This is an automated email from the ASF dual-hosted git repository.
cris pushed a commit to branch master
in repository
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-saml2.git
The following commit(s) were added to refs/heads/master by this push:
new 0dfa1d2 add project boilerplate and update README.md
0dfa1d2 is described below
commit 0dfa1d2d92b6a1142d880154f77bec514a52a59c
Author: Cris Rockwell <[email protected]>
AuthorDate: Fri Apr 16 11:48:53 2021 -0400
add project boilerplate and update README.md
---
.asf.yaml | 5 ++++
CODE_OF_CONDUCT.md | 22 +++++++++++++++
CONTRIBUTING.md | 24 ++++++++++++++++
Jenkinsfile | 20 +++++++++++++
README.md | 82 +++++++++++++++++-------------------------------------
5 files changed, 97 insertions(+), 56 deletions(-)
diff --git a/.asf.yaml b/.asf.yaml
new file mode 100644
index 0000000..60272c5
--- /dev/null
+++ b/.asf.yaml
@@ -0,0 +1,5 @@
+github:
+ description: An OSGi bundle that provides a SAML2 Web Profile Service
Provider Authentication for Apache Sling
+ labels:
+ - sling
+ - javascript
\ No newline at end of file
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..0fa18e5
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,22 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+Apache Software Foundation Code of Conduct
+====
+
+Being an Apache project, Apache Sling adheres to the Apache Software
Foundation's [Code of
Conduct](https://www.apache.org/foundation/policies/conduct.html).
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..ac82a1a
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,24 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+Contributing
+====
+
+Thanks for choosing to contribute!
+
+You will find all the necessary details about how you can do this at
https://sling.apache.org/contributing.html.
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..f582519
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,20 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+slingOsgiBundleBuild()
diff --git a/README.md b/README.md
index 61fa8c9..96493e6 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,16 @@
-# Apache Sling SAML2 Handler (NOT FOR PRODUCTION)
+[](https://sling.apache.org)
-This contribution to the [Apache Sling](https://sling.apache.org) project;
- provides a SAML2 Web Profile Service Provider Authentication.
+ [](https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-auth-saml2/job/master/) [](https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-auth-s
[...]
+
+
+
+sling-org-apache-sling-auth-saml2
+
+# Apache Sling SAML2 Handler
+
+An OSGi bundle that provides a SAML2 Web Profile Service Provider
Authentication for [Apache Sling](https://sling.apache.org) using [OpenSAML v4
libraries](https://wiki.shibboleth.net/confluence/display/OSAML/Home)
+
## Overview
https://en.wikipedia.org/wiki/SAML_2.0
@@ -18,7 +26,7 @@ such as Keycloak Server or Shibboleth IDP.
- Java 11
- Sling 11 or 12
- An external SAML2 identity provider
-
+- The
[oak-auth-external](https://mvnrepository.com/artifact/org.apache.jackrabbit/oak-auth-external)
bundle must be installed and active
### User Management
User management is based on the OSGi bundle configuration and SAML2 Assertion
@@ -30,53 +38,9 @@ User management is based on the OSGi bundle configuration
and SAML2 Assertion
- `syncAttrs` can be used to synchronize user properties released by the IDP
for profile properties such as given name, family name, email, and phone.
-
-
-## Localhost Setup
-Procedure for localhost testing
-
-### Start and Configure an External Identity Provider
-1. Start a Keycloak Server
-`docker run -p 8484:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin
jboss/keycloak`
-2. Login using http://localhost:8484/auth/admin/
- - username: admin, password: admin
-3. Configure a Realm
- - Click "Add Realm"
- - Select the file located at
`saml-example/src/main/resources/sling-realm-export.json`
-
-Note. The preconfigured realm contains configuration for the client and the
groups, but does not contain users.
