commit | 3890fa96875d0db8e61cf852264907e2d37a472b | [log] [tgz] |
---|---|---|
author | Cris Rockwell <cmrockwe@umich.edu> | Wed May 06 16:05:58 2020 -0400 |
committer | Robert Munteanu <robert.munteanu@gmail.com> | Thu May 07 09:25:55 2020 +0200 |
tree | 09b930fa2aee1a91c4cba3e4876bccfc78d5522e | |
parent | d1c03ecde02fd39b07542b56bcbc78c2ea1fe1b3 [diff] |
Added method to validate subject confirmation
This project is intended to be a contribution to the Apache Sling project; it has a SAML2 Service Provider Authentication Handler and the associated SAML2 servlets and utilities. It is a work in progress and not production ready!
https://en.wikipedia.org/wiki/SAML_2.0
- Enables Sling applications to authenticate users against Identity Providers (IdP) such as Keycloak or Shibboleth using SAML2 protocols.
- Synchronizes user management based on the SAML2 Assertion and OSGi bundle configs.
- `sp` is the package for service provider classes.
- `Helpers` holds static utility methods used with the OpenSAML V3 library.
- The parent `saml2` package has the interface definitions and the bundle Activator.
It is assumed the Sling environment provides certain bundles. The SAML2 bundle will not activate without:
Just as Jetty requires a JKS to enable https, the SAML2 SP bundle requires a JKS to hold the IDP's signing certificate and the SAML2 Service Provider's encryption key-pair. One suggestion is to locate these under the sling folder...

```shell
$ cd sling
$ mkdir keys
$ cd keys
```
Create a KeyStore and generate a self-signed cert (not for prod). While https on Jetty is technically not required, it serves a few purposes here: it provides better security for direct access, and it confirms the Java Keystore is configured properly and accessible by the sling system user.

```shell
$ keytool -genkeypair -keyalg RSA -validity 365 -alias sslstore -keystore sslKeystore.jks -keypass jettykeypass -storepass JKSPassord -dname "CN=localhost, OU=LSA Technology Services, O=University of Michigan,L=Ann Arbor, S=MI, C=US"
```

Note: Record the JKS filename and path, storepass, keypass, and cert alias; they are needed for the Jetty configuration below.
The following are based on the example sslKeystore contained under resources.

```properties
org.apache.felix.https.enable=B"true"
org.osgi.service.http.port.secure=I"443"
org.apache.felix.https.keystore="./sling/keys/sslKeystore.jks"
org.apache.felix.https.keystore.password="JKSPassord"
org.apache.felix.https.keystore.key.password="jettykeypass"
org.apache.felix.https.truststore.password="JKSPassord"
```
Note: To use the example sslKeystore.jks, copy it to your Sling folder ./sling/keys/sslKeystore.jks
After enabling Jetty to use https over port 2443, you will need to accept the browser security warning when accessing https://localhost:2443/ due to the use of a self-signed certificate.
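The Felix configuration lines above use the typed-literal notation of Sling `.config` files (`B"true"` for a Boolean, `I"443"` for an Integer, bare quotes for a String). The following is an added example, not code from the Sling SAML2 project or from Felix: a small parser for that notation plus a consistency check over the HTTPS settings shown on this page. The type letters B, I, L, F and D are assumed to follow the Felix ConfigurationHandler convention; the sample text is constructed from the page's snippet and deliberately carries the curly quotes that copy-pasting from a rendered page tends to produce, so the parser normalises them first.

```python
"""Parse Sling/Felix typed config lines and sanity-check the HTTPS settings.

Added example, not part of the Sling SAML2 bundle. Type letters B/I/L/F/D are
assumed to follow the Felix ConfigurationHandler convention; any other value
is kept as a plain string.
"""
import re

# Constructed sample, copied from the page's Jetty HTTPS configuration with the
# curly quotes a rendered page produces when the text is copied.
SAMPLE_CONFIG = '''
org.apache.felix.https.enable=B“true”
org.osgi.service.http.port.secure=I“443”
org.apache.felix.https.keystore=“./sling/keys/sslKeystore.jks”
org.apache.felix.https.keystore.password=“JKSPassord”
org.apache.felix.https.keystore.key.password=“jettykeypass”
org.apache.felix.https.truststore.password=“JKSPassord”
'''

# key = [type-letter]"value"
_LINE = re.compile(r'^\s*([\w.\-]+)\s*=\s*([BILFD])?"(.*)"\s*$')

_CONVERTERS = {
    None: str,                              # bare quotes: String
    'B': lambda s: s.strip().lower() == 'true',
    'I': int,
    'L': int,
    'F': float,
    'D': float,
}


def parse_felix_config(text):
    """Return {key: typed value}; raise ValueError on a line that does not parse."""
    # Normalise curly quotes so a pasted snippet parses the same as the real file.
    text = text.replace('\u201c', '"').replace('\u201d', '"')
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f'unparseable config line: {raw!r}')
        key, type_code, value = m.groups()
        result[key] = _CONVERTERS[type_code](value)   # int()/float() raise ValueError
    return result


def https_config_problems(cfg):
    """List the reasons the Jetty HTTPS settings would not work as intended."""
    problems = []
    if cfg.get('org.apache.felix.https.enable') is not True:
        problems.append('https is not enabled')
    port = cfg.get('org.osgi.service.http.port.secure')
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append('secure port is missing or not an integer port number')
    if not cfg.get('org.apache.felix.https.keystore'):
        problems.append('keystore path is not set')
    for key in ('org.apache.felix.https.keystore.password',
                'org.apache.felix.https.keystore.key.password'):
        if not cfg.get(key):
            problems.append(f'{key} is empty')
    return problems


if __name__ == '__main__':
    parsed = parse_felix_config(SAMPLE_CONFIG)
    for k, v in parsed.items():
        print(f'{k} = {v!r}')
    print('problems:', https_config_problems(parsed) or 'none')
```

Run it before restarting Sling after editing the Jetty configuration: a stray curly quote or a string where an integer is expected is reported as a parse error rather than discovered as a bundle that silently stays on plain http.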
Run an IDP locally.

```shell
docker run -p 8088:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:9.0.2
```
References https://www.keycloak.org/getting-started/getting-started-docker
Links
admin:admin log-in http://localhost:8088/auth/admin
localhost realm http://localhost:8088/auth/admin/master/console/#/realms/localhost/clients
Option 1: Generate using Keytool

```shell
$ keytool -genkey -alias samlKeys -keyalg RSA -keystore samlKeystore.jks
```

Make note of the storepass, alias, filename, and key password. These will all be needed to configure SP encryption.

The generated JKS should be imported into your Keycloak localhost Client "SAML Keys".

Option 2: Import Existing into jks

```shell
$ keytool -importkeystore -srckeystore serviceProviderKeys.p12 -destkeystore samlKeystore.jks -srcstoretype pkcs12 -alias spKeysAlias
```
Get the cert.pem from Realm Settings > Keys. Copy the PEM cert and paste it into a text file (idp-signing.pem in the command below):

```
-----BEGIN CERTIFICATE-----
MIICoTCCAYkCBgFxqKn5fjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlsb2Nh
bGhvc3QwHhcNMjAwNDIzMjAwOTAzWhcNMzAwNDIzMjAxMDQzWjAUMRIwEAYDVQQD
....
-----END CERTIFICATE-----
```

Import it into the SAML keystore under the alias the SP configuration will reference as `idpCertAlias`:

```shell
$ keytool -import -file idp-signing.pem -keystore samlKeystore.jks -alias IDPSigningAlias
```
```properties
jaas.controlFlag=Sufficient
jaas.ranking=110
jaas.realmName=jackrabbit.oak
jaas.classname=org.apache.sling.auth.saml2.sp.Saml2LoginModule
```
Configure a Service User to handle the User Management.

```properties
org.apache.sling.auth.saml2:Saml2UserMgtService=saml2-user-mgt
```

Grant the system user saml2-user-mgt sufficient ACLs to create and write to the users' home.
```properties
path=https://localhost:2443/
service.ranking=1000
entityID=https://localhost:2443/
acsPath=/sp/consumer
saml2userIDAttr=urn:oid:2.5.4.42
saml2userHome=/home/users/saml
saml2groupMembershipAttr=
saml2SessionAttr=saml2AuthInfo
saml2IDPDestination=https://localhost:8088/idp/profile/SAML2/Redirect/SSO
saml2SPEnabled=true
jksFileLocation=./sling/keys/slingSP.jks
jksStorePassword=storepass
idpCertAlias=localhost
spKeysAlias=slingSP
spKeysPassword=encPassword
```
Note: After configuring the SAML2 authentication handler, the Sling Form login can still be accessed directly http://localhost:8080/system/sling/form/login?resource=%2F
Optionally, configure Keycloak to release a group to the Sling Client and create that group within Sling. Add the group ID (from the assertion) to the OSGi configuration.

Visit https://localhost:2443 and observe that login takes place on the http://localhost:8088 Keycloak Identity Provider.

Enter the credentials saml2-example:password, and observe that the user is granted access to the system.
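The access granted at the end of this walkthrough rests on the SP accepting the assertion's bearer SubjectConfirmation, which is what the commit title ("validate subject confirmation") refers to. The following is an added example in plain Python with the standard library's XML parser, not the Sling SAML2 bundle's own code (which uses OpenSAML): it checks a bearer SubjectConfirmationData against the rules of the SAML 2.0 Web Browser SSO profile, using the ACS URL implied by the page's `entityID` and `acsPath`. The assertion text, the request ID, the Keycloak issuer URL and the clock skew are constructed for the example, and the snippet assumes the caller has already verified the response signature, as the profile requires, before calling it.

```python
"""Validate the bearer SubjectConfirmation of a SAML 2.0 assertion.

Added example using xml.etree, not the Sling SAML2 bundle's OpenSAML code.
Assumes the XML signature has already been verified by the caller.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {'saml': 'urn:oasis:names:tc:SAML:2.0:assertion'}
BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'

# Assertion Consumer Service URL: the page's entityID joined with acsPath.
ACS_URL = 'https://localhost:2443/sp/consumer'


def parse_saml_time(value):
    """Parse the UTC xsd:dateTime form SAML uses, e.g. 2020-05-06T20:05:58Z."""
    if not value.endswith('Z'):
        raise ValueError('SAML timestamps must be UTC (trailing Z)')
    body = value[:-1]
    fmt = '%Y-%m-%dT%H:%M:%S.%f' if '.' in body else '%Y-%m-%dT%H:%M:%S'
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def validate_subject_confirmation(assertion_xml, acs_url, outstanding_request_ids,
                                  now=None, clock_skew=timedelta(seconds=60)):
    """Return the accepted SubjectConfirmationData element or raise ValueError.

    Web Browser SSO profile rules for a bearer assertion: at least one bearer
    SubjectConfirmation whose Recipient is our ACS URL, whose NotOnOrAfter has
    not passed (within clock_skew) and whose InResponseTo names an AuthnRequest
    we issued. Unsolicited (IdP-initiated) assertions are rejected here.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    subject = root.find('saml:Subject', NS)
    if subject is None:
        raise ValueError('assertion has no Subject')
    reasons = []
    for sc in subject.findall('saml:SubjectConfirmation', NS):
        if sc.get('Method') != BEARER:
            continue  # only bearer confirmations are usable for browser SSO
        data = sc.find('saml:SubjectConfirmationData', NS)
        if data is None:
            reasons.append('bearer confirmation without SubjectConfirmationData')
            continue
        if data.get('Recipient') != acs_url:
            reasons.append(f"Recipient {data.get('Recipient')!r} is not our ACS URL")
            continue
        expiry = data.get('NotOnOrAfter')
        if expiry is None or now >= parse_saml_time(expiry) + clock_skew:
            reasons.append('NotOnOrAfter is missing or has passed')
            continue
        if data.get('InResponseTo') not in outstanding_request_ids:
            reasons.append('InResponseTo does not match an outstanding AuthnRequest')
            continue
        return data
    raise ValueError('no acceptable bearer SubjectConfirmation: ' + '; '.join(reasons))


def confirmation_error(*args, **kwargs):
    """The rejection reason as a string, or None when the assertion is accepted."""
    try:
        validate_subject_confirmation(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def sample_assertion(not_on_or_after, recipient=ACS_URL, in_response_to='_req-1'):
    """Constructed, unsigned minimal assertion for demonstration only."""
    return f'''<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2020-05-06T20:05:58Z">
  <saml:Issuer>http://localhost:8088/auth/realms/localhost</saml:Issuer>
  <saml:Subject>
    <saml:NameID>saml2-example</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData NotOnOrAfter="{not_on_or_after}"
          Recipient="{recipient}" InResponseTo="{in_response_to}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>'''


if __name__ == '__main__':
    now = datetime(2020, 5, 6, 20, 6, 0, tzinfo=timezone.utc)
    pending = {'_req-1'}
    print('fresh:   ', confirmation_error(sample_assertion('2020-05-06T20:10:00Z'), ACS_URL, pending, now=now))
    print('expired: ', confirmation_error(sample_assertion('2020-05-06T20:00:00Z'), ACS_URL, pending, now=now))
    print('replayed:', confirmation_error(sample_assertion('2020-05-06T20:10:00Z', in_response_to='_old'), ACS_URL, pending, now=now))
```

The set of outstanding request IDs is what turns the InResponseTo check into replay protection: the SP records each AuthnRequest ID it issues and removes it once an assertion answering it has been consumed, so a captured assertion cannot be presented a second time even inside its validity window.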