Re: [Architecture] Implementing SAML ECP profile for WSO2 IS

2018-10-09 Thread Johann Nallathamby
@IAM team, why don't we use the inbound framework for
this task? Then we don't need to register a new servlet, just write the
connector to process the SOAP message. The implementation will be much
simpler, and it will save the effort of writing JDBC logic for storing
properties, etc.

@Harsha Thirimanna @Pushpalanka Jayawardhana
did a similar implementation for a customer successfully.
Maybe we can get some pointers from it.

@Winma Heenatigala, to overcome the consent issue, I think
we need a way to dynamically suppress the consent page. Maybe introduce a
new request attribute for this, which can only be set by other components by
calling the API (not via the HTTP request).

Regards,
Johann.

On Fri, Sep 28, 2018 at 11:32 AM Winma Heenatigala  wrote:

> Hi all,
>
> As I mentioned in my previous email, I completed my research on the ECP
> profile and started to implement it for WSO2 Identity Server.
> For testing purposes I needed an ECP-enabled Service Provider and a
> client. For that I used Shibboleth SP and a Simple Bash client [1] provided
> by Shibboleth.
>
> I created a new servlet called SAMLECPProviderServlet to capture the
> SOAP-bound SAML authentication request sent by the Enhanced Client. The
> basic auth credentials (username and password) were sent by the client to
> the IDP in the HTTP request Authorization header. Using a request wrapper,
> the basic auth credentials were set to the sectoken parameter, the SAML
> request was extracted from the SOAP envelope and the new request was
> forwarded to the SAMLSSOProviderServlet. Then the request could be
> processed the way the Request Path Authenticator works. Inside the
> SAMLSSOServlet, for requests from ECP clients a separate response was
> created where the SAML response was enclosed in a SOAP envelope.
>
> However, since the client is browserless there is an issue in providing
> user consent. When I disabled SSO Consent Management on the server and
> tested the client, the client worked fine.
> Now I am working on finding a way to give user consent without the
> browser.
>
> [1]
> https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplebash
>
> Thank you!
> Winma
>
>
> On Mon, Sep 3, 2018 at 10:57 PM Winma Heenatigala  wrote:
>
>>
>> Hi all,
>>
>> I am working on a project to implement the SAML ECP profile for WSO2 IS.
>> Here is a brief summary of my project progress.
>>
>> *Introduction*
>> The Web-based SSO profile supports SSO for browser-based clients. In
>> contrast, the SAML ECP (Enhanced Clients or Proxies) profile supports SSO
>> for non-browser-based clients such as desktop clients.
>>
>> *Progress*
>> I researched existing IDPs that have the SAML ECP profile implemented. From
>> my research results I found that Shibboleth is the best among the
>> ECP-enabled IDPs. As the initial step of the project I downloaded an existing
>> ECP client and connected it with Shibboleth to examine how the ECP client
>> works.
>>
>> During the discussion held today, we discussed how the message flow
>> happens in ECP. During the meeting we verified that although the SP
>> sends a set of IDPs in the Response message, the ECP actually chooses the
>> IDP on its own and the client itself must validate whether the chosen IDP
>> is one of the IDPs accepted by the SP. We also discussed the importance
>> of having RelayState.
>>
>>
>> The following documents were written on connecting the ECP client with
>> Shibboleth.
>>
>> https://medium.com/@winma.15/installation-of-shibboleth-idp-in-ubuntu-3acc57075cad
>>
>> https://medium.com/@winma.15/shibboleth-sp-installation-in-ubuntu-d284b8d850da
>>
>> https://medium.com/@winma.15/connecting-ecp-with-shibboleth-using-wso2-identity-server-user-store-540f616ee968
>>
>> Thank you!
>> Winma
>>
>>
>> *Winma Heenatigala*
>> *Trainee Software Engineer | WSO2*
>>
>> *Mobile : +94719132444*
>>
>>
>>
>>
>
> --
>
> *Winma Heenatigala*
> *Trainee Software Engineer | WSO2*
>
> *Mobile : +94719132444*
>
>
>
>


-- 

*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware

Mobile: *+94 77 7776950*
LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
*
Medium: *https://medium.com/@johann_nallathamby
*
Twitter: *@dj_nallaa*
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Implementing SAML ECP profile for WSO2 IS

2018-10-03 Thread Winma Heenatigala
Thank you!

On Fri, Sep 28, 2018 at 2:42 PM Isura Karunaratne  wrote:

>
>
> On Fri, Sep 28, 2018 at 11:32 AM Winma Heenatigala  wrote:
>
>> Hi all,
>>
>> As I mentioned in my previous email, I completed my research on the ECP
>> profile and started to implement it for WSO2 Identity Server.
>> For testing purposes I needed an ECP-enabled Service Provider and a
>> client. For that I used Shibboleth SP and a Simple Bash client [1] provided
>> by Shibboleth.
>>
>> I created a new servlet called SAMLECPProviderServlet to capture the
>> SOAP-bound SAML authentication request sent by the Enhanced Client. The
>> basic auth credentials (username and password) were sent by the client to
>> the IDP in the HTTP request Authorization header. Using a request wrapper,
>> the basic auth credentials were set to the sectoken parameter, the SAML
>> request was extracted from the SOAP envelope and the new request was
>> forwarded to the SAMLSSOProviderServlet. Then the request could be
>> processed the way the Request Path Authenticator works. Inside the
>> SAMLSSOServlet, for requests from ECP clients a separate response was
>> created where the SAML response was enclosed in a SOAP envelope.
>>
>> However, since the client is browserless there is an issue in providing
>> user consent. When I disabled SSO Consent Management on the server and
>> tested the client, the client worked fine.
>> Now I am working on finding a way to give user consent without the
>> browser.
>>
> Currently, Identity Server does not support managing consent for
> non-browser-based authentication.
>
> Thanks
> Isura.
>
>>
>> [1]
>> https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplebash
>>
>> Thank you!
>> Winma
>>
>>
>> On Mon, Sep 3, 2018 at 10:57 PM Winma Heenatigala  wrote:
>>
>>>
>>> Hi all,
>>>
>>> I am working on a project to implement the SAML ECP profile for WSO2 IS.
>>> Here is a brief summary of my project progress.
>>>
>>> *Introduction*
>>> The Web-based SSO profile supports SSO for browser-based clients. In
>>> contrast, the SAML ECP (Enhanced Clients or Proxies) profile supports SSO
>>> for non-browser-based clients such as desktop clients.
>>>
>>> *Progress*
>>> I researched existing IDPs that have the SAML ECP profile implemented. From
>>> my research results I found that Shibboleth is the best among the
>>> ECP-enabled IDPs. As the initial step of the project I downloaded an existing
>>> ECP client and connected it with Shibboleth to examine how the ECP client
>>> works.
>>>
>>> During the discussion held today, we discussed how the message
>>> flow happens in ECP. During the meeting we verified that although the
>>> SP sends a set of IDPs in the Response message, the ECP actually chooses
>>> the IDP on its own and the client itself must validate whether the chosen
>>> IDP is one of the IDPs accepted by the SP. We also discussed the
>>> importance of having RelayState.
>>>
>>>
>>> The following documents were written on connecting the ECP client with
>>> Shibboleth.
>>>
>>> https://medium.com/@winma.15/installation-of-shibboleth-idp-in-ubuntu-3acc57075cad
>>>
>>> https://medium.com/@winma.15/shibboleth-sp-installation-in-ubuntu-d284b8d850da
>>>
>>> https://medium.com/@winma.15/connecting-ecp-with-shibboleth-using-wso2-identity-server-user-store-540f616ee968
>>>
>>> Thank you!
>>> Winma
>>>
>>>
>>> *Winma Heenatigala*
>>> *Trainee Software Engineer | WSO2*
>>>
>>> *Mobile : +94719132444*
>>>
>>>
>>>
>>>
>>
>> --
>>
>> *Winma Heenatigala*
>> *Trainee Software Engineer | WSO2*
>>
>> *Mobile : +94719132444*
>>
>>
>>
>>
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2 
> *lean.enterprise.middleware*
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>

-- 

*Winma Heenatigala*
*Trainee Software Engineer | WSO2*

*Mobile : +94719132444*


Re: [Architecture] Implementing SAML ECP profile for WSO2 IS

2018-09-28 Thread Isura Karunaratne
On Fri, Sep 28, 2018 at 11:32 AM Winma Heenatigala  wrote:

> Hi all,
>
> As I mentioned in my previous email, I completed my research on the ECP
> profile and started to implement it for WSO2 Identity Server.
> For testing purposes I needed an ECP-enabled Service Provider and a
> client. For that I used Shibboleth SP and a Simple Bash client [1] provided
> by Shibboleth.
>
> I created a new servlet called SAMLECPProviderServlet to capture the
> SOAP-bound SAML authentication request sent by the Enhanced Client. The
> basic auth credentials (username and password) were sent by the client to
> the IDP in the HTTP request Authorization header. Using a request wrapper,
> the basic auth credentials were set to the sectoken parameter, the SAML
> request was extracted from the SOAP envelope and the new request was
> forwarded to the SAMLSSOProviderServlet. Then the request could be
> processed the way the Request Path Authenticator works. Inside the
> SAMLSSOServlet, for requests from ECP clients a separate response was
> created where the SAML response was enclosed in a SOAP envelope.
>
> However, since the client is browserless there is an issue in providing
> user consent. When I disabled SSO Consent Management on the server and
> tested the client, the client worked fine.
> Now I am working on finding a way to give user consent without the
> browser.
>
Currently, Identity Server does not support managing consent for
non-browser-based authentication.

Thanks
Isura.

>
> [1]
> https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplebash
>
> Thank you!
> Winma
>
>
> On Mon, Sep 3, 2018 at 10:57 PM Winma Heenatigala  wrote:
>
>>
>> Hi all,
>>
>> I am working on a project to implement the SAML ECP profile for WSO2 IS.
>> Here is a brief summary of my project progress.
>>
>> *Introduction*
>> The Web-based SSO profile supports SSO for browser-based clients. In
>> contrast, the SAML ECP (Enhanced Clients or Proxies) profile supports SSO
>> for non-browser-based clients such as desktop clients.
>>
>> *Progress*
>> I researched existing IDPs that have the SAML ECP profile implemented. From
>> my research results I found that Shibboleth is the best among the
>> ECP-enabled IDPs. As the initial step of the project I downloaded an existing
>> ECP client and connected it with Shibboleth to examine how the ECP client
>> works.
>>
>> During the discussion held today, we discussed how the message flow
>> happens in ECP. During the meeting we verified that although the SP
>> sends a set of IDPs in the Response message, the ECP actually chooses the
>> IDP on its own and the client itself must validate whether the chosen IDP
>> is one of the IDPs accepted by the SP. We also discussed the importance
>> of having RelayState.
>>
>>
>> The following documents were written on connecting the ECP client with
>> Shibboleth.
>>
>> https://medium.com/@winma.15/installation-of-shibboleth-idp-in-ubuntu-3acc57075cad
>>
>> https://medium.com/@winma.15/shibboleth-sp-installation-in-ubuntu-d284b8d850da
>>
>> https://medium.com/@winma.15/connecting-ecp-with-shibboleth-using-wso2-identity-server-user-store-540f616ee968
>>
>> Thank you!
>> Winma
>>
>>
>> *Winma Heenatigala*
>> *Trainee Software Engineer | WSO2*
>>
>> *Mobile : +94719132444*
>>
>>
>>
>>
>
> --
>
> *Winma Heenatigala*
> *Trainee Software Engineer | WSO2*
>
> *Mobile : +94719132444*
>
>
>
>

-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Architecture] Implementing SAML ECP profile for WSO2 IS

2018-09-28 Thread Winma Heenatigala
Hi all,

As I mentioned in my previous email, I completed my research on the ECP
profile and started to implement it for WSO2 Identity Server.
For testing purposes I needed an ECP-enabled Service Provider and a
client. For that I used Shibboleth SP and a Simple Bash client [1] provided
by Shibboleth.

I created a new servlet called SAMLECPProviderServlet to capture the
SOAP-bound SAML authentication request sent by the Enhanced Client. The
basic auth credentials (username and password) were sent by the client to
the IDP in the HTTP request Authorization header. Using a request wrapper,
the basic auth credentials were set to the sectoken parameter, the SAML
request was extracted from the SOAP envelope and the new request was
forwarded to the SAMLSSOProviderServlet. Then the request could be
processed the way the Request Path Authenticator works. Inside the
SAMLSSOServlet, for requests from ECP clients a separate response was
created where the SAML response was enclosed in a SOAP envelope.

However, since the client is browserless there is an issue in providing
user consent. When I disabled SSO Consent Management on the server and
tested the client, the client worked fine.
Now I am working on finding a way to give user consent without the
browser.

[1]
https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplebash

Thank you!
Winma


On Mon, Sep 3, 2018 at 10:57 PM Winma Heenatigala  wrote:

>
> Hi all,
>
> I am working on a project to implement the SAML ECP profile for WSO2 IS.
> Here is a brief summary of my project progress.
>
> *Introduction*
> The Web-based SSO profile supports SSO for browser-based clients. In
> contrast, the SAML ECP (Enhanced Clients or Proxies) profile supports SSO
> for non-browser-based clients such as desktop clients.
>
> *Progress*
> I researched existing IDPs that have the SAML ECP profile implemented. From
> my research results I found that Shibboleth is the best among the
> ECP-enabled IDPs. As the initial step of the project I downloaded an existing
> ECP client and connected it with Shibboleth to examine how the ECP client
> works.
>
> During the discussion held today, we discussed how the message flow
> happens in ECP. During the meeting we verified that although the SP
> sends a set of IDPs in the Response message, the ECP actually chooses the
> IDP on its own and the client itself must validate whether the chosen IDP
> is one of the IDPs accepted by the SP. We also discussed the importance
> of having RelayState.
>
>
> The following documents were written on connecting the ECP client with
> Shibboleth.
>
> https://medium.com/@winma.15/installation-of-shibboleth-idp-in-ubuntu-3acc57075cad
>
> https://medium.com/@winma.15/shibboleth-sp-installation-in-ubuntu-d284b8d850da
>
> https://medium.com/@winma.15/connecting-ecp-with-shibboleth-using-wso2-identity-server-user-store-540f616ee968
>
> Thank you!
> Winma
>
>
> *Winma Heenatigala*
> *Trainee Software Engineer | WSO2*
>
> *Mobile : +94719132444*
>
>
>
>

-- 

*Winma Heenatigala*
*Trainee Software Engineer | WSO2*

*Mobile : +94719132444*
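Added example, not WSO2 IS, Shibboleth or the bash client's own code: the exchange Winma describes above (SOAP-bound AuthnRequest, credentials in the Basic Authorization header, SAML Response handed back inside a SOAP envelope) together with the two client-side duties from the Sep 3 message, checking the chosen IDP against the SP's IDPList and carrying RelayState back to the SP. All URLs, messages, credentials and the user store are constructed, and the function names (ecp_parse_sp_response, idp_handle_soap and the rest) are hypothetical; the constructed IDP response carries no Assertion or signature, which a real IDP would add. It goes beyond the thread in one respect: the ECP refuses to deliver the Response when the IDP's AssertionConsumerServiceURL differs from the SP's responseConsumerURL, and the IDP refuses to echo an ACS URL that is not the one registered for the requesting SP.

```python
# Added example, not WSO2 IS, Shibboleth or the bash client's own code: the ECP exchange
# from this thread with the checks each side has to make. All messages, URLs, credentials
# and the user store are constructed; the function names are hypothetical.
import base64
import hmac
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"
SOAP_MU = {f"{{{NS['S']}}}mustUnderstand": "1", f"{{{NS['S']}}}actor": ACTOR}
SP_ISSUER = "https://sp.example.org/shibboleth"              # constructed
SP_ACS = "https://sp.example.org/Shibboleth.sso/SAML2/ECP"  # constructed
IDP_SSO = "https://idp.example.org/samlsso"                  # constructed
SP_REGISTRY = {SP_ISSUER: SP_ACS}   # what the IDP knows from the SP's metadata
USER_STORE = {"alice": "s3cret"}    # stand-in for the IDP's user store

# Constructed PAOS response: what the SP hands an ECP client instead of a login page.
SP_PAOS_RESPONSE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}"
  xmlns:ecp="{NS['ecp']}" xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <S:Header>
  <paos:Request S:mustUnderstand="1" S:actor="{ACTOR}" service="{NS['ecp']}"
    responseConsumerURL="{SP_ACS}"/>
  <ecp:Request S:mustUnderstand="1" S:actor="{ACTOR}"><saml:Issuer>{SP_ISSUER}</saml:Issuer>
   <samlp:IDPList><samlp:IDPEntry ProviderID="https://idp.example.org/idp" Loc="{IDP_SSO}"/></samlp:IDPList>
  </ecp:Request>
  <ecp:RelayState S:mustUnderstand="1" S:actor="{ACTOR}">ss:mem:abc123</ecp:RelayState>
 </S:Header>
 <S:Body><samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2018-09-28T06:00:00Z"
   AssertionConsumerServiceURL="{SP_ACS}"><saml:Issuer>{SP_ISSUER}</saml:Issuer></samlp:AuthnRequest>
 </S:Body></S:Envelope>"""

def ecp_parse_sp_response(xml_text):
    """ECP side: keep responseConsumerURL, IDPList, RelayState and the AuthnRequest."""
    env = ET.fromstring(xml_text)
    paos_req = env.find("S:Header/paos:Request", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP response")
    relay = env.find("S:Header/ecp:RelayState", NS)
    entries = env.findall("S:Header/ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)
    return {"rcu": paos_req.get("responseConsumerURL"), "authn": authn,
            "idp_locs": {e.get("Loc") for e in entries},
            "relay_state": None if relay is None else relay.text}

def ecp_choose_idp(ctx, preferred_loc):
    """The ECP picks the IDP itself but must check it against the SP's IDPList when one was sent."""
    if ctx["idp_locs"] and preferred_loc not in ctx["idp_locs"]:
        raise ValueError("chosen IDP is not one the SP accepts")
    return preferred_loc

def ecp_build_idp_request(ctx, username, password):
    """Drop the PAOS/ECP headers; the IDP gets only the AuthnRequest plus HTTP Basic credentials."""
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    ET.SubElement(env, f"{{{NS['S']}}}Body").append(ctx["authn"])
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}, ET.tostring(env, encoding="unicode")

def idp_handle_soap(headers, soap_text, user_store=USER_STORE, registry=SP_REGISTRY):
    """IDP side, as the thread's servlet does it: credentials from the Authorization header,
    AuthnRequest from the SOAP body, Response wrapped in SOAP with an ecp:Response header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        raise PermissionError("missing Basic credentials")
    username, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    if username not in user_store or not hmac.compare_digest(
            user_store[username].encode(), password.encode()):
        raise PermissionError("authentication failed")
    authn = ET.fromstring(soap_text).find("S:Body/samlp:AuthnRequest", NS)
    if authn is None:
        raise ValueError("no AuthnRequest in the SOAP body")
    acs = authn.get("AssertionConsumerServiceURL")
    if registry.get(authn.findtext("saml:Issuer", namespaces=NS)) != acs:
        raise ValueError("AssertionConsumerServiceURL does not match the SP's metadata")
    out = ET.Element(f"{{{NS['S']}}}Envelope")
    ET.SubElement(ET.SubElement(out, f"{{{NS['S']}}}Header"), f"{{{NS['ecp']}}}Response",
                  dict(SOAP_MU, AssertionConsumerServiceURL=acs))
    ET.SubElement(ET.SubElement(out, f"{{{NS['S']}}}Body"), f"{{{NS['samlp']}}}Response",
                  {"ID": "_resp1", "Version": "2.0", "InResponseTo": authn.get("ID")})
    return ET.tostring(out, encoding="unicode")   # a real IDP adds and signs the Assertion

def ecp_verify_and_forward(ctx, idp_soap_text):
    """ECP side: deliver the Response only if the IDP's ACS URL equals the SP's responseConsumerURL."""
    env = ET.fromstring(idp_soap_text)
    ecp_resp = env.find("S:Header/ecp:Response", NS)
    saml_resp = env.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise ValueError("malformed IDP response")
    if ecp_resp.get("AssertionConsumerServiceURL") != ctx["rcu"]:
        raise ValueError("ACS URL mismatch: not delivering the Response")
    out = ET.Element(f"{{{NS['S']}}}Envelope")
    hdr = ET.SubElement(out, f"{{{NS['S']}}}Header")
    ET.SubElement(hdr, f"{{{NS['paos']}}}Response", dict(SOAP_MU))
    if ctx["relay_state"] is not None:   # RelayState goes back to the SP unchanged
        ET.SubElement(hdr, f"{{{NS['ecp']}}}RelayState", dict(SOAP_MU)).text = ctx["relay_state"]
    ET.SubElement(out, f"{{{NS['S']}}}Body").append(saml_resp)
    return ctx["rcu"], ET.tostring(out, encoding="unicode")
```

Run the four steps in order: ecp_parse_sp_response(SP_PAOS_RESPONSE), ecp_choose_idp, ecp_build_idp_request, then idp_handle_soap on the IDP side and ecp_verify_and_forward back on the client. Note that no step in this flow has a place for a consent page, which is exactly the gap the thread runs into: whatever suppresses or records consent has to be decided server-side, along the lines of the request attribute Johann suggests, never from anything the client sends.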