Hi Dinusha, On Fri, Aug 19, 2016 at 3:59 PM, Dinusha Senanayaka <[email protected]> wrote:
> IMO, there should be a common SSOUtil package with all common SSO > functions client needed, which can use in all products. > - Request/Response signing > - Signature validation > - All other SAML Response related validations (audience, validity period > etc) > > This is something we noticed during the security war room we recently had > as well. Most of the products APIM, AppM, GReg, ES, DS etc (in jagery-apps) > have handled these validations using different methods. Some have write own > utils, some have called *org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil > *and so. Effort we had to put was huge and repetitive because of not > having a common code. > +1. The sso.agent was intended to be used as a library. Even the carbon dependencies are optional dependencies. > > For this scenario, I think using all the methods from > *org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil > *is cleaner, rather using different dependencies, unless we introduce a > clear common new module. > The sso.saml bundle is not written thinking to be used as a library. It has several dependencies also. Its a server side bundle. > > > Regards, > Dinusha. > > On Fri, Aug 19, 2016 at 3:31 PM, Rushmin Fernando <[email protected]> > wrote: > >> In our case we can re-use *org.wso2.carbon.webapp.mgt *for signature >> validation since it has implemented it with the use of the agent code. >> >> And we can use the agent utils (*org.wso2.carbon.identity.sso.agent) *for >> unmarshelling the response >> >> But didn't see a util to marshall the requests ? Is it missing here ? >> >> >> On Fri, Aug 19, 2016 at 3:24 PM, Johann Nallathamby <[email protected]> >> wrote: >> >>> >>> >>> On Fri, Aug 19, 2016 at 12:26 PM, Darshana Gunawardana < >>> [email protected]> wrote: >>> >>>> >>>> >>>> On Fri, Aug 19, 2016 at 10:25 AM, Johann Nallathamby <[email protected]> >>>> wrote: >>>> >>>>> This is what we have the SSO agent for. >>>>> >>>> >>>> SSO Agent is not carbon specific. Hence it does not have reading >>>> tenant's key and validating the signature. >>>> >>>> SSO Agent have an interface to plug carbon use cases. AS SSO valve >>>> reference shared above have that specific implementation. That >>>> implementation invoked via sso agent. >>>> >>> >>> +1. That should be the way to go here also. >>> >>> >>>> >>>> Thanks >>>> >>>> >>>>> @Rushmin, did you check the SSOAgent code? This was improved recently >>>>> also and is used in AS 6.0. The goal of the implementation was to make it >>>>> a >>>>> library to be used everywhere in the platform. Can you please check on >>>>> that? If there are any limitations we need to fix that library and try to >>>>> use it everywhere we need it. >>>>> >>>>> Please check with Kernel team where to get this and use this. >>>>> >>>>> On Fri, Aug 19, 2016 at 9:56 AM, Ishara Karunarathna <[email protected] >>>>> > wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> On Fri, Aug 19, 2016 at 9:47 AM, Darshana Gunawardana < >>>>>> [email protected]> wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Thu, Aug 18, 2016 at 4:43 PM, Rushmin Fernando <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> >>>>>>>> In current App Manager the service providers of tenants are getting >>>>>>>> created in the super tenant space. >>>>>>>> >>>>>>>> We are in the process of creating the service providers in the >>>>>>>> relevant tenants. >>>>>>>> >>>>>>>> In the app manager gateway, we use SAML SSO to authenticate the >>>>>>>> users, and the aforementioned service providers are used. >>>>>>>> >>>>>>>> When it comes to validating the the SAML response signature, I can >>>>>>>> see that we can re-use >>>>>>>> *org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil::getX509CredentialImplForTenant()* >>>>>>>> >>>>>>>> As per the code, it uses the tenant key store to get the >>>>>>>> certificates. And we can get the certificate by using the tenant name >>>>>>>> as >>>>>>>> the alias >>>>>>>> >>>>>>>> @IS team, do you see any issues with re-using this code in our >>>>>>>> gateway ? >>>>>>>> >>>>>>> >>>>>>> Using this util makes gateway -which is a client