Configure pgpverify-maven-plugin to verify signatures of all embedded artifacts using independently verified keys. Check signature of all other dependencies using in-band keys if available.
4 files changed
tree: 36f9eccdf34d0f5594f7afd8f4ffa40209d52f61
  1. src/
  2. .asf.yaml
  3. .gitignore
  4. .sling-module.json
  5. any.asc.txt
  6. bnd.bnd
  7. CODE_OF_CONDUCT.md
  8. CONTRIBUTING.md
  9. Jenkinsfile
  10. LICENSE
  11. pom.xml
  12. README.md
  13. shibboleth.asc.txt
README.md

Apache Sling

Build Status Test Status Coverage Sonarcloud Status Maven Central auth License

Apache Sling SAML2 Handler

An OSGi bundle that provides a SAML2 Web Profile Service Provider Authentication for Apache Sling using OpenSAML v4 libraries

Overview

https://en.wikipedia.org/wiki/SAML_2.0

  • The SAMLRequest uses HTTP Redirect Binding, and the contained Authn Request object instructs the IDP to use HTTP Post Binding.

Sling applications may authenticate users against an Identity Provider (idp) such as Keycloak Server or Shibboleth IDP.

Requirements

  • Java 11
  • Sling 11 or 12
  • An external SAML2 identity provider
  • The oak-auth-external bundle must be installed and active

User Management

User management is based on the OSGi bundle configuration and SAML2 Assertion

  • Upon successful authentication, a user is created
  • The user may be added to a JCR group membership under certain conditions:
    • This bundle has an OSGI config saml2groupMembershipAttr set with the value of the name of the SAML group membership attribute.
    • The users SAML assertion contains an attribute matching the configuration above
    • The value of the users group membership attribute is a name of an existing JCR group
  • syncAttrs can be used to synchronize user properties released by the IDP for profile properties such as given name, family name, email, and phone.

Configurations, Service User and ACL's

Manual configurations set using /system/console/configMgr

Provide a Service User Mapper OSGI Config

  • org.apache.sling.auth.saml2:Saml2UserMgtService=saml2-user-mgt

Set up the system user “saml2-user-mgt”

  • visit Composum Users as admin
  • Create service user “saml2-user-mgt”
  • Provide an ACL rule for granting jcr:all to this user on the /home path

Provide a SAML2 OSGI Configuration