Hi Robert

I would like to follow up with you about adding SAML2 SP (Service Provider) 
support to Apache Sling.

Our team reviewed security requirements with the leading identity provider 
(IDP) administrator at the University. His suggestion was to use SAML2 (or 
OIDC) and skip the LDAP authentication idea. We have been using SAML2 for many 
years with other applications. It seems SAML2 for open and closed source Java 
Enterprise applications is very common, so I feel good about requesting SAML2 
SP support for Apache Sling. 

To start, I am studying the eBook OpenSAML V3 mentioned on the Shibboleth 
website <https://wiki.shibboleth.net/confluence/display/OS30/Home>. The eBook 
discusses a sample project 
<https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/> and 
covers various aspects of using the OpenSAML 3 Java library:

* Authentication request using HTTP Redirect Binding 
* Assertion transported using HTTP Artifact Binding 
* SAML Artifact transported using HTTP Redirect Binding

If you or others have thoughts or recommendations for me about how to make this 
happen, please let me know. 

Thanks
Cris Rockwell, App Sys Analyst/Programmer Sr  
College of Literature, Science, and the Arts | University of Michigan 
LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI 48109
Desk: 734.763.6818 | Email: cmroc...@umich.edu
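The three bindings listed in the message above, shown on the wire as an added example that is not part of the original message and not code from the Sling or OpenSAML projects: the SP builds an AuthnRequest and sends it with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), the receiver reverses that with a size cap and checks Version, Destination, IssueInstant and Issuer before acting on it, and the SAML artifact that later comes back on the redirect to the SP is decoded and its SourceID matched to a trusted IdP before resolution. The entity IDs, URLs, RelayState value and request ID are constructed for the example.

```python
# Added example (not code from the Sling or OpenSAML projects): the wire formats
# behind the HTTP-Redirect and HTTP-Artifact bindings, with receiver-side checks.
# Entity IDs, URLs and the RelayState below are constructed for the example.
import base64
import hashlib
import secrets
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP (Sling) and IdP endpoints used throughout.
SP_ENTITY_ID = "https://sling.example.edu/saml/metadata"
SP_ACS_URL = "https://sling.example.edu/saml/acs"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest asking for the response via the Artifact binding."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_encode(xml_text, relay_state):
    """SP side of HTTP-Redirect: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                      "RelayState": relay_state})


def redirect_binding_decode(query, max_bytes=64 * 1024):
    """IdP side: undo the encoding, capping the inflated size so a short query
    string cannot expand into a huge document (decompression bomb)."""
    params = parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, max_bytes)
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest exceeds size limit")
    return xml_bytes.decode(), params.get("RelayState", [None])[0]


def validate_authn_request(xml_text, now=None, max_skew=timedelta(minutes=5)):
    """Receiver checks: SAML 2.0, Destination is this endpoint, IssueInstant is
    fresh, Issuer is a registered SP. (Production code should use a hardened XML parser.)"""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("Destination does not match this endpoint")
    issued = datetime.fromisoformat(root.get("IssueInstant").replace("Z", "+00:00"))
    if abs(now - issued) > max_skew:
        raise ValueError("IssueInstant outside allowed clock skew")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer != SP_ENTITY_ID:
        raise ValueError("unknown Issuer")
    return {"id": root.get("ID"), "issuer": issuer,
            "acs": root.get("AssertionConsumerServiceURL")}


def make_artifact(issuer_entity_id, endpoint_index=0):
    """Type 0x0004 artifact: TypeCode(2) | EndpointIndex(2) |
    SourceID = SHA-1(issuer entityID)(20) | random MessageHandle(20)."""
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
    raw = b"\x00\x04" + endpoint_index.to_bytes(2, "big") + source_id + secrets.token_bytes(20)
    return base64.b64encode(raw).decode()


def parse_artifact(artifact, trusted_idps):
    """SP side: the artifact arrives on the redirect to the ACS. Check the type
    code and map SourceID to a trusted IdP before resolving it over SOAP."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("unsupported artifact type or length")
    source_id, handle = raw[4:24], raw[24:]
    for entity_id in trusted_idps:
        if hashlib.sha1(entity_id.encode()).digest() == source_id:
            return {"idp": entity_id, "endpoint_index": int.from_bytes(raw[2:4], "big"),
                    "handle": handle.hex()}
    raise ValueError("artifact SourceID does not match any trusted IdP")


def demo():
    """Both legs: SP -> IdP AuthnRequest over Redirect, then IdP -> SP artifact."""
    request_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = redirect_binding_encode(build_authn_request(request_id, issue_instant), "/content/lsa/home")
    xml_text, relay_state = redirect_binding_decode(query)
    request = validate_authn_request(xml_text)
    artifact = parse_artifact(make_artifact(IDP_ENTITY_ID), [IDP_ENTITY_ID])
    return {"request_id": request["id"], "sent_id": request_id,
            "relay_state": relay_state, "idp": artifact["idp"]}
```

What this leaves out on purpose is the request signature: with the Redirect binding the signature is not inside the XML but over the SigAlg, SAMLRequest and RelayState query parameters, and the artifact itself is only a handle, so the actual assertion is fetched from the IdP's artifact resolution service over a server-to-server SOAP call whose response must be signature-checked against the IdP metadata. OpenSAML provides both of those pieces; the checks above are the ones a handler still has to do itself.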

> On Dec 19, 2019, at 12:00 PM, Robert Munteanu <romb...@apache.org> wrote:
> 
> Hi Cris,
> 
> Hopefully the LDAP authentication will fulfill your requirements. Once
> you're done, it would be interesting to discuss (privately, if you
> prefer) what gaps you identified in the authentication support we
> offer.
> 
> Thanks,
> Robert
> 
> On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:
>> Hi Robert
>> 
>> Thank you for your offer to guide an OIDC and/or SAML2 Sling
>> Authentication Handler implementation. Long term, I could also see
>> contributing to a peer reviewed initiative to securely add the
>> features to Sling applications. After some thought, I might follow up
>> with you about this out of band.
>> 
>> In the short run, perhaps Oak’s LDAP authentication will support the
>> features we need. 
>> https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
>> https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
>> 
>> Thanks all.
>> Cris R
>> 
>>> On Dec 11, 2019, at 11:58 AM, Robert Munteanu <romb...@apache.org>
>>> wrote:
>>> 
>>> On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
>>>> "What exactly would you need to manage JCR-based controls? I would
>>>> imagine that mapping users to JCR groups based on whatever data your
>>>> identity solution provides and then creating access based on ACLs only
>>>> would satisfy your request."
>>>> 
>>>> We need to manage a few things at the identity provider:
>>>> 1. User attributes: username, name, email, phone, maybe a few other
>>>> pieces of data about the user.
>>>> 2. Group membership
>>>> 
>>>> When the user signs in, with SAML2 there is encrypted metadata which
>>>> contains that information. Upon sign in, Sling users should be created,
>>>> their user attributes updated and the user should be added or removed
>>>> from Sling group membership. Once the user has signed in, then access
>>>> is granted as usual using JCR-based ACLs applied for the groups.
>>> 
>>> Right, I see that there is no support for that in the keycloak
>>> handler, as it was presented [1].
>>> 
>>> I don't think there is any out-of-the-box support for what you're
>>> looking for.
>>> 
>>> I would be happy to guide anyone willing to implement such
>>> functionality though.
>>> 
>>> Thanks,
>>> Robert
>>> 
>>> 
>>> [1]: https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak
