SAML2 Service Provider Pull Request #51
Conversation
…t the bundle Activates
… the entire set of cryptographic algorithms as required by OpenSaml V3
… flow to call requestCredentials. Added dependency on oak-auth-external for user sync'ing
…mport package for HTTPSOAP11Decoder in ArtifactResolution Servlet
…uth Handler, Consumer Servlet and the UserManager service
I've been thinking some more about how to make sure the reviews are productive and reduce the time needed to get this into the whiteboard. The idea I came up with takes two complementary approaches:
For item 1 I suggest that you provide a docker script or docker-compose setup that launches a SAML-enabled identity provider. One idea would be Keycloak with Docker, but I admit I'm not at all familiar with identity providers to offer an informed suggestion. This would allow you to drop ~400 LOC in the

For item 2 item 1 already helps :-) I think you can start with submitting the minimal functionality that works - and I get that is the AuthenticationHandler. I see code for the ExternalIdentityProvider and LoginModule as well. If that is not needed for the basic login flow, I would suggest submitting them as follow-up PRs once we merge the initial one. I also see a potential of dropping some code with the TokenStore class. You mention it's derived from the class in the

Would that work for you?
Having a built-in IDP during development was really useful and simplified the setup and testing. I get that the point is that there should be another way to test the SP code without the demo IDP. I'm curious whether you tried to test it with the internal IDP. This would be the simplest way. I thought the mock IDP might potentially help in troubleshooting issues, which is why I considered an enable/disable switch for it. Nevertheless, the internal IDP and Saml2ExternalIdentityProvider can be removed from the PR. It won't work without Saml2LoginModule as it stands today, but let me know what code changes would allow it to work without a login module. I will keep the internal IDP on a dev branch, because it is so handy. But otherwise could remove some code from the PR. At the same time I still need to add code for a few features.
There is going to be some code to review because there's a lot involved with implementing a SAML2 Service Provider authentication handler. Do you have a target number for LOC?
…gurations saved take effect. Without this property, the bundle needs to be started again.
…anything used only by the IDP code.
…, and Keycloak IDP.
@cmrockwell - if you think the IDP is useful, let's keep it in for now. I am trying to make my review simpler, but if that makes your PR submission harder it does not make sense. And no, there is no target LOC.
Thanks, that's kind Robert.
The demo IDP doesn't offer much if any value to end users. If it creates confusion, uncertainty or concern; then there is no reason to push it. As a developer, I can push it as a separate bundle to my localhost if I want.
The demo IDP has been removed, so please take a look if things look a little cleaner now.
Cris
On Tue, Apr 14, 2020 at 3:20 AM, Robert Munteanu<notifications@github.com> wrote:
@cmrockwell - if you think the IDP is useful, let's keep it in for now. I am trying to make my review simpler, but if that makes you PR submission harder it does not make sense.
…copy from users' IDP Assertion to the JCR users properties
…o.FAIL_AUTH ensures the requestCredentials method is called
… extractCredentials
@cmrockwell @rombert I wonder if we want to merge this PR and then further refine with additional commits / PRs?
@klcodanr - we would need at least a "legal" review in terms of code attribution and ownership. But I agree, we should not polish code indefinitely, but instead be more agile with reviewing.
I've added attribution and the original license from webprofile-ref-project-v3. I've also reached out to Stefan Rasmusson to see whether this is sufficient. https://blog.samlsecurity.com/p/opensaml.html?showComment=1587589973632
…ing the JKS from resources. I needed to do this to recover my own local IDP instance configuration, and it just didn't work. Probably best to just describe how I did it manually. Also added a link to Keycloak standalone instead of Docker
Thanks a lot @cmrockwell . I see that the

From an ASF point of view it does not seem that we need to change the NOTICE file, since the third party repository does not have a NOTICE file itself. A notice file should be generated automatically with the build (but the build fails out-of-the-box for me). BTW, the possible names for the notice are

The remaining question is how and if we need to add attribution to the source code files. Maybe @bdelacretaz or @cziegeler have an idea?

Bertrand, Carsten - @cmrockwell has based some of his submission on code from https://bitbucket.org/srasmusson/webprofile-ref-project-v3, which is Apache-2.0 licensed. The changes are currently listed in https://github.com/apache/sling-whiteboard/blob/8386886dbe241020e11ae8c75ca487a204fe0bbf/saml-handler/NOTICE.md (although I consider we don't need anything in the NOTICE file, see above). How would you recommend that we record this attribution?

@cmrockwell - once clarified I think we can merge this and then iterate. I suggest that we can keep a record of open items. This can be a simple TODO file in the repository root, a Jira task titled 'SAML authentication handler initial contribution', or anything else really. What would you prefer?

Finally, I have not found an ICLA on file for you, I would encourage you to file one (see https://www.apache.org/licenses/contributor-agreements.html) as you seem to be on track for continued contributions.
As the code is ASL2 and does not require a notice or anything else, we don't need to mention it. But I think it's usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license
@rombert I updated the NOTICE based on my understanding of Carsten's comment. Please let me know what the build issue is, and what if any git operations were performed.
!shibboleth,*
Please post more about that
@cmrockwell - what I get is
I have no settings.xml. I am running with
At any rate, we'll have to solve the issue of external artifacts at some point; we should not have any custom repositories set. I've merged this in now, let's focus on getting the build passing so we can start validating the functionality.
Thanks for posting. Here is what the OpenSAML (Shibboleth) developers say about Maven Central.
Ack, I read that. I understand the reasons. Note that at the ASF the primary source of distribution are cryptographically signed source releases, not binaries on Maven Central. That does not change the fact that Maven Central discourages using

There are ways around it, for now we just need to keep in mind that we (probably) should not add extra Maven repositories and fix it before a first release.
Sounds good. Thank you for merging this. I'll spend some time to analyze the build issue you identified and report back once I'm able to reproduce it. Update: Assuming it builds for you after this, getting it installed and active in Sling will require your instance to provide org.apache.jackrabbit.oak-auth-external
The build works for me with that change. Can you submit a PR with it?
The intent of this PR is to get it reviewed and provide me with valuable feedback about making it better, and ideally getting direct support from Sling Developers.
Work left to do
SAML2ConfigService and SAML2ConfigServiceImpl is a good design or not.
AuthenticationHandlerSAML2 to reference the same configuration.

import org.osgi.service.component.annotations.Reference;

// OSGi Declarative Services injects the shared configuration service
@Reference
private SAML2ConfigService saml2ConfigService;
My assumption about the purpose of a Sling Whiteboard is it is similar to a whiteboard in an office. An area to sketch ideas. Stuff gets merged into the Whiteboard that dies there, and maybe a few things get promoted. If this gets promoted, then I assume the questions listed above and a lot more would need answers.
https://issues.apache.org/jira/browse/SLING-9397
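One way to write out the configuration-sharing design the description asks about, as an added example that is not code from this PR or from the Sling whiteboard module. The class names SAML2ConfigService, SAML2ConfigServiceImpl and AuthenticationHandlerSAML2 come from the description; the package, the configuration properties (idpEntityId, spEntityId, acsPath, idpSsoUrl), the method names and the /sp/consumer default are assumptions. Building the AuthnRequest and verifying the SAMLResponse with OpenSAML are left out; the example shows only how one configuration, validated once at activation, feeds the handler's extractCredentials and requestCredentials.

```java
// Added example, not code from the PR: SAML2ConfigService owns the SP settings,
// SAML2ConfigServiceImpl validates them at activation, and AuthenticationHandlerSAML2
// consumes them via @Reference. Package, method and property names are assumed.
// All three files are meant to live in package org.apache.sling.auth.saml2 (assumed).

// --- file: SAML2ConfigService.java ---
public interface SAML2ConfigService {
    String getIdpEntityId(); // Issuer the SP accepts in assertions
    String getSpEntityId();  // Audience the SP expects in assertions
    String getAcsPath();     // Sling path of the Assertion Consumer Service
    String getIdpSsoUrl();   // where requestCredentials sends the browser
}

// --- file: SAML2ConfigServiceImpl.java ---
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

@Component(service = SAML2ConfigService.class)
@Designate(ocd = SAML2ConfigServiceImpl.Config.class)
public class SAML2ConfigServiceImpl implements SAML2ConfigService {
    @ObjectClassDefinition(name = "SAML2 Service Provider")
    public @interface Config {
        @AttributeDefinition(name = "IdP entity ID") String idpEntityId();
        @AttributeDefinition(name = "SP entity ID") String spEntityId();
        @AttributeDefinition(name = "ACS path") String acsPath() default "/sp/consumer";
        @AttributeDefinition(name = "IdP SSO URL") String idpSsoUrl();
    }

    private volatile Config cfg;

    @Activate
    protected void activate(Config cfg) {
        // Fail closed: with no issuer or audience the assertion checks would be
        // vacuous, so refuse to register the service rather than guess.
        for (String v : new String[] { cfg.idpEntityId(), cfg.spEntityId(), cfg.acsPath() }) {
            if (v == null || v.trim().isEmpty()) throw new IllegalStateException("incomplete SAML2 config");
        }
        if (cfg.idpSsoUrl() == null || !cfg.idpSsoUrl().startsWith("https://")) {
            throw new IllegalStateException("idpSsoUrl must be an https URL");
        }
        this.cfg = cfg;
    }

    public String getIdpEntityId() { return cfg.idpEntityId(); }
    public String getSpEntityId()  { return cfg.spEntityId(); }
    public String getAcsPath()     { return cfg.acsPath(); }
    public String getIdpSsoUrl()   { return cfg.idpSsoUrl(); }
}

// --- file: AuthenticationHandlerSAML2.java ---
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = AuthenticationHandler.class,
           property = { AuthenticationHandler.PATH_PROPERTY + "=/" })
public class AuthenticationHandlerSAML2 implements AuthenticationHandler {
    // The consumer servlet would hold the same reference, so the redirect target
    // and the accepted issuer/audience cannot drift apart.
    @Reference
    private SAML2ConfigService saml2ConfigService;

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        // A SAMLResponse is only expected as a POST to the configured ACS path;
        // anything else is not ours, so let the next handler try.
        if (!"POST".equals(req.getMethod())
                || !saml2ConfigService.getAcsPath().equals(req.getPathInfo())
                || req.getParameter("SAMLResponse") == null) {
            return null;
        }
        // Until signature, Issuer (idpEntityId), Audience (spEntityId) and time
        // conditions are verified, report failure so Sling calls requestCredentials.
        return AuthenticationInfo.FAIL_AUTH;
    }

    @Override
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // Redirect only to the configured IdP, never to a request-supplied URL, and
        // pass the requested resource as RelayState only when it is a local path.
        String relay = req.getRequestURI();
        if (relay == null || !relay.startsWith("/") || relay.startsWith("//")) relay = "/";
        String sso = saml2ConfigService.getIdpSsoUrl();
        res.sendRedirect(sso + (sso.contains("?") ? "&" : "?") + "RelayState=" + URLEncoder.encode(relay, "UTF-8"));
        return true;
    }

    @Override
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) {
        // No SP-side session is kept in this sketch, so there is nothing to drop.
    }
}
```

Because the configuration component throws during activation when a required value is missing or the IdP URL is not https, Declarative Services never registers SAML2ConfigService, the handler's mandatory reference stays unsatisfied, and the SAML handler simply does not come up; that is the fail-closed behaviour a practitioner wants from a component that decides which issuer to trust. Returning AuthenticationInfo.FAIL_AUTH from extractCredentials is what makes Sling call requestCredentials, as the commit above notes.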