Hi Francesco,
Ah. Thanks.
We potentially might be able to leverage either of the approaches you mentioned:
- We are using Oracle OAM to protect Syncope, and we can configure the OAM to
cause a SAML assertion to Syncope in an HTTP header. I was looking at the
article you linked, but in our Syncope (2.1.5), I don't see our (us) IDP
metadata that was mentioned in the article in the Syncope console (Extensions →
SAML 2.0 SP → Identity Providers → click the "+" icon)? I notice that article
is fairly recent, so is that not available in 2.1.5?
- We are also (or can also be) compatible with OpenID, but similar to the SAML
situation above, I don't see where we add the new OIDC Provider (Extensions →
OIDC Client → add a new OIDC Provider by clicking on the "+" icon)?
Please advise.
Thanks,
Jim
On Monday, May 18, 2020, 03:24:24 AM EDT, Francesco Chicchiriccò
<[email protected]> wrote:
Hi Jim,
short answer: no, you cannot log into Syncope Console via the "simple"
REMOTE_USER header as injected by a reverse proxy such as Apache HTTPD or NGINX.
Long answer follows.
When you log into Console, the credentials are used to obtain a valid JWT from
Core, which allows further REST calls; and, since Console implements all its
features by calling Core via REST, you can understand how fundamental this is.
You have other options, anyway, at least two: configure Syncope Console as SAML
2.0 SP or OpenID Connect 1.0 Provider.
AFAICT there are a couple of relevant blog posts:
* https://www.tirasa.net/en/blog/apache-syncope-log-in-via-saml-2-0-using-apereo-cas
* https://www.tirasa.net/en/blog/apache-syncope-sso-with-keycloack
Hint: please make sure you have some familiarity with SAML 2.0 or OpenID Connect
1.0 concepts before getting into Syncope configurations.
Regards.
On 17/05/20 11:34, ohaya wrote:
> Hi,
>
> I have been able to configure an Apache proxy in front of Syncope
> (/syncope-console) running under Tomcat. I am using mod_ajp to connect the
> Apache to the Tomcat that Syncope is running under and I configured an AJP
> connector on that Tomcat. Also, I am able to pass a logged-in user ("admin")
> in REMOTE_USER.
>
> I have tested with another webapp on that same Tomcat, and using that other
> webapp, I have confirmed that the user that I am passing in is logged into
> Tomcat itself, but with syncope-console, I still get the Syncope login form.
>
> From some testing, it appears that syncope-console is not leveraging the
> standard Tomcat authentication mechanism and appears to be doing the logging
> "into" the syncope-console app on its own. Can Syncope (/syncope-console) be
> configured to accept that logged-in user automatically (i.e., "identity
> assertion")?
>
> Thanks,
> Jim
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/