commit | ffd81fe95eeb67fdc2a6c8656e24a72759cfc6e7 | [log] [tgz] |
---|---|---|
author | Cris Rockwell <cmrockwe@umich.edu> | Tue Apr 14 20:54:56 2020 -0400 |
committer | Cris Rockwell <cmrockwe@umich.edu> | Tue Apr 14 20:54:56 2020 -0400 |
tree | 0e70751bb862f58888bb13a67b0391b449f7063d | |
parent | 715947bbaa430797eb394ff74f1a78d286f92efb [diff] |
Added SAML2 configs that allow admins to specify which attributes to copy from users' IDP Assertion to the JCR users properties
This project is intended to be a contribution to the Apache Sling project; it has a SAML2 Service Provider Authentication Handler and the associated SAML2 servlets and utilities. It is a work in progress and not production ready!
https://en.wikipedia.org/wiki/SAML_2.0
### Features

- Authenticate users of Sling applications against Identity Providers (IdP) such as Keycloak or Shibboleth using the SAML2 protocol.
- Synchronize user management based on the SAML2 Assertion and the OSGi bundle configs.
### Packages

- `sp` is the package for the service provider classes.
- `Helpers` holds the static utility methods used with the OpenSAML V3 library.
- The parent `saml2` package has the interface definitions and the bundle Activator.
Just as Jetty requires a JKS to enable https, the SAML2 SP bundle requires a JKS to hold the IDP's signing certificate and the SAML2 Service Provider's encryption key-pair. One suggestion is to locate these under the sling folder:

```sh
$ cd sling
$ mkdir keys
$ cd keys
```
Create a KeyStore and generate a self-signed cert (not for prod). While https on Jetty is technically not required, it serves a few purposes here: it provides better security for direct access, and it confirms that the Java Keystore is configured properly and accessible by the sling system user.

```sh
$ keytool -genkeypair -keyalg RSA -validity 365 -alias sslstore -keystore sslKeystore.jks -keypass jettykeypass -storepass JKSPassord -dname "CN=localhost, OU=LSA Technology Services, O=University of Michigan,L=Ann Arbor, S=MI, C=US"
```

Note: make a note of the JKS filename and path, storepass, keypass, and cert alias.
The following are based on the example sslKeystore contained under resources.

```properties
org.apache.felix.https.enable=B"true"
org.osgi.service.http.port.secure=I"443"
org.apache.felix.https.keystore="./sling/keys/sslKeystore.jks"
org.apache.felix.https.keystore.password="JKSPassord"
org.apache.felix.https.keystore.key.password="jettykeypass"
org.apache.felix.https.truststore.password="JKSPassord"
```

Note: To use the example sslKeystore.jks, copy it to your Sling folder ./sling/keys/sslKeystore.jks
After enabling Jetty to use https over port 2443, you will need to accept the browser security warning when accessing https://localhost:2443/ due to the use of a self-signed certificate.
Run an IDP locally:

```sh
docker run -p 8088:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:9.0.2
```

The example keystore `resources/slingSP.jks` (see the keystore options below) contains:

- the `localhost` realm signing certificate, and
- the `https://localhost:2443` encryption keypair; alias = slingSP, password = encPassword.

The `localhost` realm, whose client is `https://localhost:2443`, has one user defined.

References: https://www.keycloak.org/getting-started/getting-started-docker

Links:

- admin:admin log-in http://localhost:8088/auth/admin
- localhost realm http://localhost:8088/auth/admin/master/console/#/realms/localhost/clients
Option 1: Generate using Keytool

```sh
$ keytool -genkey -alias samlKeys -keyalg RSA -keystore samlKeystore.jks
```

Option 2: Import Existing into jks

```sh
$ keytool -importkeystore -srckeystore serviceProviderKeys.p12 -destkeystore samlKeystore.jks -srcstoretype pkcs12 -alias spKeysAlias
```

Option 3: For localhost testing with Keycloak use resources/slingSP.jks. Copy resources/slingSP.jks to your Sling instance ./sling/keys/slingSP.jks

Import the IDP's signing certificate into the keystore:

```sh
$ keytool -import -file idp-signing.pem -keystore samlKeystore.jks -alias IDPSigningAlias
```
Configure the JAAS login module:

```properties
jaas.controlFlag=Sufficient
jaas.ranking=110
jaas.realmName=jackrabbit.oak
jaas.classname=org.apache.sling.auth.saml2.sp.Saml2LoginModule
```
Configure a Service User to handle the User Management:

```properties
org.apache.sling.auth.saml2:Saml2UserMgtService=saml2-user-mgt
```

Grant the system user saml2-user-mgt sufficient ACLs to create and write to the users' home.
Configure the SAML2 authentication handler:

```properties
path=https://localhost:2443/
service.ranking=1000
entityID=https://localhost:2443/
acsPath=/sp/consumer
saml2userIDAttr=urn:oid:2.5.4.42
saml2userHome=/home/users/saml
saml2groupMembershipAttr=
saml2SessionAttr=saml2AuthInfo
saml2IDPDestination=https://localhost:8088/idp/profile/SAML2/Redirect/SSO
saml2SPEnabled=true
jksFileLocation=./sling/keys/slingSP.jks
jksStorePassword=storepass
idpCertAlias=localhost
spKeysAlias=slingSP
spKeysPassword=encPassword
```
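As an added example (not code from this bundle), a stand-alone Java pre-flight check that the keystore named by jksFileLocation opens with jksStorePassword, holds a currently valid certificate under idpCertAlias, and holds an RSA key-pair under spKeysAlias whose private key unlocks with spKeysPassword and matches its certificate. The path and passwords are the README's example values and RSA is assumed, as in the keytool commands above; running this before setting saml2SPEnabled=true catches the most common failure modes (wrong password, wrong alias, expired IDP certificate) without involving the IDP.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

/** Added example: verifies the SP keystore described by the OSGi config values. */
public class SamlKeystoreCheck {

    public static void main(String[] args) throws Exception {
        // README example values (hypothetical for any real deployment)
        String jksFileLocation = "./sling/keys/slingSP.jks";
        char[] jksStorePassword = "storepass".toCharArray();
        String idpCertAlias = "localhost";
        String spKeysAlias = "slingSP";
        char[] spKeysPassword = "encPassword".toCharArray();

        // Opening the store with the store password is the same step the bundle performs.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksFileLocation)) {
            ks.load(in, jksStorePassword);
        }

        // 1. The IDP signing certificate must exist and be inside its validity period;
        //    assertion signatures are verified against it, so an expired cert breaks login.
        X509Certificate idpCert = (X509Certificate) ks.getCertificate(idpCertAlias);
        if (idpCert == null) throw new IllegalStateException("no IDP cert under alias " + idpCertAlias);
        idpCert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        System.out.println("IDP signing cert OK: " + idpCert.getSubjectX500Principal());

        // 2. The SP key-pair must unlock with spKeysPassword (getKey throws otherwise) and the
        //    private key must belong to the stored certificate: prove it with a sign/verify round trip.
        PrivateKey spKey = (PrivateKey) ks.getKey(spKeysAlias, spKeysPassword);
        X509Certificate spCert = (X509Certificate) ks.getCertificate(spKeysAlias);
        if (spKey == null || spCert == null) throw new IllegalStateException("no SP key pair under alias " + spKeysAlias);
        byte[] probe = "keystore-check".getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA"); // assumes an RSA key-pair
        sig.initSign(spKey);
        sig.update(probe);
        byte[] signed = sig.sign();
        sig.initVerify(spCert.getPublicKey());
        sig.update(probe);
        if (!sig.verify(signed)) throw new IllegalStateException("SP private key does not match its certificate");
        System.out.println("SP key pair OK: " + spCert.getSubjectX500Principal());
    }
}
```

Run it as the same OS user that runs Sling so that file permissions on the keystore are checked as well.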
Note: After configuring the SAML2 authentication handler, the Sling Form login can still be accessed directly at http://localhost:8080/system/sling/form/login?resource=%2F

Optionally, configure Keycloak to release a group to the Sling client and create that group within Sling. Add the group ID (from the assertion) to the OSGi configuration.
Visit https://localhost:2443 and observe that login takes place on the http://localhost:8088 Keycloak Identity Provider.
Enter the credentials saml2-example:password, and observe that the user is granted access to the system.