-4. Add user(s)
- - Select Users under the "Sling" Realm
- 
- - Set user attributes; specifically "userid"
- 
- - Set user password
- 
- - Set user groups; specifically join "pcms-authors"
- 
-
-
-
-
-### Sling SAML2 Service Provider Setup
-
-1. Start Sling (Assuming a new instance of Sling 12-SNAPSHOT)
-2. Run `mvn clean install -P autoInstallBundle` from saml-handler project
-Note: saml-handler is the core bundle offering SAML2 Sign on
-3. Run `mvn clean install -P autoInstallPackage` from saml-example project
-Note: saml-example is example setup package containing: OSGI configurations,
service-user and ACL's.
-This setup is detailed in the section below.
-
-
#### Configurations, Service User and ACL's
-Note: the following are contained in localhostExample-1.zip
-Provide a [JAAS OSGI
Config](http://localhost:8080/system/console/configMgr/org.apache.felix.jaas.Configuration.factory)
as shown below
-- jaas.controlFlag=Sufficient
-- jaas.ranking=110
-- jaas.realmName=jackrabbit.oak
-- jaas.classname=org.apache.sling.auth.saml2.sp.Saml2LoginModule
-
+##### Manual configurations set using /system/console/configMgr
Provide a [Service User Mapper OSGI
Config](http://localhost:8080/system/console/configMgr/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended)
- org.apache.sling.auth.saml2:Saml2UserMgtService=saml2-user-mgt
@@ -89,7 +53,7 @@ Set up the system user "saml2-user-mgt"
-Provide a [SAML2 OSGI
Configuration](http://localhost:8080/system/console/configMgr/org.apache.sling.auth.saml2.impl.SAML2ConfigServiceImpl)
+Provide a [SAML2 OSGI
Configuration](http://localhost:8080/system/console/configMgr/org.apache.sling.auth.saml2.AuthenticationHandlerSAML2)
- path=http://localhost:8080/
- service.ranking=1000
- entityID=http://localhost:8080/
@@ -114,17 +78,23 @@ Notes:
- After configuring the SAML2 authentication handler, the Sling Form login
can still be accessed directly
http://localhost:8080/system/sling/form/login?resource=%2F
- See below technical notes for certificate, keys, signing and encryption
+
+[JAAS OSGI
Config](http://localhost:8080/system/console/configMgr/org.apache.felix.jaas.Configuration.factory)
is automatically created and removed upon bundle activation and deactivation
as shown below
+- jaas.controlFlag=Sufficient
+- jaas.ranking=110
+- jaas.realmName=jackrabbit.oak
+- jaas.classname=org.apache.sling.auth.saml2.sp.Saml2LoginModule
+
+
+
## Test
Visit http://localhost:8080 and observe login takes place on the
http://localhost:8484 Keycloak Server IDP
-Enter credentials for the user you created, and observe user is granted access
to the system.
+Enter credentials for the user you created. After the user authenticates at
the IDP, they are redirected to the orginally requested resource.
-
-
-
## Certificates, SSL, Signing and Encryption
This portion discusses encryption which can be very critical for the security
of this solution.
@@ -132,7 +102,7 @@ Decide a location on the file system for the Keystores. For
example, under the s
`$ mkdir sling/keys`
`$ cd sling/keys`
-### Enable Jetty HTTPS
+### Enable Jetty HTTPS (Localhost example only, Not for prod)
It's a good idea to configure SSL for Jetty providing https binding.
1. Create KeyStore & generate a self-signed certificate (not for production).
@@ -162,7 +132,7 @@ Aside from the Jetty SSL credentials discussed above, there
are two other creden
* Identity Provider (IDP) Signing Certificate
-#### Keystore Setup (Localhost) Example
+#### Keystore Setup (Localhost example only, Not for prod)
The SP Keypair is used by the IDP and SP to encrypt and decrypt SAML2
responses. It should be unique for each service provider.
Note that the SP Keypair is also used to cryptographically sign SAML requests
sent from the SP to the IDP.
