Hi Oak and Sling Devs,

I am working to make a SAML2 Sling Authentication Handler. This is my project: https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler

It has a demo IDP which returns the SAML Security Assertion via a SOAP binding. The SAML assertion contains username, attributes and groups. I am trying to decide the best way to ...

a) get or create the user
b) add/remove the user to the groups
c) add, change or remove synchronized user attributes.

I am reviewing the Oak External Login Module to see whether it can help with this... https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html

It says…

“The external login module has 2 main tasks. One is to authenticate credentials against a 3rd party system, the other is to coordinate syncing of the respective users and groups with the JCR repository (via the UserManager)."

and

“The synchronization of users and groups is triggered by the external login module, after a user is successfully authenticated against the IDP or if it’s no longer present on the IDP.”

In LDAP Auth, user credentials are passed from the user to the Oak-based application to the External LDAP IDP via the External Login Module, which then triggers User Sync.

In SAML2, authentication happens entirely at the External Identity Provider (e.g. Shibboleth), and there is no handling of the user's credentials at the Service Provider (Oak-based application) level. Instead, SAML2 Security Assertions are handed to the Sling Authentication Handler / Service Provider after authentication, when the user is redirected back to the Assertion Consumer Servlet (ACS). Which is where my project is stalled a little bit.

My questions:

1. Once my ACS receives the user's SAML2 Assertion (either via SOAP or POST bindings), does it make sense to try using Oak’s User and Group Synchronization? If so, how would one configure or trigger it? Or should I write my own user management code?

2. Given my use case, which if any of the Oak External Components should I configure?
   - ExternalLoginModuleFactory
   - DefaultSyncHandler
   - ExternalIDPManagerImpl
   - SyncManagerImpl
   - ExternalPrincipalConfiguration

Thank you!

Cris Rockwell
Applications Architect Sr
College of Literature, Science, and the Arts | University of Michigan
LSA Technology Services | Suite 505 | 301 E. Liberty | Ann Arbor, MI 48109
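One way the assertion data described in this message could be fed to Oak's existing sync machinery, as an added illustration that is not part of the message or of the saml-handler project: a hypothetical adapter that implements Oak's ExternalIdentityProvider over a single, already validated and parsed assertion. The class names, the provider name "saml2" and the assumption that the Oak external-authentication API (org.apache.jackrabbit.oak.spi.security.authentication.external) is on the classpath are all mine.

```java
import java.util.*;
import java.util.stream.Collectors;
import javax.jcr.Credentials;
import org.apache.jackrabbit.oak.spi.security.authentication.external.*;
// Hypothetical adapter: exposes the user id, attributes and group names parsed from one
// validated SAML2 assertion through Oak's ExternalIdentityProvider interface, so the stock
// DefaultSyncContext/DefaultSyncHandler can create or update the JCR user and its groups.
public final class SamlAssertionIdentityProvider implements ExternalIdentityProvider {
    public static final String NAME = "saml2";    // assumed provider name (must match the sync config)
    private final String userId;
    private final Map<String, Object> attributes; // SAML attribute name -> value(s)
    private final Set<String> groupNames;         // group names asserted by the IdP
    public SamlAssertionIdentityProvider(String userId, Map<String, Object> attributes, Set<String> groupNames) {
        this.userId = userId; this.attributes = attributes; this.groupNames = groupNames;
    }
    @Override public String getName() { return NAME; }
    @Override public ExternalUser getUser(String id) { return userId.equals(id) ? new SamlUser() : null; }
    @Override public ExternalGroup getGroup(String n) { return groupNames.contains(n) ? new SamlGroup(n) : null; }
    // The sync context resolves the user's declared group refs through getIdentity().
    @Override public ExternalIdentity getIdentity(ExternalIdentityRef ref) {
        ExternalUser user = getUser(ref.getId());
        return user != null ? user : getGroup(ref.getId());
    }
    // The SP never sees credentials (authentication happened at the IdP), so this
    // provider cannot authenticate anything and says so by returning null.
    @Override public ExternalUser authenticate(Credentials credentials) { return null; }
    @Override public Iterator<ExternalUser> listUsers() { return Collections.<ExternalUser>singleton(new SamlUser()).iterator(); }
    @Override public Iterator<ExternalGroup> listGroups() { return groupNames.stream().map(n -> (ExternalGroup) new SamlGroup(n)).iterator(); }
    private final class SamlUser implements ExternalUser {
        @Override public ExternalIdentityRef getExternalId() { return new ExternalIdentityRef(userId, NAME); }
        @Override public String getId() { return userId; }
        @Override public String getPrincipalName() { return userId; }
        @Override public String getIntermediatePath() { return null; } // let the sync config pick the path
        @Override public Map<String, ?> getProperties() { return attributes; }
        @Override public Iterable<ExternalIdentityRef> getDeclaredGroups() {
            return groupNames.stream().map(n -> new ExternalIdentityRef(n, NAME)).collect(Collectors.toList());
        }
    }
    private final class SamlGroup implements ExternalGroup {
        private final String name;
        SamlGroup(String name) { this.name = name; }
        @Override public ExternalIdentityRef getExternalId() { return new ExternalIdentityRef(name, NAME); }
        @Override public String getId() { return name; }
        @Override public String getPrincipalName() { return name; }
        @Override public String getIntermediatePath() { return null; }
        @Override public Map<String, ?> getProperties() { return Collections.<String, Object>emptyMap(); }
        @Override public Iterable<ExternalIdentityRef> getDeclaredGroups() { return Collections.emptyList(); }
        @Override public Iterable<ExternalIdentityRef> getDeclaredMembers() { return Collections.singleton(new ExternalIdentityRef(userId, NAME)); }
    }
}
```

Inside the ACS, after the assertion's signature and conditions have been checked, a DefaultSyncContext built from a DefaultSyncConfig, this provider, the session's UserManager and ValueFactory can then call sync(provider.getUser(userId)) to create or update the user and its group memberships. This covers only the "sync" half of the module's two tasks; the "authenticate credentials" half stays at the IdP.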