Hi all,
I have just submitted PR #45 containing my work for SYNCOPE-1041: it basically introduces a new extension which makes it possible to:
1. import IdP metadata and configure mapping to match internal users (also via admin console)
2. export SP metadata
3. enable Admin Console and Enduser to perform SAML-based SSO
I have tested the feature with both https://www.testshib.org/ and http://www.ssocircle.com/en/
Please note that, as kindly suggested by Colm and Sergey, I did not re-implement the SAML assertion validation, but I did re-use cxf-rt-rs-security-sso-saml.
At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should be close enough.
Please let me have your feedback.
Regards.
On 07/03/2017 17:25, Francesco Chicchiriccò wrote:
On 07/03/2017 17:19, Colm O hEigeartaigh wrote:
Hi Francesco,
It's good to see support for SAML coming to Syncope. I'd encourage you to re-use the functionality developed in CXF to validate the SAML Response from the IdP:
https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
I spent a lot of time reading the specs and making sure the validation rules were all followed :-)
That's very nice, thanks for the pointers!
Regards.
On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò <[email protected]> wrote:
On 07/03/2017 11:56, Sergey Beryozkin wrote:
Hi Francesco
Not sure if it can be relevant for this work, but at the CXF level we have this SAML SP support: http://cxf.apache.org/docs/saml-web-sso.html, something Colm and I worked on earlier.
Thanks for the pointer, Sergey: I did already find it, though.
This does not completely fit in our scenario since here the idea is to split the responsibilities in two: from one side the front-end web-fragment takes care of the SAML exchange, from the other side the Syncope core (e.g. the CXF application) works as back-end for the effective SAML assertion validation and generation.
I'll look at the provided page and related implementation, anyway, thank you very much indeed.
FYI, this class
https://github.com/apache/wss4j/blob/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java
has been already extremely useful to me, since OpenSAML 3 documentation is practically absent.
Regards.
On 07/03/17 10:49, Francesco Chicchiriccò wrote:
Hi all,
I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose.
I am already working on it, and it should be ready on time for Syncope 2.0.3.
The idea is to embed the whole implementation in a PR, with the option of further discussing before merge.
Also, I would like to include, in the 2.0.3 release notes, a public "thank you" statement to the University of Helsinki similar to the one we made for 1.1.0 [2].
WDYT?
Regards.
[1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013)
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
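The thread above settles on re-using CXF's SAMLProtocolResponseValidator / SAMLSSOResponseValidator for the back-end assertion validation rather than re-implementing it. The following added example (not code from the thread, from the Syncope PR or from CXF) sketches, in Python, the protocol-level checks an SP-side validator of that kind applies to a SAML 2.0 Response: status, InResponseTo against the outstanding AuthnRequest, Destination and Recipient against the assertion consumer URL, Issuer, Conditions time window with clock skew, AudienceRestriction, the bearer SubjectConfirmation, and a replay check on the assertion ID. The sample Response, entity IDs and URLs are constructed for the example. XML signature verification is deliberately left out: in the architecture described in the thread that is the job of the re-used cxf-rt-rs-security-sso-saml / WSS4J code, and no Response should be accepted on these checks alone.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed SP and IdP identifiers (constructed for this example, not Syncope's).
SP_ENTITY_ID = "https://sp.example.org/sp"
ACS_URL = "https://sp.example.org/sp/acs"
IDP_ENTITY_ID = "https://idp.example.org/idp"

# Constructed, unsigned sample Response used only to exercise the checks below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2017-03-08T10:00:00Z" InResponseTo="_req1"
    Destination="https://sp.example.org/sp/acs">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-03-08T10:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
            Recipient="https://sp.example.org/sp/acs" NotOnOrAfter="2017-03-08T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-03-08T09:59:00Z" NotOnOrAfter="2017-03-08T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z') form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _text(elem, path):
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def validate_response(xml_text, expected_request_id, acs_url, sp_entity_id,
                      idp_entity_id, now, seen_assertion_ids, skew=timedelta(seconds=60)):
    """Return the list of protocol-level failures (empty when all checks pass).
    Signature verification is NOT performed here; it must happen before trusting any
    of these values. The assertion ID is recorded in seen_assertion_ids only on success."""
    failures = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        failures.append("status is not Success")
    if root.get("InResponseTo") != expected_request_id:
        failures.append("InResponseTo does not match the outstanding AuthnRequest")
    if root.get("Destination") != acs_url:
        failures.append("Destination is not this SP's assertion consumer URL")
    if _text(root, "saml:Issuer") != idp_entity_id:
        failures.append("Response Issuer is not the configured IdP")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        failures.append("expected exactly one plaintext Assertion")
        return failures
    a = assertions[0]
    if _text(a, "saml:Issuer") != idp_entity_id:
        failures.append("Assertion Issuer is not the configured IdP")
    if a.get("ID") in seen_assertion_ids:
        failures.append("Assertion ID already consumed (replay)")
    conds = a.find("saml:Conditions", NS)
    if conds is None:
        failures.append("Assertion has no Conditions")
    else:
        nb, noa = conds.get("NotBefore"), conds.get("NotOnOrAfter")
        if nb and now < parse_instant(nb) - skew:
            failures.append("Assertion not yet valid (NotBefore)")
        if noa and now >= parse_instant(noa) + skew:
            failures.append("Assertion expired (NotOnOrAfter)")
        audiences = [e.text.strip() for e in
                     conds.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if sp_entity_id not in audiences:
            failures.append("SP entity ID not in AudienceRestriction")
    bearer = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            bearer = sc.find("saml:SubjectConfirmationData", NS)
    if bearer is None:
        failures.append("no bearer SubjectConfirmation")
    else:
        if bearer.get("Recipient") != acs_url:
            failures.append("bearer Recipient is not this SP's assertion consumer URL")
        if bearer.get("InResponseTo") != expected_request_id:
            failures.append("bearer InResponseTo does not match the outstanding AuthnRequest")
        noa = bearer.get("NotOnOrAfter")
        if noa is None or now >= parse_instant(noa) + skew:
            failures.append("bearer SubjectConfirmationData expired or has no NotOnOrAfter")
    if not failures:
        seen_assertion_ids.add(a.get("ID"))
    return failures
```

Calling `validate_response(SAMPLE_RESPONSE, "_req1", ACS_URL, SP_ENTITY_ID, IDP_ENTITY_ID, now, set())` with `now` inside the 09:59 to 10:05 window returns an empty list; moving `now` past the window, changing the expected request ID, or presenting the same assertion ID twice through the same `seen_assertion_ids` set each produces a descriptive failure. Collecting every failure instead of stopping at the first keeps the SP's audit log useful when a misconfigured IdP sends a Response that is wrong in several ways at once.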