[
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140558#comment-17140558
]
Cris Rockwell edited comment on SLING-9397 at 6/19/20, 1:43 PM:
----------------------------------------------------------------
[~rombert] I've started some updates on this bundle: switched build source and
target to Java 11, updated OpenSAML to V4, and clarified the processes in the
README for local testing. I'm in the process of making SSL, encryption and
signing optional. Keycloak Server has an option to do partial realm imports and
exports, which contain the realm "clients" and groups, but does not include
users (I assume for security reasons).
Here is a draft of the new README:
https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler
As you can see, some things are configured manually.
* JAAS OSGI
* SAML2 OSGI
* Service User
** Service User Mapping
** Service User Creation
** Service User ACL
A Composum package could be used to package the Service User and Service User
ACLs. I don't know how to include OSGi configs in a Composum package. I may be
wrong, but the UI doesn't seem to allow it.
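The three Service User items in the list above (mapping, creation, ACL) are the part that can be scripted rather than clicked through in the web console. The Sling Feature Model fragment below is an added example written for this page, not code from the saml-handler bundle, its README, or the Composum package the comment mentions. The feature id, the service user name saml2-service-user, the subservice name Saml2UserMgt, the bundle symbolic name org.apache.sling.auth.saml2, and the /home/users/saml2 and /home/groups/saml2 intermediate paths are all assumptions and have to be matched to what the handler actually uses. The JAAS and SAML2 OSGi configurations are left out because their property keys are specific to the handler and are not shown on this page.

```json
{
  "id": "org.example:saml2-handler-setup:slingosgifeature:0.0.1",

  "configurations": {
    "org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~saml2": {
      "user.mapping": [
        "org.apache.sling.auth.saml2:Saml2UserMgt=saml2-service-user"
      ]
    }
  },

  "repoinit:TEXT|true": [
    "create service user saml2-service-user with path system/saml2",
    "create path (sling:Folder) /home/users/saml2",
    "create path (sling:Folder) /home/groups/saml2",
    "set ACL for saml2-service-user",
    "    allow jcr:read,rep:write,rep:userManagement on /home/users/saml2",
    "    allow jcr:read,rep:write,rep:userManagement on /home/groups/saml2",
    "end"
  ]
}
```

The repoinit section creates the service user and grants it rep:write and rep:userManagement only below the two assumed intermediate paths, which is what Jackrabbit's UserManager needs in order to create and edit users and groups there; if the handler also has to look up or modify authorizables that live elsewhere under /home, the ACL has to be widened to cover them. The ServiceUserMapperImpl amendment binds the assumed bundle symbolic name and subservice name to that service user, so a service resource resolver requested for that subservice resolves to it instead of failing.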
> SAML2 Authentication Handler [initial submission]
> -------------------------------------------------
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
> Issue Type: New Feature
> Components: Authentication
> Environment: localhost
> Reporter: Cris Rockwell
> Priority: Major
> Labels: SAML, authentification, security, user_management
> Original Estimate: 168h
> Time Spent: 1h
> Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution
> "As the code is ASL2 and does not require a notice or anything else, we don't
> need to mention it. But I think it's usually good style to do so and have a
> single sentence in our NOTICE that we include (modified) code from ... which
> has ASL2 as the license"
>
> *TODO After Initial*
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Testing setup ( documentation, local SAML provider, etc )
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little,
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is
> required
> [ ] Find and fix any bugs
>
--
This message was sent by Atlassian Jira (v8.3.4#803005)