Syncope on AWS

2017-08-20 Thread John Stegeman
Hello All,
We have installed Syncope into AWS’s CodePipeline (commit/build/deploy) and are 
using AWS’s Elastic Beanstalk environment.  We pretty much have the entire 
process documented and working, however we are running into an error with 
Console.  Essentially, when trying to access the Users and Groups 
administration area, Console kicks you out and returns to the login screen.  We 
have tracked down where the return code is being processed.  Also, we have 
checked the API via swagger.  We also tried with the distribution WARs using 
the built-in H2 database with the same result.  The rest of console seems to 
function properly.  


In the console.log this error appears at the top of the log:

11:38:28.163 ERROR org.apache.cxf.jaxrs.utils.JAXRSUtils - No message body reader has been found for class org.apache.syncope.common.lib.to.ErrorTO, ContentType: text/html;charset=iso-8859-1
11:38:28.175 ERROR org.apache.cxf.jaxrs.utils.JAXRSUtils - No message body reader has been found for class java.util.List, ContentType: text/html;charset=iso-8859-1
11:38:28.177 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
org.apache.wicket.WicketRuntimeException: Error attaching this container for rendering: [WebMarkupContainer [Component id = body]]


And the subsequent REST call produces this error:

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.0.45]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
Caused by: javax.xml.ws.WebServiceException: Remote exception with status code: NOT_FOUND
at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:76) ~[syncope-client-lib-2.0.4.jar:2.0.4]
at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42) ~[syncope-client-lib-2.0.4.jar:2.0.4]

Using swagger on GET /groups/own, a 500 error is returned and GET /users returns a 
404 error code.

We have actually made great progress and will share with the community.

Any insight or suggestions are greatly appreciated.

Thank you,
John

Re: Multi-factor authentication in Syncope?

2017-08-20 Thread Francesco Chicchiriccò

Hi Nicholas,
and glad of your interest in Apache Syncope.

See my replies embedded below.

Regards.

On 2017-08-19 20:41 Nicholas Folse wrote:


Greetings,

I'm researching digital identity management frameworks and found Apache 
Syncope.


I have two main questions. The first is about implementing support for 
new authenticators (e.g. U2F, hardware tokens, etc.). The second 
question is about using Syncope for IoT applications.


FIRST: Does Syncope support multi-factor authentication? The 
documentation references OAuth, but I can't seem to find any details 
about how this is done.


AFAICT the only place where OAuth is referenced in the documentation is 
when it introduces the Access Management technology:


https://syncope.apache.org/docs/reference-guide.html#access-managers

but this does not apply to Syncope, being mainly - at least in the 
current version - rather a Provisioning Engine:


https://syncope.apache.org/docs/reference-guide.html#provisioning-engines

How could I implement support for new authenticators? For example, 
would it be possible to implement a U2F module?


The NIST digital identity guidelines 
(https://pages.nist.gov/800-63-3/sp800-63b.html) detail a number of 
different authenticators and I'm curious how these could be integrated 
into Syncope.


Other libraries like pac4j also include support for a variety of 
different authenticators. Could Syncope be adapted to support pac4j?


The authentication and authorization process in Syncope is based on 
Spring Security, and features JWT:


https://syncope.apache.org/docs/reference-guide.html#rest-authentication-and-authorization

The current authentication methods include only username / password and 
SAML 2.0 SSO, but the service design built for the latter can be 
definitely replicated for other mechanisms, including OAuth 2.0:


https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature

FYI, the SAML 2.0 SP feature

https://syncope.apache.org/docs/reference-guide.html#saml-2-0-service-provider

was built on the support provided by Apache CXF, and there are already 
plans for OAuth 2.0:


https://issues.apache.org/jira/browse/SYNCOPE-534
https://issues.apache.org/jira/browse/SYNCOPE-1018

I'd say that integration with pac4j is definitely possible, but requires 
some integration work.


On a side note, my company has some experience in integration with CAS:

http://blog.tirasa.net/cas-rest-authentication.html

SECOND: A recent post on opensource forum mentions Syncope's potential 
regarding IoT, but I couldn't find any mention of this in the reference 
guide. Can you point me to some documentation regarding IoT use-cases 
and scenarios?


The only aspect that could bind Syncope and IoT is ATM its native support 
for Any Objects, e.g. for modeling new identity types, their attributes 
and relationships. Please bear in mind that anything regarding Syncope 
is currently bound to the provisioning domain.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Any tutorials?

2017-08-20 Thread Francesco Chicchiriccò

On 2017-08-20 01:20 Sergio Muriel wrote:


Although I can see now the drivers in:

core/target/syncope/WEB-INF/lib/mssql-jdbc-6.1.0.jre8.jar

core/target/syncope/WEB-INF/lib/mysql-connector-java-5.1.42.jar

I still get the same error "InvalidExternalResource [JDBC Driver is not 
found on classpath.]" when I try to create a new resource.


I did as you suggest:

* Added the dependency to core/pom.xml
* Rebuilt everything from the root directory via "mvn -Pall clean install".
* Ran it from enduser via "mvn -P embedded,all"

I don't know what is wrong.


Which value did you provide for the "JDBC Driver" property? Are you 
attempting to configure the DBTable Connector Bundle?


https://connid.atlassian.net/wiki/spaces/BASE/pages/360497/Database+Table#DatabaseTable-ConfigurationProperties

Regards.
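
One way to check what the question above points at, namely whether the class named in the "JDBC Driver" property actually exists in a jar under WEB-INF/lib. This is an added example, not part of the original thread or of Syncope's code; the jars it builds are constructed stand-ins, and the driver class names are assumptions about what those driver jars contain.

```python
import tempfile
import zipfile
from pathlib import Path


def find_driver_jars(lib_dir, driver_class):
    """Return the names of jars in lib_dir that contain driver_class."""
    # A class a.b.C is stored in a jar as the entry a/b/C.class (case-sensitive).
    entry = driver_class.strip().replace(".", "/") + ".class"
    hits = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    hits.append(jar.name)
        except zipfile.BadZipFile:
            # A truncated or corrupt download is as unusable as a missing jar.
            continue
    return hits


def build_sample_lib(lib_dir):
    """Constructed stand-in for WEB-INF/lib: empty class entries, not real drivers."""
    lib = Path(lib_dir)
    lib.mkdir(parents=True, exist_ok=True)
    samples = {
        # Assumed driver class for each jar named in the thread.
        "mysql-connector-java-5.1.42.jar": "com/mysql/jdbc/Driver.class",
        "mssql-jdbc-6.1.0.jre8.jar":
            "com/microsoft/sqlserver/jdbc/SQLServerDriver.class",
    }
    for jar_name, entry in samples.items():
        with zipfile.ZipFile(lib / jar_name, "w") as zf:
            zf.writestr(entry, b"")
    (lib / "broken.jar").write_bytes(b"not a zip")  # simulates a bad download
    return lib


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        lib = build_sample_lib(tmp)
        for cls in ("com.mysql.jdbc.Driver",
                    "com.mysql.jdbc.driver",  # wrong case: will not match
                    "com.microsoft.sqlserver.jdbc.SQLServerDriver"):
            print(cls, "->", find_driver_jars(lib, cls) or "NOT FOUND")
```

Against a real build, point `find_driver_jars` at core/target/syncope/WEB-INF/lib and pass the exact value typed into the "JDBC Driver" property.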


FROM: Francesco Chicchiriccò 
SENT: Saturday, August 19, 2017 7:39 AM
TO: user@syncope.apache.org
SUBJECT: Re: Any tutorials?

Hi Sergio,
about some points below:

First point about AnyTypeClasses worked flawlessly. (Although I'm still trying 
to figure out why I cannot reuse those schemata pre-loaded there).


The pre-loaded Schemas are already assigned to some AnyTypeClass - and 
each Schema might be assigned to an AnyTypeClass instance at most.


I take back part of what I said on the second point. The dependency addition 
actually works and downloads the drivers, but I did it on enduser/pom.xml 
instead of core/pom.xml because the Getting Started page [1] suggests to run it 
from there:

" .. then, from the enduser subdirectory, execute:
mvn -P embedded,all"


Logically, the MySQL JDBC driver is used by the Core, not by the 
Enduser UI, so the correct procedure is to add the dependency to 
core/pom.xml, rebuild everything from the root directory via "mvn clean 
install" or "mvn -Pall clean install", then move back to the enduser 
subdirectory and start as reported by the Getting Started guide.


Regards.

On 19-ago-17, at 2:37, Sergio Muriel  wrote:


Hi again Francesco,


I take back part of what I said on the second point. The dependency addition 
actually works and downloads the drivers, but I did it on enduser/pom.xml 
instead of core/pom.xml because the Getting Started page [1] suggests to run it 
from there:

" .. then, from the enduser subdirectory, execute:
mvn -P embedded,all"



Is it okay?



[1] https://syncope.apache.org/docs/getting-started.html





From: Sergio Muriel 
Sent: Friday, August 18, 2017 3:06 PM
To: user@syncope.apache.org
Subject: Re: Any tutorials?



Hi Francesco,


First point about AnyTypeClasses worked flawlessly. (Although I'm still trying 
to figure out why I cannot reuse those schemata pre-loaded there).



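Second point about dependency still throws same error: 
"InvalidExternalResource. JDBC Driver is not found on classpath." This is what I 
added (right before the first  occurrence in core/pom.xml):

    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.42</version>
    </dependency>
    <dependency>
      <groupId>com.microsoft.sqlserver</groupId>
      <artifactId>sqljdbc4</artifactId>
      <version>4.0</version>
    </dependency>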

Since I'm trying to connect to sqlserver as well.
Suggestions will be greatly appreciated.



Thank you!



Best Regards,
Sergio



From: Francesco Chicchiriccò 
Sent: Friday, August 18, 2017 1:32 AM
To: user@syncope.apache.org
Subject: Re: Any tutorials?
Hi Sergio,
see my replies embedded below.



Regards.



On 17/08/2017 23:28, Sergio Muriel wrote:



Thank you Francesco.


I'm trying to accomplish what you say, however I'm having two issues at the 
moment:


1. I log in to syncope-console/ as admin, click on Types -> AnyTypeClasses -> 
New AnyTypeClass but I find no schema to add because all lists are empty.


Of course, you need first to create new schemas that are not assigned yet to any 
AnyTypeClass.


2. I was able to create a connector in Topology -> connid -> Add New Connector, 
but when I try to create a resource for that connector it shows this error 
message: InvalidExternalResource. JDBC Driver is not found on classpath.



This happens because you are likely attempting to create a DBTable or 
ScriptedSQL connector for a DBMS (MySQL / MariaDB? PostgreSQL? other?), for 
which you'll need to include the related JDBC driver.

Since it seems you're running the Maven project, just add the related dependency 
to core/pom.xml (right before the first  occurrence):

    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.42</version>
    </dependency>

for MySQL, or

    <dependency>
      <groupId>org.mariadb.jdbc</groupId>
      <artifactId>mariadb-java-client</artifactId>
      <version>1.6.1</version>
    </dependency>

for MariaDB, and so on.



I created my project with maven archetype and run it with



mvn -P embedded,all



Any clue of what I'm doing wrong here?



Your help is very appreciated.



Sergio



From: Francesco Chicchiriccò 
Sent: Friday, August 11, 2017