Hi Nicolas,
and I'm glad to hear of your interest in Apache Syncope.
See my replies embedded below.
Regards.
On 2017-08-19 20:41 Nicholas Folse wrote:
Greetings,
I'm researching digital identity management frameworks and found Apache
Syncope.
I have two main questions. The first is about implementing support for
new authenticators (e.g. U2F, hardware tokens, etc.). The second
question is about using Syncope for IoT applications.
FIRST: Does Syncope support multi-factor authentication? The
documentation references OAuth, but I can't seem to find any details
about how this is done.
AFAICT the only place where OAuth is referenced in the documentation is
when it introduces the Access Management technology:
https://syncope.apache.org/docs/reference-guide.html#access-managers
but this does not apply to Syncope, which is mainly - at least in the
current version - a Provisioning Engine:
https://syncope.apache.org/docs/reference-guide.html#provisioning-engines
How could I implement support for new authenticators? For example,
would it be possible to implement a U2F module?
The NIST digital identity guidelines
(https://pages.nist.gov/800-63-3/sp800-63b.html) detail a number of
different authenticators and I'm curious how these could be integrated
into Syncope.
Other libraries like pac4j also include support for a variety of
different authenticators. Could Syncope be adapted to support pac4j?
The authentication and authorization process in Syncope is based on
Spring Security, and features JWT:
https://syncope.apache.org/docs/reference-guide.html#rest-authentication-and-authorization
The current authentication methods include only username / password and
SAML 2.0 SSO, but the service design built for the latter can be
definitely replicated for other mechanisms, including OAuth 2.0:
https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature
FYI, the SAML 2.0 SP feature
https://syncope.apache.org/docs/reference-guide.html#saml-2-0-service-provider
was built on the support provided by Apache CXF, and there are already
plans for OAuth 2.0:
https://issues.apache.org/jira/browse/SYNCOPE-534
https://issues.apache.org/jira/browse/SYNCOPE-1018
I'd say that integration with pac4j is definitely possible, but requires
some integration work.
On a side note, my company has some experience in integration with CAS:
http://blog.tirasa.net/cas-rest-authentication.html
SECOND: A recent post on an open source forum mentions Syncope's potential
regarding IoT, but I couldn't find any mention of this in the reference
guide. Can you point me to some documentation regarding IoT use-cases
and scenarios?
The only aspect that could bind Syncope and IoT is ATM its native support
for Any Objects, e.g. for modeling new identity types, their attributes
and relationships. Please bear in mind that anything regarding Syncope
is currently bound to the provisioning domain.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
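The reply above notes that Syncope's REST authentication is built on Spring Security and features JWT. As an added illustration (not Syncope's own code, and not the Apache CXF implementation it relies on), the script below shows what a bearer-token check of that kind has to do on the server side: pin the expected algorithm, verify the HMAC signature in constant time, and enforce expiry, rejecting a forged claims segment and an "alg": "none" token. The HS256 algorithm, the shared secret, the claim names and the 120-second lifetime are assumptions made for the example, not values taken from Syncope.

```python
"""Minimal HS256 JWT mint/verify, added example only.

Assumptions (not from Syncope or Apache CXF): HS256 over a shared secret,
standard "sub"/"iat"/"exp" claims, a 120 s lifetime.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example; a real deployment uses a configured key.
SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, key: bytes, ttl_seconds: int = 120, now: int = None) -> str:
    """Issue a signed token for an authenticated subject (server side)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes, now: int = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError.

    Order matters: the algorithm is pinned before the signature is checked,
    so an "alg": "none" token can never reach the comparison.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def bearer_header(token: str) -> dict:
    """Header a REST client would send on subsequent calls."""
    return {"Authorization": "Bearer " + token}


def forge_claims(token: str, new_claims: dict) -> str:
    """Attacker move for the demo: swap the claims segment, keep the old signature."""
    h_b64, _, s_b64 = token.split(".")
    return h_b64 + "." + b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + s_b64


def alg_none_token(claims: dict) -> str:
    """Attacker move for the demo: unsigned token with alg=none."""
    h = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    c = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return h + "." + c + "."


if __name__ == "__main__":
    t0 = 1_500_000_000  # fixed clock so the run is reproducible
    tok = mint_token("rossini", SECRET, now=t0)
    print("valid:", verify_token(tok, SECRET, now=t0 + 10))
    for bad in (forge_claims(tok, {"sub": "admin", "exp": t0 + 120}),
                alg_none_token({"sub": "admin", "exp": t0 + 120})):
        try:
            verify_token(bad, SECRET, now=t0 + 10)
        except ValueError as e:
            print("rejected:", e)
```

The same checks apply whichever library issues the token: the signature must be verified against a server-held key, the algorithm accepted must be the one the server configured rather than the one the token claims, and expiry must be enforced on every request, not only at login.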