployment with some FQDN and localhost, 
so that metadata URLs are generated accordingly.

SP metadata for Admin Console is also downloadable from

http://your.host.name:9080/syncope-console/saml2sp/metadata

Once downloaded, import such SP metadata into your SAML IdP.

Then edit one of the users so that the mapping above is verified; I did 
it by:

* setting username to 'myself' for TestShib (the test user available there)
* setting email value to the one for the user I created at SSO circle

Finally, log out from Admin Console: a new combo box is shown at the 
bottom of the login screen, from which you can choose one of configured 
IdPs: by selecting one, the SAML SSO process is triggered and - if all 
goes well - you will end up by logging into the Admin Console as the 
user authenticated via SAML.

The same feature is available for the Enduser UI, but requires downloading
/ importing into the IdP slightly different metadata:

http://your.host.name:9080/syncope-enduser/saml2sp/metadata

> b) Does the code support both the "RP" and "IdP" initiated flows? Both
> would be useful, although we could always add the other at a later stage if
> not.

At the moment only SP-initiated is supported.

> c) I see CXF's SAMLProtocolResponseValidator in the code but not the
> SAMLSSOResponseValidator. The SAMLSSOResponseValidator takes care of
> validating the SAML Response against the web SSO profile, or are you doing
> this manually somewhere?

Exactly: most of the checks performed by SAMLSSOResponseValidator are done 
through SAML2SPLogic methods.

> d) There are some TransformerFactory instances that need to have the secure
> processing feature enabled.

"some"? There should be only one, actually: please suggest the 
modifications and I'll push a commit for that.
Thanks for reporting!

Regards.

> On Tue, Mar 28, 2017 at 3:41 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:
>> Hi all,
>> I have just submitted the PR #45 containing my work for SYNCOPE-1041: it
>> basically introduces a new extension which allows to:
>>
>> 1. import IdP metadata and configure mapping to match internal users (also
>> via admin console)
>> 2. export SP metadata
>> 3. enable Admin Console and Enduser to perform SAML-based SSO
>>
>> I have tested the feature with both
>>
>>   https://www.testshib.org/
>>
>> and
>>
>> http://www.ssocircle.com/en/
>>
>> Please note that, as kindly suggested by Colm and Sergey, I did not
>> re-implement the SAML assertion validation, but I did re-use
>> cxf-rt-rs-security-sso-saml.
>> At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should
>> be close enough.
>>
>> Please let me have your feedback.
>> Regards.
>>
>> On 07/03/2017 17:25, Francesco Chicchiriccò wrote:
>>
>>> On 07/03/2017 17:19, Colm O hEigeartaigh wrote:
>>>
>>>> Hi Francesco,
>>>>
>>>> It's good to see support for SAML coming to Syncope. I'd encourage you to
>>>> re-use the functionality developed in CXF to validate the SAML Response
>>>> from the IdP:
>>>>
>>>> https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
>>>> https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
>>>>
>>>> I spent a lot of time reading the specs and making sure the validation
>>>> rules were all followed :-)
>>>>
>>> That's very nice, thanks for the pointers!
>>> Regards.
>>>
>>>> On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:
>>>>
>>>>> On 07/03/2017 11:56, Sergey Beryozkin wrote:
>>>>>
>>>>>> Hi Francesco
>>>>>> Not sure if it can be relevant for this work but at the CXF level we have
>>>>>> this SAML SP support:
>>>>>>
>>>>>> http://cxf.apache.org/docs/saml-web-sso.html,
>>>>>>
>>>>>> something Colm and myself worked upon earlier on.
>>>>>
>>>>> Thanks for the pointer, Sergey: I did already find it, though.
>>>>> This does not completely fit in our scenario since here the idea is to
>>>>> split the responsibilities in two: from one side the front-end web-fragment
>>>>> takes care of the SAML exchange, from the other side the Syncope core (e.g.
>>>>> the CXF application) works as back-end for the effective SAML assertion
>>>>> validation and generation.
>>>>>
>>>>> I'll look at the provided page and related implementation, anyway, thank
>>>>> you very much indeed.
>>>>>
>>>>> FYI, this class
>>>>>
>>>>> https://github.com/apache/wss4j/blob/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java
>>>>>
>>>>> has been already extremely useful to me, since OpenSAML 3 documentation is
>>>>> practically absent.
>>>>>
>>>>> Regards.
>>>>>
>>>>>> On 07/03/17 10:49, Francesco Chicchiriccò wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>> I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose.
>>>>>>>
>>>>>>> I am already working on it, and it should be ready on time for Syncope
>>>>>>> 2.0.3.
>>>>>>>
>>>>>>> The idea is to embed the whole implementation in a PR, with option of
>>>>>>> further discussing before merge.
>>>>>>>
>>>>>>> Also, I would like to include, in the 2.0.3 release notes, a public
>>>>>>> "thank you" statement to the University of Helsinki similar to the one
>>>>>>> we made for 1.1.0 [2].
>>>>>>>
>>>>>>> WDYT?
>>>>>>> Regards.
>>>>>>>
>>>>>>> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature
>>>>>>> [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013)
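Two points in the thread above are worth seeing in code: Colm's remark that the TransformerFactory instances need the secure processing feature enabled (d), and his question about which Web Browser SSO profile checks a Response must pass beyond what SAMLProtocolResponseValidator does (c). The block below is an added example written for this page, not code from Syncope, CXF or WSS4J, and not a replacement for SAMLSSOResponseValidator: it shows the weak versus hardened JAXP factory settings, then runs the profile checks (Destination, InResponseTo, Status, Issuer, bearer SubjectConfirmation, Conditions window, AudienceRestriction) over a constructed Response. It deliberately does not verify the XML signature, which in the thread's design is left to the CXF/WSS4J validator. The hostnames, the assertion-consumer path and the IdP/SP entityIDs are placeholders; the real Syncope endpoint paths are not given on this page apart from the metadata URLs.

```java
import java.io.ByteArrayInputStream;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example, not Syncope or CXF code: hardened JAXP factories plus Web Browser SSO profile checks. */
public class SamlResponseChecks {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    static final String BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** A bare TransformerFactory.newInstance() is the weak form; this is the secure-processing form. */
    static TransformerFactory secureTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");         // no external DTD fetches
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");  // no external xsl:include/import
        return tf;
    }

    /** Parser for the inbound Response: namespace-aware, DTDs refused (blocks XXE and entity expansion). */
    static DocumentBuilderFactory secureDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf;
    }

    /** Profile checks a signature-verified Response must still pass (the signature itself is NOT checked here). */
    static List<String> validateWebSsoProfile(Document doc, String idpEntityId, String spEntityId,
            String acsUrl, String requestId, Instant now) {
        List<String> errors = new ArrayList<>();
        Element response = doc.getDocumentElement();
        if (!acsUrl.equals(response.getAttribute("Destination"))) errors.add("Destination != our ACS URL");
        if (!requestId.equals(response.getAttribute("InResponseTo"))) errors.add("InResponseTo != our AuthnRequest");
        NodeList status = response.getElementsByTagNameNS(SAMLP, "StatusCode");
        if (status.getLength() == 0 || !SUCCESS.equals(((Element) status.item(0)).getAttribute("Value")))
            errors.add("StatusCode != Success");
        if (!idpEntityId.equals(text(child(response, SAML, "Issuer")))) errors.add("Response Issuer != IdP");
        NodeList assertions = response.getElementsByTagNameNS(SAML, "Assertion");
        if (assertions.getLength() != 1) { errors.add("expected exactly one Assertion"); return errors; }
        Element assertion = (Element) assertions.item(0);
        if (!idpEntityId.equals(text(child(assertion, SAML, "Issuer")))) errors.add("Assertion Issuer != IdP");
        // the bearer confirmation must be addressed to us, tied to our request, and still inside its window
        boolean bearer = false;
        NodeList scs = assertion.getElementsByTagNameNS(SAML, "SubjectConfirmation");
        for (int i = 0; i < scs.getLength(); i++) {
            Element sc = (Element) scs.item(i), data = child(sc, SAML, "SubjectConfirmationData");
            bearer |= BEARER.equals(sc.getAttribute("Method")) && data != null
                    && acsUrl.equals(data.getAttribute("Recipient")) && requestId.equals(data.getAttribute("InResponseTo"))
                    && data.hasAttribute("NotOnOrAfter") && now.isBefore(Instant.parse(data.getAttribute("NotOnOrAfter")));
        }
        if (!bearer) errors.add("no usable bearer SubjectConfirmation");
        Element cond = child(assertion, SAML, "Conditions");
        if (cond == null) { errors.add("Conditions missing"); return errors; }
        if (cond.hasAttribute("NotBefore") && now.isBefore(Instant.parse(cond.getAttribute("NotBefore"))))
            errors.add("assertion not yet valid");
        if (cond.hasAttribute("NotOnOrAfter") && !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter"))))
            errors.add("assertion expired");
        boolean audience = false;
        NodeList auds = cond.getElementsByTagNameNS(SAML, "Audience");
        for (int i = 0; i < auds.getLength(); i++) audience |= spEntityId.equals(text((Element) auds.item(i)));
        if (!audience) errors.add("AudienceRestriction does not name our SP entityID");
        return errors;
    }

    /** Direct-child lookup, so a nested element (e.g. the Assertion's Issuer) cannot stand in for the parent's. */
    static Element child(Element parent, String ns, String local) {
        NodeList nl = parent.getElementsByTagNameNS(ns, local);
        for (int i = 0; i < nl.getLength(); i++) if (nl.item(i).getParentNode() == parent) return (Element) nl.item(i);
        return null;
    }

    static String text(Element e) { return e == null ? null : e.getTextContent().trim(); }

    public static void main(String[] args) throws Exception {
        // constructed sample Response; hosts, paths and entityIDs are placeholders, not taken from any real IdP
        String acs = "https://sp.example.org/syncope-console/saml2sp/assertion-consumer";
        String sp = "https://sp.example.org/syncope-console", idp = "https://idp.example.org/idp/shibboleth";
        String xml = "<samlp:Response xmlns:samlp='" + SAMLP + "' xmlns:saml='" + SAML + "' ID='_r1' Version='2.0'"
                + " IssueInstant='2017-03-30T12:30:00Z' Destination='" + acs + "' InResponseTo='_req1'>"
                + "<saml:Issuer>" + idp + "</saml:Issuer><samlp:Status><samlp:StatusCode Value='" + SUCCESS + "'/></samlp:Status>"
                + "<saml:Assertion ID='_a1' Version='2.0' IssueInstant='2017-03-30T12:30:00Z'><saml:Issuer>" + idp + "</saml:Issuer>"
                + "<saml:Subject><saml:NameID>myself</saml:NameID><saml:SubjectConfirmation Method='" + BEARER + "'>"
                + "<saml:SubjectConfirmationData Recipient='" + acs + "' InResponseTo='_req1' NotOnOrAfter='2017-03-30T12:35:00Z'/>"
                + "</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore='2017-03-30T12:29:00Z' NotOnOrAfter='2017-03-30T12:35:00Z'>"
                + "<saml:AudienceRestriction><saml:Audience>" + sp + "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
                + "<saml:AuthnStatement AuthnInstant='2017-03-30T12:30:00Z'/></saml:Assertion></samlp:Response>";
        Document doc = secureDocumentBuilderFactory().newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        secureTransformerFactory();   // the factory to hand to any later serialisation/canonicalisation step
        Instant fresh = Instant.parse("2017-03-30T12:31:00Z"), late = Instant.parse("2017-03-30T12:40:00Z");
        System.out.println("fresh, matching request: " + validateWebSsoProfile(doc, idp, sp, acs, "_req1", fresh));
        System.out.println("replayed after expiry:   " + validateWebSsoProfile(doc, idp, sp, acs, "_req1", late));
        System.out.println("unexpected InResponseTo: " + validateWebSsoProfile(doc, idp, sp, acs, "_other", fresh));
    }
}
```

The first run returns an empty list; the second fails the bearer window and the Conditions window (a replayed Response), and the third fails on Destination/InResponseTo binding (an unsolicited or cross-request Response), which is exactly the kind of check that is silently lost when only the protocol-level validator is wired in. The ACCESS_EXTERNAL_* attributes are honoured by the JDK's built-in TransformerFactory; a third-party factory may reject them with IllegalArgumentException, in which case the secure-processing feature alone is the minimum to keep. Allowing a small clock skew on the NotBefore/NotOnOrAfter comparisons is a common production refinement that is left out here for clarity.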
