commit | 9357b5fdd2941e50c3e253a3aeef3fd071917703 | [log] [tgz] |
---|---|---|
author | Cris Rockwell, College of LSA University of Michigan <cmrockwe@umich.edu> | Thu Jun 25 08:59:19 2020 -0400 |
committer | Cris Rockwell, College of LSA University of Michigan <cmrockwe@umich.edu> | Thu Jun 25 08:59:19 2020 -0400 |
tree | 1a784758bb063189b93493de4c36ff69fc359ea3 | |
parent | 27120d8109487c06445ab238c571d9a99f3f02a0 [diff] |
Removed attribution under license. Refactored JKS password to char[]. Reduced duplication in Credentials classes. Removed Notice. Removed JCR test package from resources.
This contribution to the Apache Sling project provides SAML2 Web Profile Service Provider authentication.
https://en.wikipedia.org/wiki/SAML_2.0
Sling applications may authenticate users against an Identity Provider (idp) such as Keycloak Server or Shibboleth IDP.
User management is based on the OSGi bundle configuration and the SAML2 Assertion:

- Group membership is synchronized when the OSGi configuration sets `saml2groupMembershipAttr` to the name of the group membership attribute in the assertion and the attribute value is an existing JCR group. If the assertion's group membership attribute contains values that are not existing JCR groups, those values are ignored.
- Assertion attributes listed in `syncAttrs` are synchronized to the corresponding attribute keys on the JCR user.

## Procedure for localhost testing
Run a Keycloak server on port 8484:

```sh
docker run -p 8484:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:10.0.2
```

Import the preconfigured realm from `saml-handler/src/main/resources/sling-realm-export.json`.

Note: the preconfigured realm contains configuration for the client and the groups, but does not contain users.

Build and install the bundle:

```sh
mvn clean install -P autoInstallBundle
```

Navigate to the SAML2 bundle and verify its state is Active.

Note: the following are contained in localhostExample-1.zip.
- Provide a JAAS OSGi config as shown below
- Provide a Service User Mapper OSGi config
- Set up the system user "saml2-user-mgt" and grant jcr:all to this user on the /home path
- Provide a SAML2 OSGi configuration
- Use Composum Users to create the group "pcms-authors" to test automatic group membership assignment

Notes:

- Visit http://localhost:8080 and observe that login takes place on the http://localhost:8484 Keycloak Server IdP.
- Enter credentials for the user you created, and observe that the user is granted access to the system.
This portion discusses
Just as Jetty requires a JKS to enable HTTPS, the SAML2 SP bundle requires a JKS to hold the IdP's signing certificate and the SAML2 Service Provider's encryption key pair. One suggestion is to locate these under the sling folder:

```sh
cd sling
mkdir keys
cd keys
```
Create the keystore and generate a self-signed certificate (not for production). While HTTPS on Jetty is technically not required, it serves a few purposes here: it provides better security for direct access, and it confirms that the Java keystore is configured properly and accessible by the Sling system user.

```sh
keytool -genkeypair -keyalg RSA -validity 365 -alias sslstore -keystore sslKeystore.jks -keypass jettykeypass -storepass JKSPassord -dname "CN=localhost, OU=LSA Technology Services, O=University of Michigan,L=Ann Arbor, S=MI, C=US"
```
Note: Make note of the JKS filename and path, storepass, keypass, and cert alias.
The following are based on the example sslKeystore contained under resources.

```properties
org.apache.felix.https.enable=B"true"
org.osgi.service.http.port.secure=I"443"
org.apache.felix.https.keystore="./sling/keys/sslKeystore.jks"
org.apache.felix.https.keystore.password="JKSPassord"
org.apache.felix.https.keystore.key.password="jettykeypass"
org.apache.felix.https.truststore.password="JKSPassord"
```
Note: To use the example sslKeystore.jks, copy it to your Sling folder ./sling/keys/sslKeystore.jks
After enabling Jetty to use https over port 2443, you will need to accept the browser security warning when accessing https://localhost:2443/ due to the use of a self-signed certificate.
Option 1: Generate using keytool

```sh
keytool -genkey -alias samlKeys -keyalg RSA -keystore samlKeystore.jks
```

Make note of the storepass, alias, filename, and key password. These will all be needed to configure SP encryption. The generated JKS should be imported into your Keycloak localhost client under "SAML Keys".

Option 2: Import an existing key pair into a JKS

```sh
keytool -importkeystore -srckeystore serviceProviderKeys.p12 -destkeystore samlKeystore.jks -srcstoretype pkcs12 -srcalias spKeysAlias
```

`-importkeystore` selects the entry to copy with `-srcalias`; without it, every entry in the source store is imported.
Get the cert.pem from Realm Settings > Keys. Copy the PEM certificate and paste it into a text file (idp-signing.pem):

```
-----BEGIN CERTIFICATE-----
MIICoTCCAYkCBgFxqKn5fjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlsb2Nh
bGhvc3QwHhcNMjAwNDIzMjAwOTAzWhcNMzAwNDIzMjAxMDQzWjAUMRIwEAYDVQQD
....
-----END CERTIFICATE-----
```

Import it into the SAML keystore as the IdP signing certificate:

```sh
keytool -import -file idp-signing.pem -keystore samlKeystore.jks -alias IDPSigningAlias
```
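As an added example (not part of the SAML2 bundle or this README), the following POSIX shell script carries the whole keystore procedure above through in one run and then checks the result with `keytool -list`: it creates the Jetty keystore with the README's alias and passwords, generates the SP key pair, exports the SP certificate for the Keycloak client's "SAML Keys" tab, and imports an IdP signing certificate. Because a Keycloak realm certificate is not available offline, the script constructs a throwaway key pair with keytool and exports it as `idp-signing.pem` to stand in for the PEM copied from Realm Settings > Keys. The SAML keystore password (`samlstorepass`), the SP key password (`samlkeypass`), the certificate subject names other than the README's, the `sp-cert.pem` file name and the `KEYS_DIR` variable are assumptions, not values from the README.

```shell
#!/bin/sh
# Added example, not part of the Sling SAML2 bundle: build the keystores the
# README describes and verify every expected alias is present before Sling starts.
set -u

KEYS_DIR="${KEYS_DIR:-./sling/keys}"        # README's suggested location (variable name assumed)
SSL_STORE="sslKeystore.jks"; SSL_ALIAS="sslstore"
SSL_STOREPASS="JKSPassord"; SSL_KEYPASS="jettykeypass"   # values from the README
SAML_STORE="samlKeystore.jks"; SP_ALIAS="samlKeys"; IDP_ALIAS="IDPSigningAlias"
SAML_STOREPASS="${SAML_STOREPASS:-samlstorepass}"  # assumed; README leaves this to you
SP_KEYPASS="${SP_KEYPASS:-samlkeypass}"            # assumed

# Runs in a subshell so the caller's working directory is untouched.
# Returns 0 on success, 3 when keytool is not installed (skipped), 1 on any keytool error.
setup_saml_keystores() {
    command -v keytool >/dev/null 2>&1 || return 3
    (
        mkdir -p "$KEYS_DIR" && cd "$KEYS_DIR" || exit 1
        rm -f "$SSL_STORE" "$SAML_STORE" idp-signing.pem sp-cert.pem idp-tmp.jks
        # -storetype JKS is explicit: with the PKCS12 default of newer JDKs, keytool
        # ignores a key password that differs from the store password.
        # 1. Jetty HTTPS keystore, self-signed (not for production).
        keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 -validity 365 \
            -alias "$SSL_ALIAS" -keystore "$SSL_STORE" \
            -keypass "$SSL_KEYPASS" -storepass "$SSL_STOREPASS" \
            -dname "CN=localhost, OU=LSA Technology Services, O=University of Michigan, L=Ann Arbor, S=MI, C=US" \
            >/dev/null 2>&1 || exit 1
        # 2. SP key pair (README Option 1) in the SAML keystore; subject name assumed.
        keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 -validity 365 \
            -alias "$SP_ALIAS" -keystore "$SAML_STORE" \
            -keypass "$SP_KEYPASS" -storepass "$SAML_STOREPASS" \
            -dname "CN=sling-sp, O=Example, C=US" >/dev/null 2>&1 || exit 1
        # Export the SP certificate; this PEM is what the Keycloak client's "SAML Keys" tab needs.
        keytool -exportcert -rfc -storetype JKS -alias "$SP_ALIAS" -keystore "$SAML_STORE" \
            -storepass "$SAML_STOREPASS" -file sp-cert.pem >/dev/null 2>&1 || exit 1
        # 3. Constructed IdP signing certificate: a throwaway key pair exported as PEM,
        #    standing in for the certificate copied from Keycloak Realm Settings > Keys.
        keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 -validity 365 \
            -alias idp -keystore idp-tmp.jks -keypass idppass -storepass idppass \
            -dname "CN=localhost-idp, O=Example, C=US" >/dev/null 2>&1 || exit 1
        keytool -exportcert -rfc -storetype JKS -alias idp -keystore idp-tmp.jks \
            -storepass idppass -file idp-signing.pem >/dev/null 2>&1 || exit 1
        rm -f idp-tmp.jks
        # 4. Import the IdP certificate as a trusted entry beside the SP key pair.
        keytool -importcert -noprompt -storetype JKS -file idp-signing.pem \
            -keystore "$SAML_STORE" -storepass "$SAML_STOREPASS" -alias "$IDP_ALIAS" \
            >/dev/null 2>&1 || exit 1
    )
}

# Prints how many of the given aliases `keytool -list` reports for a keystore.
# A wrong storepass yields 0, which is how a mistyped OSGi config value fails too.
count_aliases() {  # usage: count_aliases <store> <storepass> <alias>...
    store="$1"; pass="$2"; shift 2
    listing=$(keytool -list -storetype JKS -keystore "$KEYS_DIR/$store" -storepass "$pass" 2>/dev/null) \
        || { echo 0; return 0; }
    n=0
    for a in "$@"; do
        # JKS treats aliases case-insensitively and lists them in lower case.
        printf '%s\n' "$listing" | grep -qi "^$a," && n=$((n + 1))
    done
    echo "$n"
}

if [ "${1:-}" = "run" ]; then
    setup_saml_keystores; rc=$?
    [ "$rc" -eq 3 ] && { echo "keytool not found; install a JDK first" >&2; exit 3; }
    [ "$rc" -eq 0 ] || exit "$rc"
    echo "$SSL_STORE: $(count_aliases "$SSL_STORE" "$SSL_STOREPASS" "$SSL_ALIAS")/1 aliases present"
    echo "$SAML_STORE: $(count_aliases "$SAML_STORE" "$SAML_STOREPASS" "$SP_ALIAS" "$IDP_ALIAS")/2 aliases present"
fi
```

Run it as `sh setup-keystores.sh run` from the Sling home directory (or set `KEYS_DIR` first). The alias count is the check worth keeping around: when the bundle later reports it cannot find the IdP certificate or the SP key, rerunning `count_aliases` with the exact storepass from the OSGi config tells you whether the keystore or the configuration is at fault.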
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This module was contributed to Apache Sling by Cris Rockwell and Regents of the University of Michigan.