Posted to oak-dev@jackrabbit.apache.org by Cris Rockwell <cm...@umich.edu> on 2020/03/17 20:34:04 UTC

Using Oak External User Sync for a SAML2 Use Case?

Hi Oak and Sling Devs

I am working to make a SAML2 Sling Authentication Handler. This is my project: https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler It has a demo IDP which returns the SAML Security Assertion via a SOAP binding. The SAML assertion contains username, attributes and groups. I am trying to decide the best way to ...
a) get or create the user 
b) add/remove the user to the groups 
c) add, change or remove synchronized users attributes.

I am reviewing the Oak External Login Module to see whether it can help with this...
https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html

It says…
 “The external login module has 2 main tasks. One is to authenticate credentials against a 3rd party system, the other is to coordinate syncing of the respective users and groups with the JCR repository (via the UserManager)."

and
“The synchronization of users and groups is triggered by the external login module, after a user is successfully authenticated against the IDP or if it’s no longer present on the IDP.”

In LDAP Auth, user credentials are passed from the user to the Oak-based application to the External LDAP IDP via External Login Module, which then triggers User Sync. In SAML2, authentication happens entirely at the External Identity Provider (e.g. Shibboleth), and there is no handling of the user's credentials at the Service Provider (Oak-based application) level. Instead, SAML2 Security Assertions are handed to the Sling Authentication Handler / Service Provider after authentication when the user is redirected back to the Assertion Consumer Servlet (ACS). Which is where my project is stalled a little bit.

My Questions..
1. Once my ACS receives the user's SAML2 Assertion (either via SOAP or POST bindings), does it make sense to try using Oak’s User and Group Synchronization? If so, how would one configure or trigger it? Or should I write my own user management code?

2. Given my use case, which, if any, of the Oak External Components should I configure?
ExternalLoginModuleFactory
DefaultSyncHandler
ExternalIDPManagerImpl
SyncManagerImpl
ExternalPrincipalConfiguration

Thank you!
Cris Rockwell
Applications Architect Sr
College of Literature, Science, and the Arts | University of Michigan
LSA Technology Services | Suite 505 | 301 E. Liberty | Ann Arbor, MI | 48109


Re: Using Oak External User Sync for a SAML2 Use Case?

Posted by Angela Schreiber <an...@adobe.com.INVALID>.
Hi Cris

I think you have 2 options:

  *   either you synchronize the users/groups in the authentication handler
  *   or you delegate the user/group synchronization to the sync-handler

At Adobe we initially used the first option and moved away from it in favor of the second option, because the default sync-handler essentially provides all the functionality needed and additionally comes with a couple of optimizations, most notably the dynamic membership option that no longer synchronizes groups into the user management but instead just synchronizes the information that is needed to properly populate the Subject with principals upon login. The main rationale behind this: users are managed outside of the repository and therefore the repository user management just adds extra complexity, which is not needed for the authorization part, which only deals with principals.

For that second option you would need the following rough steps as far as I know:

  *   write a custom ExternalIdentityProvider that is able to authenticate your custom credentials and extract information from them in order to complete the sync-step
  *   let Sling Authentication handler pass the information to the repository
  *   register the default (or a custom) SyncHandler
  *   register your ExternalIdentityProvider
  *   configure an ExternalLoginModule entry that uses your ExternalIdentityProvider and the SyncHandler you chose to use.

That should do the trick if I am not mistaken. In particular the ExternalPrincipalConfiguration will be enabled if you use the default SyncHandler with the dynamic membership option enabled.

Hope that helps... maybe there are other means to achieve this, but this is more or less what we did at Adobe.

Kind regards
Angela
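As an added illustration of the first step in the list above (a custom ExternalIdentityProvider that accepts custom credentials and hands the extracted data to the sync step), here is a sketch in Java. This is example code written for this thread, not code from Cris's project, from Adobe, or from Oak itself. The package-less class name SamlIdentityProvider, the nested SamlAssertionCredentials type and its fields, the provider name "saml" and the remembered-groups set are all assumptions; the Oak interfaces it implements (ExternalIdentityProvider, ExternalUser, ExternalGroup, ExternalIdentityRef) are the ones from the external login module documentation linked in the question.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

import javax.jcr.Credentials;
import javax.security.auth.login.LoginException;

import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;

/**
 * Hypothetical ExternalIdentityProvider for the SAML2 case. It never contacts the IdP;
 * it only turns an already-validated assertion into an ExternalUser for the SyncHandler.
 */
public final class SamlIdentityProvider implements ExternalIdentityProvider {

    /** Provider name referenced from the ExternalLoginModule / SyncHandler config (assumed). */
    public static final String NAME = "saml";

    /**
     * Credentials the ACS (hypothetical) builds only after it has verified the assertion's
     * signature, audience/recipient and validity window. This provider trusts the object
     * as-is, so nothing that has not done those checks may construct it.
     */
    public static final class SamlAssertionCredentials implements Credentials {
        private final String userId;
        private final Map<String, Object> attributes;
        private final List<String> groups;

        public SamlAssertionCredentials(String userId, Map<String, Object> attributes, List<String> groups) {
            this.userId = userId;
            this.attributes = Collections.unmodifiableMap(attributes);
            this.groups = Collections.unmodifiableList(groups);
        }
        public String getUserId() { return userId; }
        public Map<String, Object> getAttributes() { return attributes; }
        public List<String> getGroups() { return groups; }
    }

    /** Group names seen in assertions so far; lets getIdentity() resolve group refs only. */
    private final Set<String> knownGroups = ConcurrentHashMap.newKeySet();

    @Override
    public String getName() { return NAME; }

    /** Accept only our own credentials type; anything else is "not ours" and yields null. */
    @Override
    public ExternalUser authenticate(Credentials credentials) throws ExternalIdentityException, LoginException {
        if (!(credentials instanceof SamlAssertionCredentials)) {
            return null;
        }
        SamlAssertionCredentials c = (SamlAssertionCredentials) credentials;
        if (c.getUserId() == null || c.getUserId().trim().isEmpty()) {
            throw new LoginException("assertion carries no usable subject identifier");
        }
        knownGroups.addAll(c.getGroups());
        return new SamlUser(c);
    }

    /** There is no lookup channel to the IdP, so users can only be resolved at login time. */
    @Override
    public ExternalUser getUser(String userId) { return null; }

    @Override
    public ExternalGroup getGroup(String name) {
        return knownGroups.contains(name) ? new SamlGroup(name) : null;
    }

    /** Refs of another provider are never ours; user refs cannot be resolved without the IdP. */
    @Override
    public ExternalIdentity getIdentity(ExternalIdentityRef ref) {
        return NAME.equals(ref.getProviderName()) ? getGroup(ref.getId()) : null;
    }

    @Override
    public Iterator<ExternalUser> listUsers() { return Collections.emptyIterator(); }

    @Override
    public Iterator<ExternalGroup> listGroups() { return Collections.emptyIterator(); }

    /** The user as the SyncHandler sees it: id, principal name, attributes, declared groups. */
    private static final class SamlUser implements ExternalUser {
        private final SamlAssertionCredentials c;
        SamlUser(SamlAssertionCredentials c) { this.c = c; }
        @Override public ExternalIdentityRef getExternalId() { return new ExternalIdentityRef(c.getUserId(), NAME); }
        @Override public String getId() { return c.getUserId(); }
        @Override public String getPrincipalName() { return c.getUserId(); }
        @Override public String getIntermediatePath() { return null; }
        @Override public Iterable<ExternalIdentityRef> getDeclaredGroups() {
            return c.getGroups().stream().map(g -> new ExternalIdentityRef(g, NAME)).collect(Collectors.toList());
        }
        @Override public Map<String, ?> getProperties() { return c.getAttributes(); }
    }

    /** Groups are known by name only; no members are listed because the IdP cannot be asked. */
    private static final class SamlGroup implements ExternalGroup {
        private final String name;
        SamlGroup(String name) { this.name = name; }
        @Override public ExternalIdentityRef getExternalId() { return new ExternalIdentityRef(name, NAME); }
        @Override public String getId() { return name; }
        @Override public String getPrincipalName() { return name; }
        @Override public String getIntermediatePath() { return null; }
        @Override public Iterable<ExternalIdentityRef> getDeclaredGroups() { return Collections.emptyList(); }
        @Override public Map<String, ?> getProperties() { return Collections.emptyMap(); }
        @Override public Iterable<ExternalIdentityRef> getDeclaredMembers() { return Collections.emptyList(); }
    }
}
```

Two points worth checking in a real deployment, neither stated in the thread: first, as far as I know the ExternalLoginModule only forwards credentials classes that a registered CredentialsSupport declares (SimpleCredentials by default), so a CredentialsSupport for SamlAssertionCredentials has to be registered as well for authenticate() to ever see them; second, because getIdentity() here can only answer for group names already seen in an assertion, the dynamic membership option (which re-derives membership at each login) fits this provider much better than full group synchronization.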



________________________________
From: Cris Rockwell <cm...@umich.edu>
Sent: Tuesday, March 17, 2020 9:34 PM
To: oak-dev@jackrabbit.apache.org <oa...@jackrabbit.apache.org>; users@sling.apache.org <us...@sling.apache.org>
Subject: Using Oak External User Sync for a SAML2 Use Case?


