tag | 6256fbf39298cd4fc01fd98147ca62861875555b | |
---|---|---|
tagger | Cris Rockwell <cmrockwe@umich.edu> | Fri Jul 02 11:06:25 2021 -0400 |
object | 334b8e7b7b3f300d4109f00cc61bed5d013d3984 |
[maven-release-plugin] copy for tag org.apache.sling.auth.saml2-0.2.6
commit | 334b8e7b7b3f300d4109f00cc61bed5d013d3984 | |
---|---|---|
author | Cris Rockwell <cmrockwe@umich.edu> | Fri Jul 02 11:06:20 2021 -0400 |
committer | Cris Rockwell <cmrockwe@umich.edu> | Fri Jul 02 11:06:20 2021 -0400 |
tree | e2b83c3a2e1a015b62e3acf60c6923e31659a995 | |
parent | fadd13ec779dc6c85566c30b2341b9e7e3f977c8 | |
[maven-release-plugin] prepare release org.apache.sling.auth.saml2-0.2.6
An OSGi bundle that provides a SAML2 Web Profile Service Provider Authentication for Apache Sling using OpenSAML v4 libraries
https://en.wikipedia.org/wiki/SAML_2.0
Sling applications may authenticate users against an Identity Provider (IdP) such as Keycloak Server or Shibboleth IdP.
User management is based on the OSGi bundle configuration and the SAML2 Assertion:
saml2groupMembershipAttr is set to the name of the SAML attribute that carries the user's group membership.
syncAttrs can be used to synchronize user properties released by the IdP into profile properties such as given name, family name, email, and phone.
Provide a Service User Mapper OSGi Config.
Set up the system user "saml2-user-mgt" and grant jcr:all to this user on the /home path.
Provide a SAML2 OSGi Configuration.
Use Composum Users to create the group "pcms-authors" to test automatic group membership assignment.
Notes:
A JAAS OSGi Config is created automatically when the bundle is activated and removed when it is deactivated.
Visit http://localhost:8080 and observe that login takes place on the Keycloak Server IdP at http://localhost:8484.
Enter credentials for the user you created. After the user authenticates at the IdP, they are redirected to the originally requested resource.
This section covers the key material and encryption setup, which is critical to the security of this solution.
Decide on a location on the file system for the keystores, for example under the sling folder:
$ mkdir sling/keys
$ cd sling/keys
Configure SSL/TLS for Jetty so that Sling is served on an https binding; SAML responses and the resulting session cookies should never travel over plain http.
Aside from the Jetty TLS credentials discussed above, there are two other credentials to consider for a SAML2 Service Provider (SP): the SP key pair and the IdP's signing certificate (imported below).
The SP key pair is used for encryption of SAML2 responses: the IdP encrypts to the SP's public key, which it obtains from the SP certificate, and the SP decrypts with its private key. It should be unique for each service provider.
Note that the SP key pair is also used to cryptographically sign SAML requests sent from the SP to the IdP.
Generate the SP private key with a self-signed certificate, then package both as a PKCS12 keystore (openssl prompts for an export password, which the bundle needs to open the keystore):
$ openssl req -newkey rsa:2048 -nodes -keyout samlSPkey.pem -x509 -days 365 -out samlSPcert.pem
$ openssl pkcs12 -inkey samlSPkey.pem -in samlSPcert.pem -export -out samlSPkeystore.p12
Inspect the keystore to confirm it holds the key pair and certificate:
$ keytool -list -v -keystore samlSPkeystore.p12
Import the IdP's signing certificate (signingCert.pem, taken from the IdP's metadata and checked against a fingerprint obtained out of band) into a JKS trust store:
$ keytool -import -file signingCert.pem -keystore samlKeystore.jks -alias idpsigningalias
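The commands above build the keystores but do not check them. The script below is an added example, not code from the Sling auth.saml2 project: it runs the same procedure non-interactively and then verifies that the SP certificate really belongs to the private key, that the PKCS12 opens with its password and holds that certificate, that the certificate is not about to expire, and that the certificate imported into the JKS has the same SHA-256 fingerprint as signingCert.pem. It assumes openssl is installed and runs the JKS steps only when keytool (a JDK) is on PATH. The subject DNs, the store password and the stand-in IdP signing certificate are constructed for the demonstration; the key alias samlSP is an assumption about what your SAML2 OSGi configuration expects.

```shell
#!/bin/sh
# Added example for the keystore procedure above; not code from the Sling auth.saml2 project.
# Needs openssl; the JKS steps run only if keytool (a JDK) is on PATH. File names follow the
# README. The DNs, the store password and the "IdP" signing certificate are constructed for
# the demonstration: in practice signingCert.pem comes from the IdP's metadata and its
# fingerprint is checked out of band before it is imported.
set -e

KEYDIR="${KEYDIR:-sling/keys}"
SP_DN="${SP_DN:-/CN=sling.example.org/O=Example/C=US}"     # assumption: your SP's name
STORE_PASS="${STORE_PASS:-change-me-before-production}"   # assumption: demo password

# 1. SP key pair + self-signed certificate, packaged as the PKCS12 keystore the bundle loads.
#    -passout replaces the interactive export-password prompt; -name sets the key alias.
make_sp_keystore() {
    mkdir -p "$KEYDIR"
    openssl req -newkey rsa:2048 -nodes -subj "$SP_DN" \
        -keyout "$KEYDIR/samlSPkey.pem" -x509 -days 365 -out "$KEYDIR/samlSPcert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$KEYDIR/samlSPkey.pem" -in "$KEYDIR/samlSPcert.pem" \
        -name samlSP -out "$KEYDIR/samlSPkeystore.p12" -passout "pass:$STORE_PASS"
}

# 2. Does the certificate belong to the private key? Compare the public keys (SPKI PEM)
#    instead of trusting file names; a mismatch means the IdP would encrypt assertions
#    to a key the SP cannot use.   $1 = key PEM, $2 = cert PEM
keypair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# 3. Does the PKCS12 open with the password and hold the expected certificate?
#    $1 = .p12 file, $2 = expected cert PEM
p12_holds_cert() {
    p12_fp=$(openssl pkcs12 -in "$1" -passin "pass:$STORE_PASS" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    pem_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$p12_fp" ] && [ "$p12_fp" = "$pem_fp" ]
}

# 4. Is the certificate still valid $2 seconds from now? The self-signed SP cert above
#    expires after 365 days, and the IdP then silently refuses the SP's requests.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 5. Stand-in for the certificate the IdP publishes in its metadata (constructed here).
make_stand_in_idp_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=idp.example.org/O=Example IdP/C=US" \
        -keyout "$KEYDIR/idpSigningKey.pem" -x509 -days 365 -out "$KEYDIR/signingCert.pem" 2>/dev/null
}

# 6. Import the IdP signing cert into the JKS trust store named in the README. -noprompt
#    suppresses "Trust this certificate?", so the fingerprint check in step 7 is mandatory.
import_idp_cert() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping JKS import" >&2; return 0; }
    rm -f "$KEYDIR/samlKeystore.jks"
    keytool -importcert -noprompt -storetype JKS -file "$KEYDIR/signingCert.pem" \
        -keystore "$KEYDIR/samlKeystore.jks" -alias idpsigningalias -storepass "$STORE_PASS" >/dev/null 2>&1
}

# 7. The SHA-256 fingerprint keytool reports for the alias must equal the PEM's fingerprint.
jks_fingerprint_matches() {
    command -v keytool >/dev/null 2>&1 || return 0   # nothing was imported, nothing to compare
    jks_fp=$(keytool -list -v -storetype JKS -keystore "$KEYDIR/samlKeystore.jks" \
                -storepass "$STORE_PASS" -alias idpsigningalias 2>/dev/null \
             | sed -n 's/.*SHA256: *//p' | head -n 1 | tr -d ':' | tr 'a-f' 'A-F')
    pem_fp=$(openssl x509 -in "$KEYDIR/signingCert.pem" -noout -fingerprint -sha256 \
             | sed 's/.*=//' | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$jks_fp" ] && [ "$jks_fp" = "$pem_fp" ]
}

# Run the whole procedure and all checks; fails on the first check that does not hold.
setup_and_verify() {
    make_sp_keystore
    keypair_matches "$KEYDIR/samlSPkey.pem" "$KEYDIR/samlSPcert.pem" || { echo "SP key/cert mismatch" >&2; return 1; }
    p12_holds_cert "$KEYDIR/samlSPkeystore.p12" "$KEYDIR/samlSPcert.pem" || { echo "bad samlSPkeystore.p12" >&2; return 1; }
    cert_valid_for "$KEYDIR/samlSPcert.pem" 2592000 || { echo "SP cert expires within 30 days" >&2; return 1; }
    make_stand_in_idp_cert
    import_idp_cert
    jks_fingerprint_matches || { echo "IdP cert in JKS does not match signingCert.pem" >&2; return 1; }
    echo "keystores in $KEYDIR created and verified"
}

setup_and_verify
```

Run it once per SP from the sling folder (or set KEYDIR, SP_DN and STORE_PASS in the environment). The store password then has to be supplied to the bundle wherever its keystore configuration expects it; keep it out of the shell history and out of version control. Because the SP certificate is self-signed and short-lived, put cert_valid_for into whatever monitoring you already run and remember that the IdP holds a copy of the SP certificate in its metadata, so a rotated key pair has to be re-registered there before it is switched on.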
This module was contributed to Apache Sling by Cris Rockwell and Regents of the University of Michigan.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.