[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-09 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281714#comment-17281714
 ] 

Robert Munteanu commented on SLING-9397:


The idea behind moving 'important' discussions on the dev list is that it 
increases visibility, both for people contributing to the discussion and for 
those who have a similar question (now or in the future). Of course, feel free 
to keep it in here, but it will be buried in the ticket.

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [X] Testing setup ( documentation, local SAML provider, etc )
> [X] Clarify whether we can depend on artifacts not deployed on Maven Central
> [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [X] Decide whether to make signing and encryption optional. Currently it is 
> required
> [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Find and fix any bugs. 
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-08 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281415#comment-17281415
 ] 

Cris Rockwell commented on SLING-9397:
--

Nope. Prefer to keep it on the ticket. Thanks






[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-08 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281413#comment-17281413
 ] 

Robert Munteanu commented on SLING-9397:


Can we please keep the conversation at 
https://lists.apache.org/thread.html/r145c766cf293c714d70f2b6981962f89c1254baeadad74c0bdf8f35f%40%3Cdev.sling.apache.org%3E
 ? It gets confusing when it's split, and we can always add the conclusions 
here.






Re: [jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-08 Thread Daniel Klco
Have you looked into Sling Commons Crypto?

https://sling.apache.org/documentation/bundles/commons-crypto.html

It would not be complete prevention, but at least that way the secrets
aren't stored plain-text. Of course even with that a malicious bundle could
retrieve the private configuration from the OSGi Config Manager, retrieve
the correct Crypto instance and decrypt the messages, but it would require
access to a properly configured instance.

This would prevent someone from reading the values directly from the
console or exporting the app, starting it somewhere else and reading the
values from the config.

On Mon, Feb 8, 2021 at 12:53 PM Cris Rockwell (Jira) 
wrote:

>
> [
> https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281261#comment-17281261
> ]
>
> Cris Rockwell commented on SLING-9397:
> --
>
> {quote}Who are you trying to protect the sensitive data from? As far as I
> can
> tell Sling is mostly being run in a single-tenant manner and there is
> no effort to make it multi-tenant.{quote}
> {quote}If you're trying to make it safe from malicious code deployed in the
> same JVM, I'd say that all bets are off already.{quote}
> Yes. My concern is making it harder in case of RCE or malicious Java
> bundles. I get the idea that ‘all bets are off’ in those scenarios.
> Security training instructs us to think in terms of layers. In keeping with
> the principle of least privilege: if these data aren't needed by other
> services and those services aren't fully trusted, then I should consider
> access control more carefully. That's why I'm considering simplifying the
> project structure to eliminate the config service and placing all the
> components and services within the same package, and using package-private
> scope.
>
>
>


[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-08 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281261#comment-17281261
 ] 

Cris Rockwell commented on SLING-9397:
--

{quote}Who are you trying to protect the sensitive data from? As far as I can
tell Sling is mostly being run in a single-tenant manner and there is
no effort to make it multi-tenant.{quote}
{quote}If you're trying to make it safe from malicious code deployed in the
same JVM, I'd say that all bets are off already.{quote}
Yes. My concern is making it harder in case of RCE or malicious Java bundles. I
get the idea that ‘all bets are off’ in those scenarios. Security training
instructs us to think in terms of layers. In keeping with the principle of
least privilege: if these data aren't needed by other services and those
services aren't fully trusted, then I should consider access control more
carefully. That's why I'm considering simplifying the project structure to
eliminate the config service and placing all the components and services within
the same package, and using package-private scope.




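Cris Rockwell's package-private layout and Daniel Klco's Sling Commons Crypto suggestion above, combined in one added example that is not code from the whiteboard module or from either author. The package name, the two classes, the `saml2.*` property names and the choice of `service = {}` are assumptions made for illustration; `CryptoService.encrypt`/`decrypt` are the Commons Crypto API the linked documentation describes.

```java
package org.apache.sling.auth.saml2.sp; // hypothetical package, not the whiteboard module's layout

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.apache.sling.commons.crypto.CryptoService;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

/**
 * Holds the SP signing key. Package-private and never registered as an OSGi
 * service, so nothing outside this package can look it up in the registry.
 */
final class SpKeyMaterial {
    private final PrivateKey signingKey;
    private final X509Certificate signingCert;

    private SpKeyMaterial(PrivateKey signingKey, X509Certificate signingCert) {
        this.signingKey = signingKey;
        this.signingCert = signingCert;
    }

    /** Loads one alias from a JKS/PKCS12 file; both password arrays are wiped before returning. */
    static SpKeyMaterial load(String path, char[] storePass, String alias, char[] keyPass)
            throws IOException, GeneralSecurityException {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, storePass);
            PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (key == null || cert == null) {
                throw new GeneralSecurityException("no private key entry for alias " + alias);
            }
            return new SpKeyMaterial(key, cert);
        } finally {
            Arrays.fill(storePass, '\0');
            Arrays.fill(keyPass, '\0');
        }
    }

    PrivateKey signingKey() { return signingKey; }
    X509Certificate signingCertificate() { return signingCert; }
}

/**
 * Owns the sensitive SAML2 configuration. service = {} means it registers no
 * service at all, so the handler and user-management components that need the
 * key must live in this package and call keyMaterial() directly.
 */
@Component(service = {}, immediate = true, configurationPolicy = ConfigurationPolicy.REQUIRE)
@Designate(ocd = Saml2KeyStoreComponent.Config.class)
public class Saml2KeyStoreComponent {

    @ObjectClassDefinition(name = "SAML2 SP Key Store (example)")
    @interface Config {
        @AttributeDefinition(name = "Key store path")
        String saml2_keystore_path();
        // Stored as the ciphertext produced by CryptoService.encrypt, never as plain text
        @AttributeDefinition(name = "Key store password (encrypted)", type = AttributeType.PASSWORD)
        String saml2_keystore_password();
        @AttributeDefinition(name = "SP signing key alias")
        String saml2_sp_key_alias();
        @AttributeDefinition(name = "SP signing key password (encrypted)", type = AttributeType.PASSWORD)
        String saml2_sp_key_password();
    }

    @Reference
    private CryptoService cryptoService;

    private volatile SpKeyMaterial keyMaterial;

    @Activate
    protected void activate(Config config) throws IOException, GeneralSecurityException {
        // Config Admin only ever holds ciphertext; the plaintext exists here just long enough
        // to open the store (the intermediate String cannot be wiped, only the char[] can).
        char[] storePass = cryptoService.decrypt(config.saml2_keystore_password()).toCharArray();
        char[] keyPass = cryptoService.decrypt(config.saml2_sp_key_password()).toCharArray();
        keyMaterial = SpKeyMaterial.load(config.saml2_keystore_path(), storePass,
                config.saml2_sp_key_alias(), keyPass);
    }

    @Deactivate
    protected void deactivate() { keyMaterial = null; }

    /** Package-private on purpose: no service, no public getter. */
    SpKeyMaterial keyMaterial() {
        SpKeyMaterial m = keyMaterial;
        if (m == null) throw new IllegalStateException("SAML2 key store component is not active");
        return m;
    }
}
```

A bundle in the same JVM can still obtain CryptoService and decrypt the stored ciphertext, which is the limit Daniel describes; what this layout removes is the plain-text value in the console or an exported config and the registry-wide exposure of the key material.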


[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-05 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17279811#comment-17279811
 ] 

Robert Munteanu commented on SLING-9397:


[~cris] - maybe ask on the dev list?






[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-05 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17279771#comment-17279771
 ] 

Cris Rockwell commented on SLING-9397:
--

One of the open items identified in the ticket description regards 
*SAML2ConfigService* and the implementation *SAML2ConfigServiceImpl*. This 
service provides SAML configurations to *AuthenticationHandlerSAML2* and 
*Saml2UserMgtServiceImpl*. 

Because SAML2ConfigService has keystore information, I find it uncomfortable 
making it generally available as an OSGI whiteboard service. I would like some 
feedback about the appropriate way to provide sensitive configurations only to 
the required services.






[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-06-19 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140558#comment-17140558
 ] 

Cris Rockwell commented on SLING-9397:
--

[~rombert] I've started some updates on this bundle: switched the build source and
target to Java 11, updated OpenSAML to V4, and clarified the processes in the README
for local testing. I'm in the process of making SSL, encryption and signing
optional. Keycloak Server has an option to do partial realm imports and
exports, which contain the realm "clients" and groups, but does not include
users (I assume for security reasons).

Here is a draft of the new README
https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler

As you can see some things are configured manually. 
* JAAS OSGI
* SAML2 OSGI
* Service User
** Service User Mapping
** Service User Creation
** Service User ACL 

A Composum package could be used to package the Service User and Service User
ACLs. I don't know how to include OSGI configs in a Composum package. I may be
wrong, but the UI doesn't seem to allow it.


> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Testing setup ( documentation, local SAML provider, etc )
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-29 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17119625#comment-17119625
 ] 

Robert Munteanu commented on SLING-9397:


[~cris_rockwell] - looking at the instructions, indeed the SSL setup is
complicated. One first good step would be to either make signing/encryption
optional or to provide a faster way to do it for Sling. Can this be done with a
content package or a script? I guess one self-signed keystore is something we
can script and then deploy on-demand to Sling. And I would assume that we can
automate Keycloak setup as well.

Docker/Maven things can come a bit later and I can help with that.






[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-28 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17118977#comment-17118977
 ] 

Cris Rockwell commented on SLING-9397:
--

Question about local testing using "docker or some sort of JUnit setup": I
assume this means one step that installs and configures an external IDP
(running locally), installs the related configurations for the SAML2 module in
Sling (perhaps a mvn profile), and runs integration JUnit tests. Let me know if
I misunderstood.

It could take me a while for that. My knowledge and experience using docker is
(shall we say) just now emerging. For example, I had Keycloak IDP running via
docker and a week later it wouldn't start at all. Since I'm a novice at docker
and had this trouble, I revised the instructions to download and install
Keycloak the old-fashioned way.

Nevertheless, I can take another pass... 

[ ] Change signing and encryption to optional. This will simplify localhost 
testing.
[ ] One step process to launch a preconfigured localhost IDP external to Sling
[ ] Maven profile to rollout OSGI SAML2 settings for localhost IDP above

Any kind of direct help or advice would be most appreciated. Otherwise, I'll
chip away at this localhost testing.






[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-26 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17116944#comment-17116944
 ] 

Robert Munteanu commented on SLING-9397:


[~cris_rockwell] - I'd like to create a local testing setup first. I think we 
should also consider adding some integration tests against an external SAML IDP 
running on localhost, either via docker or some sort of JUnit setup.






[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-25 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17116098#comment-17116098
 ] 

Robert Munteanu commented on SLING-9397:


[~cris_rockwell] - I plan to make a review pass this week. In the meantime, 
feel free to develop the module according to your needs.

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-14 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17107330#comment-17107330
 ] 

Cris Rockwell commented on SLING-9397:
--

Looks good. I've pulled the latest, built and confirmed the NOTICE has the 
statement by using the command below and inspecting the file. I've marked that 
as done in the description above.

{{jar xf org.apache.sling.auth.saml2-0.1.0-SNAPSHOT.jar META-INF/NOTICE}}

Let me know what is next. 

Thanks!

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-14 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17107007#comment-17107007
 ] 

Robert Munteanu commented on SLING-9397:


Now that the parent pom 39 is out, I've pushed the proposed changes in 
[sling-whiteboard commit 
d33702f2|https://github.com/apache/sling-whiteboard/commit/d33702f2].

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-11 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104475#comment-17104475
 ] 

Cris Rockwell commented on SLING-9397:
--

Sounds great. Thanks [~rombert]!

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-11 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104161#comment-17104161
 ] 

Robert Munteanu commented on SLING-9397:


I've started the release vote for the parent pom and the resource bundle. With 
the following changes to the SAML handler, the NOTICE file is generated 
correctly for me

{noformat}diff --git a/saml-handler/pom.xml b/saml-handler/pom.xml
index d1f6a07f..715cd4ee 100644
--- a/saml-handler/pom.xml
+++ b/saml-handler/pom.xml
@@ -15,7 +15,7 @@
   
 org.apache.sling
 sling-bundle-parent
-38
+39
 
   
 
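Review bot: the parent bump from 38 to 39 in this hunk ties the module to a sling-bundle-parent release that, per the comment above, is still under vote; until version 39 is actually published the build cannot resolve its parent, so this should land only once the vote passes and the artifacts are released, which also touches the open TODO about depending on artifacts not deployed on Maven Central.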
@@ -35,6 +35,9 @@
 admin
 admin
 true
+This module includes modified code from 
webprofile-ref-project-v3 [1], which has ASL2 as the license.
+
+[1]: 
https://bitbucket.org/srasmusson/webprofile-ref-project-v3
   
 
   
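Review bot: the property value added in this hunk spans several lines, including a blank line before the `[1]:` footnote, and that whitespace is copied into the generated NOTICE verbatim; please confirm the built META-INF/NOTICE (the `jar xf ... META-INF/NOTICE` extraction Cris describes in his 2020-05-14 comment is a quick way to do this) shows the attribution and the footnote laid out as intended, and that the statement is appended to the standard Sling NOTICE text rather than replacing it, as requested earlier in the thread.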
{noformat}

Of course, this needs the vote to pass and the artifacts to be released.

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-08 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17102350#comment-17102350
 ] 

Robert Munteanu commented on SLING-9397:


Thanks for the jar-resource-bundle PR [~cris_rockwell]! Yes, once that is 
merged and included in the saml handler module, the NOTICE issue will be fixed.

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 40m
>  Remaining Estimate: 167h 20m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-07 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101911#comment-17101911
 ] 

Cris Rockwell commented on SLING-9397:
--

Regarding NOTICE, it's building from the Velocity template below. The template 
would need to be updated to place a module notice statement into this, and I 
made a PR to do that.
 * 
[https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm]
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1]

 

Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 
1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent 
would also need to increment the version to 1.0.1
 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml]

 

After which, modules can place a notice statement in the pom.xml properties

{noformat}
This module includes modified code from webprofile-ref-project-v3 [1], which 
has ASL2 as the license.
[1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3
{noformat}

 

And then the NOTICE will be built using the updated template and also have 
whatever noticeStatement is needed by the module.

 

SAML2 Service Provider

    This module includes modified code from webprofile-ref-project-v3 [1], 
which has ASL2 as the license.
    [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3]


Copyright 2007-2020 The Apache Software Foundation

Apache Sling is based on source code originally developed
by Day Software (http://www.day.com/).

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).

 

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-07 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101571#comment-17101571
 ] 

Robert Munteanu commented on SLING-9397:


[~cris_rockwell] - I've whitelisted your user in Jenkins for the 
sling-whiteboard module, so PRs should be validated automatically instead of 
waiting for me to manually trigger a build. Also, I've noticed that the NOTICE 
file you added is not reflected in the jar file - it still contains our 
standard NOTICE. Can you please look into that? Also, the text you added in the 
notice file should be in addition to the text we have in our standard one.

Also, if you prefer, you can reference the Jira issue in each PR, so they are 
automatically linked.

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-06 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101051#comment-17101051
 ] 

Cris Rockwell commented on SLING-9397:
--

WRT the Web Profile SSO Profile specification, line 396 states...
??SAML Confirmation Method Identifiers: The SAML V2.0 "bearer" confirmation 
method identifier, urn:oasis:names:tc:SAML:2.0:cm:bearer, is used by this 
profile.??

 

And this is manifested in the saml2 response

[SubjectConfirmation element of the SAML2 response; the XML markup did not survive extraction. The only recoverable attribute is Recipient="https://localhost:2443/sp/consumer"]

 
Line 364 gives an example about how to use this data. The data above was taken 
from an example from my localhost tests on April 14th.

The bearer of the assertion can confirm itself as the subject, provided the 
assertion is delivered in a message sent to "https://localhost:2443/sp/consumer" 
before 14:33 GMT on April 14th, 2020, in response to a request with ID 
"_498f728a71735ba28bbc19d634517c18".

When processing the SAML2 Response, this relying party code needs to validate 
these three conditions.

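The three conditions listed in the comment above, as a stand-alone relying-party check in Python; this is an added example using only the standard library, not code from the Sling handler or OpenSAML. The sample Response is constructed from the Recipient and request ID quoted above with an assumed NotOnOrAfter instant, and the Response signature is assumed to have been verified before this check runs.

```python
# Added example (not code from the Sling SAML2 handler or OpenSAML): the three
# bearer SubjectConfirmation checks a relying party makes on a SAML2 Response.
# Assumes the Response/Assertion signature was already verified separately.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample Response. Recipient and InResponseTo are the values quoted
# in the comment; the NotOnOrAfter instant is assumed (matches "14:33 GMT").
SAMPLE_RESPONSE = """\
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_response_constructed" Version="2.0">
  <saml2:Assertion ID="_assertion_constructed" Version="2.0">
    <saml2:Subject>
      <saml2:NameID>user@example.test</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData
            Recipient="https://localhost:2443/sp/consumer"
            NotOnOrAfter="2020-04-14T14:33:00Z"
            InResponseTo="_498f728a71735ba28bbc19d634517c18"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>
"""


def parse_saml_time(value):
    """SAML xs:dateTime values are UTC with a trailing 'Z'; make them aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_bearer_confirmation(response_xml, acs_url, request_id, now,
                                 clock_skew_seconds=0):
    """Return (accepted, reason) for a Response received at `now` (aware UTC).

    A SubjectConfirmation is acceptable only if its Method is bearer and its
    SubjectConfirmationData names our ACS URL as Recipient, carries a
    NotOnOrAfter that has not passed (allowing clock_skew_seconds) and an
    InResponseTo equal to the ID of the AuthnRequest we sent. Confirmations
    that fail any check are skipped; if none passes the assertion is rejected.
    """
    root = ET.fromstring(response_xml)
    skew = timedelta(seconds=clock_skew_seconds)
    reasons = []
    for sc in root.findall(".//saml2:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            reasons.append("Method %r is not bearer" % sc.get("Method"))
            continue
        data = sc.find("saml2:SubjectConfirmationData", NS)
        if data is None:
            reasons.append("bearer confirmation lacks SubjectConfirmationData")
            continue
        if data.get("Recipient") != acs_url:
            reasons.append("Recipient %r is not our ACS URL" % data.get("Recipient"))
            continue
        deadline = data.get("NotOnOrAfter")
        if deadline is None or now - skew >= parse_saml_time(deadline):
            reasons.append("NotOnOrAfter %r missing or already passed" % deadline)
            continue
        if data.get("InResponseTo") != request_id:
            reasons.append("InResponseTo %r is not our request" % data.get("InResponseTo"))
            continue
        return True, "bearer confirmation accepted"
    return False, "; ".join(reasons) or "no SubjectConfirmation present"
```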
> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  


