Re: Release Maggiore and authentication modules

2013-09-23 Thread Colm O hEigeartaigh
+1.

Colm.


On Mon, Sep 23, 2013 at 1:01 PM, Francesco Chicchiriccò  wrote:

>  Hi all,
> if there is some interest around enhancing Syncope with access management
> features - as it seems to me when reading this thread - I'd suggest to
> start a [DISCUSS] thread on dev@ ML; such features are currently planned
> for 3.0.0 Maggiore (i.e. in the far future) but can be shortly moved back
> to 1.3.0 or even 1.2.0 if there are few volunteers.
>
> WDYT?
>
>
> On 23/09/2013 13:56, Fabio Martelli wrote:
>
> On 23/09/2013 13:51, Strunk, Wolfgang wrote:
>
>  Hi Fabio,
>
> You also should consider oAuth for SSO and might have a look at Apache
> Oltu (http://oltu.apache.org/).
>
> Hi Wolfgang, sounds really interesting.
> Thank you for your contribution.
>
> Regards,
> F.
>
> Regards
>
> Wolfgang
>
> *From:* Fabio Martelli [mailto:fabio.marte...@gmail.com]
>
> *Sent:* Monday, September 23, 2013 1:42 PM
> *To:* user@syncope.apache.org
> *Subject:* Re: Release Maggiore and authentication modules
>
> On 23/09/2013 11:37, Oliver Wulff wrote:
>
>  Hi Fabio
>
> I sent this mail in the mailing list because I didn't really get much
> information from the jira tickets.
>
> Right now, I'm looking into adding SSO capabilities to Syncope with Apache
> CXF Fediz IDP. I noticed that security in the console is done with
> wicket whereas in the core you use spring security. I noticed also the JIRA
> to probably use Apache Shiro which is very close to Spring Security. Where
> do you want to use Shiro - console and/or core?
>
> Apache CXF Fediz uses WS-Federation and SAML tokens for authentication
> which means the console gets a SAML token which contains the roles of the
> user. Due to the fact that the same roles are used for the core, this SAML
> token could be sent to the REST services. CXF JAX-RS supports SAML as
> described in [2].
>
> WDYT?
>
> Hi Oliver, as per SYNCOPE-160 it should be investigated how to add the
> basis to provide access management features.
> I think that Shiro can be used on the core, mainly. The console would be
> a generic client of Apache Syncope that will have to communicate with it in
> respect of the authentication/authorization mechanism configured.
>
> Currently, I don't know which will be the auth solution to be implemented
> for the console.
> I don't exclude protecting the console via an Apache Syncope (AM) agent
> written ad-hoc.
>
> Apache Shiro is just an idea; CXF Fediz could be evaluated as well.
>
> Best regards,
> F.
>
> Thanks
>
> Oli
>
> [2]
> http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLassertionsinAuthorizationheader
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Release Maggiore and authentication modules

2013-09-23 Thread Strunk, Wolfgang
Hi all,
Starting a discussion thread in the developer sounds good.

We have to consider that there actually will be three things to consider:

- Login to Syncope (this is where Shiro could come into play)
- SSO to Syncope
- Provide access management features via Syncope.

I would not mix things up and propose to keep discussion about the latter out
of Syncope. Probably there will be customers combining Syncope with SSO
products (e.g. CAS http://www.jasig.org/cas or OpenAM
http://openam.forgerock.org/), but building it into Syncope bears the risk of
losing focus.

Wolfgang


Re: Release Maggiore and authentication modules

2013-09-23 Thread Francesco Chicchiriccò

Hi all,
if there is some interest around enhancing Syncope with access 
management features - as it seems to me when reading this thread - I'd 
suggest to start a [DISCUSS] thread on dev@ ML; such features are 
currently planned for 3.0.0 Maggiore (i.e. in the far future) but can be 
shortly moved back to 1.3.0 or even 1.2.0 if there are few volunteers.


WDYT?

On 23/09/2013 13:56, Fabio Martelli wrote:

On 23/09/2013 13:51, Strunk, Wolfgang wrote:


Hi Fabio,

You also should consider oAuth for SSO and might have a look at 
Apache Oltu (http://oltu.apache.org/).



Hi Wolfgang, sounds really interesting.
Thank you for your contribution.

Regards,
F.


Regards

Wolfgang

*From:* Fabio Martelli [mailto:fabio.marte...@gmail.com]
*Sent:* Monday, September 23, 2013 1:42 PM
*To:* user@syncope.apache.org
*Subject:* Re: Release Maggiore and authentication modules

On 23/09/2013 11:37, Oliver Wulff wrote:

Hi Fabio

I sent this mail in the mailing list because I didn't really get
much information from the jira tickets.

