syncope-dev mailing list archives

From Francesco Chicchiriccò <ilgro...@apache.org>
Subject Re: [DISCUSS] SAML 2.0 Service Provider feature
Date Fri, 31 Mar 2017 13:59:52 GMT
After discussing with Colm on IRC, I went ahead and merged the PR.
Regards.

On 30/03/2017 14:30, Francesco Chicchiriccò wrote:
> On 30/03/2017 11:42, Colm O hEigeartaigh wrote:
>> Hi Francesco,
>>
>> Good work!
>
> Thanks sir :-)
>
>> A few questions for you:
>>
>> a) Is there any documentation available on how to set this up for a
>> Syncope deployment? I'll give it a try once there is.
>
> There is something in the (updated) reference guide:
>
> https://github.com/Tirasa/syncopeSAML2SP/blob/SYNCOPE-1041/src/main/asciidoc/reference-guide/concepts/extensions.adoc#saml-20-service-provider
>
> Essentially, you need to download the IdP metadata into one XML file, 
> then go into Admin Console > Extensions > SAML 2.0 and import.
>
> Then, edit the created IdP entry to set the appropriate mapping; I 
> have been using:
>
> * username -> uid for TestShib
> * email -> EmailAddress for SSO Circle
>
> Now download SP metadata from the second tab from the same page: 
> please be aware to access the Syncope deployment with some FQDN and 
> localhost, so that metadata URLs are generated accordingly.
>
> SP metadata for Admin Console is also downloadable from
>
> http://your.host.name:9080/syncope-console/saml2sp/metadata
>
> Once downloaded, import such SP metadata into your SAML IdP.
>
> Then edit one of the users so that the mapping above is verified; I 
> did it by:
>
> * setting username to 'myself' for TestShib (the test user available 
> there)
> * setting email value to the one for the user I created at SSO circle
>
> Finally, log out from Admin Console: a new combo box is shown at the 
> bottom of the login screen, from which you can choose one of 
> configured IdPs: by selecting one, the SAML SSO process is triggered 
> and - if all goes well - you will end up by logging into the Admin 
> Console as the user authenticated via SAML.
>
> The same feature is available for Enduser UI, but requires to
> download / import into IdP some slightly different metadata:
>
> http://your.host.name:9080/syncope-enduser/saml2sp/metadata
>
>> b) Does the code support both the "RP" and "IdP" initiated flows? Both
>> would be useful, although we could always add the other at a later
>> stage if not.
>
> At the moment only SP-initiated is supported.
>
>> c) I see CXF's SAMLProtocolResponseValidator in the code but not the
>> SAMLSSOResponseValidator. The SAMLSSOResponseValidator takes care of
>> validating the SAML Response against the web SSO profile, or are you
>> doing this manually somewhere?
>
> Exactly: most of the checks performed by SAMLSSOResponseValidator are done
> through SAML2SPLogic methods.
>
>> d) There are some TransformerFactory instances that need to have the
>> secure processing feature enabled.
>
> "some"? There should be only one, actually: please suggest the 
> modifications and I'll push a commit for that.
> Thanks for reporting!
>
> Regards.
>
>> On Tue, Mar 28, 2017 at 3:41 PM, Francesco Chicchiriccò 
>> <ilgrosso@apache.org> wrote:
>>> Hi all,
>>> I have just submitted the PR #45 containing my work for
>>> SYNCOPE-1041: it basically introduces a new extension which allows to:
>>>
>>> 1. import IdP metadata and configure mapping to match internal users
>>> (also via admin console)
>>> 2. export SP metadata
>>> 3. enable Admin Console and Enduser to perform SAML-based SSO
>>>
>>> I have tested the feature with both
>>>
>>>   https://www.testshib.org/
>>>
>>> and
>>>
>>> http://www.ssocircle.com/en/
>>>
>>> Please note that, as kindly suggested by Colm and Sergey, I did not
>>> re-implement the SAML assertion validation, but I did re-use
>>> cxf-rt-rs-security-sso-saml.
>>> At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9
>>> should be close enough.
>>>
>>> Please let me have your feedback.
>>> Regards.
>>>
>>> On 07/03/2017 17:25, Francesco Chicchiriccò wrote:
>>>
>>>> On 07/03/2017 17:19, Colm O hEigeartaigh wrote:
>>>>
>>>>> Hi Francesco,
>>>>>
>>>>> It's good to see support for SAML coming to Syncope. I'd encourage
>>>>> you to re-use the functionality developed in CXF to validate the SAML
>>>>> Response from the IdP:
>>>>>
>>>>> https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
>>>>> https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
>>>>>
>>>>> I spent a lot of time reading the specs and making sure the
>>>>> validation rules were all followed :-)
>>>>>
>>>>>
>>>> That's very nice, thanks for the pointers!
>>>> Regards.
>>>>
>>>>> On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:
>>>>>> On 07/03/2017 11:56, Sergey Beryozkin wrote:
>>>>>>> Hi Francesco
>>>>>>> Not sure if it can be relevant for this work but at the CXF
>>>>>>> level we have this SAML SP support:
>>>>>>>
>>>>>>> http://cxf.apache.org/docs/saml-web-sso.html,
>>>>>>>
>>>>>>> something Colm and myself worked upon earlier on.
>>>>>>
>>>>>> Thanks for the pointer, Sergey: I did already find it, though.
>>>>>> This does not completely fit in our scenario since here the idea
>>>>>> is to split the responsibilities in two: from one side the front-end
>>>>>> web-fragment takes care of the SAML exchange, from the other side the
>>>>>> Syncope core (e.g. the CXF application) works as back-end for the
>>>>>> effective SAML assertion validation and generation.
>>>>>>
>>>>>> I'll look at the provided page and related implementation, anyway,
>>>>>> thank you very much indeed.
>>>>>>
>>>>>> FYI, this class
>>>>>>
>>>>>> https://github.com/apache/wss4j/blob/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java
>>>>>>
>>>>>> has been already extremely useful to me, since OpenSAML 3
>>>>>> documentation is practically absent.
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> On 07/03/17 10:49, Francesco Chicchiriccò wrote:
>>>>>>> Hi all,
>>>>>>> I have made a proposal at [1] and opened SYNCOPE-1041 for the
>>>>>>> purpose.
>>>>>>>
>>>>>>> I am already working on it, and it should be ready on time for
>>>>>>> Syncope 2.0.3.
>>>>>>>
>>>>>>> The idea is to embed the whole implementation in a PR, with
>>>>>>> option of further discussing before merge.
>>>>>>>
>>>>>>> Also, I would like to include, in the 2.0.3 release notes, a
>>>>>>> public "thank you" statement to the University of Helsinki similar
>>>>>>> to the one we made for 1.1.0 [2].
>>>>>>>
>>>>>>> WDYT?
>>>>>>> Regards.
>>>>>>>
>>>>>>> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature
>>>>>>> [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013)

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
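Colm's point (d), enabling the secure-processing feature on the TransformerFactory, is the one concrete code change raised in this thread; the same concern applies to the parser that reads an uploaded IdP metadata XML file during the "Extensions > SAML 2.0 > import" step described above. The Java class below is an added example, not code from the Syncope PR, from CXF or from WSS4J: it builds a TransformerFactory with XMLConstants.FEATURE_SECURE_PROCESSING enabled and external DTD/stylesheet access switched off, and a DocumentBuilder hardened in the same spirit (DOCTYPE declarations and external entities refused) for parsing metadata. The class name SecureXmlFactories, the parseMetadata and serialize helpers, and the minimal sample document are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Example (not Syncope code): JAXP factories hardened for handling SAML metadata. */
public final class SecureXmlFactories {

    private SecureXmlFactories() {
    }

    /** TransformerFactory with secure processing on, as requested in point (d) of the review. */
    public static TransformerFactory newTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Mandatory for every JAXP implementation: limits entity expansion and extension functions.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty string means "no protocol allowed", i.e. no external fetches.
        // The JDK's built-in transformer supports these; a third-party TransformerFactory on the
        // classpath may throw IllegalArgumentException, which is worth surfacing rather than hiding.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** DocumentBuilder that refuses DOCTYPE and external entities, for parsing uploaded IdP metadata. */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true); // SAML metadata elements are namespace-qualified
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature names (also honoured by the JDK's bundled parser).
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Parses metadata bytes (e.g. the file chosen in the Admin Console import dialog). */
    public static Document parseMetadata(byte[] xml) throws Exception {
        return newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Serialises a DOM document with the hardened TransformerFactory (e.g. SP metadata export). */
    public static String serialize(Document doc) throws TransformerException {
        Transformer transformer = newTransformerFactory().newTransformer();
        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, minimal metadata-like document; not real IdP metadata.
        String sample = "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\""
                + " entityID=\"https://idp.example.test/idp\"/>";
        Document doc = parseMetadata(sample.getBytes(StandardCharsets.UTF_8));
        System.out.println("entityID = " + doc.getDocumentElement().getAttribute("entityID"));
        System.out.println(serialize(doc));

        // Constructed document carrying a DOCTYPE: the hardened builder rejects it before any
        // entity is expanded, which is the behaviour a metadata upload endpoint wants.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"x\">]><x>&e;</x>";
        try {
            parseMetadata(withDoctype.getBytes(StandardCharsets.UTF_8));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK (no extra dependencies). Note that the upstream validators Colm points to (SAMLProtocolResponseValidator, SAMLSSOResponseValidator) cover the SAML profile checks on the Response itself; the factories above only address how the surrounding XML is parsed and serialised, which is the layer point (d) is about.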

