Hi Robert,

Thank you for your offer to guide an OIDC and/or SAML2 Sling Authentication Handler implementation. Long term, I could also see contributing to a peer-reviewed initiative to securely add the features to Sling applications. After some thought, I might follow up with you about this out of band.

In the short run, perhaps Oak’s LDAP authentication will support the features we need.

https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html

Thanks all.
Cris R

> On Dec 11, 2019, at 11:58 AM, Robert Munteanu <romb...@apache.org> wrote:
>
> On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
>> "What exactly would you need to manage JCR-based controls? I would
>> imagine that mapping users to JCR groups based on whatever data your
>> identity solution provides and then creating access based on ACLs
>> only would satisfy your request."
>>
>> We need to manage a few things at the identity provider:
>> 1. User attributes: username, name, email, phone, maybe a few other
>>    pieces of data about the user.
>> 2. Group membership
>>
>> When the user signs in, with SAML2 there is encrypted metadata which
>> contains that information. Upon sign in, Sling users should be
>> created, their user attributes updated and the user should be added
>> or removed from Sling group membership. Once the user has signed in,
>> then access is granted as usual using JCR-based ACLs applied for the
>> groups.
>
> Right, I see that there is no support for that in the keycloak handler,
> as it was presented [1].
>
> I don't think there is any out-of-the-box support for what you're
> looking for.
>
> I would be happy to guide anyone willing to implement such
> functionality though.
>
> Thanks,
> Robert
>
> [1]:
> https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak
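The sync step described in the quoted thread (create the Sling user on first sign-in, refresh the profile attributes, add or remove group memberships, then let the normal JCR ACLs do the authorization) is what an external authentication handler would run once it has already validated the IdP's assertion. The following is an added example written for this page; it is not code from Sling, Oak or the Keycloak handler linked above. It uses the Jackrabbit `UserManager` API that Oak implements, and assumes three things that are not in the thread: a service session with write access to the user home, a `profile/` subnode under the user for attributes, and the convention that only IdP groups prefixed `idp-` are mirrored into JCR. The prefix allowlist plus the explicit deny list are there so that a misconfigured or compromised IdP cannot assert its way into `administrators`.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Hypothetical helper (not part of Sling or Oak) that reconciles a JCR user with
 * the attributes and group claims delivered by an external identity provider.
 * Caller contract: the SAML2 assertion (or OIDC token) has ALREADY been
 * signature-checked and audience/expiry-validated before anything here runs.
 */
public final class IdpUserSync {

    /** Assumed convention: only IdP groups with this prefix are mirrored. */
    private static final String IDP_GROUP_PREFIX = "idp-";

    /** Groups the IdP may never grant, even if prefixed. Assumed policy. */
    private static final Set<String> DENIED_GROUPS = Collections.singleton("administrators");

    private IdpUserSync() {}

    /**
     * @param serviceSession service session with write access to the user home
     * @param userId         subject / NameID of the user who just signed in
     * @param attributes     profile attributes (e.g. email, phone) from the IdP
     * @param idpGroups      group names asserted by the IdP for this login
     */
    public static User sync(Session serviceSession, String userId,
                            Map<String, String> attributes, Set<String> idpGroups)
            throws RepositoryException {
        if (!(serviceSession instanceof JackrabbitSession)) {
            throw new IllegalArgumentException("Jackrabbit/Oak session required");
        }
        UserManager um = ((JackrabbitSession) serviceSession).getUserManager();
        ValueFactory vf = serviceSession.getValueFactory();

        // 1. Create the user on first sign-in. Password is null on purpose: the
        //    account is only reachable through the external login, never by a
        //    local password that would bypass the IdP.
        Authorizable existing = um.getAuthorizable(userId);
        User user;
        if (existing == null) {
            user = um.createUser(userId, null);
        } else if (existing.isGroup()) {
            throw new RepositoryException("ID " + userId + " is already a group");
        } else {
            user = (User) existing;
        }

        // 2. Refresh profile attributes from the IdP on every login.
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            user.setProperty("profile/" + e.getKey(), vf.createValue(e.getValue()));
        }

        // 3. Reconcile membership. The IdP is authoritative for idp-* groups
        //    only; local groups (and anything on the deny list) are untouched.
        Set<String> wanted = new HashSet<>();
        for (String g : idpGroups) {
            if (g.startsWith(IDP_GROUP_PREFIX) && !DENIED_GROUPS.contains(g)) {
                wanted.add(g);
            }
        }
        // Collect stale idp-* memberships first, then remove (avoid mutating
        // while iterating the membership iterator).
        List<Group> stale = new ArrayList<>();
        Iterator<Group> current = user.declaredMemberOf();
        while (current.hasNext()) {
            Group g = current.next();
            if (g.getID().startsWith(IDP_GROUP_PREFIX) && !wanted.contains(g.getID())) {
                stale.add(g);
            }
        }
        for (Group g : stale) {
            g.removeMember(user);
        }
        // Add newly asserted groups, creating them on first appearance.
        for (String gid : wanted) {
            Authorizable a = um.getAuthorizable(gid);
            Group g;
            if (a == null) {
                g = um.createGroup(gid);
            } else if (!a.isGroup()) {
                throw new RepositoryException("ID " + gid + " is a user, not a group");
            } else {
                g = (Group) a;
            }
            if (!g.isDeclaredMember(user)) {
                g.addMember(user);
            }
        }

        serviceSession.save();
        return user;
    }
}
```

The ACL side is then plain JCR: grant privileges to the `idp-*` groups once, and every login simply re-derives which of them the user sits in. The `null` password and the allowlist/deny-list split are the two choices that carry the security weight; everything else is bookkeeping around the `UserManager` API.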