Hi,
first of all, please bear in mind that the suggested way to work with Syncope 
deployments, when in need to customize / extend / adjust the default settings, 
configurations and logic, is via a *Maven project*.

All other means (standalone, deb packages, Docker images, etc.) are fine 
either for pure evaluation or for deployments with very limited customization.

In all the Syncope projects I have been involved with, the activities start 
from initial Maven project generation and continue with code changes (possibly 
managed by Git or other versioning systems) and manual or automated builds and 
deployments.

This is to stress how difficult it is to imagine any non-trivial / non-demo 
Syncope deployment which does not involve continuous build and deploy.

Having said that, the reference guide provides information about how to add 
each extension to the various submodules of the generated Maven project.
Alternatively, you also have an "all" profile which will enable all available 
extensions at once.

HTH
Regards.

On 18/05/20 12:44, ohaya wrote:
> Hi,
>
> BTW, so HOW do we add those extensions (I think we would want both the SAML 
> and OIDC ones, and also the SCIM extension)?
>
> Can they be added to an already-built Syncope instance, or do they have to 
> only be included when building a new Syncope instance?
>
> Sorry for all the questions!
>
> Jim
>
>
> On Monday, May 18, 2020, 06:18:58 AM EDT, ohaya <oh...@yahoo.com> wrote:
>
>
>
> I noted that the OIDC article that you linked was from 2018, so it seems that 
> that configuration should be available in Syncope 2.1.5?
>
> Jim
>
> On Monday, May 18, 2020, 06:12:40 AM EDT, ohaya <oh...@yahoo.com> wrote:
>
>
> Hi Francesco,
>
> Ah. Thanks.
>
> We potentially might be able to leverage either of the approaches you 
> mentioned:
>
> - We are using Oracle OAM to protect Syncope, and we can configure OAM to 
> pass a SAML assertion to Syncope in an HTTP header. I was looking at the 
> article you linked, but in our Syncope (2.1.5) I don't see the (our) IDP 
> metadata that was mentioned in the article in the Syncope console (Extensions 
> → SAML 2.0 SP → Identity Providers → click the "+" icon). I notice that 
> article is fairly recent, so is that not available in 2.1.5?
>
> - We are also (or can also be) compatible with OpenID, but, similar to the 
> SAML situation above, I don't see where we add the new OIDC Provider 
> ("Extensions" -> "OIDC Client", then add a new OIDC Provider by clicking on 
> the "+" icon).
>
> Please advise.
>
> Thanks,
> Jim
>
>
> On Monday, May 18, 2020, 03:24:24 AM EDT, Francesco Chicchiriccò 
> <ilgro...@apache.org> wrote:
>
>
> Hi Jim,
> short answer: no, you cannot log into Syncope Console via the "simple" 
> REMOTE_USER header as injected by a reverse proxy such as Apache HTTPD or NGINX.
>
> Long answer follows.
> When you log into Console, the credentials are used to obtain a valid JWT 
> from Core, which allows further REST calls; and, since Console implements all 
> its features by calling Core via REST, you can understand how fundamental 
> this is.
>
> You have other options, anyway, at least two: configure Syncope Console as 
> SAML 2.0 SP or OpenID Connect 1.0 Provider.
>
> AFAICT there are a couple of relevant blog posts:
>
> * 
> https://www.tirasa.net/en/blog/apache-syncope-log-in-via-saml-2-0-using-apereo-cas
> * https://www.tirasa.net/en/blog/apache-syncope-sso-with-keycloack
>
> Hint: please ensure to have some familiarity with SAML 2.0 or OpenID Connect 
> 1.0 concepts before getting into Syncope configurations.
>
> Regards.
>
> On 17/05/20 11:34, ohaya wrote:
> > Hi,
> >
> > I have been able to configure an Apache proxy in front of Syncope 
> > (/syncope-console) running under Tomcat.  I am using mod_ajp to connect the 
> > Apache to the Tomcat that Syncope is running under and I configured an AJP 
> > connector on that Tomcat.  Also, I am able to pass a logged-in user 
> > ("admin") in REMOTE_USER. 
> >
> > I have tested with another webapp on that same Tomcat, and using that other 
> > webapp, I have confirmed that the user that I am passing in is logged into 
> > Tomcat itself, but with syncope-console, I still get the Syncope login form.
> >
> > From some testing, it appears that syncope-console is not leveraging the 
> > standard Tomcat authentication mechanism and appears to be doing the 
> > logging "into" the syncope-console app on its own.  Can Syncope 
> > (/syncope-console) be configured to accept that logged-in user 
> > automatically (i.e., "identity assertion")?
> >
> > Thanks,
> > Jim

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
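As an added example (not part of this thread and not code from the Syncope project), the script below reproduces from the command line the step that Francesco describes the Console performing on login: it exchanges credentials for a JWT at Core's `accessTokens/login` endpoint (HTTP Basic, token returned in the `X-Syncope-Token` response header, as in Syncope 2.x) and then uses that token as a Bearer credential for a further REST call. It also shows the negative case: a request that carries only a `REMOTE_USER`-style header and no credentials yields no token. The Core URL, the credentials and the endpoint paths are assumptions; check them against the reference guide for your version.

```shell
#!/bin/sh
# Added example: emulate the Syncope Console login step against Core.
# Assumed values (override via environment): Core base URL, credentials.
SYNCOPE_CORE="${SYNCOPE_CORE:-http://localhost:9080/syncope/rest}"  # assumption
SYNCOPE_USER="${SYNCOPE_USER:-admin}"                                 # assumption
SYNCOPE_PASS="${SYNCOPE_PASS:-password}"                              # assumed default; change it in any real deployment

# Read raw HTTP response headers on stdin and print the JWT carried in the
# X-Syncope-Token header (case-insensitive, CR stripped). Returns 1 and prints
# nothing if the header is absent, so callers never proceed with an empty token.
extract_token() {
    tok=$(sed -n 's/^[Xx]-[Ss]yncope-[Tt]oken:[[:space:]]*//p' | tr -d '\r' | head -n 1)
    [ -n "$tok" ] || return 1
    printf '%s\n' "$tok"
}

# Step 1: exchange credentials for a JWT. Response headers go to stdout (-D -),
# the (empty) body is discarded; the token is in a header, not in the body.
login() {
    curl -sS -o /dev/null -D - -u "$SYNCOPE_USER:$SYNCOPE_PASS" \
        -X POST "$SYNCOPE_CORE/accessTokens/login" | extract_token
}

# Step 2: every further REST call carries the JWT as a Bearer token,
# which is what the Console does behind the scenes for all its features.
read_self() {
    token=$1
    curl -sS -H "Authorization: Bearer $token" -H 'Accept: application/json' \
        "$SYNCOPE_CORE/users/self"
}

# Negative check: a REMOTE_USER header without credentials is not a login.
# Succeeds (returns 0) only if Core hands out no token for such a request.
remote_user_is_not_a_login() {
    if curl -sS -o /dev/null -D - -H 'REMOTE_USER: admin' \
            -X POST "$SYNCOPE_CORE/accessTokens/login" | extract_token >/dev/null; then
        return 1
    fi
    return 0
}

# Stand-alone usage: ./syncope-login.sh run
if [ "${1:-}" = "run" ]; then
    TOKEN=$(login) || { echo "login failed: no X-Syncope-Token returned" >&2; exit 1; }
    read_self "$TOKEN"
    remote_user_is_not_a_login && echo "REMOTE_USER alone yields no token, as expected"
fi
```

Because the token travels in a response header rather than the body, `extract_token` is the only parsing needed; keeping it a separate function also lets it be exercised offline on a captured header block. Whatever front-end proxy is used, it should still strip any inbound `REMOTE_USER` (or similar identity) header from client requests, since an application that did honour such a header would be trivially spoofable.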
