After discussing with Colm on IRC, I went ahead and merged the PR.
Regards.
On 30/03/2017 14:30, Francesco Chicchiriccò wrote:
On 30/03/2017 11:42, Colm O hEigeartaigh wrote:
Hi Francesco,
Good work!
Thanks sir :-)
A few questions for you:
a) Is there any documentation available on how to set this up for a Syncope deployment? I'll give it a try once there is.
There is something in the (updated) reference guide:
https://github.com/Tirasa/syncopeSAML2SP/blob/SYNCOPE-1041/src/main/asciidoc/reference-guide/concepts/extensions.adoc#saml-20-service-provider
Essentially, you need to download the IdP metadata into one XML file, then go into Admin Console > Extensions > SAML 2.0 and import.
Then, edit the created IdP entry to set the appropriate mapping; I have been using:
* username -> uid for TestShib
* email -> EmailAddress for SSO Circle
Now download SP metadata from the second tab of the same page: please take care to access the Syncope deployment with some FQDN and localhost, so that metadata URLs are generated accordingly.
SP metadata for Admin Console is also downloadable from
http://your.host.name:9080/syncope-console/saml2sp/metadata
Once downloaded, import such SP metadata into your SAML IdP.
Then edit one of the users so that the mapping above is verified; I did it by:
* setting username to 'myself' for TestShib (the test user available there)
* setting email value to the one for the user I created at SSO circle
Finally, log out from Admin Console: a new combo box is shown at the bottom of the login screen, from which you can choose one of the configured IdPs: by selecting one, the SAML SSO process is triggered and - if all goes well - you will end up logging into the Admin Console as the user authenticated via SAML.
The same feature is available for the Enduser UI, but requires you to download / import into the IdP some slightly different metadata:
http://your.host.name:9080/syncope-enduser/saml2sp/metadata
b) Does the code support both the "RP" and "IdP" initiated flows? Both would be useful, although we could always add the other at a later stage if not.
At the moment only SP-initiated is supported.
c) I see CXF's SAMLProtocolResponseValidator in the code but not the SAMLSSOResponseValidator. The SAMLSSOResponseValidator takes care of validating the SAML Response against the web SSO profile, or are you doing this manually somewhere?
Exactly: most of the checks performed by SAMLSSOResponseValidator are done through SAML2SPLogic methods.
d) There are some TransformerFactory instances that need to have the secure processing feature enabled.
"some"? There should be only one, actually: please suggest the modifications and I'll push a commit for that.
Thanks for reporting!
Regards.
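An added example (not code from the PR, from Syncope or from CXF) of the change Colm's point d) asks for: a TransformerFactory created with the JAXP secure processing feature enabled and external DTD/stylesheet access switched off, used here to serialise a DOM element such as SP metadata. It assumes a JAXP 1.5-capable implementation (the JDK's built-in one qualifies); the class and method names are made up for the example.

```java
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Element;

public final class SecureXml {

    private SecureXml() { }

    // Build a TransformerFactory that runs with the JAXP secure-processing limits
    // (no extension functions, bounded entity expansion) and never loads external
    // DTDs or stylesheets, so a crafted document cannot trigger XXE or SSRF through it.
    public static TransformerFactory newSecureTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // JAXP 1.5 properties: an empty string means "no protocols allowed"
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Pre-JAXP 1.5 implementations (e.g. an old standalone Xalan) reject these
            // attributes; fail closed rather than silently run with weaker settings.
            throw new TransformerConfigurationException(
                    "TransformerFactory does not support JAXP 1.5 external-access attributes", e);
        }
        return tf;
    }

    // Serialise a DOM element (e.g. SP metadata about to be returned from
    // /saml2sp/metadata) through the hardened factory.
    public static String serialize(Element element) throws Exception {
        Transformer t = newSecureTransformerFactory().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(element), new StreamResult(out));
        return out.toString();
    }
}
```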
On Tue, Mar 28, 2017 at 3:41 PM, Francesco Chicchiriccò <[email protected]> wrote:
Hi all,
I have just submitted the PR #45 containing my work for SYNCOPE-1041: it basically introduces a new extension which allows you to:
1. import IdP metadata and configure mapping to match internal users (also via admin console)
2. export SP metadata
3. enable Admin Console and Enduser to perform SAML-based SSO
I have tested the feature with both https://www.testshib.org/ and http://www.ssocircle.com/en/
Please note that, as kindly suggested by Colm and Sergey, I did not re-implement the SAML assertion validation, but I did re-use cxf-rt-rs-security-sso-saml.
At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should be close enough.
Please let me have your feedback.
Regards.
On 07/03/2017 17:25, Francesco Chicchiriccò wrote:
On 07/03/2017 17:19, Colm O hEigeartaigh wrote:
Hi Francesco,
It's good to see support for SAML coming to Syncope. I'd encourage you to re-use the functionality developed in CXF to validate the SAML Response from the IdP:
https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
I spent a lot of time reading the specs and making sure the validation rules were all followed :-)
That's very nice, thanks for the pointers!
Regards.
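An added example, not code from the PR or from CXF itself, of how the two CXF validators Colm points to above are chained for an SP-initiated, POST-binding flow: the protocol-level validator first (signature, status, conditions), then the web SSO profile validator (issuer, destination, InResponseTo). The CXF and WSS4J method names and signatures are assumed from the 3.1.x / 2.1.x lines; the Crypto holding the IdP signing certificate, the CallbackHandler, and the issuer, entity id, ACS URL and request id are values the caller supplies.

```java
import java.io.InputStream;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator;
import org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidator;
import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.opensaml.saml.saml2.core.Response;
import org.w3c.dom.Document;

public final class SamlResponseChecker {

    private SamlResponseChecker() { }

    // Parse the (already base64-decoded) SAML Response with DTDs and external entities disabled.
    static Document parseHardened(InputStream xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // OpenSAML unmarshalling needs namespaces
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(xml);
    }

    // Runs the two CXF validators in order: protocol-level checks first, then the
    // web SSO profile checks. idpSigCrypto holds the IdP signing certificate taken
    // from its imported metadata (assumption: caller builds it from that metadata).
    public static SSOValidatorResponse validate(InputStream responseXml, Crypto idpSigCrypto,
            CallbackHandler cb, String idpEntityId, String spEntityId, String acsUrl,
            String authnRequestId, boolean postBinding) throws Exception {
        OpenSAMLUtil.initSamlEngine();
        Document doc = parseHardened(responseXml);
        Response samlResponse = (Response) OpenSAMLUtil.fromDom(doc.getDocumentElement());

        SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
        protocolValidator.validateSamlResponse(samlResponse, idpSigCrypto, cb);

        SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
        ssoValidator.setIssuerIDP(idpEntityId);         // reject responses from any other issuer
        ssoValidator.setSpIdentifier(spEntityId);       // audience restriction must name this SP
        ssoValidator.setAssertionConsumerURL(acsUrl);   // Destination must match our ACS endpoint
        ssoValidator.setRequestId(authnRequestId);      // InResponseTo must match the AuthnRequest we sent
        ssoValidator.setEnforceAssertionsSigned(true);  // POST binding: the Assertion itself must be signed
        return ssoValidator.validateSamlResponse(samlResponse, postBinding);
    }
}
```

A validator failure surfaces as a WSSecurityException, which the caller should log and turn into a login failure rather than fall back to unvalidated attributes.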
On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò <[email protected]> wrote:
On 07/03/2017 11:56, Sergey Beryozkin wrote:
Hi Francesco
Not sure if it can be relevant for this work but at the CXF level we have this SAML SP support: http://cxf.apache.org/docs/saml-web-sso.html, something Colm and myself worked upon earlier on.
Thanks for the pointer, Sergey: I did already find it, though.
This does not completely fit in our scenario since here the idea is to split the responsibilities in two: from one side the front-end web-fragment takes care of the SAML exchange, from the other side the Syncope core (e.g. the CXF application) works as back-end for the effective SAML assertion validation and generation.
I'll look at the provided page and related implementation, anyway, thank you very much indeed.
FYI, this class
https://github.com/apache/wss4j/blob/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java
has already been extremely useful to me, since OpenSAML 3 documentation is practically absent.
Regards.
On 07/03/17 10:49, Francesco Chicchiriccò wrote:
Hi all,
I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose.
I am already working on it, and it should be ready on time for Syncope 2.0.3.
The idea is to embed the whole implementation in a PR, with option of further discussing before merge.
Also, I would like to include, in the 2.0.3 release notes, a public "thank you" statement to the University of Helsinki similar to the one we made for 1.1.0 [2].
WDYT?
Regards.
[1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013)
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/