On 09/12/22 11:40, Philipp Trenz wrote:
> Dear Syncope community,
> I’m searching for a solution to provision users from Azure AD into a local
> Windows AD. Syncope looks very promising for this use case and I’m about to
> set up a Proof of Concept. For configuring Azure AD against the SCIMv2
> extension, a static bearer authentication token is required. The default
> authentication method for the SCIM endpoints seems to be JWT, though.
> TL;DR: How can I configure a static Bearer token for authentication against the
> SCIM v2 extension?
Hi Philipp,
glad of your interest in Apache Syncope.
The authentication configuration for all REST endpoints exposed by Core is
defined by [1] so, in case you really want to dig into this topic or override
some bean definition(s) into your project, that is definitely the starting
point.
I am reading from [2] that Azure AD is using an OAuth 2.0 bearer token, which
should still be in JWT format.
If this is the case, my suggestion is to add to your project an implementation
of JWTSSOProvider [3].
The purpose of a JWTSSOProvider is to:
1. validate the provided "Authorization: Bearer" value, in the verify() method
2. resolve the extracted claims into an internal Syncope User, in the resolve()
method
You can look at a sample implementation [4] or the one that is actually in use
by default [5].
The typical use case for additional JWTSSOProvider implementations is to allow
JWT values not generated by Syncope itself to be used to authorize access to
Syncope REST endpoints.
HTH
Regards.
[1] https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
[2] https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication
[3] https://syncope.apache.org/docs/3.0/reference-guide.html#jwtssoprovider
[4] https://github.com/apache/syncope/blob/master/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
[5] https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
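
The two steps described in the reply above (verify the bearer value, then resolve its claims to a local user), as an added example that is not part of the original message and is not Syncope code. It does not implement the JWTSSOProvider interface itself; it assumes the Nimbus JOSE+JWT library on the classpath, and the class name, issuer, audience and subject-to-user map are hypothetical.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;
import java.security.KeyPairGenerator;
import java.security.interfaces.*;
import java.util.*;

public class ExternalBearerCheck {
    // Hypothetical values: the issuer you trust and the audience your endpoint expects.
    static final String ISSUER = "https://issuer.example/";
    static final String AUDIENCE = "syncope-scim";

    // Step 1: pin the algorithm, check the signature, then issuer, audience and expiry.
    static JWTClaimsSet verify(String bearer, RSAPublicKey key) throws Exception {
        SignedJWT jwt = SignedJWT.parse(bearer);
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new SecurityException("unexpected alg");
        }
        if (!jwt.verify(new RSASSAVerifier(key))) {
            throw new SecurityException("bad signature");
        }
        JWTClaimsSet c = jwt.getJWTClaimsSet();
        Date exp = c.getExpirationTime();
        if (!ISSUER.equals(c.getIssuer()) || !c.getAudience().contains(AUDIENCE)
                || exp == null || exp.before(new Date())) {
            throw new SecurityException("claims rejected");
        }
        return c;
    }

    // Step 2: map the verified subject to a local account; unknown subjects are refused.
    static String resolve(JWTClaimsSet c, Map<String, String> subjectToUser) {
        String user = subjectToUser.get(c.getSubject());
        if (user == null) throw new SecurityException("no local user for subject");
        return user;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair stands in for the issuer's published key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        var kp = g.generateKeyPair();
        JWTClaimsSet claims = new JWTClaimsSet.Builder().issuer(ISSUER).audience(AUDIENCE)
                .subject("provisioning-client")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(kp.getPrivate()));
        JWTClaimsSet ok = verify(jwt.serialize(), (RSAPublicKey) kp.getPublic());
        System.out.println(resolve(ok, Map.of("provisioning-client", "scim-admin")));
    }
}
```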