Re: [xwiki-users] SSO/SAML: issue with example provided on Github
Hi Nicolas,

If I remember correctly I wrote this authenticator and I think it requires some code in XWiki pages to manage the redirects but I don't think I have this code anymore. Plus it was for one custom SAML server and has not been tested with multiple ones.

In any case it's a good basis for starting a SAML authenticator. If you are coding against a more widespread SAML server, do contribute your code :) You can take over the module fully as no backwards compatibility is needed.

Ludovic

2013/3/27 Nicolas Sanitas nicolas.sani...@intech.lu
> Thank you Thomas,
>
> I'll try the new POM ASAP (I already updated the version of opensaml to 2.4.1 in my POM).
> No, the JAR was not built, but it was the only message I could see :-(
>
> I keep you informed. Have a good day.
>
> 2013/3/27 Thomas Mortagne thomas.morta...@xwiki.com
>> Looks like the version of opensaml used by this module is not in a very good state wherever it's stored, I changed it for the last one (2.5.1-1) and it seems better now.
>>
>> On Wed, Mar 27, 2013 at 7:49 AM, Thomas Mortagne thomas.morta...@xwiki.com wrote:
>>> On Tue, Mar 26, 2013 at 11:54 PM, Nicolas Sanitas nicolas.sani...@intech.lu wrote:
>>>> Hello everybody,
>>>>
>>>> I would like to authenticate users via a SAML server. I read this page http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication. I would like to try the example project provided on Github: https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-saml (rather 'old').
>>>>
>>>> When I want to build the project, I've got this error:
>>>>
>>>> [WARNING] The POM for jfree:jfreechart:jar:1.0.0-rc1-xwiki is missing, no dependency information available
>>>
>>> This is not an error and is expected in this version AFAIK. Was the JAR file built ? If not then it does not have anything to do with this warning, must be something else.
>>>
>>>> I precise that I tried using Maven and Nexus XWiki repos. Could you help me, please?
>>>>
>>>> Thanks in advance,
>>>> Nicolas
>>>
>>> --
>>> Thomas Mortagne
>>
>> --
>> Thomas Mortagne

--
Ludovic Dubost
Founder and CEO
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost
GTalk: ldubost
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
Nicolas,

If you'd be able to rebuild this module so that it at least compiles and does something, I'd also be interested in trying it and contributing to its development.

Valdis

> Hi Nicolas,
>
> If I remember correctly I wrote this authenticator and I think it requires some code in XWiki pages to manage the redirects but I don't think I have this code anymore. Plus it was for one custom SAML server and has not been tested with multiple ones.
>
> In any case it's a good basis for starting a SAML authenticator. If you are coding against a more widespread SAML server, do contribute your code :) You can take over the module fully as no backwards compatibility is needed.
>
> Ludovic
> ...
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
If that is really the case then sticking xwiki in a tomcat container and fronting with apache / mod_shib and using http authenticator is by far the simplest way to get SAML auth to your Xwiki.. this would take about a day or two assuming you have a working SAML environment Identity Provider / Federation wise.

re/writing a true SAML compliant authenticator is (I'm going to bet) far more time consuming.. you have to deal with all the constraints and bit level SAML which is where the brunt of the security comes from.. and the registration and management of metadata.. etc.. etc..

