OIDC or SAML2 for Sling


OIDC or SAML2 for Sling

Christopher Rockwell
Hello Sling Users
 
Does anyone know of a solution for SSO for Apache Sling using OIDC, OAuth2 or SAML2 using JCR-based access controls, user creation and attribute synchronization, and group membership?

This one looks interesting, but is it dead?
https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html

This student project looks interesting, so is it our best resource?
https://github.com/apache/sling-whiteboard/pull/14
https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635ea1e9b45e
https://cwiki.apache.org/confluence/display/SLING/Instructions+to+setup+the+OIDC+flow
https://github.com/apache/sling-whiteboard/tree/master/oidc-handler

There is this presentation about Keycloak, but as stated I’m looking to manage access controls on the content.
https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html

Thanks!
Cris R



Re: OIDC or SAML2 for Sling

Robert Munteanu-2
Hi Cris,

On Tue, 2019-12-10 at 17:33 -0500, Cris Rockwell wrote:

> Hello Sling Users
>  
> Does anyone know of a solution for SSO for Apache Sling using OIDC,
> OAuth2 or SAML2 using JCR-based access controls, user creation and
> attribute synchronization, and group membership?
>
> This one looks interesting, but is it dead?
> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html

This was OpenID, not OpenID Connect, so not applicable to your
scenario. Also dead.

This one is incomplete and not reviewed for security, so I would advise
against using it.

> There is this presentation about Keycloak, but as stated I’m looking
> to manage access controls on the content.
> https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html


What exactly would you need to manage JCR-based controls? I would
imagine that mapping users to JCR groups based on whatever data your
identity solution provides and then creating access based on ACLs only
would satisfy your request.

Thanks,
Robert


Re: OIDC or SAML2 for Sling

Christopher Rockwell
"What exactly would you need to manage JCR-based controls? I would
imagine that mapping users to JCR groups based on whatever data your
identity solution provides and then creating access based on ACLs only
would satisfy your request."


We need to manage a few things at the identity provider:
1. User attributes: username, name, email, phone, maybe a few other pieces of data about the user.
2. Group membership

When the user signs in, with SAML2 there is encrypted metadata which contains that information. Upon sign-in, Sling users should be created, their user attributes updated and the user should be added to or removed from Sling group membership. Once the user has signed in, then access is granted as usual using JCR-based ACLs applied for the groups.

Thanks
Cris Rockwell, App Sys Analyst/Programmer Sr  
College of Literature, Science, and the Arts | University of Michigan
LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI I 48109
Desk: 734.763.6818 | Email: [hidden email]
> On Dec 11, 2019, at 9:34 AM, Robert Munteanu <[hidden email]> wrote:


Re: OIDC or SAML2 for Sling

Robert Munteanu-2
On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:

> "What exactly would you need to manage JCR-based controls? I would
> imagine that mapping users to JCR groups based on whatever data your
> identity solution provides and then creating access based on ACLs
> only
> would satisfy your request."
>
>
> We need to manage a few things at the identity provider:
> 1. User attributes: username, name, email, phone, maybe a few other
> pieces of data about the user.
> 2. Group membership
>
> When the user signs in, with SAML2 there is encrypted metadata which
> contains that information. Upon sign in, Sling users should be
> created, their user attributes updated and the user should be added
> or removed from Sling group membership. Once the user has signed in,
> then access is granted as usual using JCR-based ACL’s applied for the
> groups.

Right, I see that there is no support for that in the keycloak handler,
as it was presented [1].

I don't think there is any out-of-the-box support for what you're
looking for.

I would be happy to guide anyone willing to implement such
functionality though.

Thanks,
Robert


[1]: https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak


Re: OIDC or SAML2 for Sling

Eric Norman-2
In reply to this post by Christopher Rockwell
Hi Cris,

It should be possible.  For one of my projects I had to implement something
similar to support OAuth2 based logins to a sling based server using the
facebook/google/twitter oauth support.

I basically needed 3 main custom OSGi services to make it work:
1. A custom impl of AbstractAuthenticationFormServlet that was used to
initiate the oauth challenge from custom buttons on the login page.
2. A custom org.apache.sling.auth.core.spi.AuthenticationHandler service
that handles the requesting/extraction/validation of the credentials from
the external oauth provider.  I used the scribejava library for the OAuth
conversations (https://github.com/scribejava/scribejava)
3. A custom org.apache.felix.jaas.LoginModuleFactory service for the
"jackrabbit.oak" JAAS realm so the extracted oauth credentials from #2 are
accepted for logging in to the oak JCR repository without knowing the
password.

The impl for #2 also dealt with linking the verified external account
identity with a local jackrabbit.oak user and copying any required
attributes from the external account to the local user profile.

Regards,
Eric

On Tue, Dec 10, 2019 at 2:34 PM Cris Rockwell <[hidden email]> wrote:

Re: OIDC or SAML2 for Sling

Christopher Rockwell
Hi Eric

Thanks for the response. OAuth2 would be a handy option for user authentication, user creation and perhaps user attributes. But I’m pretty sure group membership would not come as part of the authentication process data (at least not for us). With an OAuth2 approach where group membership data is not included, would it be necessary or advisable to also use LDAP to look up the user groups and then add/remove the user from the JCR groups upon sign-in (or a Quartz ETL-like job)? If so, I imagine we can add a fourth OSGi service to that list. But where should we make the call for the LDAP group membership service? Part of the custom AuthenticationHandler? Or is OAuth2 just not a good fit given the need to manage group membership at the identity provider?

Cris
> On Dec 11, 2019, at 1:55 PM, Eric Norman <[hidden email]> wrote:

Re: OIDC or SAML2 for Sling

Eric Norman-2
Hi Cris,

It may depend on what capabilities the external OAuth provider supplies.
For example, I believe some OAuth providers may provide a way to return
group memberships via OAuth2 scopes?

Otherwise, the mechanism for group membership lookup may depend on what
additional REST APIs that your external server provides.  For example, once
you have a verified OAuth token, then you might be able to use that
identity to make additional https calls back to the OAuth provider to
retrieve additional data.  For example, with a valid facebook oauth token
you could invoke their graph APIs to get a list of the groups the user is a
member of.

Of course, if your external oauth provider doesn't provide any mechanism
for lookup of user/group profile data then you would need to figure
something else out.

As to where to do the group membership sync logic: If you are ok with a
short delay in the group memberships being updated, then I suppose you
could listen for login events and do the work in the async event handler.
Otherwise, if you expect the group membership to take effect immediately
during login, then doing that work in the
AuthenticationHandler#extractCredentials call would probably be ok after
you have verified the credentials are valid.

Regards,
-Eric

On Wed, Dec 11, 2019 at 11:45 AM Cris Rockwell <[hidden email]> wrote:

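As an added example (not code from this thread, from Sling or from Oak), here is the "create the user, update attributes, add or remove group memberships" step that Cris asked for and that Eric places in AuthenticationHandler#extractCredentials or a login-event listener, written in Java against the Jackrabbit/Oak UserManager API that such a component can reach through a service-user session. The class name, the idp- prefix, the SAFE_ID pattern, the profile/ attribute path and the in-memory Oak repository in main are my assumptions, and the caller is assumed to pass only attributes and group names taken from an already verified assertion or token.

```java
import java.util.*;
import java.util.regex.Pattern;
import javax.jcr.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.*;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.jcr.Jcr;

/** Hypothetical helper: mirrors IdP-asserted attributes and groups onto the local Oak user. */
public class IdpGroupSync {

    /** Only groups carrying this prefix belong to the IdP; local groups are never touched. */
    static final String MANAGED_PREFIX = "idp-";
    /** IdP-supplied names become JCR authorizable ids, so constrain them first. */
    static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9][A-Za-z0-9_.@-]{0,63}");

    /**
     * Create-or-update the user and make its managed memberships equal to the set the
     * identity provider asserted. Needs a privileged (service user) session. Returns the
     * managed group ids the user belongs to afterwards.
     */
    public static Set<String> sync(Session session, String userId,
                                   Map<String, String> attributes,
                                   Set<String> idpGroupNames) throws RepositoryException {
        if (!SAFE_ID.matcher(userId).matches()) {
            throw new IllegalArgumentException("unacceptable user id from IdP: " + userId);
        }
        UserManager um = ((JackrabbitSession) session).getUserManager();
        ValueFactory vf = session.getValueFactory();

        // 1. User creation and attribute update
        Authorizable user = um.getAuthorizable(userId);
        if (user == null) {
            // null password: Oak stores no rep:password, so the account cannot log in
            // with a local password and is reachable only through the external login
            user = um.createUser(userId, null);
        } else if (user.isGroup()) {
            throw new RepositoryException("id collides with an existing group: " + userId);
        }
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            user.setProperty("profile/" + e.getKey(), vf.createValue(e.getValue()));
        }

        // 2. Turn asserted group names into managed group ids, dropping unsafe ones
        Set<String> wanted = new HashSet<>();
        for (String name : idpGroupNames) {
            String id = MANAGED_PREFIX + name.toLowerCase();
            if (SAFE_ID.matcher(id).matches()) {
                wanted.add(id);
            }
        }

        // 3. Remove managed memberships the IdP no longer asserts
        for (Iterator<Group> it = user.declaredMemberOf(); it.hasNext();) {
            Group g = it.next();
            if (g.getID().startsWith(MANAGED_PREFIX) && !wanted.contains(g.getID())) {
                g.removeMember(user);
            }
        }
        // 4. Add missing memberships, creating a managed group the first time it is seen
        for (String id : wanted) {
            Authorizable existing = um.getAuthorizable(id);
            Group g;
            if (existing == null) {
                g = um.createGroup(id);
            } else if (existing.isGroup()) {
                g = (Group) existing;
            } else {
                continue;  // a user owns that id; never treat it as a group
            }
            if (!g.isDeclaredMember(user)) {
                g.addMember(user);
            }
        }
        session.save();
        return wanted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario against an in-memory Oak repository standing in for Sling
        Repository repo = new Jcr(new Oak()).createRepository();
        Session s = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            Map<String, String> attrs = new HashMap<>();
            attrs.put("email", "crisr@example.edu");  // constructed sample attribute
            // first login: the assertion lists editors and staff
            sync(s, "crisr", attrs, new HashSet<>(Arrays.asList("editors", "staff")));
            // later login: staff was dropped at the IdP, so the idp-staff membership goes;
            // a non-managed group such as administrators would be left untouched
            Set<String> now = sync(s, "crisr", attrs, new HashSet<>(Arrays.asList("editors")));
            System.out.println("managed memberships after second login: " + now);
        } finally {
            s.logout();
        }
    }
}
```

Prefixing and validating the IdP-supplied names keeps an assertion from placing a user into local groups such as administrators, and limiting removals to prefixed groups keeps memberships that are managed locally intact.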

Re: OIDC or SAML2 for Sling

Christopher Rockwell
In reply to this post by Robert Munteanu-2
Hi Robert

Thank you for your offer to guide an OIDC and/or SAML2 Sling Authentication Handler implementation. Long term, I could also see contributing to a peer reviewed initiative to securely add the features to Sling applications. After some thought, I might follow up with you about this out of band.

In the short run, perhaps Oak’s LDAP authentication will support the features we need.
https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html

Thanks all.
Cris R
> On Dec 11, 2019, at 11:58 AM, Robert Munteanu <[hidden email]> wrote:

Re: OIDC or SAML2 for Sling

Robert Munteanu-2
Hi Cris,

Hopefully the LDAP authentication will fulfill your requirements. Once
you're done, it would be interesting to discuss (privately, if you
prefer) what gaps you identified in the authentication support we
offer.

Thanks,
Robert

On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:

Re: OIDC or SAML2 for Sling

Christopher Rockwell
Hi Robert

I would like to follow up with you about adding SAML2 SP (Service Provider) support to Apache Sling.

Our team reviewed security requirements with the leading identity provider (IDP) administrator at the University. His suggestion was to use SAML2 (or OIDC) and skip the LDAP authentication idea. We have been using SAML2 for many years with other applications. It seems SAML2 for open and closed source Java Enterprise applications is very common, so I feel good about requesting SAML2 SP support for Apache Sling.

To start, I am studying the eBook OpenSAML V3 mentioned on the Shibboleth website <https://wiki.shibboleth.net/confluence/display/OS30/Home>. The eBook discusses a sample project <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/> and covers various aspects of using the OpenSAML 3 Java library.

* Authentication request using HTTP Redirect Binding
* Assertion transported using HTTP Artifact Binding
* SAML Artifact transported using HTTP Redirect Binding

If you or others have thoughts or recommendations for me about how to make this happen, please let me know.

Thanks
Cris Rockwell, App Sys Analyst/Programmer Sr  
College of Literature, Science, and the Arts | University of Michigan
LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI I 48109
Desk: 734.763.6818 | Email: [hidden email]
> On Dec 19, 2019, at 12:00 PM, Robert Munteanu <[hidden email]> wrote:

Re: OIDC or SAML2 for Sling

Robert Munteanu-2
Hi Cris,

I would be very happy to see OIDC/SAML2 support in Sling. As mentioned,
there were a couple of initiatives, but none of them completed.

If anyone decides to give the implementation a shot, it would be
important to:

- use vetted libraries that do the bulk of the work. I think this was a
problem with some of the earlier approaches
- develop as much in the open as possible. The sling whiteboard is a
good option, also a personal repo is ok if the intention is to
contribute to Sling
- make the module easy to test and incorporate in the Sling starter

I am available to review and incorporate this contribution, and
definitely there are others around.

Thanks,
Robert

On Wed, 2020-02-12 at 16:27 -0500, Cris Rockwell wrote: