On Wed, Jan 4, 2012 at 8:51 PM, Bram Cymet <bcy...@cbnco.com> wrote: > Just to add one more point: > > I don't need users to be able to log into the identity management > console with their kerberos credentials. I am fine with just using > regular LDAP auth for admin users on the console.
Hi Bram, This is possible. In summary you need to do following, 1. Setup a "Security Token Service" (STS) in WSO2 Identity Server and add your endpoint URL to secure with SAML token profile 2. Secure STS with Kerberos token profile. For this you need to add jaas.conf and krb.conf files in $IS_HOME/repository/conf directory. In the krb.conf file you need to specify your KDC details. I am attaching a sample jaas.conf and a krb.conf 3. Secure your service with a SAML policy 4. Write a client which talks to STS with Kerberos security profile. In client side also you need to have a krb.conf and a jaas.conf. If you dont specify krb.conf it will pick the default krb.conf (/etc/krb5.conf). Once SAML token is obtained client need to present SAML token to end service. I am also attaching a sample SAML policy file. This involves few steps and the process is bit detailed. I am working on an article relevant to this use case. Hopefully i should be able to finish during the weekend. Thanks AmilaJ > > On 12-01-04 10:18 AM, Bram Cymet wrote: >> Hi Amila, >> >> I am trying to authenticate users using an external kerberos KDC. >> >> Really what I am trying to do is similar to what is described here: >> >> http://blog.facilelogin.com/2011/11/cross-domain-authentication-patterns.html >> >> >> I want to have a user come along with their kerberos ticket and I then >> want the identity server to give out a SAML token (hopefully with >> attributes from the users ldap entry and group memberships) to be used >> for authentication to another service. >> >> I have started to play with the STS and set it up with Kerberos security >> (option 16) I am just not sure how to test it to see that it is working >> the way I would like. >> >> I am new to SAML and WS-Security so I am still trying to wrap my head >> around how everything fits together. >> >> Thanks, >> >> Bram >> >> On 12-01-04 9:31 AM, Amila Jayasekara wrote: >>> On Tue, Jan 3, 2012 at 11:24 PM, Bram Cymet <bcy...@cbnco.com> wrote: >>>> Ok i figured out my problem. >>>> >>>> I was missing the GroupNameListFilter property. Now I am able to log in. >>>> >>>> The next thing I would like to figure out is if I can use my existing >>>> kerberos KDC for authentication? >>> >>> Hi Bram, >>> >>> Can you elaborate your question bit further ? >>> Are you trying authenticate users in WSO2 server using an external >>> Kerberos KDC OR else are you trying to setup KDC server which comes >>> with embedded LDAP for user authentication ? >>> >>> Thanks >>> AmilaJ >>> >>>> >>>> Thanks, >>>> >>>> Bram >>>> >>>> On 12-01-03 11:28 AM, Bram Cymet wrote: >>>>> Hi Hasini, >>>>> >>>>> Here is my user-mgt.xml file >>>>> >>>>> <UserManager> >>>>> <Realm> >>>>> <Configuration> >>>>> <AdminRole>admin</AdminRole> >>>>> <AdminUser> >>>>> <UserName>bcymet</UserName> >>>>> <Password>XXXXXX</Password> >>>>> </AdminUser> >>>>> <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By >>>>> default users in thsi role sees the registry root --> >>>>> <ReadOnly>true</ReadOnly> >>>>> <MaxUserNameListLength>500</MaxUserNameListLength> >>>>> <Property >>>>> name="url">jdbc:h2:repository/database/WSO2CARBON_DB</Property> >>>>> <Property name="userName">wso2carbon</Property> >>>>> <Property name="password">wso2carbon</Property> >>>>> <Property name="driverName">org.h2.Driver</Property> >>>>> <Property name="maxActive">50</Property> >>>>> <Property name="maxWait">60000</Property> >>>>> <Property name="minIdle">5</Property> >>>>> </Configuration> >>>>> >>>>> <UserStoreManager >>>>> class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager"> >>>>> <Property name="ReadOnly">true</Property> >>>>> <Property name="MaxUserNameListLength">100</Property> >>>>> <Property name="ConnectionURL">ldap://localhost:389</Property> >>>>> <Property >>>>> name="ConnectionName">cn=admin,dc=TESTLDAP,dc=CBN</Property> >>>>> <Property name="ConnectionPassword">******</Property> >>>>> <Property >>>>> name="UserSearchBase">ou=people,dc=TESTLDAP,dc=CBN</Property> >>>>> <Property >>>>> name="UserNameListFilter">(objectClass=inetOrgPerson)</Property> >>>>> <Property name="UserNameAttribute">uid</Property> >>>>> <Property name="ReadLDAPGroups">false</Property> >>>>> <Property >>>>> name="GroupSearchBase">ou=groups,dc=TESTLDAP,dc=CBN</Property> >>>>> <Property >>>>> name="GroupSearchFilter">(objectClass=groupOfNames)</Property> >>>>> <Property name="GroupNameAttribute">cn</Property> >>>>> <Property name="MembershipAttribute">member</Property> >>>>> </UserStoreManager> >>>>> >>>>> <AuthorizationManager >>>>> >>>>> class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager"> >>>>> </AuthorizationManager> >>>>> </Realm> >>>>> </UserManager> >>>>> >>>>> I followed the directions for the read only setup at first. >>>>> >>>>> I thought that the part in the file: >>>>> >>>>> <AdminRole>admin</AdminRole> >>>>> <AdminUser> >>>>> <UserName>bcymet</UserName> >>>>> <Password>XXXXXX</Password> >>>>> </AdminUser> >>>>> >>>>> would give my user permissions that it needed. >>>>> >>>>> I guess I am missing something else. >>>>> >>>>> >>>>> On 12-01-03 11:23 AM, Hasini Gunasinghe wrote: >>>>>> Hi Bram, >>>>>> >>>>>> In order to login, you need to have login permission as well. (i.e only >>>>>> matching user name, password is not sufficient) >>>>>> >>>>>> In the first time login, you should login as the admin user which you >>>>>> specify in the user-mgt.xml. Admin user can then create users, roles and >>>>>> assign users to roles and permissions to those roles. >>>>>> >>>>>> So can you please make sure that you specify the admin user and admin >>>>>> role in user-mgt.xml correctly and also the admin user belongs to the >>>>>> admin role in the LDAP. >>>>>> Also, please make sure that you provided the correct value for the group >>>>>> search base property in user-mgt.xml >>>>>> >>>>>> If you can attach the user-mgt.xml, we might be able to provide more >>>>>> insight. >>>>>> >>>>>> Thanks, >>>>>> Hasini. >>>>>> >>>>>> On Tue, Jan 3, 2012 at 8:45 PM, Bram Cymet <bcy...@cbnco.com >>>>>> <mailto:bcy...@cbnco.com>> wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> I am attempting to setup a wso2 identity server using my existing >>>>>> openldap instance as the userstore. >>>>>> >>>>>> I can see the server connecting to my ldap instance when I attempt to >>>>>> log in so I know the ConnectionURL, Name, and Password are correct. I >>>>>> can even see the server bind to my ldap instance successfully. >>>>>> However I >>>>>> can not log into the identity web interface. >>>>>> >>>>>> In the logs all I get is: >>>>>> >>>>>> [2012-01-03 09:55:11,033] WARN >>>>>> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - >>>>>> Failed >>>>>> Administrator login attempt 'bcymet[0]' at [2012-01-03 09:55:11,0032] >>>>>> from IP address 172.20.22.157 >>>>>> >>>>>> Any idea what might be going on or how I can up the logging to get a >>>>>> more detailed message? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> -- >>>>>> Bram Cymet >>>>>> Software Developer >>>>>> Canadian Bank Note Co. Ltd. >>>>>> 613-608-9752 >>>>>> _______________________________________________ >>>>>> Carbon-dev mailing list >>>>>> Carbon-dev@wso2.org <mailto:Carbon-dev@wso2.org> >>>>>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Carbon-dev mailing list >>>>>> Carbon-dev@wso2.org >>>>>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>>>> >>>>> >>>> >>>> >>>> -- >>>> Bram Cymet >>>> Software Developer >>>> Canadian Bank Note Co. Ltd. >>>> 613-608-9752 >>>> _______________________________________________ >>>> Carbon-dev mailing list >>>> Carbon-dev@wso2.org >>>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >>> >> >> > > > -- > Bram Cymet > Software Developer > Canadian Bank Note Co. Ltd. > 613-608-9752 > _______________________________________________ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev -- Mobile : +94773330538
jaas.conf
Description: Binary data
krb5.conf
Description: Binary data
<?xml version="1.0" encoding="UTF-8"?> <wsp:Policy wsu:Id="kerberossignandencrypt" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";> <wsp:ExactlyOne> <wsp:All> <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <wsp:Policy> <sp:ProtectionToken> <wsp:Policy> <sp:KerberosToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";> <wsp:Policy> <sp:WssKerberosV5ApReqToken11/> </wsp:Policy> </sp:KerberosToken> </wsp:Policy> </sp:ProtectionToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Lax/> </wsp:Policy> </sp:Layout> <sp:IncludeTimestamp/> <sp:OnlySignEntireHeadersAndBody/> </wsp:Policy> </sp:SymmetricBinding> <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <sp:Body/> </sp:SignedParts> <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <sp:Policy> <sp:MustSupportRefKeyIdentifier/> <sp:MustSupportRefIssuerSerial/> <sp:MustSupportRefThumbprint/> <sp:RequireSignatureConfirmation/> </sp:Policy> </sp:Wss11> <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <wsp:Policy> <sp:RequireClientEntropy/> <sp:RequireServerEntropy/> <sp:MustSupportIssuedTokens/> </wsp:Policy> </sp:Trust10> <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy";> <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds> <rampart:timestampTTL>300</rampart:timestampTTL> <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew> <rampart:kerberosConfig> <rampart:property name="client.principal.name">amilaj</rampart:property> <rampart:property name="client.principal.password">qazqaz</rampart:property> <rampart:property name="service.principal.name">sts/localh...