You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by cr...@apache.org on 2021/04/16 15:49:13 UTC
[sling-org-apache-sling-auth-saml2] branch master updated: add
project boilerplate and update README.md
This is an automated email from the ASF dual-hosted git repository.
cris pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-saml2.git
The following commit(s) were added to refs/heads/master by this push:
new 0dfa1d2 add project boilerplate and update README.md
0dfa1d2 is described below
commit 0dfa1d2d92b6a1142d880154f77bec514a52a59c
Author: Cris Rockwell <cm...@umich.edu>
AuthorDate: Fri Apr 16 11:48:53 2021 -0400
add project boilerplate and update README.md
---
.asf.yaml | 5 ++++
CODE_OF_CONDUCT.md | 22 +++++++++++++++
CONTRIBUTING.md | 24 ++++++++++++++++
Jenkinsfile | 20 +++++++++++++
README.md | 82 +++++++++++++++++-------------------------------------
5 files changed, 97 insertions(+), 56 deletions(-)
diff --git a/.asf.yaml b/.asf.yaml
new file mode 100644
index 0000000..60272c5
--- /dev/null
+++ b/.asf.yaml
@@ -0,0 +1,5 @@
+github:
+ description: An OSGi bundle that provides a SAML2 Web Profile Service Provider Authentication for Apache Sling
+ labels:
+ - sling
+ - javascript
\ No newline at end of file
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..0fa18e5
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,22 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+Apache Software Foundation Code of Conduct
+====
+
+Being an Apache project, Apache Sling adheres to the Apache Software Foundation's [Code of Conduct](https://www.apache.org/foundation/policies/conduct.html).
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..ac82a1a
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,24 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+Contributing
+====
+
+Thanks for choosing to contribute!
+
+You will find all the necessary details about how you can do this at https://sling.apache.org/contributing.html.
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..f582519
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,20 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+slingOsgiBundleBuild()
diff --git a/README.md b/README.md
index 61fa8c9..96493e6 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,16 @@
-# Apache Sling SAML2 Handler (NOT FOR PRODUCTION)
+[](https://sling.apache.org)
-This contribution to the [Apache Sling](https://sling.apache.org) project;
- provides a SAML2 Web Profile Service Provider Authentication.
+ [](https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-auth-saml2/job/master/) [](https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-auth-s [...]
+
+
+
+sling-org-apache-sling-auth-saml2
+
+# Apache Sling SAML2 Handler
+
+An OSGi bundle that provides a SAML2 Web Profile Service Provider Authentication for [Apache Sling](https://sling.apache.org) using [OpenSAML v4 libraries](https://wiki.shibboleth.net/confluence/display/OSAML/Home)
+
## Overview
https://en.wikipedia.org/wiki/SAML_2.0
@@ -18,7 +26,7 @@ such as Keycloak Server or Shibboleth IDP.
- Java 11
- Sling 11 or 12
- An external SAML2 identity provider
-
+- The [oak-auth-external](https://mvnrepository.com/artifact/org.apache.jackrabbit/oak-auth-external) bundle must be installed and active
### User Management
User management is based on the OSGi bundle configuration and SAML2 Assertion
@@ -30,53 +38,9 @@ User management is based on the OSGi bundle configuration and SAML2 Assertion
- `syncAttrs` can be used to synchronize user properties released by the IDP for profile properties such as given name, family name, email, and phone.
-
-
-## Localhost Setup
-Procedure for localhost testing
-
-### Start and Configure an External Identity Provider
-1. Start a Keycloak Server
-`docker run -p 8484:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak`
-2. Login using http://localhost:8484/auth/admin/
- - username: admin, password: admin
-3. Configure a Realm
- - Click "Add Realm"
- - Select the file located at `saml-example/src/main/resources/sling-realm-export.json`
-
-Note. The preconfigured realm contains configuration for the client and the groups, but does not contain users.
