
Apache Sling SAML2 Handler

An OSGi bundle that provides a SAML2 Web Profile Service Provider Authentication for Apache Sling using OpenSAML v4 libraries

Overview

https://en.wikipedia.org/wiki/SAML_2.0

  • The SAMLRequest uses HTTP Redirect Binding, and the contained Authn Request object instructs the IDP to use HTTP Post Binding.

Sling applications may authenticate users against an Identity Provider (IdP) such as Keycloak Server or Shibboleth IdP.

Requirements

  • Java 11
  • Sling 11 or 12
  • An external SAML2 identity provider
  • The oak-auth-external bundle must be installed and active

User Management

User management is based on the OSGi bundle configuration and the SAML2 Assertion.

  • Upon successful authentication, a user is created
  • The user may be added to a JCR group membership under certain conditions:
    • This bundle has an OSGi config saml2groupMembershipAttr set with the value of the name of the SAML group membership attribute.
    • The user's SAML assertion contains an attribute matching the configuration above
    • The value of the user's group membership attribute is the name of an existing JCR group
  • syncAttrs can be used to synchronize user properties released by the IDP for profile properties such as given name, family name, email, and phone.
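As an added illustration (not code from this bundle), the following Python script walks one constructed SAML assertion through the user-management rules above: the group claim is honoured only when saml2groupMembershipAttr is configured, the attribute is present, and its value names a group that already exists in the repository, and syncAttrs drives which released attributes are copied into profile properties. The config shape, the OID attribute names and the stand-in group list are assumptions; the script also handles a multi-valued group attribute, which goes slightly beyond the single value the text describes.

```python
"""Added example: the README's user-management rules applied to one
constructed SAML assertion. Illustrative Python, not the bundle's Java
code; config shape and attribute names are assumptions."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: eduPerson-style OIDs, one group value that
# names an existing JCR group and one that does not.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2021-08-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
      <saml:AttributeValue>content-authors</saml:AttributeValue>
      <saml:AttributeValue>finance-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed OSGi config values: the property names follow the README, the
# mapping shape of syncAttrs (SAML attribute -> profile property) is assumed.
CONFIG = {
    "saml2groupMembershipAttr": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
    "syncAttrs": {
        "urn:oid:2.5.4.42": "givenName",
        "urn:oid:2.5.4.4": "familyName",
        "urn:oid:0.9.2342.19200300.100.1.3": "email",
        "urn:oid:2.5.4.20": "phone",  # not released in the sample assertion
    },
}

# Constructed stand-in for the groups that already exist in the JCR.
EXISTING_JCR_GROUPS = {"content-authors", "everyone"}


def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def subject_name_id(assertion_xml):
    """Return the NameID of the authenticated subject, or None if absent."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", SAML_NS)
    return node.text if node is not None else None


def groups_to_join(attrs, config, existing_groups):
    """Apply the three membership conditions: config property set, attribute
    present in the assertion, value names an existing JCR group. A value the
    IdP releases for a group that does not exist is ignored, never created."""
    group_attr = config.get("saml2groupMembershipAttr")
    if not group_attr:
        return []
    return [g for g in attrs.get(group_attr, []) if g in existing_groups]


def profile_updates(attrs, config):
    """Map released attributes onto the profile properties listed in
    syncAttrs; attributes the IdP did not release are skipped."""
    updates = {}
    for saml_name, prop in config.get("syncAttrs", {}).items():
        values = attrs.get(saml_name)
        if values:
            updates[prop] = values[0]
    return updates


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    print("user:", subject_name_id(SAMPLE_ASSERTION))
    print("join groups:", groups_to_join(attrs, CONFIG, EXISTING_JCR_GROUPS))
    print("profile:", profile_updates(attrs, CONFIG))
```

The point worth keeping in view is the third condition: the IdP can only place a user into groups an administrator has already created in the JCR, so a misconfigured or compromised IdP cannot mint a privileged group by naming it in an assertion.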

Configurations, Service User and ACLs

Manual configurations are set using /system/console/configMgr

Provide a Service User Mapper OSGI Config

  • org.apache.sling.auth.saml2:Saml2UserMgtService=saml2-user-mgt

Set up the system user “saml2-user-mgt”

  • visit Composum Users as admin
  • Create service user “saml2-user-mgt”
  • Provide an ACL rule for granting jcr:all to this user on the /home path

Provide a SAML2 OSGI Configuration