Right now, I'm looking into adding SSO capabilities to Syncope with
Apache CXF Fediz IDP. I noticed that security in the console is
done with wicket whereas in the core you use spring security. I
noticed also the JIRA to probably use Apache Shiro which is very
close to Spring Security. Where do you want to use Shiro -
console and/or core?

Apache CXF Fediz uses WS-Federation and SAML tokens for
authentication which means the console gets a SAML token which
contains the roles of the user. Due to the fact that the same
roles are used for the core, this SAML token could be sent to the
REST services. CXF JAX-RS supports SAML as described in [2].

WDYT?

Hi Oliver, as per SYNCOPE-160 it should be investigated how to add
the basis to provide access management features.
I think that Shiro can be used on the core, mainly. The console
would be a generic client of Apache Syncope that will have to
communicate with it in respect of the authentication/authorization
mechanism configured.

Currently, I don't know which will be the auth solution to be
implemented for the console.
I don't exclude protecting the console via an Apache Syncope (AM)
agent written ad-hoc.

Apache Shiro is just an idea; CXF Fediz could be evaluated as well.

Best regards,
F.

Thanks

Oli

[2] 
http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLassertionsinAuthorizationheader




--
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/



Re: Release Maggiore and authentication modules

2013-09-23 Thread Fabio Martelli

On 23/09/2013 13:51, Strunk, Wolfgang wrote:


Hi Fabio,

You also should consider oAuth for SSO and might have a look at Apache 
Oltu (http://oltu.apache.org/).



Hi Wolfgang, sounds really interesting.
Thank you for your contribution.

Regards,
F.


Regards

Wolfgang

*From:* Fabio Martelli [mailto:fabio.marte...@gmail.com]
*Sent:* Monday, September 23, 2013 1:42 PM
*To:* user@syncope.apache.org
*Subject:* Re: Release Maggiore and authentication modules

On 23/09/2013 11:37, Oliver Wulff wrote:

Hi Fabio

I sent this mail in the mailing list because I didn't really get
much information from the jira tickets.

Right now, I'm looking into adding SSO capabilities to Syncope with
Apache CXF Fediz IDP. I noticed that security in the console is
done with wicket whereas in the core you use spring security. I
noticed also the JIRA to probably use Apache Shiro which is very
close to Spring Security. Where do you want to use Shiro - console
and/or core?

Apache CXF Fediz uses WS-Federation and SAML tokens for
authentication which means the console gets a SAML token which
contains the roles of the user. Due to the fact that the same
roles are used for the core, this SAML token could be sent to the
REST services. CXF JAX-RS supports SAML as described in [2].

WDYT?

Hi Oliver, as per SYNCOPE-160 it should be investigated how to add
the basis to provide access management features.
I think that Shiro can be used on the core, mainly. The console
would be a generic client of Apache Syncope that will have to
communicate with it in respect of the authentication/authorization
mechanism configured.

Currently, I don't know which will be the auth solution to be
implemented for the console.
I don't exclude protecting the console via an Apache Syncope (AM)
agent written ad-hoc.

Apache Shiro is just an idea; CXF Fediz could be evaluated as well.

Best regards,
F.


Thanks

Oli

[2] 
http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLassertionsinAuthorizationheader






RE: Release Maggiore and authentication modules

2013-09-23 Thread Strunk, Wolfgang
Hi Fabio,
You also should consider oAuth for SSO and might have a look at Apache Oltu 
(http://oltu.apache.org/).

Regards
Wolfgang

From: Fabio Martelli [mailto:fabio.marte...@gmail.com]
Sent: Monday, September 23, 2013 1:42 PM
To: user@syncope.apache.org
Subject: Re: Release Maggiore and authentication modules

On 23/09/2013 11:37, Oliver Wulff wrote:

Hi Fabio



I sent this mail in the mailing list because I didn't really get much 
information from the jira tickets.



Right now, I'm looking into adding SSO capabilities to Syncope with Apache CXF
Fediz IDP. I noticed that security in the console is done with wicket whereas 
in the core you use spring security. I noticed also the JIRA to probably use 
Apache Shiro which is very close to Spring Security. Where do you want to use 
Shiro - console and/or core?



Apache CXF Fediz uses WS-Federation and SAML tokens for authentication which 
means the console gets a SAML token which contains the roles of the user. Due 
to the fact that the same roles are used for the core, this SAML token could be 
sent to the REST services. CXF JAX-RS supports SAML as described in [2].



WDYT?
Hi Oliver, as per SYNCOPE-160 it should be investigated how to add the basis
to provide access management features.
I think that Shiro can be used on the core, mainly. The console would be a
generic client of Apache Syncope that will have to communicate with it in
respect of the authentication/authorization mechanism configured.

