Hi Francesco,

Good work! A few questions for you:

a) Is there any documentation available on how to set this up for a Syncope deployment? I'll give it a try once there is.

b) Does the code support both the "RP" and "IdP" initiated flows? Both would be useful, although we could always add the other at a later stage if not.

c) I see CXF's SAMLProtocolResponseValidator in the code but not the SAMLSSOResponseValidator. The SAMLSSOResponseValidator takes care of validating the SAML Response against the web SSO profile, or are you doing this manually somewhere?

d) There are some TransformerFactory instances that need to have the secure processing feature enabled.

Thanks,

Colm.

On Tue, Mar 28, 2017 at 3:41 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

> Hi all,
> I have just submitted the PR #45 containing my work for SYNCOPE-1041: it basically introduces a new extension which allows to:
>
> 1. import IdP metadata and configure mapping to match internal users (also via admin console)
> 2. export SP metadata
> 3. enable Admin Console and Enduser to perform SAML-based SSO
>
> I have tested the feature with both
>
> https://www.testshib.org/
>
> and
>
> http://www.ssocircle.com/en/
>
> Please note that, as kindly suggested by Colm and Sergey, I did not re-implement the SAML assertion validation, but I did re-use cxf-rt-rs-security-sso-saml.
> At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should be close enough.
>
> Please let me have your feedback.
> Regards.
>
> On 07/03/2017 17:25, Francesco Chicchiriccò wrote:
>
>> On 07/03/2017 17:19, Colm O hEigeartaigh wrote:
>>
>>> Hi Francesco,
>>>
>>> It's good to see support for SAML coming to Syncope. I'd encourage you to re-use the functionality developed in CXF to validate the SAML Response from the IdP:
>>>
>>> https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
>>> https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
>>>
>>> I spent a lot of time reading the specs and making sure the validation rules were all followed :-)
>>
>> That's very nice, thanks for the pointers!
>> Regards.
>>
>>> On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>>
>>>> On 07/03/2017 11:56, Sergey Beryozkin wrote:
>>>>
>>>>> Hi Francesco
>>>>>
>>>>> Not sure if it can be relevant for this work but at the CXF level we have this SAML SP support:
>>>>>
>>>>> http://cxf.apache.org/docs/saml-web-sso.html,
>>>>>
>>>>> something Colm and myself worked upon earlier on.
>>>>
>>>> Thanks for the pointer, Sergey: I did already find it, though.
>>>>
>>>> This does not completely fit in our scenario since here the idea is to split the responsibilities in two: from one side the front-end web-fragment takes care of the SAML exchange, from the other side the Syncope core (e.g. the CXF application) works as back-end for the effective SAML assertion validation and generation.
>>>>
>>>> I'll look at the provided page and related implementation, anyway, thank you very much indeed.
>>>>
>>>> FYI, this class
>>>>
>>>> https://github.com/apache/wss4j/blob/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java
>>>>
>>>> has been already extremely useful to me, since OpenSAML 3 documentation is practically absent.
>>>>
>>>> Regards.
>>>>
>>>>> On 07/03/17 10:49, Francesco Chicchiriccò wrote:
>>>>>
>>>>>> Hi all,
>>>>>> I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose.
>>>>>>
>>>>>> I am already working on it, and it should be ready on time for Syncope 2.0.3.
>>>>>>
>>>>>> The idea is to embed the whole implementation in a PR, with option of further discussing before merge.
>>>>>>
>>>>>> Also, I would like to include, in the 2.0.3 release notes, a public "thank you" statement to the University of Helsinki similar to the one we made for 1.1.0 [2].
>>>>>>
>>>>>> WDYT?
>>>>>> Regards.
>>>>>>
>>>>>> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature
>>>>>> [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013)
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
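Colm's point (d) above, about enabling the secure processing feature on the TransformerFactory instances, illustrated as an added Java example that is neither Syncope, CXF nor WSS4J code. The class name, the helper methods and the two sample documents (including the `dtd.example.invalid` host, which is a placeholder that never resolves) are constructed for this example; the JAXP constants and calls are the standard `javax.xml` API.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (not Syncope, CXF or WSS4J code): building a TransformerFactory
 * with the JAXP secure-processing feature enabled, and checking what it blocks.
 */
public final class SecureTransformerFactoryExample {

    private SecureTransformerFactoryExample() {
    }

    /**
     * Returns a factory with FEATURE_SECURE_PROCESSING switched on. On the JDK's
     * built-in implementation (JDK 8 and later) the feature already blanks the
     * external DTD and stylesheet access lists; the explicit setAttribute calls
     * make the intent visible and cover implementations that do not derive them
     * from the feature.
     */
    public static TransformerFactory newSecureTransformerFactory()
            throws TransformerConfigurationException {

        TransformerFactory factory = TransformerFactory.newInstance();
        // Required by every JAXP implementation: entity-expansion limits and no
        // extension functions; on the JDK also no external resource access.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // JAXP 1.5 properties: an empty protocol list means "fetch nothing".
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Older non-JDK implementations reject unknown attributes; the
            // secure-processing feature set above remains in force.
        }
        return factory;
    }

    /** Identity transform through the given factory, i.e. what a serialiser does. */
    public static String serialize(TransformerFactory factory, String xml)
            throws TransformerException {

        Transformer transformer = factory.newTransformer();
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory secure = newSecureTransformerFactory();

        // Constructed sample: an ordinary document goes through unchanged.
        String plain = "<Response xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_1\"/>";
        System.out.println(serialize(secure, plain));

        // Constructed sample: a document whose DOCTYPE points at an external DTD.
        // The placeholder host never resolves; with the secure factory the
        // transformer refuses the external access before any fetch is attempted.
        String withExternalDtd =
                "<!DOCTYPE Response SYSTEM \"http://dtd.example.invalid/saml.dtd\">"
                + "<Response ID=\"_2\"/>";
        try {
            serialize(secure, withExternalDtd);
            System.out.println("external DTD was not blocked: check which JAXP implementation is on the classpath");
        } catch (TransformerException expected) {
            System.out.println("blocked as intended: " + expected.getMessage());
        }
    }
}
```

The same pattern applies to `DocumentBuilderFactory`, `SAXParserFactory` and `XMLInputFactory` instances that parse the SAML Response or metadata: each has its own secure-processing switch and external-access properties, and a factory obtained through `newInstance()` in a web container may not be the JDK's default one, which is why the second branch of the `main` method reports rather than assumes the outcome.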