[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281714#comment-17281714 ]

Robert Munteanu commented on SLING-9397:

The idea behind moving 'important' discussions on the dev list is that it increases visibility, both for people contributing to the discussion and for those who have a similar question (now or in the future). Of course, feel free to keep it in here, but it will be buried in the ticket.

> SAML2 Authentication Handler [initial submission]
> -------------------------------------------------
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
> Issue Type: New Feature
> Components: Authentication
> Environment: localhost
> Reporter: Cris Rockwell
> Assignee: Cris Rockwell
> Priority: Major
> Labels: SAML, authentification, security, user_management
> Original Estimate: 168h
> Time Spent: 1h 20m
> Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution
> "As the code is ASL2 and does not require a notice or anything else, we don't need to mention it. But I think it's usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license"
>
> *TODO After Initial*
> [X] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [X] Testing setup (documentation, local SAML provider, etc.)
> [X] Clarify whether we can depend on artifacts not deployed on Maven Central
> [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [X] Decide whether to make signing and encryption optional. Currently it is required
> [X] Get feedback whether README instructions are too much, too little, unclear, etc.
> [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Find and fix any bugs.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281415#comment-17281415 ]

Cris Rockwell commented on SLING-9397:

Nope. Prefer to keep it on the ticket. Thanks
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281413#comment-17281413 ]

Robert Munteanu commented on SLING-9397:

Can we please keep the conversation at https://lists.apache.org/thread.html/r145c766cf293c714d70f2b6981962f89c1254baeadad74c0bdf8f35f%40%3Cdev.sling.apache.org%3E ? It gets confusing when it's split, and we can always add the conclusions here.
Re: [jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
Have you looked into Sling Commons Crypto? https://sling.apache.org/documentation/bundles/commons-crypto.html

It would not be complete prevention, but at least that way the secrets aren't stored plain-text. Of course even with that a malicious bundle could retrieve the private configuration from the OSGi Config Manager, retrieve the correct Crypto instance and decrypt the messages, but it would require access to a properly configured instance. This would prevent someone from reading the values directly from the console or exporting the app, starting it somewhere else and reading the values from the config.

On Mon, Feb 8, 2021 at 12:53 PM Cris Rockwell (Jira) wrote:
>
> [ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281261#comment-17281261 ]
>
> Cris Rockwell commented on SLING-9397:
>
> {quote}Who are you trying to protect the sensitive data from? As far as I can tell Sling is mostly being run in a single-tenant manner and there is no effort to make it multi-tenant.{quote}
> {quote}If you're trying to make it safe from malicious code deployed in the same JVM, I'd say that all bets are off already.{quote}
>
> Yes. My concern is making it harder in case of RCE or malicious Java bundles. I get the idea that 'all bets are off' in those scenarios. Security training instructs us to think in terms of layers. In keeping with the principle of least privilege: if these data aren't needed by other services and those services aren't fully trusted, then I should consider access control more carefully. That's why I'm considering simplifying the project structure to eliminate the config service and placing all the components and services within the same package, and using package-private scope.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281261#comment-17281261 ]

Cris Rockwell commented on SLING-9397:

{quote}Who are you trying to protect the sensitive data from? As far as I can tell Sling is mostly being run in a single-tenant manner and there is no effort to make it multi-tenant.{quote}
{quote}If you're trying to make it safe from malicious code deployed in the same JVM, I'd say that all bets are off already.{quote}

Yes. My concern is making it harder in case of RCE or malicious Java bundles. I get the idea that 'all bets are off' in those scenarios. Security training instructs us to think in terms of layers. In keeping with the principle of least privilege: if these data aren't needed by other services and those services aren't fully trusted, then I should consider access control more carefully. That's why I'm considering simplifying the project structure to eliminate the config service and placing all the components and services within the same package, and using package-private scope.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17279811#comment-17279811 ]

Robert Munteanu commented on SLING-9397:

[~cris] - maybe ask on the dev list?
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17279771#comment-17279771 ]

Cris Rockwell commented on SLING-9397:

One of the open items identified in the ticket description regards *SAML2ConfigService* and the implementation *SAML2ConfigServiceImpl*. This service provides SAML configurations to *AuthenticationHandlerSAML2* and *Saml2UserMgtServiceImpl*. Because SAML2ConfigService has keystore information, I find it uncomfortable making it generally available as an OSGi whiteboard service. I would like some feedback about the appropriate way to provide sensitive configurations only to the required services.
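The two design ideas raised in this thread, storing the keystore password as Sling Commons Crypto ciphertext instead of plaintext OSGi configuration, and keeping the configuration out of a publicly exported whiteboard service by using one non-exported package with package-private accessors, can be combined in a single DS component. The class below is an added, hypothetical example written for this page; it is not code from the sling-whiteboard pull request, and the package, class and configuration property names are invented. The only external API it assumes is Sling Commons Crypto's `org.apache.sling.commons.crypto.CryptoService` with its `decrypt(String)` method, plus standard OSGi DS and Metatype annotations.

```java
package org.apache.sling.auth.saml2.impl; // hypothetical package, NOT exported by the bundle

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.apache.sling.commons.crypto.CryptoService;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

/**
 * Hypothetical stand-in for a public SAML2ConfigService. It is registered only under
 * its own implementation class, which lives in a package this bundle does not export,
 * so no foreign bundle can bind to it by type; the handler and user-management
 * components in this same package @Reference it and receive key material only.
 */
@Component(service = Saml2KeystoreAccess.class, configurationPolicy = ConfigurationPolicy.REQUIRE)
@Designate(ocd = Saml2KeystoreAccess.Config.class)
public class Saml2KeystoreAccess {

    @ObjectClassDefinition(name = "SAML2 keystore access (hypothetical example)")
    public @interface Config {
        @AttributeDefinition(description = "Path of the keystore holding the SP signing key")
        String keystore_path();

        @AttributeDefinition(description = "Keystore type, e.g. PKCS12 or JKS")
        String keystore_type() default "PKCS12";

        // PASSWORD only masks the value in the web console; the stored value itself is the
        // Sling Commons Crypto ciphertext, so a copied config file does not reveal the password.
        @AttributeDefinition(type = AttributeType.PASSWORD,
                description = "Keystore password, encrypted with Sling Commons Crypto")
        String keystore_password_encrypted();

        @AttributeDefinition(description = "Alias of the SP signing key pair")
        String key_alias();
    }

    @Reference
    private CryptoService cryptoService;

    private PrivateKey signingKey;
    private X509Certificate signingCert;

    @Activate
    protected void activate(Config config) throws IOException, GeneralSecurityException {
        // Decrypt only while opening the keystore; the plaintext password never becomes a field.
        char[] password = cryptoService.decrypt(config.keystore_password_encrypted()).toCharArray();
        try (InputStream in = new FileInputStream(config.keystore_path())) {
            KeyStore ks = KeyStore.getInstance(config.keystore_type());
            ks.load(in, password);
            signingKey = (PrivateKey) ks.getKey(config.key_alias(), password);
            signingCert = (X509Certificate) ks.getCertificate(config.key_alias());
            if (signingKey == null || signingCert == null) {
                throw new GeneralSecurityException("no key pair under alias " + config.key_alias());
            }
        } finally {
            Arrays.fill(password, '\0'); // wipe the decrypted password once the keystore is loaded
        }
    }

    @Deactivate
    protected void deactivate() {
        signingKey = null;
        signingCert = null;
    }

    // Package-private on purpose: only the handler and user-management code in this
    // package can obtain key material, and nothing exposes the password or raw config.
    PrivateKey signingKey() {
        return signingKey;
    }

    X509Certificate signingCertificate() {
        return signingCert;
    }
}
```

The ciphertext for `keystore.password.encrypted` is produced once with the same `CryptoService` instance (its `encrypt(String)` method) and pasted into the OSGi configuration. As the reply on the dev list notes, this raises the bar rather than removing the risk: a bundle already running in the JVM can still obtain the `CryptoService` and the configuration, so the gain is against copied config files, console readers and exported instances, not against malicious code inside the same framework.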
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140558#comment-17140558 ]

Cris Rockwell commented on SLING-9397:

[~rombert] I've started some updates on this bundle: switched build source and target to Java 11, updated OpenSAML to V4, and clarified the processes in the README for local testing. I'm in the process of making SSL, encryption and signing optional.

Keycloak Server has an option to do partial realm imports and exports, which contain the realm "clients" and groups, but does not include users (I assume for security reasons).

Here is a draft of the new README https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler

As you can see some things are configured manually.
* JAAS OSGI
* SAML2 OSGI
* Service User
** Service User Mapping
** Service User Creation
** Service User ACL

A Composum package could be used to package the Service User and Service User ACLs. I don't know how to include OSGI configs in a Composum package. I may be wrong but the UI doesn't seem to allow it.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17119625#comment-17119625 ]

Robert Munteanu commented on SLING-9397:

[~cris_rockwell] - looking at the instructions indeed the SSL setup is complicated. One first good step would be to either make signing/encryption optional or to provide a faster way to do it for Sling. Can this be done with a content package or a script? I guess one self-signed keystore is something we can script and then deploy on-demand to Sling. And I would assume that we can automate keycloak setup as well.

Docker/Maven things can come a bit later and I can help with that.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17118977#comment-17118977 ]

Cris Rockwell commented on SLING-9397:

Question about local testing using "docker or some sort of JUnit setup": I assume this means one step that installs and configures an external IDP (running locally), installs the related configurations for the SAML2 module in Sling (perhaps a mvn profile), and runs integration JUnit tests. Let me know if I misunderstood.

It could take me a while for that. My knowledge and experience using docker is (shall we say) just now emerging. For example, I had Keycloak IDP running via docker and a week later it wouldn't start at all. Since I'm a novice at docker and had this trouble, I had revised the instructions to download and install Keycloak the old fashioned way. Nevertheless, I can take another pass...

[ ] Change signing and encryption to optional. This will simplify localhost testing.
[ ] One step process to launch a preconfigured localhost IDP external to Sling
[ ] Maven profile to roll out OSGI SAML2 settings for the localhost IDP above

Any kind of direct help or advice would be most appreciated. Otherwise, I'll chip away at this localhost testing.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17116944#comment-17116944 ]

Robert Munteanu commented on SLING-9397:

[~cris_rockwell] - I'd like to create a local testing setup first. I think we should also consider adding some integration tests against an external SAML IDP running on localhost, either via docker or some sort of JUnit setup.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17116098#comment-17116098 ]

Robert Munteanu commented on SLING-9397:

[~cris_rockwell] - I plan to make a review pass this week. In the meantime, feel free to develop the module according to your needs.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17107330#comment-17107330 ]

Cris Rockwell commented on SLING-9397:

Looks good. I've pulled the latest, built and confirmed the NOTICE has the statement by using the command below and inspecting the file. I've marked that as done in the description above.

{{jar xf org.apache.sling.auth.saml2-0.1.0-SNAPSHOT.jar META-INF/NOTICE}}

Let me know what is next. Thanks!
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17107007#comment-17107007 ]

Robert Munteanu commented on SLING-9397:

Now that the parent pom 39 is out, I've pushed the proposed changes in [sling-whiteboard commit d33702f2|https://github.com/apache/sling-whiteboard/commit/d33702f2].
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104475#comment-17104475 ]

Cris Rockwell commented on SLING-9397:
--

Sounds great. Thanks [~rombert]!
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104161#comment-17104161 ]

Robert Munteanu commented on SLING-9397:

I've started the release vote for the parent pom and the resource bundle. With the following changes to the SAML handler, the NOTICE file is generated correctly for me

{noformat}
diff --git a/saml-handler/pom.xml b/saml-handler/pom.xml index d1f6a07f..715cd4ee 100644 --- a/saml-handler/pom.xml +++ b/saml-handler/pom.xml @@ -15,7 +15,7 @@ org.apache.sling sling-bundle-parent -38 +39
@@ -35,6 +35,9 @@ admin admin true +This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license. + +[1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3
{noformat}

Of course, this needs the vote to pass and the artifacts to be released.
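Review bot: merging the first hunk's parent bump (`-38` / `+39`) before the release vote mentioned in the comment has passed leaves the module with an unresolvable parent pom for anyone building from a plain checkout; hold the merge until sling-bundle-parent 39 is actually released, or record the dependency on the vote in the PR so a failed build is not mistaken for a problem in the module itself.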
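Review bot: in the second hunk the element name that carries the added notice text is not visible in this rendering (only the context values `admin`, `admin`, `true` and the added lines survive), so the patch as shown cannot confirm that the property name matches the one the updated NOTICE.vm template reads; check that against the real diff, and verify on the built jar that META-INF/NOTICE contains both the standard Sling text and this module statement rather than one replacing the other, which is the defect flagged earlier in the thread.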
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17102350#comment-17102350 ]

Robert Munteanu commented on SLING-9397:

Thanks for the jar-resource-bundle PR [~cris_rockwell]! Yes, once that is merged and included in the saml handler module, the NOTICE issue will be fixed.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101911#comment-17101911 ]

Cris Rockwell commented on SLING-9397:
--

Regarding NOTICE, it's building from the Velocity template below. The template would need to be updated to place a module notice statement into this, and I made a PR to do that.

* [https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm]
* [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1]

Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent would also need to increment the version to 1.0.1

* [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml]

After which, modules can place a notice statement in the pom.xml properties

{{ This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license.}}
{{ [1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3}}

And then the NOTICE will be built using the updated template and also have whatever noticeStatement is needed by the module.

{noformat}
SAML2 Service Provider

This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license.
[1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3

Copyright 2007-2020 The Apache Software Foundation

Apache Sling is based on source code originally developed by Day Software (http://www.day.com/).

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).
{noformat}
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101571#comment-17101571 ]

Robert Munteanu commented on SLING-9397:

[~cris_rockwell] - I've whitelisted your user in Jenkins for the sling-whiteboard module, so PRs should be validated automatically instead of waiting for me to manually trigger a build.

Also, I've noticed that the NOTICE file you added is not reflected in the jar file - it still contains our standard NOTICE. Can you please look into that? Also, the text you added in the notice file should be in addition to the text we have in our standard one.

Also, if you prefer, you can reference the Jira issue in each PR, so they are automatically linked.
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101051#comment-17101051 ]

Cris Rockwell commented on SLING-9397:
--

WRT the Web Profile SSO Profile specification, line 396 states...

??SAML Confirmation Method Identifiers: The SAML V2.0 "bearer" confirmation method identifier, urn:oasis:names:tc:SAML:2.0:cm:bearer, is used by this profile.??

And this is manifested in the saml2 response:

{{..}} {{https://localhost:2443/sp/consumer}}

Line 364 gives an example about how to use this data. The data above was taken from an example from my localhost tests on April 14th.

The bearer of the assertion can confirm itself as the subject, provided the assertion is delivered in a message sent to "[https://localhost:2443/sp/consumer]" before 14:33 GMT on April 14th, 2020, in response to a request with ID "_498f728a71735ba28bbc19d634517c18".

When processing the SAML2 Response, this relying party code needs to validate these three conditions.
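The three bearer conditions named in that comment (Recipient, NotOnOrAfter, InResponseTo), as an added example in Python over a constructed Response rather than the handler's own Java/OpenSAML code; it assumes the Response's XML signature has already been verified, which the handler currently requires, and the consumer URL, request ID and deadline are the values quoted in the thread.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample Response; the request ID and the 14:33 GMT deadline are
# the values quoted in the thread. Signature elements are omitted because this
# example assumes the XML signature was already verified upstream.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_498f728a71735ba28bbc19d634517c18">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-04-14T14:28:00Z">
    <saml:Subject>
      <saml:NameID>user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://localhost:2443/sp/consumer"
            NotOnOrAfter="2020-04-14T14:33:00Z"
            InResponseTo="_498f728a71735ba28bbc19d634517c18"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse the xs:dateTime form SAML uses (UTC, trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bearer_confirmation_errors(response_xml, acs_url, expected_request_id, now):
    """Return [] if some bearer SubjectConfirmation satisfies all three
    conditions, otherwise the reasons every candidate failed: Recipient must be
    this SP's consumer URL, NotOnOrAfter must still lie in the future (the
    instant itself is already expired), InResponseTo must be our request ID."""
    root = ET.fromstring(response_xml)
    errors = []
    for sc in root.iter("{%s}SubjectConfirmation" % SAML_NS):
        if sc.get("Method") != BEARER:
            continue  # only the bearer method is used by this profile
        data = sc.find("{%s}SubjectConfirmationData" % SAML_NS)
        if data is None:
            errors.append("bearer confirmation without SubjectConfirmationData")
            continue
        failed = []
        if data.get("Recipient") != acs_url:
            failed.append("Recipient %r is not %r" % (data.get("Recipient"), acs_url))
        deadline = data.get("NotOnOrAfter")
        if deadline is None or now >= parse_instant(deadline):
            failed.append("NotOnOrAfter %r has passed" % deadline)
        if data.get("InResponseTo") != expected_request_id:
            failed.append("InResponseTo %r is not %r" % (data.get("InResponseTo"), expected_request_id))
        if not failed:
            return []  # one fully valid bearer confirmation is sufficient
        errors.extend(failed)
    return errors or ["no bearer SubjectConfirmation present"]
```

A Response with no bearer confirmation at all is rejected rather than silently accepted, and `now` is passed in so the check is deterministic to test against a fixed clock.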