You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/06/18 11:13:00 UTC
[jira] [Work logged] (KNOX-2390) Configure SAML using provider
parameters
[ https://issues.apache.org/jira/browse/KNOX-2390?focusedWorklogId=447773&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-447773 ]
ASF GitHub Bot logged work on KNOX-2390:
----------------------------------------
Author: ASF GitHub Bot
Created on: 18/Jun/20 11:12
Start Date: 18/Jun/20 11:12
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request #348:
URL: https://github.com/apache/knox/pull/348
## What changes were proposed in this pull request?
From now on, end-users can set the following SAML 2 configurations using provider parameters (in addition to the already supported params):
- useNameQualifier
- forceAuth
- passive
- nameIdPolicyFormat
Additionally, I refactored the special `Azure AD` client handling to its own class (another implementation of the new interface).
## How was this patch tested?
Added and executed JUnit tests:
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 18:47 min (Wall Clock)
[INFO] Finished at: 2020-06-18T12:40:14+02:00
[INFO] Final Memory: 432M/2028M
[INFO] ------------------------------------------------------------------------
```
Manually tested with different provider parameters set. For instance:
- `useNameQualifier = true`
- `forceAuth = true`
```
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://www.local.com:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client"
Destination="https://$OKTA_HOST/sso/saml"
ForceAuthn="true"
ID="_cef3baeef567461aae87cd95234d2bc38862368"
IsPassive="false"
IssueInstant="2020-06-18T09:17:21.672Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="pac4j-saml"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
NameQualifier="https://www.local.com:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client"
>https://www.local.com:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client</saml2:Issuer>
</saml2p:AuthnRequest>
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 447773)
Remaining Estimate: 0h
Time Spent: 10m
> Configure SAML using provider parameters
> ----------------------------------------
>
> Key: KNOX-2390
> URL: https://issues.apache.org/jira/browse/KNOX-2390
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 1.4.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 1.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently, there is a bunch of SAML parameters which the Pac4j federation provider knows about and can be used to update SAML 2 configuration:
> * saml.keystorePassword
> * saml.privateKeyPassword
> * saml.keystorePath
> * saml.keystoreAlias
> * saml.identityProviderMetadataPath
> * saml.maximumAuthenticationLifetime
> * saml.serviceProviderEntityId
> * saml.serviceProviderMetadataPath
> * saml.destinationBindingType
> However, there are other SAML 2 configurations that also should be configurable via provider parameters. For instance: the default value of {{useNameQualifier}} changed from {{'false'}} to {{'true'}} in pac4j {{v3.7.0}} (and changed back to {{'false'}} in {{v3.8.2}}) which may cause an issue with ADFS integration.
> The purpose of this Jira is to identify a list of SAML 2 configuration that should be configurable and make it happen via the Pac4j federation provider parameters.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)