-4. Add user(s)
- - Select Users under the "Sling" Realm
- 
- - Set user attributes; specifically "userid"
- 
- - Set user password
- 
- - Set user groups; specifically join "pcms-authors"
- 
-
-
-
-
-### Sling SAML2 Service Provider Setup
-
-1. Start Sling (Assuming a new instance of Sling 12-SNAPSHOT)
-2. Run `mvn clean install -P autoInstallBundle` from saml-handler project
-Note: saml-handler is the core bundle offering SAML2 Sign on
-3. Run `mvn clean install -P autoInstallPackage` from saml-example project
-Note: saml-example is example setup package containing: OSGI configurations, service-user and ACL's.
-This setup is detailed in the section below.
-
-
#### Configurations, Service User and ACL's
-Note: the following are contained in localhostExample-1.zip
-Provide a [JAAS OSGI Config](http://localhost:8080/system/console/configMgr/org.apache.felix.jaas.Configuration.factory) as shown below
-- jaas.controlFlag=Sufficient
-- jaas.ranking=110
-- jaas.realmName=jackrabbit.oak
-- jaas.classname=org.apache.sling.auth.saml2.sp.Saml2LoginModule
-
+##### Manual configurations set using /system/console/configMgr
Provide a [Service User Mapper OSGI Config](http://localhost:8080/system/console/configMgr/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended)
- org.apache.sling.auth.saml2:Saml2UserMgtService=saml2-user-mgt
@@ -89,7 +53,7 @@ Set up the system user "saml2-user-mgt"
-Provide a [SAML2 OSGI Configuration](http://localhost:8080/system/console/configMgr/org.apache.sling.auth.saml2.impl.SAML2ConfigServiceImpl)
+Provide a [SAML2 OSGI Configuration](http://localhost:8080/system/console/configMgr/org.apache.sling.auth.saml2.AuthenticationHandlerSAML2)
- path=http://localhost:8080/
- service.ranking=1000
- entityID=http://localhost:8080/
@@ -114,17 +78,23 @@ Notes:
- After configuring the SAML2 authentication handler, the Sling Form login can still be accessed directly http://localhost:8080/system/sling/form/login?resource=%2F
- See below technical notes for certificate, keys, signing and encryption
+
+[JAAS OSGI Config](http://localhost:8080/system/console/configMgr/org.apache.felix.jaas.Configuration.factory) is automatically created and removed upon bundle activation and deactivation as shown below
+- jaas.controlFlag=Sufficient
+- jaas.ranking=110
+- jaas.realmName=jackrabbit.oak
+- jaas.classname=org.apache.sling.auth.saml2.sp.Saml2LoginModule
+
+
+
## Test
Visit http://localhost:8080 and observe login takes place on the http://localhost:8484 Keycloak Server IDP
-Enter credentials for the user you created, and observe user is granted access to the system.
+Enter credentials for the user you created. After the user authenticates at the IDP, they are redirected to the orginally requested resource.
-
-
-
## Certificates, SSL, Signing and Encryption
This portion discusses encryption which can be very critical for the security of this solution.
@@ -132,7 +102,7 @@ Decide a location on the file system for the Keystores. For example, under the s
`$ mkdir sling/keys`
`$ cd sling/keys`
-### Enable Jetty HTTPS
+### Enable Jetty HTTPS (Localhost example only, Not for prod)
It's a good idea to configure SSL for Jetty providing https binding.
1. Create KeyStore & generate a self-signed certificate (not for production).
@@ -162,7 +132,7 @@ Aside from the Jetty SSL credentials discussed above, there are two other creden
* Identity Provider (IDP) Signing Certificate
-#### Keystore Setup (Localhost) Example
+#### Keystore Setup (Localhost example only, Not for prod)
The SP Keypair is used by the IDP and SP to encrypt and decrypt SAML2 responses. It should be unique for each service provider.
Note that the SP Keypair is also used to cryptographically sign SAML requests sent from the SP to the IDP.