commit | 598dcae141f4686badd83d7151b89d731d4e3c12 | [log] [tgz] |
---|---|---|
author | Cris Rockwell <cris@apache.org> | Fri Apr 09 08:35:07 2021 -0400 |
committer | GitHub <noreply@github.com> | Fri Apr 09 08:35:07 2021 -0400 |
tree | a5bede5f76da935538a646c8b34c3163db0a7c77 | |
parent | ba268ca4c053bcabed58335c39d7dbbf07f22245 [diff] |
Sling 9397/update removed saml config service (#69)

* removed optional transitive for Spring's org.relaxng.datatype from dom4j, which itself is not needed
* saml-handler: pom.xml / bnd usage cleanups
* Added method to validate subject confirmation
* plugin renamed from maven-sling-plugin to sling-maven-plugin
* clean up bugs and code smell
* added noticeStatement property
* merged upstream master
* Upgraded SAML2 Handler to OpenSAML V4. Java 11. Sling 12. Reviewed and optimized embedded OpenSAML dependencies and updated versions. Updated docs. Made encryption and signing an optional configuration. Backed out SLO for now and moved that to a different branch. Logout in this branch simply drops the credentials for this Service Provider and redirects the client to the URL configured. Added error handling runtime exception if the userID is not configured properly. JCR Group IDs now seem to have a slash in front, so added a condition to allow that. Updated realm-sling-export.json (for Keycloak demo) adding attribute mappers for client, http://localhost:8080. Updated readme and added localhost test package
* Added custom runtime exception class for unhandled exceptions. Removed commented and unused code
* added license
* Removed attribution under license. Refactored JKS password to char[]. Reduced duplication in Credentials classes. Removed Notice. Removed JCR test package from resources
* removed unused imports. added missing license
* started demo saml2 project
* updated comments
* To get repoinit working, moved configs from /apps/sling/saml/runmodes/config to /apps/runmodes/configs
* fix 'catch multiple exceptions at once' code smell
* Started Example SAML2 project that will provide faster test setup providing JKS, service user, ACLs, dependencies, and SlingJunit tests
* space change
* fix pom error
* fix sonar bug and smells
* Fixed startup problem by setting startLevel to 19
* Refactor example setup and configuration project (saml-example)
* moved example realm to example project
* Export Package of oak-auth-external dependency simplifies setup
* update documentation
* Updated README Docs for clarifying processes for SSL and SAML credentials
* Refactored and removed saml2 config service
* fix bugs identified by sonarcloud
* added javadocs to Saml2UserMgtService, update usage in AuthenticationHandlerSAML2Impl
* Reduce complexity of extractCredentials in AuthenticationHandlerSAML2Impl. Change path to single value property since AuthenticationHandlerSAML2Config is used as a factory
* sonarcloud code smell fixes
* started junit tests for AuthenticationHandlerSAML2Impl
* Started PAX tests for saml-handler. IT tests seem inoperational in this commit
* WIP: continuing work to increase test coverage
* continued struggling with test setup
* continuing work on pax tests
* cont'd with SAML2 tests after initializing OpenSAML in OsgiSamlTest.java
* added tests for issuer and nameIDpolicy
* added Endpoint unit tests
* Sling 9397/improve test coverage (#70)
* Started PAX tests for saml-handler. IT tests seem inoperational in this commit
* WIP: continuing work to increase test coverage
* continued struggling with test setup
* continuing work on pax tests
* cont'd with SAML2 tests after initializing OpenSAML in OsgiSamlTest.java
* added tests for issuer and nameIDpolicy
* added Endpoint unit tests
* continuing progress on pax exam it tests
* continuing progress on pax exam it tests
* attempt to fix the paxexam test environment: 1. export the org.apache.sling.auth.saml2 package 2. don't change the startlevel in the Activator 3. provide the required configuration for the AuthenticationHandlerSAML2Impl service
* SLING-10193 Added test coverage for Saml2User.java and Saml2UserMgtService.java. Moved Saml2User.java into saml2 package so that it can be accessed by tests
* SLING-9397 Updated the example configs to reflect the new PID for configuring AuthenticationHandlerSAML2
* clean up
* SLING-9397 Added IT test coverage for Saml2UserMgtService
* add java coco to pom
* code coverage tool not working, commented out
* Added tests for Helpers
* trying to get jacoco to report IT test coverage
* fixed parent version
* SAML Handler manages user sync with Saml2UserSyncService so extending Jackrabbit ExternalUser is not needed
* continued doUserManagement testing
* Sling 10193/test coverage (#72)
* SAML Handler manages user sync with Saml2UserSyncService so extending Jackrabbit ExternalUser is not needed
* continued doUserManagement testing
* Added setup for Java Keystore tests, added tests for JksCredentials, KeyPairCredentials and VerifySignatureCredentials
* Refactor TokenStore.java and AuthenticationHandlerSAML2Impl.java to allow junit tests
* remove unimplemented constructor
* improve unit test coverage
* add one IT test and clean up
* updated pom.xml with dependency version ranges
* continued improving test coverage
* continued improving test coverage
* test coverage
* SLING-10193 set and remove JAAS config upon bundle activator start and stop
* improve testing for user management and sync
* Updated properties sync to use a mapping defined in the OSGI configs such that the name and relative path of the saved property can be configured (instead of using the saml attribute's Friendly Name)

Co-authored-by: Robert Munteanu <rombert@apache.org>
Co-authored-by: Eric Norman <enorman@apache.org>
This contribution to the Apache Sling project provides SAML2 Web Profile Service Provider authentication.
https://en.wikipedia.org/wiki/SAML_2.0
Sling applications may authenticate users against an Identity Provider (idp) such as Keycloak Server or Shibboleth IDP.
User management is based on the OSGi bundle configuration and the SAML2 Assertion. saml2groupMembershipAttr is set to the name of the SAML attribute that carries group membership. syncAttrs can be used to synchronize user properties released by the IDP for profile properties such as given name, family name, email, and phone.

Procedure for localhost testing
1. Start a Keycloak server for the IDP:
$ docker run -p 8484:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak
2. Import the realm from saml-example/src/main/resources/sling-realm-export.json into Keycloak.
Note: the preconfigured realm contains configuration for the client and the groups, but does not contain users.
3. From the saml-handler project, run:
$ mvn clean install -P autoInstallBundle
4. From the saml-example project, run:
$ mvn clean install -P autoInstallPackage
Note: the following are contained in localhostExample-1.zip.
- Provide a JAAS OSGI Config as shown below.
- Provide a Service User Mapper OSGI Config.
- Set up the system user “saml2-user-mgt” and grant jcr:all to this user on the /home path.
- Provide a SAML2 OSGI Configuration.
- Use Composum Users to create the group “pcms-authors” to test automatic group membership assignment.
Notes:
Visit http://localhost:8080 and observe that login takes place on the Keycloak Server IDP at http://localhost:8484.
Enter the credentials for the user you created, and observe that the user is granted access to the system.
This portion discusses encryption, which is critical for the security of this solution.
Decide on a location on the file system for the keystores. For example, under the sling folder:
$ mkdir sling/keys
$ cd sling/keys
It is a good idea to configure SSL for Jetty, providing an https binding.
Aside from the Jetty SSL credentials discussed above, there are two other credentials to consider for a SAML2 Service Provider (SP).
The SP Keypair is used by the IDP and SP to encrypt and decrypt SAML2 responses. It should be unique for each service provider.
Note that the SP Keypair is also used to cryptographically sign SAML requests sent from the SP to the IDP.
Generate the SP keypair and self-signed certificate, then export them into a PKCS12 keystore:
$ openssl req -newkey rsa:2048 -nodes -keyout samlSPkey.pem -x509 -days 365 -out samlSPcert.pem
$ openssl pkcs12 -inkey samlSPkey.pem -in samlSPcert.pem -export -out samlSPkeystore.p12
$ keytool -list -v -keystore samlSPkeystore.p12
Import the IDP's signing certificate into the JKS keystore the SP uses to verify signatures:
$ keytool -import -file signingCert.pem -keystore samlKeystore.jks -alias idpsigningalias
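The credential steps above as one scripted, self-checking procedure; this is an added example and not part of the Sling saml-handler project. It assumes openssl is installed (keytool only for the final import), and the paths, subject name and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not from the Sling saml-handler project): build the SP
# keystore described above and verify it before wiring it into the SAML2
# OSGi configuration. Paths, subject name and passwords are placeholders.
set -eu

# Create the SP keypair and self-signed cert, then bundle them into a
# PKCS12 keystore. $1 = output dir, $2 = keystore password, $3 = days valid.
make_sp_keystore() {
    dir=$1; pass=$2; days=$3
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/samlSPkey.pem" \
        -x509 -days "$days" -subj "/CN=sling-sp.example.test" \
        -out "$dir/samlSPcert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/samlSPkey.pem" \
        -in "$dir/samlSPcert.pem" -out "$dir/samlSPkeystore.p12" \
        -passout "pass:$pass"
    # the private key and the store that wraps it must not be world-readable
    chmod 600 "$dir/samlSPkey.pem" "$dir/samlSPkeystore.p12"
}

# Sanity-check the PKCS12 store: it must open with the given password and the
# certificate inside must stay valid for at least $3 more seconds.
# Returns 0 on success, non-zero otherwise.
verify_sp_keystore() {
    p12=$1; pass=$2; min_secs=$3
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend "$min_secs" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of a certificate (e.g. the IDP signing cert)
# so it can be compared against the IDP's published metadata before import.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Import the IDP signing cert into the JKS store (needs keytool from a JDK).
# $1 = cert PEM, $2 = JKS path, $3 = JKS password.
import_idp_cert() {
    keytool -importcert -noprompt -file "$1" -keystore "$2" \
        -alias idpsigningalias -storepass "$3"
}
```

Run `make_sp_keystore sling/keys 'store-password' 365` and then `verify_sp_keystore sling/keys/samlSPkeystore.p12 'store-password' 2592000` to confirm the store opens and the certificate will not expire within 30 days.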
This module was contributed to Apache Sling by Cris Rockwell and Regents of the University of Michigan.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.