Re: Bearer authentication for SCIM v2 extension endpoints?

2022-12-09 Thread Francesco Chicchiriccò

On 09/12/22 11:40, Philipp Trenz wrote:

Dear Syncope community,

I’m searching for a solution to provision users from Azure AD into a local 
Windows AD. Syncope looks very promising for this use case and I’m about to 
set up a Proof of Concept. For configuring Azure AD against the SCIMv2 
extension, a static bearer authentication token is required. The default 
authentication method for the SCIM endpoints seems to be JWT, though.

TL;DR: How can I configure a static Bearer token for authentication against the 
SCIM v2 extension?


Hi Philipp,
glad of your interest in Apache Syncope.

The authentication configuration for all REST endpoints exposed by Core is 
defined by [1] so, in case you really want to dig into this topic or override 
some bean definition(s) into your project, that is definitely the starting 
point.

I am reading from [2] that Azure AD is using an OAuth 2.0 bearer token, which 
should still be in JWT format.
If this is the case, my suggestion is to add to your project an implementation 
of JWTSSOProvider [3].

The purpose of a JWTSSOProvider is to:

1. validate the provided "Authorization: Bearer" value, in the verify() method
2. resolve the extracted claims into an internal Syncope User, in the resolve() 
method

You can look at a sample implementation [4] or the one that is actually in use 
by default [5].

The typical use case for additional JWTSSOProvider implementations is to allow 
the use of JWT values not generated by Syncope itself to authorize access to 
Syncope REST endpoints.

HTH
Regards.

[1] 
https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
[2] 
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication
[3] https://syncope.apache.org/docs/3.0/reference-guide.html#jwtssoprovider
[4] 
https://github.com/apache/syncope/blob/master/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
[5] 
https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
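To make the two steps above concrete, here is an added example of a custom JWTSSOProvider (it is not code from the original thread, nor from the Syncope project itself). It accepts a long-lived HS256 JWT signed with a static shared secret, so the very same token string can be pasted into the Azure AD provisioning "Secret Token" field: mint one token with "iss" set to the provider's issuer, "sub" set to a dedicated Syncope service account and a far-off "exp", and Syncope will route it to this provider by its "iss" claim. The interface methods (the Nimbus JWSVerifier ones plus getIssuer() and resolve()), the UserDAO.findByUsername() and AuthDataAccessor.getAuthorities() calls and the package name are assumptions based on Syncope 3.0 and should be checked against [4] and [5] for the version you run.

```java
// Added example: custom JWTSSOProvider for a static HS256 shared secret.
// Not part of Apache Syncope; interface and DAO calls assumed from Syncope 3.0.
package com.example.syncope; // assumed package for your own project

import java.nio.charset.StandardCharsets;
import java.util.Set;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.jca.JCAContext;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.spring.security.AuthDataAccessor;
import org.apache.syncope.core.spring.security.JWTSSOProvider;
import org.apache.syncope.core.spring.security.SyncopeGrantedAuthority;

public class StaticSecretJWTSSOProvider implements JWTSSOProvider {

    // Syncope dispatches an incoming JWT to the provider whose getIssuer() matches
    // the token's "iss" claim, so the token minted for Azure AD must carry this value.
    public static final String ISSUER = "azuread-scim"; // assumed value, pick your own

    // The shared secret is injected from configuration (never hard-coded); it must be
    // at least 256 bits long for HS256, which MACVerifier enforces at construction.
    private final MACVerifier delegate;

    private final UserDAO userDAO;

    private final AuthDataAccessor authDataAccessor;

    public StaticSecretJWTSSOProvider(
            final String sharedSecret,
            final UserDAO userDAO,
            final AuthDataAccessor authDataAccessor) throws JOSEException {
        this.delegate = new MACVerifier(sharedSecret.getBytes(StandardCharsets.UTF_8));
        this.userDAO = userDAO;
        this.authDataAccessor = authDataAccessor;
    }

    @Override
    public String getIssuer() {
        return ISSUER;
    }

    @Override
    public Set<JWSAlgorithm> supportedJWSAlgorithms() {
        // Advertise HS256 only: "none", RS* or a weaker HMAC must never be accepted
        // just because a client put it in the header.
        return Set.of(JWSAlgorithm.HS256);
    }

    @Override
    public JCAContext getJCAContext() {
        return delegate.getJCAContext();
    }

    // Step 1 of the reply above: validate the "Authorization: Bearer" value.
    // Pin the algorithm explicitly before delegating the HMAC check.
    @Override
    public boolean verify(final JWSHeader header, final byte[] signingInput, final Base64URL signature)
            throws JOSEException {
        if (!JWSAlgorithm.HS256.equals(header.getAlgorithm())) {
            return false;
        }
        return delegate.verify(header, signingInput, signature);
    }

    // Step 2: map the verified claims onto an internal Syncope user and its
    // authorities. Returning a null user makes the authentication fail.
    @Override
    public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JWTClaimsSet jwtClaims) {
        if (!ISSUER.equals(jwtClaims.getIssuer()) || jwtClaims.getSubject() == null) {
            return Pair.of(null, Set.of());
        }
        // Assumption: "sub" is the username of a dedicated service account that holds
        // only the entitlements the SCIM extension needs (least privilege).
        User user = userDAO.findByUsername(jwtClaims.getSubject());
        if (user == null) {
            return Pair.of(null, Set.of());
        }
        return Pair.of(user, authDataAccessor.getAuthorities(user.getUsername(), null));
    }
}
```

Register the class as a Spring bean in your project's configuration, the same way the sample provider [4] is wired in the fit module, and keep the shared secret in the externalized configuration rather than in source. Because the token is static, treat it like a password: rotate it by minting a new token and updating the Azure AD Secret Token field, and scope the service account so that a leaked token cannot do more than SCIM provisioning.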


role with "dynMembershipCond"

2022-12-09 Thread Lionel SCHWARZ
Dear all,

Could someone explain to me how dynRoles work? Because I found something strange 
and am not sure if I missed something or not...

I have created a role with "dynMembershipCond" based on users having a certain 
relationship. This works fine as after creating the role, all users that have 
this relationship got the role in "dynRoles".

However, when I then create a new user with such a relationship, it does not 
get the role (and if I then update the role, the new user gets it!)

Is there anything more I need to do at creation, or something I misconfigured?

Cheers
Lionel



Bearer authentication for SCIM v2 extension endpoints?

2022-12-09 Thread Philipp Trenz
Dear Syncope community,

I’m searching for a solution to provision users from Azure AD into a local 
Windows AD. Syncope looks very promising for this use case and I’m about to 
set up a Proof of Concept. For configuring Azure AD against the SCIMv2 
extension, a static bearer authentication token is required. The default 
authentication method for the SCIM endpoints seems to be JWT, though.

TL;DR: How can I configure a static Bearer token for authentication against the 
SCIM v2 extension?

Many thanks

—
Philipp Trenz
Luisenplatz 3
14471 Potsdam
GERMANY

Mail: m...@philipptrenz.de
Phone: +49 176 44553932
Web: https://philipptrenz.de


