Hi Cris,

I am away until 9/3, I'll only be able to look into this then. Thanks!
Robert

________________________________
From: Cris Rockwell <cmroc...@umich.edu>
Sent: Monday, 24 February 2020 19:07
To: users@sling.apache.org
Subject: Re: OIDC or SAML2 for Sling

Hi Robert 

I sent an email to d...@sling.apache.org on 2/20/2020, but I can’t find my message in the Dev Sling Mail Archive 
<http://apache-sling.73963.n3.nabble.com/template/NamlServlet.jtp?macro=search_page&node=73966&query=SAML2&days=0>. 
Maybe this email group only allows messages from certain approved people. 
Whatever the reason, I’m responding to you again over Sling Users. 

I continue my work to donate 'SAML2 Authentication Handler for Apache Sling' 
to the Apache Sling Whiteboard. The project is located at 
https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler

1. The implementation of the sample project 
<https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/> from the 
eBook A Guide to OpenSAML V3 <https://payhip.com/b/41Tw> is added and functional 
as an AuthenticationHandler within Apache Sling; I will open a PR. I can 
recommend this book to anyone looking for a useful and concise primer for the 
OpenSAML V3 Java library. 
2. Next I will try to make use of the Default Sync Handler 
<https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html>
to manage group membership and user attributes. 
3. Also on the todo list: the HTTP POST binding vs. SOAP binding. The 
implementation in step 1 uses SOAP bindings. 

It would be an honor if any of you experienced Sling developers and security 
professionals would review and contribute your thoughts. 

Best regards 
Cris Rockwell 
Applications Architect Sr  
College of Literature, Science, and the Arts | University of Michigan 
LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI 48109 
Desk: 734.763.6818 | Email: cmroc...@umich.edu 



> On Feb 17, 2020, at 5:32 AM, Robert Munteanu <romb...@apache.org> wrote: 
> 
> Hi Cris, 
> 
> (Feel free to send back to dev@sling as well, replying privately as you 
> wrote privately). 
> 
> The POM looks good to me. I would suggest moving to the latest parent 
> bundle ( sling-bundle-parent 37 I think ) as it gives you Java 11 
> support and better tooling. 
> 
> Also, we should not introduce new Maven repositories as part of our 
> bundles, since that does not work for every setup. For instance, 
> building behind a 'catch-all' Maven mirror that does not have the 
> custom repository set up will fail. I see that the artifacts you 
> referenced are already on Maven Central, so it's probably just a 
> leftover. 
> 
> As to your choice of library, I think that is fine. I am not very much 
> aware of the current landscape anyway, but as long as the license is 
> fine, it does what we need and has a reasonable community behind it, 
> all is well. 
> 
> What I think would also be helpful is a high-level diagram/explanation 
> of the goals of the bundle, e.g. 
> 
> - will allow Sling applications to authenticate users against Oauth2 
> servers such as .... 
> - will allow sync of user attributes from OIDC providers such as ... 
> 
> (I may have gotten these totally wrong due to my lack of knowledge :-) ) 
> 
> Thanks! 
> 
> Robert 
> 
> 
> On Fri, 2020-02-14 at 16:33 -0500, Cris Rockwell wrote: 
>> Hi Robert 
>> 
>> I’ve just started the project. Perhaps you can advise about the 
>> project setup. 
>> 
>> The pom.xml: 
>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/pom.xml
>> 
>> One test: 
>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/src/test/java/org/apache/sling/auth/saml2/JCETest.java
>> 
>> Regards 
>> Cris Rockwell 
>> Application Architect Senior 
>> College of Literature, Science, and the Arts | University of 
>> Michigan 
>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann 
>> Arbor MI 48109 
>> p: 734.763.6818 
>> 
>> 
>> 
>> 
>>> On Feb 13, 2020, at 1:16 PM, Cris Rockwell <cmroc...@umich.edu> 
>>> wrote: 
>>> 
>>> Thanks for feedback, Robert. I could not agree more with your 
>>> suggestions. 
>>> 
>>> In terms of selecting a vetted library to do the bulk of the work: 
>>> 
>>> The University of Michigan is a member of Internet2 and the 
>>> Shibboleth Consortium. These organizations maintain OpenSaml, 
>>> which is Apache licensed. I am very comfortable with the library’s 
>>> license, origin and maintenance. 
>>> https://www.internet2.edu/communities-groups/members/higher-education/all/all/all
>>> https://www.shibboleth.net/consortium/ 
>>> OpenSaml is a very widely used Java library even outside of higher 
>>> education. A quick search shows many Apache projects including it 
>>> as a dependency, such as Apache Web Services Security for Java, 
>>> Apache ServiceMix, Apache TomEE, and others. 
>>> https://issues.apache.org/jira/browse/CXF-5015?jql=text%20~%20%22opensaml%22
>>> MVN shows at least 164 usages of V2 
>>> (https://mvnrepository.com/artifact/org.opensaml/opensaml/usages). 
>>> Version 3 of the library is modular, and each of the modules (Core, 
>>> SAML Provider API, etc.) is listed separately 
>>> (https://mvnrepository.com/artifact/org.opensaml). 
>>> 
>>> In terms of selecting a vetted library, I think OpenSaml V3 meets 
>>> the criteria. But how else would you vet the library? 
>>> 
>>> As you probably know, OpenSAML is a low level library useful for 
>>> building SAML solutions and not a complete product by itself. For 
>>> example, Shibboleth is an open source product implemented in part 
>>> using OpenSAML. This is good from an open development perspective, 
>>> because features can be developed using a piecemeal process. The 
>>> Sling maintainers should not need to take a leap of faith about 
>>> anything related to the framework's security. 
>>> 
>>> 
>>> Regarding Whiteboard development, I am reviewing the examples about 
>>> how this works: https://github.com/apache/sling-whiteboard/pull/14 
>>> I forked Sling Whiteboard and will create a branch for developing the 
>>> feature. 
>>> 
>>> I have to give more thought about how to make the module easy to 
>>> test and incorporate in the Sling starter. 
>>> 
>>> Regards 
>>> Cris Rockwell 
>>> Application Architect Senior 
>>> College of Literature, Science, and the Arts | University of 
>>> Michigan 
>>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann 
>>> Arbor MI 48109 
>>> p: 734.763.6818 
>>> 
>>>> On Feb 13, 2020, at 10:13 AM, Robert Munteanu <romb...@apache.org> wrote: 
>>>> 
>>>> Hi Cris, 
>>>> 
>>>> I would be very happy to see OIDC/SAML2 support in Sling. As mentioned, 
>>>> there were a couple of initiatives, but none of them completed. 
>>>> 
>>>> If anyone decides to give the implementation a shot, it would be 
>>>> important to: 
>>>> 
>>>> - use vetted libraries that do the bulk of the work. I think this was a 
>>>> problem with some of the earlier approaches 
>>>> - develop as much in the open as possible. The sling whiteboard is a 
>>>> good option, also a personal repo is ok if the intention is to 
>>>> contribute to Sling 
>>>> - make the module easy to test and incorporate in the Sling starter 
>>>> 
>>>> I am available to review and incorporate this contribution, and 
>>>> definitely there are others around. 
>>>> 
>>>> Thanks, 
>>>> Robert 
>>>> 
>>>> On Wed, 2020-02-12 at 16:27 -0500, Cris Rockwell wrote: 
>>>>> Hi Robert 
>>>>> 
>>>>> I would like to follow up with you about adding SAML2 SP (Service 
>>>>> Provider) support to Apache Sling. 
>>>>> 
>>>>> Our team reviewed security requirements with the leading identity 
>>>>> provider (IDP) administrator at the University. His suggestion was to 
>>>>> use SAML2 (or OIDC) and skip the LDAP authentication idea. We have 
>>>>> been using SAML2 for many years with other applications. It seems 
>>>>> SAML2 for open and closed source Java Enterprise applications is very 
>>>>> common, so I feel good about requesting SAML2 SP support for Apache 
>>>>> Sling. 
>>>>> 
>>>>> To start, I am studying the OpenSAML V3 eBook mentioned on the 
>>>>> Shibboleth website <https://wiki.shibboleth.net/confluence/display/OS30/Home>. 
>>>>> The eBook discusses a sample project 
>>>>> <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/> 
>>>>> and covers various aspects of using the OpenSaml3 Java library: 
>>>>> 
>>>>> * Authentication request using HTTP Redirect Binding 
>>>>> * Assertion transported using HTTP Artifact Binding 
>>>>> * SAML Artifact transported using HTTP Redirect Binding 
>>>>> 
>>>>> If you or others have thoughts or recommendations for me about how to 
>>>>> make this happen, please let me know. 
>>>>> 
>>>>> Thanks 
>>>>> Cris Rockwell, App Sys Analyst/Programmer Sr 
>>>>> College of Literature, Science, and the Arts | University of Michigan 
>>>>> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI 48109 
>>>>> Desk: 734.763.6818 | Email: cmroc...@umich.edu 
>>>>> 
>>>>>> On Dec 19, 2019, at 12:00 PM, Robert Munteanu <romb...@apache.org> wrote: 
>>>>>> 
>>>>>> Hi Cris, 
>>>>>> 
>>>>>> Hopefully the LDAP authentication will fulfill your requirements. 
>>>>>> Once you're done, it would be interesting to discuss (privately, if you 
>>>>>> prefer) what gaps you identified in the authentication support we offer. 
>>>>>> 
>>>>>> Thanks, 
>>>>>> Robert 
>>>>>> 
>>>>>> On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote: 
>>>>>>> Hi Robert 
>>>>>>> 
>>>>>>> Thank you for your offer to guide an OIDC and/or SAML2 Sling 
>>>>>>> Authentication Handler implementation. Long term, I could also see 
>>>>>>> contributing to a peer reviewed initiative to securely add the 
>>>>>>> features to Sling applications. After some thought, I might follow up 
>>>>>>> with you about this out of band. 
>>>>>>> 
>>>>>>> In the short run, perhaps Oak’s LDAP authentication will support the 
>>>>>>> features we need. 
>>>>>>> https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
>>>>>>> https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
>>>>>>> 
>>>>>>> Thanks all. 
>>>>>>> Cris R 
>>>>>>> 
>>>>>>>> On Dec 11, 2019, at 11:58 AM, Robert Munteanu <romb...@apache.org> wrote: 
>>>>>>>> 
>>>>>>>> On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote: 
>>>>>>>>> "What exactly would you need to manage JCR-based controls? I would 
>>>>>>>>> imagine that mapping users to JCR groups based on whatever data your 
>>>>>>>>> identity solution provides and then creating access based on ACLs 
>>>>>>>>> only would satisfy your request." 
>>>>>>>>> 
>>>>>>>>> We need to manage a few things at the identity provider: 
>>>>>>>>> 1. User attributes: username, name, email, phone, maybe a few other 
>>>>>>>>> pieces of data about the user. 
>>>>>>>>> 2. Group membership 
>>>>>>>>> 
>>>>>>>>> When the user signs in, with SAML2 there is encrypted metadata which 
>>>>>>>>> contains that information. Upon sign in, Sling users should be 
>>>>>>>>> created, their user attributes updated and the user should be added 
>>>>>>>>> or removed from Sling group membership. Once the user has signed in, 
>>>>>>>>> then access is granted as usual using JCR-based ACL’s applied for 
>>>>>>>>> the groups. 
>>>>>>>> 
>>>>>>>> Right, I see that there is no support for that in the keycloak 
>>>>>>>> handler, as it was presented [1]. 
>>>>>>>> 
>>>>>>>> I don't think there is any out-of-the-box support for what you're 
>>>>>>>> looking for. 
>>>>>>>> 
>>>>>>>> I would be happy to guide anyone willing to implement such 
>>>>>>>> functionality though. 
>>>>>>>> 
>>>>>>>> Thanks, 
>>>>>>>> Robert 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> [1]: 
>>>>>>>> https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak
> 
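The sign-in sync described in the quoted thread (create the Sling user, update its attributes, add or remove it from Sling groups, then rely on JCR ACLs) and the Default Sync Handler step in the message at the top, as an added example that is not code from the thread or from the whiteboard project: it parses the AttributeStatement of a constructed SAML 2.0 assertion and computes the attribute and group changes a sync handler would apply. The attribute names, the `lsa-` managed-group prefix and the function names are assumptions, and the code assumes the assertion's signature, audience and validity window have already been verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response). Signature, Conditions
# and SubjectConfirmation are omitted: this code assumes the caller verified
# them first and only then runs the sync step on the trusted attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>cris@example.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>cris@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Cris R</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>lsa-editors</saml:AttributeValue>
      <saml:AttributeValue>lsa-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from a validated assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def sync_plan(current_groups, idp_groups, managed_prefix="lsa-"):
    """Groups to add to and remove from the Sling user so membership mirrors
    the IdP. Only groups under managed_prefix (a hypothetical naming
    convention) are reconciled, so locally administered groups are never
    dropped when the memberOf attribute is missing or shrinks."""
    current = {g for g in current_groups if g.startswith(managed_prefix)}
    wanted = {g for g in idp_groups if g.startswith(managed_prefix)}
    return sorted(wanted - current), sorted(current - wanted)


def sign_in_changes(xml_text, current_groups):
    """One sign-in: user id, profile attributes to write, and the group diff."""
    name_id, attrs = parse_assertion(xml_text)
    profile = {k: v[0] for k, v in attrs.items() if k != "memberOf" and v}
    add, remove = sync_plan(current_groups, attrs.get("memberOf", []))
    return {"user": name_id, "profile": profile, "add": add, "remove": remove}
```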