Currently, I don't know which will be the auth solution to be implemented for
the console.
I don't exclude protecting the console via an Apache Syncope (AM) agent written
ad-hoc.

Apache Shiro is just an idea; CXF Fediz could be evaluated as well.

Best regards,
F.





Thanks

Oli







[2] 
http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLassertionsinAuthorizationheader








Re: Release Maggiore and authentication modules

2013-09-23 Thread Fabio Martelli

On 23/09/2013 11:37, Oliver Wulff wrote:


Hi Fabio

I sent this mail in the mailing list because I didn't really get much 
information from the jira tickets.


Right now, I'm looking into adding SSO capabilities to Syncope with
Apache CXF Fediz IDP. I noticed that security in the console is done 
with wicket whereas in the core you use spring security. I noticed 
also the JIRA to probably use Apache Shiro which is very close to 
Spring Security. Where do you want to use Shiro - console and/or core?


Apache CXF Fediz uses WS-Federation and SAML tokens for authentication 
which means the console gets a SAML token which contains the roles of 
the user. Due to the fact that the same roles are used for the core, 
this SAML token could be sent to the REST services. CXF JAX-RS 
supports SAML as described in [2].


WDYT?

Hi Oliver, as per SYNCOPE-160 it should be investigated how to add
the basis to provide access management features.
I think that Shiro can be used on the core, mainly. The console would
be a generic client of Apache Syncope that will have to communicate with
it in respect of the authentication/authorization mechanism configured.

Currently, I don't know which will be the auth solution to be
implemented for the console.
I don't exclude protecting the console via an Apache Syncope (AM) agent
written ad-hoc.

Apache Shiro is just an idea; CXF Fediz could be evaluated as well.

Best regards,
F.


Thanks

Oli

[2] 
http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLassertionsinAuthorizationheader



*From:* Fabio Martelli [fabio.marte...@gmail.com]
*Sent:* 23 September 2013 10:09
*To:* user@syncope.apache.org
*Subject:* Re: Release Maggiore and authentication modules

On 21/09/2013 13:56, Oliver Wulff wrote:


Hi there

I'm wondering what is meant with authentication modules in the 
Maggiore release?


Is the idea to authenticate users accessing the syncope console and 
provide different options to authenticate?



Hi Oliver,
yes it is.
Take a look at [1] for more details.

Best regards,
F.

[1] https://issues.apache.org/jira/browse/SYNCOPE-160


Thanks

Oli

--

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com







RE: Release Maggiore and authentication modules

2013-09-23 Thread Oliver Wulff
Hi Fabio



I sent this mail in the mailing list because I didn't really get much 
information from the jira tickets.



Right now, I'm looking into adding SSO capabilities to Syncope with Apache CXF
Fediz IDP. I noticed that security in the console is done with wicket whereas 
in the core you use spring security. I noticed also the JIRA to probably use 
Apache Shiro which is very close to Spring Security. Where do you want to use 
Shiro - console and/or core?



Apache CXF Fediz uses WS-Federation and SAML tokens for authentication which 
means the console gets a SAML token which contains the roles of the user. Due 
to the fact that the same roles are used for the core, this SAML token could be 
sent to the REST services. CXF JAX-RS supports SAML as described in [2].



WDYT?



Thanks

Oli







[2] 
http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLassertionsinAuthorizationheader







From: Fabio Martelli [fabio.marte...@gmail.com]
Sent: 23 September 2013 10:09
To: user@syncope.apache.org
Subject: Re: Release Maggiore and authentication modules

On 21/09/2013 13:56, Oliver Wulff wrote:

Hi there



I'm wondering what is meant with authentication modules in the Maggiore release?



Is the idea to authenticate users accessing the syncope console and provide 
different options to authenticate?

Hi Oliver,
yes it is.
Take a look at [1] for more details.

Best regards,
F.

[1] https://issues.apache.org/jira/browse/SYNCOPE-160




Thanks

Oli





--

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com



Re: Release Maggiore and authentication modules

2013-09-23 Thread Fabio Martelli

On 21/09/2013 13:56, Oliver Wulff wrote:


Hi there

I'm wondering what is meant with authentication modules in the 
Maggiore release?


Is the idea to authenticate users accessing the syncope console and 
provide different options to authenticate?



Hi Oliver,
yes it is.
Take a look at [1] for more details.

Best regards,
F.

[1] https://issues.apache.org/jira/browse/SYNCOPE-160


Thanks

Oli

--

Oliver Wulff

Blog: http://owulff.blogspot.com 
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com