@wso2.org</rampart:property> <!--rampart:property name="java.security.krb5.realm">WSO2.COM</rampart:property --> <!--rampart:property name="java.security.krb5.kdc">127.0.0.1:8000</rampart:property--> <rampart:property name="java.security.krb5.conf">resources/krb5.conf</rampart:property> <rampart:property name="java.security.auth.login.config">resources/jaas.conf</rampart:property> <!--rampart:property name="java.security.auth.login.config">jaas.conf</rampart:property--> <rampart:property name="javax.security.auth.useSubjectCredsOnly">true</rampart:property> <!--rampart:property name="kdc.des.aes.factor">4</rampart:property --> </rampart:kerberosConfig> </rampart:RampartConfig> </wsp:All> </wsp:ExactlyOne> </wsp:Policy>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="SigEncr"> <wsp:ExactlyOne> <wsp:All> <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <wsp:Policy> <sp:InitiatorToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";> <wsp:Policy> <sp:RequireThumbprintReference /> <sp:WssX509V3Token10 /> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:InitiatorToken> <sp:RecipientToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";> <wsp:Policy> <sp:RequireThumbprintReference /> <sp:WssX509V3Token10 /> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:RecipientToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256 /> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict /> </wsp:Policy> </sp:Layout> <sp:IncludeTimestamp /> <sp:OnlySignEntireHeadersAndBody /> </wsp:Policy> </sp:AsymmetricBinding> <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <wsp:Policy> <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";> <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <Address xmlns="http://www.w3.org/2005/08/addressing";> https://localhost:9444/services/wso2carbon-sts </Address> </Issuer> <sp:RequestSecurityTokenTemplate xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust";> <t:TokenType> urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType> <t:KeyType> http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey </t:KeyType> <t:KeySize>256</t:KeySize> <t:Claims Dialect="http://wso2.org/claims"; xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity";> <ic:ClaimType Uri="http://wso2.org/claims/givenname"; /> </t:Claims> </sp:RequestSecurityTokenTemplate> <wsp:Policy> <sp:RequireInternalReference /> </wsp:Policy> </sp:IssuedToken> </wsp:Policy> </sp:SupportingTokens> <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <sp:Policy> <sp:MustSupportRefKeyIdentifier /> <sp:MustSupportRefIssuerSerial /> <sp:MustSupportRefThumbprint /> <sp:RequireSignatureConfirmation /> </sp:Policy> </sp:Wss11> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <sp:Policy> <sp:MustSupportRefKeyIdentifier /> <sp:MustSupportRefIssuerSerial /> </sp:Policy> </sp:Wss10> <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <sp:Body /> </sp:SignedParts> <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> <sp:Body /> </sp:EncryptedParts> <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy";> <rampart:user>wso2carbon</rampart:user> <rampart:encryptionUser>useReqSigCert </rampart:encryptionUser> <rampart:timestampPrecisionInMilliseconds>true </rampart:timestampPrecisionInMilliseconds> <rampart:timestampTTL>300</rampart:timestampTTL> <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew> <rampart:tokenStoreClass> org.wso2.carbon.security.util.SecurityTokenStore </rampart:tokenStoreClass> <rampart:encryptionCrypto> <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto"> <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon </rampart:property> <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks </rampart:property> <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks, </rampart:property> <rampart:property name="rampart.config.user">wso2carbon </rampart:property> </rampart:crypto> </rampart:encryptionCrypto> <rampart:signatureCrypto> <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto"> <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon </rampart:property> <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks </rampart:property> <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks, </rampart:property> <rampart:property name="rampart.config.user">wso2carbon </rampart:property> </rampart:crypto> </rampart:signatureCrypto> </rampart:RampartConfig> </wsp:All> </wsp:ExactlyOne> </wsp:Policy>
_______________________________________________ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
