Syncope on AWS
Hello All,

We have installed Syncope into AWS’s CodePipeline (commit/build/deploy) and are using AWS’s Elastic Beanstalk environment. We pretty much have the entire process documented and working, however we are running into an error with Console. Essentially, when trying to access the Users and Groups administration area, Console kicks you out and returns to the login screen. We have tracked down where the return code is being processed. Also, we have checked the API via swagger. We also tried with the distribution WARs using the built-in H2 database with the same result. The rest of console seems to function properly.

In the console.log this error appears at the top of the log:

    11:38:28.163 ERROR org.apache.cxf.jaxrs.utils.JAXRSUtils - No message body reader has been found for class org.apache.syncope.common.lib.to.ErrorTO, ContentType: text/html;charset=iso-8859-1
    11:38:28.175 ERROR org.apache.cxf.jaxrs.utils.JAXRSUtils - No message body reader has been found for class java.util.List, ContentType: text/html;charset=iso-8859-1
    11:38:28.177 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
    org.apache.wicket.WicketRuntimeException: Error attaching this container for rendering: [WebMarkupContainer [Component id = body]]

And the subsequent REST call produces this error:

    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.0.45]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
    Caused by: javax.xml.ws.WebServiceException: Remote exception with status code: NOT_FOUND
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:76) ~[syncope-client-lib-2.0.4.jar:2.0.4]
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42) ~[syncope-client-lib-2.0.4.jar:2.0.4]

Using swagger on GET /groups/own a 500 error is returned and GET /users returns a 404 error code.

We have actually made great progress and will share with the community.

Any insight or suggestions are greatly appreciated.

Thank you,
John
Re: Multi-factor authentication in Syncope?
Hi Nicolas,
and glad of your interest in Apache Syncope.

See my replies embedded below.
Regards.

On 2017-08-19 20:41 Nicholas Folse wrote:

> Greetings,
>
> I'm researching digital identity management frameworks and found Apache Syncope. I have two main questions. The first is about implementing support for new authenticators (e.g. U2F, hardware tokens, etc.). The second question is about using Syncope for IoT applications.
>
> FIRST: Does Syncope support multi-factor authentication? The documentation references OAuth, but I can't seem to find any details about how this is done.

AFAICT the only place where OAuth is referenced in the documentation is when it introduces the Access Management technology:

https://syncope.apache.org/docs/reference-guide.html#access-managers

but this does not apply to Syncope, being mainly - at least in the current version - rather a Provisioning Engine:

https://syncope.apache.org/docs/reference-guide.html#provisioning-engines

> How could I implement support for new authenticators? For example, would it be possible to implement a U2F module? The NIST digital identity guidelines (https://pages.nist.gov/800-63-3/sp800-63b.html) detail a number of different authenticators and I'm curious how these could be integrated into Syncope. Other libraries like pac4j also include support for a variety of different authenticators. Could Syncope be adapted to support pac4j?

The authentication and authorization process in Syncope is based on Spring Security, and features JWT:

https://syncope.apache.org/docs/reference-guide.html#rest-authentication-and-authorization

The current authentication methods include only username / password and SAML 2.0 SSO, but the service design built for the latter can be definitely replicated for other mechanisms, including OAuth 2.0:

https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature

FYI, the SAML 2.0 SP feature

https://syncope.apache.org/docs/reference-guide.html#saml-2-0-service-provider

was built on the support provided by Apache CXF, and there are already plans for OAuth 2.0:

https://issues.apache.org/jira/browse/SYNCOPE-534
https://issues.apache.org/jira/browse/SYNCOPE-1018

I'd say that integration with pac4j is definitely possible, but requires some integration work.

On a side note, my company has some experience in integration with CAS:

http://blog.tirasa.net/cas-rest-authentication.html

> SECOND: A recent post on opensource forum mentions Syncope's potential regarding IoT, but I couldn't find any mention of this in the reference guide. Can you point me to some documentation regarding IoT use-cases and scenarios?

The only aspect that could bind Syncope and IoT is ATM its native support for Any Objects, e.g. for modeling new identity types, their attributes and relationships.
Please bear in mind that anything regarding Syncope is currently bound to the provisioning domain.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Any tutorials?
On 2017-08-20 01:20 Sergio Muriel wrote:

> Although I can see now the drivers in:
>
>     core/target/syncope/WEB-INF/lib/mssql-jdbc-6.1.0.jre8.jar
>     core/target/syncope/WEB-INF/lib/mysql-connector-java-5.1.42.jar
>
> I still get the same error "InvalidExternalResource [JDBC Driver is not found on classpath.]" when I try to create a new resource.
>
> I did as you suggest:
>
> * Added the dependency to core/pom.xml
> * Rebuilt everything from the root directory via "mvn -Pall clean install".
> * Ran it from enduser via "mvn -P embedded,all"
>
> I don't know what is wrong.

Which value did you provide for the "JDBC Driver" property?
Are you attempting to configure the DBTable Connector Bundle?

https://connid.atlassian.net/wiki/spaces/BASE/pages/360497/Database+Table#DatabaseTable-ConfigurationProperties

Regards.

FROM: Francesco Chicchiriccò
SENT: Saturday, August 19, 2017 7:39 AM
TO: user@syncope.apache.org
SUBJECT: Re: Any tutorials?

Hi Sergio,
about some points below:

> First point about AnyTypeClasses worked flawlessly. (Although I'm still trying to figure out why I cannot reuse those schemata pre-loaded there).

The pre-loaded Schemas are already assigned to some AnyTypeClass - and each Schema might be assigned to an AnyTypeClass instance at most.

> I take back part of what I said on the second point. The dependency addition actually works and downloads the drivers, but I did it on enduser/pom.xml instead of core/pom.xml because the Getting Started page [1] suggests to run it from there: " .. then, from the enduser subdirectory, execute: mvn -P embedded,all"

Logically, the MySQL JDBC driver is used by the Core, not by the Enduser UI, so the correct procedure is to add the dependency to core/pom.xml, rebuild everything from the root directory via "mvn clean install" or "mvn -Pall clean install", then move back to the enduser subdirectory and start as reported by the Getting Started guide.

Regards.

On 19-ago-17, at 2:37, Sergio Muriel wrote:

Hi again Francesco,

I take back part of what I said on the second point. The dependency addition actually works and downloads the drivers, but I did it on enduser/pom.xml instead of core/pom.xml because the Getting Started page [1] suggests to run it from there: " .. then, from the enduser subdirectory, execute: mvn -P embedded,all"

Is it okay?

[1] https://syncope.apache.org/docs/getting-started.html

From: Sergio Muriel
Sent: Friday, August 18, 2017 3:06 PM
To: user@syncope.apache.org
Subject: Re: Any tutorials?

Hi Francesco,

First point about AnyTypeClasses worked flawlessly. (Although I'm still trying to figure out why I cannot reuse those schemata pre-loaded there).

Second point about dependency still throws same error: " InvalidExternalResource. JDBC Driver is not found on classpath."

This is what I added (right before the first occurrence in core/pom.xml ) :

    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.42</version>
    </dependency>
    <dependency>
      <groupId>com.microsoft.sqlserver</groupId>
      <artifactId>sqljdbc4</artifactId>
      <version>4.0</version>
    </dependency>

Since I'm trying to connect to sqlserver as well.

Suggestions will be greatly appreciated. Thank you!

Best Regards,
Sergio

From: Francesco Chicchiriccò
Sent: Friday, August 18, 2017 1:32 AM
To: user@syncope.apache.org
Subject: Re: Any tutorials?

Hi Sergio,
see my replies embedded below.

Regards.

On 17/08/2017 23:28, Sergio Muriel wrote:

> Thank you Francesco.
>
> I'm trying to accomplish what you say, however I'm having two issues at the moment:
>
> 1. I log in to syncope-console/ as admin, click on Types -> AnyTypeClasses -> New AnyTypeClass but I find no schema to add because all lists are empty.

Of course, you need first to create new schemas that are not assigned yet to any AnyTypeClass.

> 2. I was able to create a connector in Topology -> connid -> Add New Connector, but when I try to create a resource for that connector it shows this error message: InvalidExternalResource. JDBC Driver is not found on classpath.

This happens because you are likely attempting to create a DBTable or ScriptedSQL connector for a DBMS (MySQL / MariaDB? PostgreSQL? other?), for which you'll need to include the related JDBC driver.

Since it seems you're running the Maven project, just add the related dependency to core/pom.xml (right before the first occurrence):

    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.42</version>
    </dependency>

for MySQL, or

    <dependency>
      <groupId>org.mariadb.jdbc</groupId>
      <artifactId>mariadb-java-client</artifactId>
      <version>1.6.1</version>
    </dependency>

for MariaDB, and so on.

> I created my project with maven archetype and run it with mvn -P embedded,all
>
> Any clue of what I'm doing wrong here?
>
> Your help is very appreciated.
>
> Sergio

From: Francesco Chicchiriccò
Sent: Friday, August 11, 2017
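
One way to check whether the class name entered in the connector's "JDBC Driver" property is actually shipped by a jar under WEB-INF/lib, as an added example that is not part of the original thread or of Syncope: it lists the driver classes each jar registers and looks for the configured class file. The jar name, the class `org.example.jdbc.Driver` and the function names are constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

# File through which a JDBC 4 driver jar registers its driver class names.
SERVICE_ENTRY = "META-INF/services/java.sql.Driver"


def declared_drivers(jar_path):
    """Return the driver class names a jar registers, or [] if it has none."""
    with zipfile.ZipFile(jar_path) as jar:
        if SERVICE_ENTRY not in jar.namelist():
            return []
        text = jar.read(SERVICE_ENTRY).decode("utf-8")
    # One class name per line; '#' starts a comment.
    names = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [name for name in names if name]


def check_driver_property(lib_dir, configured):
    """Report which jars ship the configured class and what each jar registers."""
    entry = configured.strip().replace(".", "/") + ".class"
    found_in, available = [], {}
    for jar_path in sorted(Path(lib_dir).glob("*.jar")):
        with zipfile.ZipFile(jar_path) as jar:
            if entry in jar.namelist():
                found_in.append(jar_path.name)
        drivers = declared_drivers(jar_path)
        if drivers:
            available[jar_path.name] = drivers
    return {"found_in": found_in, "available": available}


def demo():
    """Run the check on a constructed lib directory (hypothetical jar and class)."""
    with tempfile.TemporaryDirectory() as lib_dir:
        with zipfile.ZipFile(Path(lib_dir) / "example-jdbc-1.0.jar", "w") as jar:
            jar.writestr(SERVICE_ENTRY, "# constructed sample\norg.example.jdbc.Driver\n")
            jar.writestr("org/example/jdbc/Driver.class", b"")
        good = check_driver_property(lib_dir, "org.example.jdbc.Driver")
        typo = check_driver_property(lib_dir, "org.example.Driver")
    return good, typo


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Against a real build, call `check_driver_property("core/target/syncope/WEB-INF/lib", "<value of the JDBC Driver property>")`; an empty `found_in` means no jar in that directory contains the configured class, and `available` shows the names the jars do register.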