Posted to dev@sling.apache.org by "Cris Rockwell (Jira)" <ji...@apache.org> on 2020/05/06 17:57:00 UTC

[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

    [ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101051#comment-17101051 ] 

Cris Rockwell commented on SLING-9397:
--------------------------------------

WRT the Web Profile SSO Profile specification, line 396 states...
"SAML Confirmation Method Identifiers: The SAML V2.0 "bearer" confirmation method identifier, urn:oasis:names:tc:SAML:2.0:cm:bearer, is used by this profile."

 

And this is manifested in the saml2 response

    <saml:Subject>
      ..
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_498f728a71735ba28bbc19d634517c18" NotOnOrAfter="2020-04-14T14:33:01.995Z" Recipient="https://localhost:2443/sp/consumer"/>
      </saml:SubjectConfirmation>

Line 364 gives an example about how to use this data. The data above was taken from an example from my localhost tests on April 14th.
 
The bearer of the assertion can confirm itself as the subject, provided the assertion is delivered in a message sent to "https://localhost:2443/sp/consumer" before 14:33 GMT on April 14th, 2020, in response to a request with ID "_498f728a71735ba28bbc19d634517c18".
When processing the SAML2 Response, this relying party code needs to validate these three conditions.
 

> SAML2 Authentication Handler [initial submission]
> -------------------------------------------------
>
>                 Key: SLING-9397
>                 URL: https://issues.apache.org/jira/browse/SLING-9397
>             Project: Sling
>          Issue Type: New Feature
>          Components: Authentication
>         Environment: localhost
>            Reporter: Cris Rockwell
>            Priority: Major
>              Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is required
> [ ] Find and fix any bugs
>  



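The three bearer-confirmation checks the comment above lists (Recipient, NotOnOrAfter, InResponseTo) as a small relying-party validator. This is an added example, not code from the Jira comment or from the Sling pull request, and it uses only the Python standard library rather than OpenSAML. The assertion XML is constructed from the values quoted in the comment; the surrounding <saml:Assertion> element, the NameID and the SP's list of outstanding request IDs are assumptions made for the example.

```python
"""Validate the bearer SubjectConfirmationData of a SAML 2.0 assertion.

Added example (not part of the Jira comment or the Sling pull request):
a minimal check of the three conditions the Web Browser SSO Profile puts on
a bearer SubjectConfirmation, using only the standard library.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the values come from the comment, the wrapper
# <saml:Assertion> and the NameID are assumed for the example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          InResponseTo="_498f728a71735ba28bbc19d634517c18"
          NotOnOrAfter="2020-04-14T14:33:01.995Z"
          Recipient="https://localhost:2443/sp/consumer"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime such as 2020-04-14T14:33:01.995Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"   # fromisoformat on older Pythons does not accept 'Z'
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        # SAML instants are UTC; never interpret a bare timestamp as local time.
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def validate_bearer_confirmation(assertion_xml, expected_recipient,
                                 outstanding_request_ids, now,
                                 clock_skew=timedelta(seconds=0)):
    """Return a list of failures; an empty list means a bearer confirmation is acceptable.

    expected_recipient      -- this SP's own Assertion Consumer Service URL
    outstanding_request_ids -- IDs of AuthnRequests this SP issued and has not consumed
    now                     -- the SP's current time (timezone-aware)
    clock_skew              -- tolerance for IdP/SP clock drift (default: none)
    """
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall(".//saml:Subject/saml:SubjectConfirmation", SAML_NS)
    bearer = [c for c in confirmations if c.get("Method") == BEARER]
    if not bearer:
        return ["no SubjectConfirmation with the bearer method"]

    all_failures = []
    for conf in bearer:   # the profile requires at least one bearer confirmation to pass
        data = conf.find("saml:SubjectConfirmationData", SAML_NS)
        failures = []
        if data is None:
            failures.append("bearer SubjectConfirmation has no SubjectConfirmationData")
        else:
            # 1. Recipient must be this SP's ACS endpoint, compared as an exact string.
            recipient = data.get("Recipient")
            if recipient != expected_recipient:
                failures.append(f"Recipient {recipient!r} is not this SP's ACS URL")
            # 2. NotOnOrAfter is exclusive: an assertion presented at exactly that
            #    instant is already expired.
            not_on_or_after = data.get("NotOnOrAfter")
            if not_on_or_after is None:
                failures.append("NotOnOrAfter is missing")
            elif now >= parse_saml_instant(not_on_or_after) + clock_skew:
                failures.append(f"assertion expired at {not_on_or_after}")
            # 3. InResponseTo must name an AuthnRequest this SP actually sent.
            #    A missing value fails here; unsolicited (IdP-initiated) responses
            #    would need a separate, explicit policy.
            in_response_to = data.get("InResponseTo")
            if in_response_to not in outstanding_request_ids:
                failures.append(f"InResponseTo {in_response_to!r} matches no outstanding AuthnRequest")
        if not failures:
            return []
        all_failures.extend(failures)
    return all_failures


if __name__ == "__main__":
    acs = "https://localhost:2443/sp/consumer"
    pending = {"_498f728a71735ba28bbc19d634517c18"}
    before = parse_saml_instant("2020-04-14T14:30:00Z")
    after = parse_saml_instant("2020-04-14T14:33:02Z")
    print("before expiry:", validate_bearer_confirmation(SAMPLE_ASSERTION, acs, pending, before))
    print("after expiry: ", validate_bearer_confirmation(SAMPLE_ASSERTION, acs, pending, after))
```

Once a confirmation passes, the SP should remove the request ID from its outstanding set so the same assertion cannot be replayed; these three checks sit alongside, not in place of, signature verification and the assertion's own Conditions (NotBefore/NotOnOrAfter and AudienceRestriction).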
--
This message was sent by Atlassian Jira
(v8.3.4#803005)