side(sp) component- >>>>>>> depends on the SAML component -which is server side(idp) component- >>>>>>> >>>>>>> IMO, its not nice to have that dependency. Once example is, this >>>>>>> dependency will expose you a samlsso (idp) endpoint from the gateway. >>>>>>> And >>>>>>> also gateway profile would need to have saml components and makes you to >>>>>>> have whole framework related dependencies as well. >>>>>>> >>>>>>> Thinking about client side (sp) components which already doing this >>>>>>> there are two components we have in wso2 platform. >>>>>>> 1. Carbon SAML authenticator : https://github.com/wso2-exte >>>>>>> nsions/identity-carbon-auth-saml2 >>>>>>> 2. AS SSO valve : https://github.com/wso2/carb >>>>>>> on-deployment/blob/4.7.x/components/webapp-mgt/org.wso2.carb >>>>>>> on.webapp.mgt/src/main/java/org/wso2/carbon/webapp/mgt/sso/S >>>>>>> AMLSignatureValidatorImpl.java >>>>>>> >>>>>>> Better to use utls from those two components, if we have such >>>>>>> methods. Most suitable component for gateway is #2, since carbon >>>>>>> authenticator don't have usage in gateway. >>>>>>> >>>>>>> I guess it's even worthy initiate separate component to handle all >>>>>>> these saml utils, given that we have isolated components across the >>>>>>> platform and we have to fix huge number of components if we identified a >>>>>>> core issue. >>>>>>> >>>>>> +1 with darshans idea. And later better to have some common set of >>>>>> libraries to handle this kind of scenarios. >>>>>> >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> >>>>>>>> @Amila, in a cloud story do we need to configure the key aliases >>>>>>>> for each tenant or can we live with the default alias (which is the >>>>>>>> tenant >>>>>>>> domain name) ? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> *Best Regards* >>>>>>>> >>>>>>>> *Rushmin Fernando* >>>>>>>> *Technical Lead* >>>>>>>> >>>>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware >>>>>>>> >>>>>>>> mobile : +94772891266 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Regards, >>>>>>> >>>>>>> >>>>>>> *Darshana Gunawardana*Associate Technical Lead >>>>>>> WSO2 Inc.; http://wso2.com >>>>>>> >>>>>>> *E-mail: [email protected] <[email protected]>* >>>>>>> *Mobile: +94718566859 <%2B94718566859>*Lean . Enterprise . >>>>>>> Middleware >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Ishara Karunarathna >>>>>> Associate Technical Lead >>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>>>>> >>>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: >>>>>> +94717996791 >>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks & Regards, >>>>> >>>>> *Johann Dilantha Nallathamby* >>>>> Technical Lead & Product Lead of WSO2 Identity Server >>>>> Governance Technologies Team >>>>> WSO2, Inc. >>>>> lean.enterprise.middleware >>>>> >>>>> Mobile - *+94777776950* >>>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>* >>>>> >>>> >>>> >>>> >>>> -- >>>> Regards, >>>> >>>> >>>> *Darshana Gunawardana*Associate Technical Lead >>>> WSO2 Inc.; http://wso2.com >>>> >>>> *E-mail: [email protected] <[email protected]>* >>>> *Mobile: +94718566859 <%2B94718566859>*Lean . Enterprise . Middleware >>>> >>> >>> >>> >>> -- >>> Thanks & Regards, >>> >>> *Johann Dilantha Nallathamby* >>> Technical Lead & Product Lead of WSO2 Identity Server >>> Governance Technologies Team >>> WSO2, Inc. >>> lean.enterprise.middleware >>> >>> Mobile - *+94777776950* >>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>* >>> >> >> >> >> -- >> *Best Regards* >> >> *Rushmin Fernando* >> *Technical Lead* >> >> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware >> >> mobile : +94772891266 >> >> >> >> _______________________________________________ >> Dev mailing list >> [email protected] >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> > > > -- > Dinusha Dilrukshi > Associate Technical Lead > WSO2 Inc.: http://wso2.com/ > Mobile: +94725255071 > Blog: http://dinushasblog.blogspot.com/ > -- Thanks & Regards, *Johann Dilantha Nallathamby* Technical Lead & Product Lead of WSO2 Identity Server Governance Technologies Team WSO2, Inc. lean.enterprise.middleware Mobile - *+94777776950* Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
