If that is really the case then sticking XWiki in a Tomcat container and
fronting with Apache / mod_shib and using an HTTP authenticator is by far
the simplest way to get SAML auth to your XWiki.. this would take about a
day or two assuming you have a working SAML environment, Identity Provider /
Federation wise.

Re/writing a true SAML compliant authenticator is (I'm going to bet) far
more time consuming.. you have to deal with all the constraints and bit
level SAML which is where the brunt of the security comes from.. and the
registration and management of metadata.. etc.. etc..


------
thanks
 kevin.foote

On Fri, 29 Mar 2013, Valdis Vītoliņš wrote:

> I agree in general,
> but the devil is in the details.
>
> If I have a usual time-constrained project, and have to ship something in,
> say, two months; then I have to develop anything that works, not the
> best solution. I have looked at some of these projects, though currently
> integration with these requires too much learning of project internalities
> to be achievable in a short-term project.
> I'd like to help build something that could be deployable by putting
> some jar file and writing settings in xwiki.cfg, but I'm not experienced
> enough and have no time to go into long and deep custom development.
>
> Valdis

Just a comment.. (I'm a list watcher 99.9% of the time)

XWiki will work just fine with SAML products that engage at the
container level.. You just use an HTTP auth type authenticator, of which
there are a few out there in the contributions area.

My advice would be to NOT write to the SAML protocol where this gets
really intricate.. but to just let the known to work SAML products do
their thing. Pulling the SAML bits into XWIKI does not buy you anything
intricate to the product and just adds much more room for error on the
authenticator.

People wanting to implement their own SAML stack inside 'web appX'
is a topic that always comes up on some of the lists I'm on and the SAML
people always say there is really no reason to do this..

IMO leave the SAML bits to SAML products** and use an HTTP authenticator
that you like.

** Just to name a few:
  - http://simplesamlphp.org/ ,
  - http://shibboleth.net/ ,
  - https://github.com/guanxi/guanxi-sp-guard ,


------
thanks
  kevin.foote

On Fri, 29 Mar 2013, Valdis Vītoliņš wrote:

> Nicolas,
> If you'd be able to rebuild this module that it at least compiles and
> does something, I'd also be interested in trying it and contributing to
> its development.
>
> Valdis
>> Hi Nicolas,
>>
>> If I remember correctly I wrote this authenticator and I think it requires
>> some code in XWiki pages to manage the redirects but I don't think I have
>> this code anymore.
>> Plus it was for one custom SAML server and has not been tested with
>> multiple ones.
>>
>> In any case it's a good basis for starting a SAML authenticator.
>> If you are coding against a more widespread SAML server, do contribute your
>> code :)
>> You can take over the module fully as no backwards compatibility is needed.
>>
>> Ludovic
> ...
>
> _______________________________________________
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
>