Posted to users@sling.apache.org by Cris Rockwell <cm...@umich.edu> on 2020/02/12 21:27:09 UTC

Re: OIDC or SAML2 for Sling

Hi Robert

I would like to follow up with you about adding SAML2 SP (Service Provider) support to Apache Sling.

Our team reviewed security requirements with the leading identity provider (IDP) administrator at the University. His suggestion was to use SAML2 (or OIDC) and skip the LDAP authentication idea. We have been using SAML2 for many years with other applications. It seems SAML2 for open and closed source Java Enterprise applications is very common, so I feel good about requesting SAML2 SP support for Apache Sling. 

To start, I am studying the eBook OpenSAML V3 mentioned on the Shibboleth website <https://wiki.shibboleth.net/confluence/display/OS30/Home>. The eBook discusses a sample project <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/> and covers various aspects of using OpenSaml3 Java library.

* Authentication request using HTTP Redirect Binding 
* Assertion transported using HTTP Artifact Binding 
* SAML Artifact transported using HTTP Redirect Binding

If you or others have thoughts or recommendations for me about how to make this happen, please let me know. 

Thanks
Cris Rockwell, App Sys Analyst/Programmer Sr  
College of Literature, Science, and the Arts | University of Michigan 
LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI I 48109
Desk: 734.763.6818 | Email: cmrockwe@umich.edu







> On Dec 19, 2019, at 12:00 PM, Robert Munteanu <ro...@apache.org> wrote:
> 
> Hi Cris,
> 
> Hopefully the LDAP authentication will fulfill your requirements. Once
> you're done, it would be interesting to discuss (privately, if you
> prefer) what gaps you identified in the authentication support we
> offer.
> 
> Thanks,
> Robert
> 
> On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:
>> Hi Robert
>> 
>> Thank you for your offer to guide an OIDC and/or SAML2 Sling
>> Authentication Handler implementation. Long term, I could also see
>> contributing to a peer reviewed initiative to securely add the
>> features to Sling applications. After some thought, I might follow up
>> with you about this out of band.
>> 
>> In the short run, perhaps Oak’s LDAP authentication will support the
>> features we need. 
>> https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
>> https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
>> 
>> Thanks all.
>> Cris R
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>> On Dec 11, 2019, at 11:58 AM, Robert Munteanu <ro...@apache.org>
>>> wrote:
>>> 
>>> On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
>>>> "What exactly would you need to manage JCR-based controls? I
>>>> would
>>>> imagine that mapping users to JCR groups based on whatever data
>>>> your
>>>> identity solution provides and then creating access based on ACLs
>>>> only
>>>> would satisfy your request."
>>>> 
>>>> 
>>>> We need to manage a few things at the identity provider:
>>>> 1. User attributes: username, name, email, phone, maybe a few
>>>> other
>>>> pieces of data about the user.
>>>> 2. Group membership
>>>> 
>>>> When the user signs in, with SAML2 there is encrypted metadata
>>>> which
>>>> contains that information. Upon sign in, Sling users should be
>>>> created, their user attributes updated and the user should be
>>>> added
>>>> or removed from Sling group membership. Once the user has signed
>>>> in,
>>>> then access is granted as usual using JCR-based ACL’s applied for
>>>> the
>>>> groups.
>>> 
>>> Right, I see that there is no support for that in the keycloak
>>> handler,
>>> as it was presented [1].
>>> 
>>> I don't think there is any out-of-the-box support for what you're
>>> looking for.
>>> 
>>> I would be happy to guide anyone willing to implement such
>>> functionality though.
>>> 
>>> Thanks,
>>> Robert
>>> 
>>> 
>>> [1]: https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak

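The three bullets in the message above describe the wire flow (AuthnRequest over the HTTP-Redirect binding, assertion fetched over the Artifact binding). What the SP does with the Response once it has it is where most SAML SP mistakes are made, so here is an added example in plain Python. It is not code from the whiteboard handler, the OpenSAML sample project or OpenSAML itself: it encodes an AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) and then runs the checks an SP owes a Response after the library has verified the XML signature: status, Destination, InResponseTo against the set of request IDs we issued, Issuer, audience, validity window with clock skew, the bearer SubjectConfirmationData, and an assertion-ID replay cache. The entity IDs, endpoint URLs, skew and the sample Response are constructed for the demo. Signature verification and decryption of EncryptedAssertion are deliberately left to OpenSAML and are not shown.

```python
# SAML2 SP plumbing in stdlib Python (added example, not OpenSAML or the Sling handler).
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(minutes=3)  # assumed tolerated IdP/SP clock skew
# Assumed deployment values (hypothetical entity IDs and endpoints).
SP_ENTITY_ID = "https://sling.example.edu/saml2/sp"
ACS_URL = "https://sling.example.edu/saml2/acs"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"

def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest asking the IdP to return the Response via HTTP-POST."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_binding_url(request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        query["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(query)

def decode_redirect_binding(url):
    """Inverse of redirect_binding_url, i.e. what the IdP does on receipt."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class SamlValidationError(Exception):
    """Raised for any Response the SP must refuse to log in."""

def validate_response(xml, outstanding_ids, seen_assertion_ids, now):
    """Checks that run AFTER the library has verified the XML signature.
    Returns (NameID, {attribute name: [values]}) or raises SamlValidationError."""
    resp = ET.fromstring(xml)
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise SamlValidationError("IdP reported a non-success status")
    if resp.get("Destination") != ACS_URL:
        raise SamlValidationError("Destination is not our ACS endpoint")
    req_id = resp.get("InResponseTo")  # unsolicited (IdP-initiated) responses are rejected
    if req_id not in outstanding_ids:
        raise SamlValidationError("InResponseTo unknown or already consumed")
    assertion = resp.find("saml:Assertion", NS)  # EncryptedAssertion must be decrypted first
    if assertion is None:
        raise SamlValidationError("no plaintext Assertion in Response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("Assertion Issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if (now + SKEW < parse_ts(cond.get("NotBefore"))
            or now - SKEW >= parse_ts(cond.get("NotOnOrAfter"))):
        raise SamlValidationError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("Assertion not addressed to this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id
            or now - SKEW >= parse_ts(scd.get("NotOnOrAfter"))):
        raise SamlValidationError("bearer SubjectConfirmationData mismatch")
    aid = assertion.get("ID")  # assertion IDs are single-use within their validity window
    if aid in seen_assertion_ids:
        raise SamlValidationError("Assertion replayed")
    seen_assertion_ids.add(aid)
    outstanding_ids.discard(req_id)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

def sample_response(request_id):
    """Constructed, unsigned Response such as an IdP might POST back (demo input only)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="2020-02-12T21:27:09Z" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-02-12T21:27:09Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}"
          NotOnOrAfter="2020-02-12T21:32:09Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2020-02-12T21:26:09Z" NotOnOrAfter="2020-02-12T21:32:09Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The order of the checks matters less than the fact that every one of them runs before any user is created or any session is issued; the outstanding-request set and the seen-assertion set both need to be shared across cluster nodes and expired at NotOnOrAfter, otherwise the replay protection is only per-instance.
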
Re: OIDC or SAML2 for Sling

Posted by Cris Rockwell <cm...@umich.edu>.
Hi Dan
Thank you for the feedback! I will look into your comments, and might follow up with you later.
- Cris

> On Feb 25, 2020, at 9:52 PM, Daniel Klco <da...@gmail.com> wrote:
> 
> Hey Chris,
> 
> This looks like a really good start! A couple of thoughts:
> 
>   - It looks like a lot of exceptions are re-thrown as Runtime exceptions,
>   which IMO tends to obscure expected exception handling. It looks like this
>   is WIP, but I wanted to call it out.
>   - You may want to look at the Dynamic Class Loader Manager:
>   https://sling.apache.org/apidocs/sling8/org/apache/sling/commons/classloader/DynamicClassLoaderManager.html
>   - One thing to think about is how to store group membership. Due to a
>   certain project that some of the Jackrabbit folks are aware of, I've found
>   out quite painfully that the default Jackrabbit group membership has a hard
>   limit to the number of user -> group associations before performance gets
>   geometrically worse. You'll want to make sure your implementation supports
>   dynamic group membership if your user count is going to get into the
>   hundreds of thousands:
>   https://jackrabbit.apache.org/oak/docs/security/authentication/external/dynamic.html
> 
> Hope this helps and thanks for taking this on!
> 
> On Tue, Feb 25, 2020 at 5:14 AM Robert Munteanu <ro...@apache.org> wrote:
> 
>> Hi Cris,
>> 
>> I am away until 9/3, I'll only be able to look into this then. Thanks!
>> Robert
>> 
>> Sent from Nine
>> ________________________________
>> From: Cris Rockwell <cm...@umich.edu>
>> Sent: Monday, 24 February 2020 19:07
>> To: users@sling.apache.org
>> Subject: Re: OIDC or SAML2 for Sling
>> 
>> Hi Robert
>> 
>> I sent an email to dev@sling.apache.org <ma...@sling.apache.org> on
>> 2/20/2020, but I can’t find my message in the Dev Sling Mail Archive <
>> http://apache-sling.73963.n3.nabble.com/template/NamlServlet.jtp?macro=search_page&node=73966&query=SAML2&days=0>….
>> Maybe this email group only allows messages from certain approved people.
>> Whatever the reason, I’m responding to you again over Sling Users.
>> 
>> I am continuing my work to donate the 'SAML2 Authentication Handler for Apache
>> Sling' to the Apache Sling Whiteboard. The project is located at
>> 
>> https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler
>> 
>> 
>> 1. The implementation of the sample project
>> <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/>
>> from the eBook A Guide to OpenSAML V3 <https://payhip.com/b/41Tw> is added
>> and functional as an AuthenticationHandler within Apache Sling; I will open
>> a PR. I can recommend this book to anyone looking for a useful and concise
>> primer for the OpenSAML V3 Java library.
>> 2. Next I will try to make use of the Default Sync Handler
>> <https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html>
>> to manage group membership and user attributes.
>> 3. Also on the todo list: the HTTP POST binding vs. the SOAP binding. The
>> implementation in step 1 uses SOAP bindings.
>> 
>> It would be an honor if any of you experienced Sling developers and security
>> professionals would review and contribute your thoughts.
>> 
>> Best regards
>> Cris Rockwell
>> Applications Architect Sr
>> College of Literature, Science, and the Arts | University of Michigan
>> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann
>> Arbor, MI I 48109
>> Desk: 734.763.6818 | Email: cmrockwe@umich.edu
>> 
>> 
>> 
>>> On Feb 17, 2020, at 5:32 AM, Robert Munteanu <ro...@apache.org>
>> wrote:
>>> 
>>> Hi Cris,
>>> 
>>> (Feel free to send back to dev@sling as well, replying privately as you
>>> wrote privately).
>>> 
>>> The POM looks good to me. I would suggest moving to the latest parent
>>> bundle ( sling-bundle-parent 37 I think ) as it gives you Java 11
>>> support and better tooling.
>>> 
>>> Also, we should not introduce new Maven repositories as part of our
>>> bundles, since that does not work for every setup. For instance,
>>> building behind a 'catch-all' Maven mirror that does not have the
>>> custom repository set up will fail. I see that the artifacts you
>>> referenced are already on Maven Central, so it's probably just a
>>> leftover.
>>> 
>>> As to your choice of library, I think that is fine. I am not very much
>>> aware of the current landscape anyway, but as long as the license is
>>> fine, it does what we need and has a reasonable community behind it,
>>> all is well.
>>> 
>>> What I think would also be helpful is a high-level diagram/explanation
>>> of the goals of the bundle, e.g.
>>> 
>>> - will allow Sling applications to authenticate users against Oauth2
>>> servers such as ....
>>> - will allow sync of user attributes from OIDC providers such as ...
>>> 
>>> (I may have gotten these totally wrong due to my lack of knowledge :-) )
>>> 
>>> Thanks!
>>> 
>>> Robert
>>> 
>>> 
>>> On Fri, 2020-02-14 at 16:33 -0500, Cris Rockwell wrote:
>>>> Hi Robert
>>>> 
>>>> I’ve just started the project. Perhaps you can advise about the
>>>> project setup.
>>>> 
>>>> The pom.xml
>>>> 
>>>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/pom.xml
>>>> 
>>>> One test
>>>> 
>>>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/src/test/java/org/apache/sling/auth/saml2/JCETest.java
>>>> 
>>>> Regards
>>>> Cris Rockwell
>>>> Application Architect Senior
>>>> College of Literature, Science, and the Arts | University of
>>>> Michigan
>>>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann
>>>> Arbor MI 48109
>>>> p: 734.763.6818
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Feb 13, 2020, at 1:16 PM, Cris Rockwell <cm...@umich.edu>
>>>>> wrote:
>>>>> 
>>>>> Thanks for the feedback, Robert. I could not agree more with your
>>>>> suggestions.
>>>>> 
>>>>> In terms of selecting a vetted library to do the bulk of the work;
>>>>> 
>>>>> The University of Michigan is member of Internet2 and the
>>>>> Shibboleth Consortium.  These organizations maintain OpenSaml,
>>>>> which is Apache licensed. I am very comfortable with the library’s
>>>>> license, origin and maintenance.
>>>>> 
>>>>> https://www.internet2.edu/communities-groups/members/higher-education/all/all/all
>>>>> https://www.shibboleth.net/consortium/
>>>>> OpenSaml is a very widely used Java library even outside of higher
>>>>> education. A quick search shows many Apache projects including it
>>>>> as a dependency, such as Apache Web Services Security for Java,
>>>>> Apache ServiceMix, Apache TomEE, and others.
>>>>> 
>>>>> https://issues.apache.org/jira/browse/CXF-5015?jql=text%20~%20%22opensaml%22
>>>>> MVN shows at least 164 usages of V2
>>>>> (https://mvnrepository.com/artifact/org.opensaml/opensaml/usages).
>>>>> Version 3 of the library is modular, and each of the modules (Core,
>>>>> SAML Provider API, etc.) is listed separately
>>>>> (https://mvnrepository.com/artifact/org.opensaml).
>>>>> 
>>>>> In terms of selecting a vetted library, I think OpenSaml V3 meets
>>>>> the criteria. But how else would you vet the library?
>>>>> 
>>>>> As you probably know, OpenSAML is a low level library useful for
>>>>> building SAML solutions and not complete product by itself. For
>>>>> example, Shibboleth is an open source product implemented in part
>>>>> using OpenSAML. This is good from an open development perspective,
>>>>> because features can be developed using a piecemeal process. The
>>>>> Sling maintainers should not need to take a leap of faith about
>>>>> anything related to the framework's security.
>>>>> 
>>>>> 
>>>>> Regarding Whiteboard development, I am reviewing the examples about
>>>>> how this works.
>>>>> https://github.com/apache/sling-whiteboard/pull/14
>>>>> I forked Sling Whiteboard and will create a branch for developing the feature.
>>>>> 
>>>>> I have to give more thought about how to make the module easy to
>>>>> test and incorporate in the Sling starter.
>>>>> 
>>>>> Regards
>>>>> Cris Rockwell
>>>>> Application Architect Senior
>>>>> College of Literature, Science, and the Arts | University of
>>>>> Michigan
>>>>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann
>>>>> Arbor MI 48109
>>>>> p: 734.763.6818
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Feb 13, 2020, at 10:13 AM, Robert Munteanu <rombert@apache.org> wrote:
>>>>>> 
>>>>>> Hi Cris,
>>>>>> 
>>>>>> I would be very happy to see OIDC/SAML2 support in Sling. As
>>>>>> mentioned,
>>>>>> there were a couple of initiatives, but none of them completed.
>>>>>> 
>>>>>> If anyone decides to give the implementation a shot, it would be
>>>>>> important to:
>>>>>> 
>>>>>> - use vetted libraries that do the bulk of the work. I think this
>>>>>> was a
>>>>>> problem with some of the earlier approaches
>>>>>> - develop as much in the open as possible. The sling whiteboard
>>>>>> is a
>>>>>> good option, also a personal repo is ok if the intention is to
>>>>>> contribute to Sling
>>>>>> - make the module easy to test and incorporate in the Sling
>>>>>> starter
>>>>>> 
>>>>>> I am available to review and incorporate this contribution, and
>>>>>> definitely there are others around.
>>>>>> 
>>>>>> Thanks,
>>>>>> Robert
>>>>>> 

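The sync step that item 2 of the Feb 24 message describes (create the Sling user on first login, refresh the mapped attributes, add or remove group memberships) has two security edges worth pinning down in code: an assertion must not be able to take over a pre-existing local account that happens to share the NameID, and the IdP must only ever add or remove the groups it owns, never local ones such as the administrators group. The following is an added example in plain Python; it is not the whiteboard handler and not Oak's DefaultSyncHandler (which expresses the same ideas declaratively through user.propertyMapping, rep:externalId and its membership settings). The property mapping, the "idp:" group prefix and the attribute OIDs the IdP is assumed to release are all assumptions. Whether the resulting memberships are then stored as rep:members lists or as dynamic membership, the scaling point Daniel raises, is a storage decision below this layer.

```python
# Post-login sync of a SAML-authenticated user (added example in plain Python; not
# Oak's DefaultSyncHandler, whose configuration does the equivalent declaratively).
from dataclasses import dataclass, field
from typing import Optional

EXTERNAL_PREFIX = "idp:"  # assumed namespace for groups the IdP is allowed to manage

# Assumed mapping "local property -> SAML attribute name", in the spirit of Oak's
# user.propertyMapping. The OIDs are the standard LDAP/eduPerson ones; which of
# them this IdP actually releases is an assumption.
PROPERTY_MAPPING = {
    "profile/email": "urn:oid:0.9.2342.19200300.100.1.3",  # mail
    "profile/givenName": "urn:oid:2.5.4.42",                # givenName
    "profile/familyName": "urn:oid:2.5.4.4",                # sn
}
GROUP_ATTRIBUTE = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"        # isMemberOf


@dataclass
class LocalUser:
    user_id: str
    external_id: Optional[str]          # None for accounts created locally
    properties: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)


@dataclass
class SyncResult:
    created: bool
    changed_properties: dict
    added_groups: set
    removed_groups: set
    ignored_groups: set                 # asserted names this SP refuses to manage


class SyncError(Exception):
    """Raised when an assertion would touch an account it does not own."""


def external_id(name_id, idp_entity_id):
    """Like Oak's rep:externalId: binds the local account to exactly one IdP."""
    return f"{name_id}@{idp_entity_id}"


def is_manageable_group_name(name):
    # An asserted name must not smuggle in our own prefix or a path separator.
    return bool(name) and "/" not in name and not name.startswith(EXTERNAL_PREFIX)


def sync_user(store, name_id, idp_entity_id, attributes):
    """Create or update the local user for an already-validated assertion."""
    ext = external_id(name_id, idp_entity_id)
    user, created = store.get(name_id), False
    if user is None:
        user = store[name_id] = LocalUser(user_id=name_id, external_id=ext)
        created = True
    elif user.external_id != ext:
        # A local account (or one owned by another IdP) with the same id must
        # never be silently taken over by an assertion.
        raise SyncError(f"user {name_id!r} is not owned by {idp_entity_id}")

    changed = {}
    for local_prop, saml_name in PROPERTY_MAPPING.items():
        values = attributes.get(saml_name)
        if not values:
            continue  # attribute not released this time: keep the stored value
        if user.properties.get(local_prop) != values[0]:
            user.properties[local_prop] = changed[local_prop] = values[0]

    asserted = set(attributes.get(GROUP_ATTRIBUTE, []))
    ignored = {g for g in asserted if not is_manageable_group_name(g)}
    wanted = {EXTERNAL_PREFIX + g for g in asserted - ignored}
    managed = {g for g in user.groups if g.startswith(EXTERNAL_PREFIX)}
    added, removed = wanted - managed, managed - wanted  # local groups are never touched
    user.groups = (user.groups - removed) | added
    return SyncResult(created, changed, added, removed, ignored)
```

The prefix does the real work: ACLs in the repository are then written against idp:lsa:staff and friends, and an IdP (or a compromised one) can grant or revoke exactly that namespace and nothing else.
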

Re: OIDC or SAML2 for Sling

Posted by Daniel Klco <da...@gmail.com>.
Hey Chris,

This looks like a really good start! A couple of thoughts:

   - It looks like a lot of exceptions are re-thrown as Runtime exceptions,
   which IMO tends to obscure expected exception handling. It looks like this
   is WIP, but I wanted to call it out.
   - You may want to look at the Dynamic Class Loader Manager:
   https://sling.apache.org/apidocs/sling8/org/apache/sling/commons/classloader/DynamicClassLoaderManager.html
   - One thing to think about is how to store group membership. Due to a
   certain project that some of the Jackrabbit folks are aware of, I've found
   out quite painfully that the default Jackrabbit group membership has a hard
   limit to the number of user -> group associations before performance gets
   geometrically worse. You'll want to make sure your implementation supports
   dynamic group membership if your user count is going to get into the
   hundreds of thousands:
   https://jackrabbit.apache.org/oak/docs/security/authentication/external/dynamic.html

Hope this helps and thanks for taking this on!

On Tue, Feb 25, 2020 at 5:14 AM Robert Munteanu <ro...@apache.org> wrote:

> Hi Cris,
>
> I am away until 9/3, I'll only be able to look into this then. Thanks!
> Robert
>
> Sent from Nine
> ________________________________
> From: Cris Rockwell <cm...@umich.edu>
> Sent: Monday, 24 February 2020 19:07
> To: users@sling.apache.org
> Subject: Re: OIDC or SAML2 for Sling
>
> Hi Robert
>
> I sent an email to dev@sling.apache.org <ma...@sling.apache.org> on
> 2/20/2020, but I can’t find my message in the Dev Sling Mail Archive <
> http://apache-sling.73963.n3.nabble.com/template/NamlServlet.jtp?macro=search_page&node=73966&query=SAML2&days=0>….
> Maybe this email group only allows messages from certain approved people.
> Whatever the reason, I’m responding to you again over Sling Users.
>
> I continue my work on to donate 'SAML2 Authentication Handler for Apache
> Sling’ to the Apache Sling Whiteboard. The project is  is located at...
>
> https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler
> <
> https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler>
>
>
> 1. the implementation of the sample project <
> https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/>
> from A Guide to OpenSAML V3 eBook <https://payhip.com/b/41Tw> is added
> and functional as an AuthenticationHandler within Apache Sling, I will open
> a PR. I can recommend this book to anyone looking for a useful and concise
> primer for the OpenSAML V3 Java library.
> 2. next I will try to make use of the Default Sync Handler <
> https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html>
> to manage group membership and user attributes
> 3. also on the todo list, the HTTP POST binding vs SOAP Binding. The
> implementation in step 1 uses SOAP bindings
>
> It would be an honor if any you experienced Sling developers and security
> professionals would review and contribute your thoughts.
>
> Best regards
> Cris Rockwell
> Applications Architect Sr
> College of Literature, Science, and the Arts | University of Michigan
> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann
> Arbor, MI I 48109
> Desk: 734.763.6818 | Email: cmrockwe@umich.edu
>
>
>
> > On Feb 17, 2020, at 5:32 AM, Robert Munteanu <ro...@apache.org>
> wrote:
> >
> > Hi Cris,
> >
> > (Feel free to send back to dev@sling as well, replying privately as you
> > wrote privately).
> >
> > The POM looks good to me. I would suggest moving to the latest parent
> > bundle ( sling-bundle-parent 37 I think ) as it gives you Java 11
> > support and better tooling.
> >
> > Also, we should not introduce new Maven repositories as part of our
> > bundles, since that does not work for every setup. For instance,
> > building behind a 'catch-all' Maven mirror that does not have the
> > custom repository set up will fail. I see that the artifacts you
> > referenced are already on Maven Central, so it's probably just a
> > leftover.
> >
> > As to your choice of library, I think that is fine. I am not very much
> > aware of the current landscape anyway, but as long as the license is
> > fine, it does what we need and has a reasonable community behind it,
> > all is well.
> >
> > What I think would also be helpful is a high-level diagram/explanation
> > of the goals of the bundle, e.g.
> >
> > - will allow Sling applications to authenticate users against Oauth2
> > servers such as ....
> > - will allow sync of user attributes from OIDC providers such as ...
> >
> > (I may have gotten these totally wrong due to my lack of knowledge: -)
> > )
> >
> > Thanks!
> >
> > Robert
> >
> >
> > On Fri, 2020-02-14 at 16:33 -0500, Cris Rockwell wrote:
> >> Hi Robert
> >>
> >> I’ve just started the project. Perhaps you can advise about the
> >> project setup.
> >>
> >> The pom.xml
> >>
> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/pom.xml
> >> <https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-
> >> service-provider/saml-handler/pom.xml>
> >>
> >> One test
> >>
> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/src/test/java/org/apache/sling/auth/saml2/JCETest.java
> >> <https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-
> >> service-provider/saml-
> >> handler/src/test/java/org/apache/sling/auth/saml2/JCETest.java>
> >>
> >> Regards
> >> Cris Rockwell
> >> Application Architect Senior
> >> College of Literature, Science, and the Arts | University of
> >> Michigan
> >> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann
> >> Arbor MI 48109
> >> p: 734.763.6818
> >>
> >>
> >>
> >>
> >>> On Feb 13, 2020, at 1:16 PM, Cris Rockwell <cm...@umich.edu>
> >>> wrote:
> >>>
> >>> Thanks for feedback, Robert. I could not agree more with you
> >>> suggestions.
> >>>
> >>> In terms of selecting a vetted library to do the bulk of the work;
> >>>
> >>> The University of Michigan is member of Internet2 and the
> >>> Shibboleth Consortium.  These organizations maintain OpenSaml,
> >>> which is Apache licensed. I am very comfortable with the library’s
> >>> license, origin and maintenance.
> >>>
> https://www.internet2.edu/communities-groups/members/higher-education/all/all/all
> >>> <https://www.internet2.edu/communities-groups/members/higher-
> >>> education/all/all/all>
> >>> https://www.shibboleth.net/consortium/ <
> >>> https://www.shibboleth.net/consortium/>
> >>> OpenSaml is a very widely used Java library even outside of higher
> >>> education. A quick search shows many Apache projects including it
> >>> as a dependency. Such as: Apache Web Services Security for Java,
> >>> Apache Service Mix, Apache TomEE, an others.
> >>>
> https://issues.apache.org/jira/browse/CXF-5015?jql=text%20~%20%22opensaml%22
> >>> <https://issues.apache.org/jira/browse/CXF-
> >>> 5015?jql=text%20~%20%22opensaml%22>
> >>> MVN shows usages at least 164 usages of V2 (
> >>> https://mvnrepository.com/artifact/org.opensaml/opensaml/usages <
> >>> https://mvnrepository.com/artifact/org.opensaml/opensaml/usages>;).
> >>> Version 3 of the library is modular, and each of the modules (Core,
> >>> SAML Provider API, etc) are listed separately (
> >>> https://mvnrepository.com/artifact/org.opensaml <
> >>> https://mvnrepository.com/artifact/org.opensaml>;)
> >>>
> >>> In terms of selecting a vetted library, I think OpenSaml V3 meets
> >>> the criteria. But how else would you vet the library?
> >>>
> >>> As you probably know, OpenSAML is a low level library useful for
> >>> building SAML solutions and not complete product by itself. For
> >>> example, Shibboleth is an open source product implemented in part
> >>> using OpenSAML. This is good from an open development perspective,
> >>> because features can be developed using a piecemeal process. The
> >>> Sling maintainers should not need to take a leap of faith about
> >>> anything related to the framework's security.
> >>>
> >>>
> >>> Regarding Whiteboard development, I am reviewing the examples about
> >>> how this works.
> >>> https://github.com/apache/sling-whiteboard/pull/14 <
> >>> https://github.com/apache/sling-whiteboard/pull/14> I forked Sling
> >>> Whiteboard and will create a branch for developing the feature.
> >>>
> >>> I have to give more thought about how to make the module easy to
> >>> test and incorporate in the Sling starter.
> >>>
> >>> Regards
> >>> Cris Rockwell
> >>> Application Architect Senior
> >>> College of Literature, Science, and the Arts | University of
> >>> Michigan
> >>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann
> >>> Arbor MI 48109
> >>> p: 734.763.6818
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>> On Feb 13, 2020, at 10:13 AM, Robert Munteanu <rombert@apache.org
> >>>> <ma...@apache.org>> wrote:
> >>>>
> >>>> Hi Cris,
> >>>>
> >>>> I would be very happy to see OIDC/SAML2 support in Sling. As
> >>>> mentioned, there were a couple of initiatives, but none of them
> >>>> completed.
> >>>>
> >>>> If anyone decides to give the implementation a shot, it would be
> >>>> important to:
> >>>>
> >>>> - use vetted libraries that do the bulk of the work. I think this
> >>>> was a problem with some of the earlier approaches
> >>>> - develop as much in the open as possible. The sling whiteboard is a
> >>>> good option, also a personal repo is ok if the intention is to
> >>>> contribute to Sling
> >>>> - make the module easy to test and incorporate in the Sling starter
> >>>>
> >>>> I am available to review and incorporate this contribution, and
> >>>> definitely there are others around.
> >>>>
> >>>> Thanks,
> >>>> Robert
> >>>>
> >>>> On Wed, 2020-02-12 at 16:27 -0500, Cris Rockwell wrote:
> >>>>> Hi Robert
> >>>>>
> >>>>> I would like to follow up with you about adding SAML2 SP (Service
> >>>>> Provider) support to Apache Sling.
> >>>>>
> >>>>> Our team reviewed security requirements with the leading identity
> >>>>> provider (IDP) administrator at the University. His suggestion was to
> >>>>> use SAML2 (or OIDC) and skip the LDAP authentication idea. We have
> >>>>> been using SAML2 for many years with other applications. It seems
> >>>>> SAML2 for open and closed source Java Enterprise applications is very
> >>>>> common, so I feel good about requesting SAML2 SP support for Apache
> >>>>> Sling.
> >>>>>
> >>>>> To start, I am studying the eBook OpenSAML V3 mentioned on the
> >>>>> Shibboleth website
> >>>>> https://wiki.shibboleth.net/confluence/display/OS30/Home .
> >>>>> The eBook discusses a sample project
> >>>>> https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/
> >>>>> and covers various aspects of using the OpenSaml3 Java library.
> >>>>>
> >>>>> * Authentication request using HTTP Redirect Binding
> >>>>> * Assertion transported using HTTP Artifact Binding
> >>>>> * SAML Artifact transported using HTTP Redirect Binding
> >>>>>
> >>>>> If you or others have thoughts or recommendations for me about how to
> >>>>> make this happen, please let me know.
> >>>>>
> >>>>> Thanks
> >>>>> Cris Rockwell, App Sys Analyst/Programmer Sr
> >>>>> College of Literature, Science, and the Arts | University of Michigan
> >>>>> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann
> >>>>> Arbor, MI I 48109
> >>>>> Desk: 734.763.6818 | Email: cmrockwe@umich.edu
> >>>>>
> >>>>>> On Dec 19, 2019, at 12:00 PM, Robert Munteanu <rombert@apache.org> wrote:
> >>>>>>
> >>>>>> Hi Cris,
> >>>>>>
> >>>>>> Hopefully the LDAP authentication will fulfill your requirements.
> >>>>>> Once you're done, it would be interesting to discuss (privately, if
> >>>>>> you prefer) what gaps you identified in the authentication support
> >>>>>> we offer.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Robert
> >>>>>>
> >>>>>> On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:
> >>>>>>> Hi Robert
> >>>>>>>
> >>>>>>> Thank you for your offer to guide an OIDC and/or SAML2 Sling
> >>>>>>> Authentication Handler implementation. Long term, I could also see
> >>>>>>> contributing to a peer reviewed initiative to securely add the
> >>>>>>> features to Sling applications. After some thought, I might follow up
> >>>>>>> with you about this out of band.
> >>>>>>>
> >>>>>>> In the short run, perhaps Oak’s LDAP authentication will support the
> >>>>>>> features we need.
> >>>>>>> https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
> >>>>>>> https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
> >>>>>>>
> >>>>>>> Thanks all.
> >>>>>>> Cris R
> >>>>>>>
> >>>>>>>> On Dec 11, 2019, at 11:58 AM, Robert Munteanu <rombert@apache.org> wrote:
> >>>>>>>>
> >>>>>>>> On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
> >>>>>>>>> "What exactly would you need to manage JCR-based controls? I
> >>>>>>>>> would imagine that mapping users to JCR groups based on whatever
> >>>>>>>>> data your identity solution provides and then creating access
> >>>>>>>>> based on ACLs only would satisfy your request."
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> We need to manage a few things at the identity provider:
> >>>>>>>>> 1. User attributes: username, name, email, phone, maybe a few
> >>>>>>>>> other pieces of data about the user.
> >>>>>>>>> 2. Group membership
> >>>>>>>>>
> >>>>>>>>> When the user signs in, with SAML2 there is encrypted metadata
> >>>>>>>>> which contains that information. Upon sign in, Sling users should
> >>>>>>>>> be created, their user attributes updated and the user should be
> >>>>>>>>> added or removed from Sling group membership. Once the user has
> >>>>>>>>> signed in, then access is granted as usual using JCR-based ACLs
> >>>>>>>>> applied for the groups.
> >>>>>>>>
> >>>>>>>> Right, I see that there is no support for that in the keycloak
> >>>>>>>> handler, as it was presented [1].
> >>>>>>>>
> >>>>>>>> I don't think there is any out-of-the-box support for what you're
> >>>>>>>> looking for.
> >>>>>>>>
> >>>>>>>> I would be happy to guide anyone willing to implement such
> >>>>>>>> functionality though.
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> Robert
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> [1]:
> >>>>>>>> https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak
> >
>
>

Re: OIDC or SAML2 for Sling

Posted by Robert Munteanu <ro...@apache.org>.
Hi Cris,

I am away until 9/3, I'll only be able to look into this then. Thanks!
Robert

Sent from Nine
________________________________
From: Cris Rockwell <cm...@umich.edu>
Sent: Monday, 24 February 2020 19:07
To: users@sling.apache.org
Subject: Re: OIDC or SAML2 for Sling

Hi Robert 

I sent an email to dev@sling.apache.org on 2/20/2020, but I can’t find my message in the Dev Sling Mail Archive <http://apache-sling.73963.n3.nabble.com/template/NamlServlet.jtp?macro=search_page&node=73966&query=SAML2&days=0>. Maybe this email group only allows messages from certain approved people. Whatever the reason, I’m responding to you again over Sling Users.

I continue my work to donate the 'SAML2 Authentication Handler for Apache Sling' to the Apache Sling Whiteboard. The project is located at:
https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler

1. The implementation of the sample project <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/> from the A Guide to OpenSAML V3 eBook <https://payhip.com/b/41Tw> is added and functional as an AuthenticationHandler within Apache Sling; I will open a PR. I can recommend this book to anyone looking for a useful and concise primer for the OpenSAML V3 Java library.
2. Next I will try to make use of the Default Sync Handler <https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html> to manage group membership and user attributes.
3. Also on the todo list: the HTTP POST binding vs the SOAP binding. The implementation in step 1 uses SOAP bindings.

It would be an honor if any of you experienced Sling developers and security professionals would review and contribute your thoughts.

Best regards 
Cris Rockwell 
Applications Architect Sr  
College of Literature, Science, and the Arts | University of Michigan 
LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI I 48109 
Desk: 734.763.6818 | Email: cmrockwe@umich.edu 



> On Feb 17, 2020, at 5:32 AM, Robert Munteanu <ro...@apache.org> wrote: 
> 
> Hi Cris, 
> 
> (Feel free to send back to dev@sling as well, replying privately as you 
> wrote privately). 
> 
> The POM looks good to me. I would suggest moving to the latest parent 
> bundle ( sling-bundle-parent 37 I think ) as it gives you Java 11 
> support and better tooling. 
> 
> Also, we should not introduce new Maven repositories as part of our 
> bundles, since that does not work for every setup. For instance, 
> building behind a 'catch-all' Maven mirror that does not have the 
> custom repository set up will fail. I see that the artifacts you 
> referenced are already on Maven Central, so it's probably just a 
> leftover. 
> 
> As to your choice of library, I think that is fine. I am not very much 
> aware of the current landscape anyway, but as long as the license is 
> fine, it does what we need and has a reasonable community behind it, 
> all is well. 
> 
> What I think would also be helpful is a high-level diagram/explanation 
> of the goals of the bundle, e.g. 
> 
> - will allow Sling applications to authenticate users against Oauth2 
> servers such as .... 
> - will allow sync of user attributes from OIDC providers such as ... 
> 
> (I may have gotten these totally wrong due to my lack of knowledge :-) )
> 
> Thanks! 
> 
> Robert 
> 
> 
> On Fri, 2020-02-14 at 16:33 -0500, Cris Rockwell wrote: 
>> Hi Robert 
>> 
>> I’ve just started the project. Perhaps you can advise about the 
>> project setup. 
>> 
>> The pom.xml 
>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/pom.xml
>> 
>> One test 
>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/src/test/java/org/apache/sling/auth/saml2/JCETest.java
>> 
>> Regards 
>> Cris Rockwell 
>> Application Architect Senior 
>> College of Literature, Science, and the Arts | University of 
>> Michigan 
>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann 
>> Arbor MI 48109 
>> p: 734.763.6818 
>> 
>> 
>> 
>> 
>>> On Feb 13, 2020, at 1:16 PM, Cris Rockwell <cm...@umich.edu> wrote:
>>> 
>>> Thanks for feedback, Robert. I could not agree more with your
>>> suggestions.
>>> 
>>> In terms of selecting a vetted library to do the bulk of the work; 
>>> 
>>> The University of Michigan is a member of Internet2 and the
>>> Shibboleth Consortium. These organizations maintain OpenSaml,
>>> which is Apache licensed. I am very comfortable with the library’s
>>> license, origin and maintenance.
>>> https://www.internet2.edu/communities-groups/members/higher-education/all/all/all
>>> https://www.shibboleth.net/consortium/
>>> OpenSaml is a very widely used Java library even outside of higher
>>> education. A quick search shows many Apache projects including it
>>> as a dependency, such as Apache Web Services Security for Java,
>>> Apache ServiceMix, Apache TomEE, and others.
>>> https://issues.apache.org/jira/browse/CXF-5015?jql=text%20~%20%22opensaml%22
>>> MVN shows at least 164 usages of V2
>>> (https://mvnrepository.com/artifact/org.opensaml/opensaml/usages).
>>> Version 3 of the library is modular, and each of the modules (Core,
>>> SAML Provider API, etc) is listed separately
>>> (https://mvnrepository.com/artifact/org.opensaml).
>>> 
>>> In terms of selecting a vetted library, I think OpenSaml V3 meets 
>>> the criteria. But how else would you vet the library? 
>>> 
>>> As you probably know, OpenSAML is a low level library useful for
>>> building SAML solutions and not a complete product by itself. For
>>> example, Shibboleth is an open source product implemented in part 
>>> using OpenSAML. This is good from an open development perspective, 
>>> because features can be developed using a piecemeal process. The 
>>> Sling maintainers should not need to take a leap of faith about 
>>> anything related to the framework's security. 
>>> 
>>> 
>>> Regarding Whiteboard development, I am reviewing the examples about 
>>> how this works. 
>>> https://github.com/apache/sling-whiteboard/pull/14 I forked Sling
>>> Whiteboard and will create a branch for developing the feature. 
>>> 
>>> I have to give more thought about how to make the module easy to 
>>> test and incorporate in the Sling starter. 
>>> 
>>> Regards 
>>> Cris Rockwell 
>>> Application Architect Senior 
>>> College of Literature, Science, and the Arts | University of 
>>> Michigan 
>>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann 
>>> Arbor MI 48109 
>>> p: 734.763.6818 
>>> 

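
The sync described in the quoted Dec 11 exchange (create the Sling user on first sign-in, refresh its attributes, reconcile group membership, then let JCR ACLs decide access), written out as an added illustration; it is not code from this thread or from the saml-handler project. It uses the Jackrabbit UserManager API and assumes the assertion has already been validated by OpenSAML; the SamlIdentity holder, the "idp:" group prefix and the "profile/" attribute path are assumptions.

```java
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Added example (not from the thread or the saml-handler project): reconcile a
 * Sling/JCR user with what a *validated* SAML2 assertion says about them.
 *
 * Assumptions: the caller has already checked the Response/Assertion
 * signature, audience, conditions and InResponseTo with OpenSAML and passes
 * the extracted values in; the session has user-management rights; groups
 * owned by the IdP carry an "idp:" prefix, so an assertion can never grant
 * membership in locally managed groups such as "administrators".
 */
public final class SamlUserSync {

    /** Values extracted from an already validated assertion (hypothetical holder). */
    public static final class SamlIdentity {
        public final String userId;                  // NameID or a uid attribute
        public final Map<String, String> attributes; // e.g. email, displayName
        public final Set<String> groups;             // group names asserted by the IdP

        public SamlIdentity(String userId, Map<String, String> attributes, Set<String> groups) {
            this.userId = userId;
            this.attributes = attributes;
            this.groups = groups;
        }
    }

    /** Prefix marking groups whose membership is owned by the IdP (assumption). */
    static final String IDP_GROUP_PREFIX = "idp:";

    private SamlUserSync() {}

    /**
     * Creates or updates the user and makes its IdP-managed group membership
     * equal to the asserted set. Membership in local (unprefixed) groups is
     * left untouched. Returns the synced user.
     */
    public static User sync(Session serviceSession, SamlIdentity id) throws RepositoryException {
        UserManager um = ((JackrabbitSession) serviceSession).getUserManager();
        ValueFactory vf = serviceSession.getValueFactory();

        // 1. Create on first sign-in. No password: this user only signs in via SAML.
        Authorizable existing = um.getAuthorizable(id.userId);
        User user;
        if (existing == null) {
            user = um.createUser(id.userId, null);
        } else if (existing.isGroup()) {
            throw new RepositoryException("asserted user id collides with a group: " + id.userId);
        } else {
            user = (User) existing;
        }

        // 2. Refresh profile attributes from the assertion ("profile/" path is an assumption).
        for (Map.Entry<String, String> e : id.attributes.entrySet()) {
            user.setProperty("profile/" + e.getKey(), vf.createValue(e.getValue()));
        }

        // 3. Reconcile IdP-managed groups: drop what is no longer asserted, add the rest.
        Set<String> wanted = new HashSet<>();
        for (String g : id.groups) {
            wanted.add(IDP_GROUP_PREFIX + g);
        }
        Iterator<Group> current = user.declaredMemberOf();
        while (current.hasNext()) {
            Group g = current.next();
            String gid = g.getID();
            if (gid.startsWith(IDP_GROUP_PREFIX) && !wanted.remove(gid)) {
                g.removeMember(user); // asserted before, not asserted now
            }
        }
        for (String gid : wanted) { // left over = asserted but not yet a member
            Authorizable a = um.getAuthorizable(gid);
            Group g;
            if (a == null) {
                g = um.createGroup(gid);
            } else if (a.isGroup()) {
                g = (Group) a;
            } else {
                throw new RepositoryException("asserted group id collides with a user: " + gid);
            }
            g.addMember(user);
        }

        // 4. Persist; from here on access is decided by the JCR ACLs granted to these groups.
        serviceSession.save();
        return user;
    }
}
```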

Re: OIDC or SAML2 for Sling

Posted by Cris Rockwell <cm...@umich.edu>.
Hi Robert

I sent an email to dev@sling.apache.org on 2/20/2020, but I can’t find my message in the Dev Sling Mail Archive <http://apache-sling.73963.n3.nabble.com/template/NamlServlet.jtp?macro=search_page&node=73966&query=SAML2&days=0>. Maybe this email group only allows messages from certain approved people. Whatever the reason, I’m responding to you again over Sling Users.

I continue my work to donate the 'SAML2 Authentication Handler for Apache Sling' to the Apache Sling Whiteboard. The project is located at:
https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler

1. The implementation of the sample project <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/> from the A Guide to OpenSAML V3 eBook <https://payhip.com/b/41Tw> is added and functional as an AuthenticationHandler within Apache Sling; I will open a PR. I can recommend this book to anyone looking for a useful and concise primer for the OpenSAML V3 Java library.
2. Next I will try to make use of the Default Sync Handler <https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html> to manage group membership and user attributes.
3. Also on the todo list: the HTTP POST binding vs the SOAP binding. The implementation in step 1 uses SOAP bindings.

It would be an honor if any of you experienced Sling developers and security professionals would review and contribute your thoughts.

Best regards
Cris Rockwell
Applications Architect Sr  
College of Literature, Science, and the Arts | University of Michigan 
LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI I 48109
Desk: 734.763.6818 | Email: cmrockwe@umich.edu



> On Feb 17, 2020, at 5:32 AM, Robert Munteanu <ro...@apache.org> wrote:
> 
> Hi Cris,
> 
> (Feel free to send back to dev@sling as well, replying privately as you
> wrote privately).
> 
> The POM looks good to me. I would suggest moving to the latest parent
> bundle ( sling-bundle-parent 37 I think ) as it gives you Java 11
> support and better tooling.
> 
> Also, we should not introduce new Maven repositories as part of our
> bundles, since that does not work for every setup. For instance,
> building behind a 'catch-all' Maven mirror that does not have the
> custom repository set up will fail. I see that the artifacts you
> referenced are already on Maven Central, so it's probably just a
> leftover.
> 
> As to your choice of library, I think that is fine. I am not very much
> aware of the current landscape anyway, but as long as the license is
> fine, it does what we need and has a reasonable community behind it,
> all is well.
> 
> What I think would also be helpful is a high-level diagram/explanation
> of the goals of the bundle, e.g.
> 
> - will allow Sling applications to authenticate users against Oauth2
> servers such as ....
> - will allow sync of user attributes from OIDC providers such as ...
> 
> (I may have gotten these totally wrong due to my lack of knowledge: -)
> )
> 
> Thanks!
> 
> Robert
> 
> 
> On Fri, 2020-02-14 at 16:33 -0500, Cris Rockwell wrote:
>> Hi Robert
>> 
>> I’ve just started the project. Perhaps you can advise about the
>> project setup.
>> 
>> The pom.xml
>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/pom.xml
>> <https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-
>> service-provider/saml-handler/pom.xml>
>> 
>> One test
>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/src/test/java/org/apache/sling/auth/saml2/JCETest.java
>> <https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-
>> service-provider/saml-
>> handler/src/test/java/org/apache/sling/auth/saml2/JCETest.java>
>> 
>> Regards
>> Cris Rockwell
>> Application Architect Senior
>> College of Literature, Science, and the Arts | University of
>> Michigan 
>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann
>> Arbor MI 48109
>> p: 734.763.6818
>> 
>> 
>> 
>> 
>>> On Feb 13, 2020, at 1:16 PM, Cris Rockwell <cm...@umich.edu>
>>> wrote:
>>> 
>>> Thanks for feedback, Robert. I could not agree more with you
>>> suggestions.
>>> 
>>> In terms of selecting a vetted library to do the bulk of the work;
>>> 
>>> The University of Michigan is member of Internet2 and the
>>> Shibboleth Consortium.  These organizations maintain OpenSaml,
>>> which is Apache licensed. I am very comfortable with the library’s
>>> license, origin and maintenance.
>>> https://www.internet2.edu/communities-groups/members/higher-education/all/all/all
>>> <https://www.internet2.edu/communities-groups/members/higher-
>>> education/all/all/all>
>>> https://www.shibboleth.net/consortium/ <
>>> https://www.shibboleth.net/consortium/>
>>> OpenSaml is a very widely used Java library even outside of higher
>>> education. A quick search shows many Apache projects including it
>>> as a dependency. Such as: Apache Web Services Security for Java,
>>> Apache Service Mix, Apache TomEE, an others.  
>>> https://issues.apache.org/jira/browse/CXF-5015?jql=text%20~%20%22opensaml%22
>>> <https://issues.apache.org/jira/browse/CXF-
>>> 5015?jql=text%20~%20%22opensaml%22>
>>> MVN shows usages at least 164 usages of V2 (
>>> https://mvnrepository.com/artifact/org.opensaml/opensaml/usages <
>>> https://mvnrepository.com/artifact/org.opensaml/opensaml/usages>;).
>>> Version 3 of the library is modular, and each of the modules (Core,
>>> SAML Provider API, etc) are listed separately (
>>> https://mvnrepository.com/artifact/org.opensaml <
>>> https://mvnrepository.com/artifact/org.opensaml>;)   
>>> 
>>> In terms of selecting a vetted library, I think OpenSaml V3 meets
>>> the criteria. But how else would you vet the library?
>>> 
>>> As you probably know, OpenSAML is a low level library useful for
>>> building SAML solutions and not complete product by itself. For
>>> example, Shibboleth is an open source product implemented in part
>>> using OpenSAML. This is good from an open development perspective,
>>> because features can be developed using a piecemeal process. The
>>> Sling maintainers should not need to take a leap of faith about
>>> anything related to the framework's security.
>>> 
>>> 
>>> Regarding Whiteboard development, I am reviewing the examples about
>>> how this works. 
>>> https://github.com/apache/sling-whiteboard/pull/14 <
>>> https://github.com/apache/sling-whiteboard/pull/14> I forked Sling
>>> Whiteboard and will create a branch for developing the feature.
>>> 
>>> I have to give more thought about how to make the module easy to
>>> test and incorporate in the Sling starter.
>>> 
>>> Regards
>>> Cris Rockwell
>>> Application Architect Senior
>>> College of Literature, Science, and the Arts | University of
>>> Michigan 
>>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann
>>> Arbor MI 48109
>>> p: 734.763.6818
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Feb 13, 2020, at 10:13 AM, Robert Munteanu <rombert@apache.org
>>>> <ma...@apache.org>> wrote:
>>>> 
>>>> Hi Cris,
>>>> 
>>>> I would be very happy to see OIDC/SAML2 support in Sling. As
>>>> mentioned,
>>>> there were a couple of initiatives, but none of them completed.
>>>> 
>>>> If anyone decides to give the implementation a shot, it would be
>>>> important to:
>>>> 
>>>> - use vetted libraries that do the bulk of the work. I think this
>>>> was a
>>>> problem with some of the earlier approaches
>>>> - develop as much in the open as possible. The sling whiteboard
>>>> is a
>>>> good option, also a personal repo is ok if the intention is to
>>>> contribute to Sling
>>>> - make the module easy to test and incorporate in the Sling
>>>> starter
>>>> 
>>>> I am available to review and incorporate this contribution, and
>>>> definitely there are others around.
>>>> 
>>>> Thanks,
>>>> Robert
>>>> 
>>>> On Wed, 2020-02-12 at 16:27 -0500, Cris Rockwell wrote:
>>>>> Hi Robert
>>>>> 
>>>>> I would like to follow up with you about adding SAML2 SP
>>>>> (Service
>>>>> Provider) support to Apache Sling.
>>>>> 
>>>>> Our team reviewed security requirements with the leading
>>>>> identity
>>>>> provider (IDP) administrator at the University. His suggestion
>>>>> was to
>>>>> use SAML2 (or OIDC) and skip the LDAP authentication idea. We
>>>>> have
>>>>> been using SAML2 for many years with other applications. It
>>>>> seems
>>>>> SAML2 for open and closed source Java Enterprise applications
>>>>> is very
>>>>> common, so I feel good about requesting SAML2 SP support for
>>>>> Apache
>>>>> Sling. 
>>>>> 
>>>>> To start, I am studying the eBook OpenSAML V3 mentioned on the
>>>>> Shibboleth website
>>>>> <https://wiki.shibboleth.net/confluence/display/OS30/Home>. The eBook
>>>>> discusses a sample project
>>>>> <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/>
>>>>> and covers various aspects of using the OpenSaml3 Java library.
>>>>> 
>>>>> * Authentication request using HTTP Redirect Binding 
>>>>> * Assertion transported using HTTP Artifact Binding 
>>>>> * SAML Artifact transported using HTTP Redirect Binding
>>>>> 
>>>>> If you or others have thoughts or recommendations for me about
>>>>> how to
>>>>> make this happen, please let me know. 
>>>>> 
>>>>> Thanks
>>>>> Cris Rockwell, App Sys Analyst/Programmer Sr  
>>>>> College of Literature, Science, and the Arts | University of
>>>>> Michigan 
>>>>> LSA Technology Services | 6503 Haven Hall | 505 S. State Street
>>>>> | Ann
>>>>> Arbor, MI I 48109
>>>>> Desk: 734.763.6818 | Email: cmrockwe@umich.edu
>>>>> 
>>>>>> On Dec 19, 2019, at 12:00 PM, Robert Munteanu <rombert@apache.org>
>>>>>> wrote:
>>>>>> 
>>>>>> Hi Cris,
>>>>>> 
>>>>>> Hopefully the LDAP authentication will fulfill your
>>>>>> requirements.
>>>>>> Once
>>>>>> you're done, it would be interesting to discuss (privately,
>>>>>> if you
>>>>>> prefer) what gaps you identified in the authentication
>>>>>> support we
>>>>>> offer.
>>>>>> 
>>>>>> Thanks,
>>>>>> Robert
>>>>>> 
>>>>>> On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:
>>>>>>> Hi Robert
>>>>>>> 
>>>>>>> Thank you for your offer to guide an OIDC and/or SAML2
>>>>>>> Sling
>>>>>>> Authentication Handler implementation. Long term, I could
>>>>>>> also
>>>>>>> see
>>>>>>> contributing to a peer reviewed initiative to securely add
>>>>>>> the
>>>>>>> features to Sling applications. After some thought, I might
>>>>>>> follow up
>>>>>>> with you about this out of band.
>>>>>>> 
>>>>>>> In the short run, perhaps Oak’s LDAP authentication will
>>>>>>> support
>>>>>>> the
>>>>>>> features we need. 
>>>>>>> https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
>>>>>>> https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
>>>>>>> 
>>>>>>> Thanks all.
>>>>>>> Cris R
>>>>>>> 
>>>>>>>> On Dec 11, 2019, at 11:58 AM, Robert Munteanu <
>>>>>>>> rombert@apache.org>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
>>>>>>>>> "What exactly would you need to manage JCR-based
>>>>>>>>> controls? I
>>>>>>>>> would
>>>>>>>>> imagine that mapping users to JCR groups based on
>>>>>>>>> whatever
>>>>>>>>> data
>>>>>>>>> your
>>>>>>>>> identity solution provides and then creating access
>>>>>>>>> based on
>>>>>>>>> ACLs
>>>>>>>>> only
>>>>>>>>> would satisfy your request."
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> We need to manage a few things at the identity
>>>>>>>>> provider:
>>>>>>>>> 1. User attributes: username, name, email, phone, maybe
>>>>>>>>> a few
>>>>>>>>> other
>>>>>>>>> pieces of data about the user.
>>>>>>>>> 2. Group membership
>>>>>>>>> 
>>>>>>>>> When the user signs in, with SAML2 there is encrypted
>>>>>>>>> metadata
>>>>>>>>> which
>>>>>>>>> contains that information. Upon sign in, Sling users
>>>>>>>>> should
>>>>>>>>> be
>>>>>>>>> created, their user attributes updated and the user
>>>>>>>>> should be
>>>>>>>>> added
>>>>>>>>> or removed from Sling group membership. Once the user
>>>>>>>>> has
>>>>>>>>> signed
>>>>>>>>> in,
>>>>>>>>> then access is granted as usual using JCR-based ACL’s
>>>>>>>>> applied
>>>>>>>>> for
>>>>>>>>> the
>>>>>>>>> groups.
>>>>>>>> 
>>>>>>>> Right, I see that there is no support for that in the
>>>>>>>> keycloak
>>>>>>>> handler,
>>>>>>>> as it was presented [1].
>>>>>>>> 
>>>>>>>> I don't think there is any out-of-the-box support for
>>>>>>>> what
>>>>>>>> you're
>>>>>>>> looking for.
>>>>>>>> 
>>>>>>>> I would be happy to guide anyone willing to implement
>>>>>>>> such
>>>>>>>> functionality though.
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> Robert
>>>>>>>> 
>>>>>>>> 
>>>>>>>> [1]: 
>>>>>>>> https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak

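Added example for the requirements discussed in this thread (the Redirect-binding AuthnRequest, what the SP must still verify on an assertion, and syncing IdP group membership on login). It is illustration only, not Sling, Oak or OpenSAML code; the entity IDs, request and assertion IDs, attribute name (isMemberOf), group names and the 1 MiB inflate cap are all made-up assumptions. It deliberately does not parse or verify XML signatures, since, as noted above, that is the job of a vetted library; it shows the checks that remain the SP's own responsibility after the library has said the signature is good.

```python
"""SP-side SAML2 handling on constructed data: HTTP-Redirect encoding of an
AuthnRequest, the acceptance checks an SP owes after its SAML library has
verified the XML signature, and the group-membership delta to apply.
Added illustration only; not Sling, Oak or OpenSAML code. All IDs, names
and the size cap below are assumptions made for the example."""
import base64
import urllib.parse
import zlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SP_ENTITY_ID = "https://sling.example.edu/saml/metadata"  # assumed SP entityID
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"  # assumed IdP entityID


def encode_redirect(saml_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    Signing (SigAlg/Signature over the ordered query string) is left to the
    SAML library the handler ends up using."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(saml_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query, max_bytes=1 << 20):
    """Inverse of encode_redirect, with the inflate bounded (assumed 1 MiB cap)
    so a tiny SAMLRequest cannot expand into an unbounded XML document."""
    params = dict(urllib.parse.parse_qsl(query))
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(params["SAMLRequest"]), max_bytes)
    if inflater.unconsumed_tail:
        raise ValueError("inflated SAMLRequest exceeds size limit")
    return xml.decode("utf-8"), params.get("RelayState")


@dataclass
class Assertion:
    """Fields an SP reads from a <saml:Assertion> once its signature checked out."""
    id: str
    issuer: str
    audience: str
    in_response_to: str
    not_before: datetime
    not_on_or_after: datetime
    subject: str
    attributes: dict


@dataclass
class SpState:
    pending_requests: set  # AuthnRequest IDs we issued and have not yet consumed
    seen_assertions: set = field(default_factory=set)  # one-time-use cache
    clock_skew: timedelta = timedelta(seconds=120)


def accept_assertion(a, sp, now):
    """Returns (accepted, reason). A validly signed assertion can still be meant
    for another SP, answer a request we never sent, be expired, or be replayed."""
    if a.issuer != IDP_ENTITY_ID:
        return False, "untrusted issuer"
    if a.audience != SP_ENTITY_ID:
        return False, "audience mismatch"
    if a.in_response_to not in sp.pending_requests:
        return False, "unsolicited or stale InResponseTo"
    if now + sp.clock_skew < a.not_before:
        return False, "not yet valid"
    if now - sp.clock_skew >= a.not_on_or_after:  # NotOnOrAfter is exclusive
        return False, "expired"
    if a.id in sp.seen_assertions:
        return False, "replayed assertion"
    sp.pending_requests.discard(a.in_response_to)  # each request is answered once
    sp.seen_assertions.add(a.id)
    return True, "ok"


def group_delta(asserted, current, managed_prefix):
    """Groups to add and remove for a user. Only groups under the IdP-managed
    prefix are touched, so locally managed groups survive a login."""
    asserted = {g for g in asserted if g.startswith(managed_prefix)}
    managed_current = {g for g in current if g.startswith(managed_prefix)}
    return sorted(asserted - managed_current), sorted(managed_current - asserted)


NOW = datetime(2020, 2, 13, 15, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def sample_assertion(**overrides):
    # Constructed assertion contents; the attribute and group names are made up.
    fields = dict(id="_a1", issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                  in_response_to="_req1", not_before=NOW - timedelta(minutes=1),
                  not_on_or_after=NOW + timedelta(minutes=5), subject="jdoe",
                  attributes={"mail": "jdoe@example.edu",
                              "isMemberOf": ["idp:lsa-editors", "idp:lsa-admins"]})
    fields.update(overrides)
    return Assertion(**fields)


def run_demo():
    sp = SpState(pending_requests={"_req1", "_req2"})
    ok = accept_assertion(sample_assertion(), sp, NOW)
    replay = accept_assertion(sample_assertion(in_response_to="_req2"), sp, NOW)
    wrong_sp = accept_assertion(sample_assertion(id="_a2", in_response_to="_req2",
                                                 audience="https://other.example.edu"), sp, NOW)
    adds, removes = group_delta(sample_assertion().attributes["isMemberOf"],
                                {"idp:lsa-admins", "idp:old-team", "local-authors"}, "idp:")
    return {"ok": ok, "replay": replay, "wrong_sp": wrong_sp, "adds": adds, "removes": removes}


if __name__ == "__main__":
    print(run_demo())
```

In a Sling authentication handler the accept_assertion step would sit in the callback that receives the IdP response, before any repository session is created for the subject, and the group_delta result is what would be applied to the user's Oak group memberships on each login. The seen_assertions cache and pending_requests set need to be shared across instances (or the checks moved to the library's validators) in a clustered deployment; keeping them in process memory, as here, is only enough for a single node.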

Re: OIDC or SAML2 for Sling

Posted by Robert Munteanu <ro...@apache.org>.
Hi Cris,

I would be very happy to see OIDC/SAML2 support in Sling. As mentioned,
there were a couple of initiatives, but none of them completed.

If anyone decides to give the implementation a shot, it would be
important to:

- use vetted libraries that do the bulk of the work. I think this was a
problem with some of the earlier approaches
- develop as much in the open as possible. The sling whiteboard is a
good option, also a personal repo is ok if the intention is to
contribute to Sling
- make the module easy to test and incorporate in the Sling starter

I am available to review and incorporate this contribution, and
definitely there are others around.

Thanks,
Robert

On Wed, 2020-02-12 at 16:27 -0500, Cris Rockwell wrote:
> Hi Robert
> 
> I would like to follow up with you about adding SAML2 SP (Service
> Provider) support to Apache Sling.
> 
> Our team reviewed security requirements with the leading identity
> provider (IDP) administrator at the University. His suggestion was to
> use SAML2 (or OIDC) and skip the LDAP authentication idea. We have
> been using SAML2 for many years with other applications. It seems
> SAML2 for open and closed source Java Enterprise applications is very
> common, so I feel good about requesting SAML2 SP support for Apache
> Sling. 
> 
> To start, I am studying the eBook OpenSAML V3 mentioned on the
> Shibboleth website
> <https://wiki.shibboleth.net/confluence/display/OS30/Home>. The eBook
> discusses a sample project
> <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/>
> and covers various aspects of using the OpenSaml3 Java library.
> 
> * Authentication request using HTTP Redirect Binding 
> * Assertion transported using HTTP Artifact Binding 
> * SAML Artifact transported using HTTP Redirect Binding
> 
> If you or others have thoughts or recommendations for me about how to
> make this happen, please let me know. 
> 
> Thanks
> Cris Rockwell, App Sys Analyst/Programmer Sr  
> College of Literature, Science, and the Arts | University of
> Michigan 
> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann
> Arbor, MI I 48109
> Desk: 734.763.6818 | Email: cmrockwe@umich.edu
> 
> > On Dec 19, 2019, at 12:00 PM, Robert Munteanu <ro...@apache.org>
> > wrote:
> > 
> > Hi Cris,
> > 
> > Hopefully the LDAP authentication will fulfill your requirements.
> > Once
> > you're done, it would be interesting to discuss (privately, if you
> > prefer) what gaps you identified in the authentication support we
> > offer.
> > 
> > Thanks,
> > Robert
> > 
> > On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:
> > > Hi Robert
> > > 
> > > Thank you for your offer to guide an OIDC and/or SAML2 Sling
> > > Authentication Handler implementation. Long term, I could also
> > > see
> > > contributing to a peer reviewed initiative to securely add the
> > > features to Sling applications. After some thought, I might
> > > follow up
> > > with you about this out of band.
> > > 
> > > In the short run, perhaps Oak’s LDAP authentication will support
> > > the
> > > features we need. 
> > > https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
> > > https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
> > > 
> > > Thanks all.
> > > Cris R
> > > 
> > > > On Dec 11, 2019, at 11:58 AM, Robert Munteanu <
> > > > rombert@apache.org>
> > > > wrote:
> > > > 
> > > > On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
> > > > > "What exactly would you need to manage JCR-based controls? I
> > > > > would
> > > > > imagine that mapping users to JCR groups based on whatever
> > > > > data
> > > > > your
> > > > > identity solution provides and then creating access based on
> > > > > ACLs
> > > > > only
> > > > > would satisfy your request."
> > > > > 
> > > > > 
> > > > > We need to manage a few things at the identity provider:
> > > > > 1. User attributes: username, name, email, phone, maybe a few
> > > > > other
> > > > > pieces of data about the user.
> > > > > 2. Group membership
> > > > > 
> > > > > When the user signs in, with SAML2 there is encrypted
> > > > > metadata
> > > > > which
> > > > > contains that information. Upon sign in, Sling users should
> > > > > be
> > > > > created, their user attributes updated and the user should be
> > > > > added
> > > > > or removed from Sling group membership. Once the user has
> > > > > signed
> > > > > in,
> > > > > then access is granted as usual using JCR-based ACL’s applied
> > > > > for
> > > > > the
> > > > > groups.
> > > > 
> > > > Right, I see that there is no support for that in the keycloak
> > > > handler,
> > > > as it was presented [1].
> > > > 
> > > > I don't think there is any out-of-the-box support for what
> > > > you're
> > > > looking for.
> > > > 
> > > > I would be happy to guide anyone willing to implement such
> > > > functionality though.
> > > > 
> > > > Thanks,
> > > > Robert
> > > > 
> > > > 
> > > > [1]: 
> > > > https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak