Hi Cris,

I would be very happy to see OIDC/SAML2 support in Sling. As mentioned,
there were a couple of initiatives, but none of them completed.

If anyone decides to give the implementation a shot, it would be
important to:

- use vetted libraries that do the bulk of the work. I think this was a
problem with some of the earlier approaches
- develop as much in the open as possible. The Sling whiteboard is a
good option, also a personal repo is ok if the intention is to
contribute to Sling
- make the module easy to test and incorporate in the Sling starter

I am available to review and incorporate this contribution, and
definitely there are others around.

Thanks,
Robert

On Wed, 2020-02-12 at 16:27 -0500, Cris Rockwell wrote:
> Hi Robert
> 
> I would like to follow up with you about adding SAML2 SP (Service
> Provider) support to Apache Sling.
> 
> Our team reviewed security requirements with the leading identity
> provider (IDP) administrator at the University. His suggestion was to
> use SAML2 (or OIDC) and skip the LDAP authentication idea. We have
> been using SAML2 for many years with other applications. It seems
> SAML2 for open and closed source Java Enterprise applications is very
> common, so I feel good about requesting SAML2 SP support for Apache
> Sling. 
> 
> To start, I am studying the eBook OpenSAML V3 mentioned on the
> Shibboleth website <https://wiki.shibboleth.net/confluence/display/OS30/Home>.
> The eBook discusses a sample project
> <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/>
> and covers various aspects of using OpenSaml3 Java library.
> 
> * Authentication request using HTTP Redirect Binding 
> * Assertion transported using HTTP Artifact Binding 
> * SAML Artifact transported using HTTP Redirect Binding
> 
> If you or others have thoughts or recommendations for me about how to
> make this happen, please let me know. 
> 
> Thanks
> Cris Rockwell, App Sys Analyst/Programmer Sr  
> College of Literature, Science, and the Arts | University of
> Michigan 
> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann
> Arbor, MI I 48109
> Desk: 734.763.6818 | Email: cmroc...@umich.edu
> 
> > On Dec 19, 2019, at 12:00 PM, Robert Munteanu <romb...@apache.org>
> > wrote:
> > 
> > Hi Cris,
> > 
> > Hopefully the LDAP authentication will fulfill your requirements.
> > Once
> > you're done, it would be interesting to discuss (privately, if you
> > prefer) what gaps you identified in the authentication support we
> > offer.
> > 
> > Thanks,
> > Robert
> > 
> > On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:
> > > Hi Robert
> > > 
> > > Thank you for your offer to guide an OIDC and/or SAML2 Sling
> > > Authentication Handler implementation. Long term, I could also
> > > see
> > > contributing to a peer reviewed initiative to securely add the
> > > features to Sling applications. After some thought, I might
> > > follow up
> > > with you about this out of band.
> > > 
> > > In the short run, perhaps Oak’s LDAP authentication will support
> > > the
> > > features we need. 
> > > https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
> > > https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
> > > 
> > > Thanks all.
> > > Cris R
> > > 
> > > > On Dec 11, 2019, at 11:58 AM, Robert Munteanu <
> > > > romb...@apache.org>
> > > > wrote:
> > > > 
> > > > On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
> > > > > "What exactly would you need to manage JCR-based controls? I
> > > > > would
> > > > > imagine that mapping users to JCR groups based on whatever
> > > > > data
> > > > > your
> > > > > identity solution provides and then creating access based on
> > > > > ACLs
> > > > > only
> > > > > would satisfy your request."
> > > > > 
> > > > > 
> > > > > We need to manage a few things at the identity provider:
> > > > > 1. User attributes: username, name, email, phone, maybe a few
> > > > > other
> > > > > pieces of data about the user.
> > > > > 2. Group membership
> > > > > 
> > > > > When the user signs in, with SAML2 there is encrypted
> > > > > metadata
> > > > > which
> > > > > contains that information. Upon sign in, Sling users should
> > > > > be
> > > > > created, their user attributes updated and the user should be
> > > > > added
> > > > > or removed from Sling group membership. Once the user has
> > > > > signed
> > > > > in,
> > > > > then access is granted as usual using JCR-based ACLs applied
> > > > > for
> > > > > the
> > > > > groups.
> > > > 
> > > > Right, I see that there is no support for that in the keycloak
> > > > handler,
> > > > as it was presented [1].
> > > > 
> > > > I don't think there is any out-of-the-box support for what
> > > > you're
> > > > looking for.
> > > > 
> > > > I would be happy to guide anyone willing to implement such
> > > > functionality though.
> > > > 
> > > > Thanks,
> > > > Robert
> > > > 
> > > > 
> > > > [1]: https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak
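The sign-in flow Cris describes (create the Sling user, update its attributes, add or remove it from groups based on what the IdP asserts) as an added example; this is not code from the thread, from Sling or from OpenSAML. It assumes the SAML Response has already been signature-validated and decrypted by a vetted library such as OpenSAML, as Robert recommends, and only re-checks the assertion's Conditions, reads the attributes and produces a sync plan. The SP entityID, the attribute names (mail, displayName, telephoneNumber, isMemberOf), the "idp-" group prefix and the sample assertion are all constructed for the example.

```python
"""Sync plan for a SAML2 login in a Sling authentication handler.

Added example, not code from the thread, Sling or OpenSAML. It assumes the
Response has already been signature-validated and decrypted by a vetted
library; this only re-checks Conditions, reads the attributes and decides
what to create, update and (de)assign in the repository.
"""
from dataclasses import dataclass, field
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sling.example.edu/saml/metadata"  # assumed SP entityID
GROUP_ATTRIBUTE = "isMemberOf"                            # assumed IdP attribute for groups
GROUP_PREFIX = "idp-"      # only Sling groups with this prefix are owned by the sync
PROPERTY_MAP = {"mail": "email", "displayName": "name", "telephoneNumber": "phone"}

# Constructed sample assertion (already validated by the library in this scenario).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2020-02-12T21:27:00Z">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2020-02-12T21:26:00Z" NotOnOrAfter="2020-02-12T21:32:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sling.example.edu/saml/metadata</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail"><saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="displayName"><saml2:AttributeValue>Jane Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="isMemberOf">
      <saml2:AttributeValue>lsa-editors</saml2:AttributeValue>
      <saml2:AttributeValue>lsa-reviewers</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp ("...Z") into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Assertion:
    name_id: str
    attributes: dict            # attribute Name -> list of values
    not_before: datetime
    not_on_or_after: datetime
    audiences: list


def parse_assertion(xml_text):
    """Read NameID, Conditions and the AttributeStatement from one assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml2:Conditions", SAML_NS)
    attrs = {}
    for attr in root.iterfind("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", SAML_NS)]
    return Assertion(
        name_id=root.findtext("saml2:Subject/saml2:NameID", namespaces=SAML_NS),
        attributes=attrs,
        not_before=_ts(cond.get("NotBefore")),
        not_on_or_after=_ts(cond.get("NotOnOrAfter")),
        audiences=[a.text for a in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", SAML_NS)],
    )


def check_conditions(assertion, now_iso, sp_entity_id=SP_ENTITY_ID):
    """Independent re-check of validity window and audience; returns the list of
    problems (empty when acceptable) so the handler can log why it refused."""
    now = _ts(now_iso)
    problems = []
    if not (assertion.not_before <= now < assertion.not_on_or_after):
        problems.append("assertion outside its validity window")
    if sp_entity_id not in assertion.audiences:
        problems.append("assertion not addressed to this SP")
    return problems


@dataclass
class SyncPlan:
    create_user: bool
    properties: dict
    add_groups: set = field(default_factory=set)
    remove_groups: set = field(default_factory=set)


def plan_sync(assertion, user_exists, current_groups):
    """Decide what to change in the repository. Only groups carrying GROUP_PREFIX
    are reconciled, so a locally granted group such as 'administrators' is never
    added or removed on the IdP's say-so."""
    props = {}
    for saml_name, sling_name in PROPERTY_MAP.items():
        values = assertion.attributes.get(saml_name)
        if values:
            props[sling_name] = values[0]
    wanted = {GROUP_PREFIX + g for g in assertion.attributes.get(GROUP_ATTRIBUTE, [])}
    managed_now = {g for g in current_groups if g.startswith(GROUP_PREFIX)}
    return SyncPlan(not user_exists, props, wanted - managed_now, managed_now - wanted)


def process_login(xml_text, now_iso, user_exists, current_groups):
    """Whole flow the handler runs once the library has accepted the Response."""
    assertion = parse_assertion(xml_text)
    problems = check_conditions(assertion, now_iso)
    if problems:
        raise ValueError("; ".join(problems))
    return assertion.name_id, plan_sync(assertion, user_exists, current_groups)


if __name__ == "__main__":
    user, plan = process_login(SAMPLE_ASSERTION, "2020-02-12T21:28:00Z", True,
                               {"idp-lsa-reviewers", "idp-old-team", "administrators"})
    print(user, plan)
```

In a real handler the plan would be applied through the Jackrabbit UserManager (create the user, set properties, add/remove group members) inside the same session, and the Conditions re-check is deliberately independent of the library so a misconfigured entityID or clock skew is caught and logged rather than silently accepted.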