-- thanks kevin.foote

On Fri, 29 Mar 2013, Valdis Vītoliņš wrote:
> I agree in general, but devil is in details. If I have usual time constrained project, and have to ship something in, say, two months; then I have to develop anything that works, not the best solution.
>
> I have looked to some of these projects, though currently integration with these requires too much learning project internalities to be achievable in short-term project.
>
> I'd like to help build something, that could be deployable by putting some jar file and writing settings in xwiki.cfg, but I'm not experienced enough and have no time to go in long and deep custom development.
>
> Valdis
>
>> Just a comment.. (I'm a list watcher 99.9% of the time)
>>
>> XWIKI will work just fine with SAML products that engage at the container level.. You just use a HTTP auth type authenticator which there are a few out there in the contributions area.
>>
>> My advice would be to NOT write to the SAML protocol where this gets really intricate.. but to just let the known to work SAML products do their thing. Pulling the SAML bits into XWIKI does not buy you anything intricate to the product and just adds much more room for error on the authenticator.
>>
>> People wanting to implement their own SAML stack inside 'web appX' is a topic that always comes up on some of the lists I'm on and the SAML people always say there is really no reason to do this..
>>
>> So IMO leave the SAML bits to saml products** and use a http authenticator that you like.
>>
>> ** Just to name a few:
>>  - http://simplesamlphp.org/ ,
>>  - http://shibboleth.net/ ,
>>  - https://github.com/guanxi/guanxi-sp-guard ,
>>
>> -- thanks kevin.foote
>>
>> On Fri, 29 Mar 2013, Valdis Vītoliņš wrote:
>>> Nicolas,
>>>
>>> If you'd be able to rebuild this module so that it at least compiles and does something, I'd also be interested in trying it and contributing to its development.
>>>
>>> Valdis
>>>
>>>> Hi Nicolas,
>>>>
>>>> If I remember correctly I wrote this authenticator and I think it requires some code in XWiki pages to manage the redirects but I don't think I have this code anymore. Plus it was for one custom SAML server and has not been tested with multiple ones.
>>>>
>>>> In any case it's a good basis for starting a SAML authenticator. If you are coding against a more widespread SAML server, do contribute your code :) You can take over the module fully as no backwards compatibility is needed.
>>>>
>>>> Ludovic
>>>> ...
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
Hi Kevin,

Good comment. It's true that using the default XWiki authenticator and relying on a Tomcat or Apache level authenticator is always an easier way than full protocol implementation.

However we usually also want to have the XWiki user be created with data coming from the authentication.

Have you seen this done ? Can you point out which SAML product that you know of and that have a container level implementation and that you have seen working with XWiki ?

Ludovic

2013/3/29 Kevin P. Foote kpfo...@iup.edu
> Just a comment.. (I'm a list watcher 99.9% of the time)
>
> XWIKI will work just fine with SAML products that engage at the container level.. You just use a HTTP auth type authenticator which there are a few out there in the contributions area.
>
> My advice would be to NOT write to the SAML protocol where this gets really intricate.. but to just let the known to work SAML products do their thing. Pulling the SAML bits into XWIKI does not buy you anything intricate to the product and just adds much more room for error on the authenticator.
>
> People wanting to implement their own SAML stack inside 'web appX' is a topic that always comes up on some of the lists I'm on and the SAML people always say there is really no reason to do this..
>
> So IMO leave the SAML bits to saml products** and use a http authenticator that you like.
>
> ** Just to name a few:
>  - http://simplesamlphp.org/ ,
>  - http://shibboleth.net/ ,
>  - https://github.com/guanxi/guanxi-sp-guard ,
>
> -- thanks kevin.foote
>
> On Fri, 29 Mar 2013, Valdis Vītoliņš wrote:
>> Nicolas,
>>
>> If you'd be able to rebuild this module so that it at least compiles and does something, I'd also be interested in trying it and contributing to its development.
>>
>> Valdis
>>
>>> Hi Nicolas,
>>>
>>> If I remember correctly I wrote this authenticator and I think it requires some code in XWiki pages to manage the redirects but I don't think I have this code anymore. Plus it was for one custom SAML server and has not been tested with multiple ones.
>>>
>>> In any case it's a good basis for starting a SAML authenticator. If you are coding against a more widespread SAML server, do contribute your code :) You can take over the module fully as no backwards compatibility is needed.
>>>
>>> Ludovic
>>> ...
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
On Fri, 29 Mar 2013, Ludovic Dubost wrote:
> Good comment. It's true that using the default XWiki authenticator and relying on a Tomcat or Apache level authenticator is always an easier way than full protocol implementation.
>
> However we usually also want to have the XWiki user be created with data coming from the authentication.

Yes.. I have this type of authN-Z / creation working.. I don't know where you all moved the contributions repository to.. But I based my authenticator off one of those and it does do what you are talking about.

> Have you seen this done ? Can you point out which SAML product that you know of and that have a container level implementation and that you have seen working with XWiki ?

Yes.. I am most familiar with shibboleth.net products and the SP is coded to either IIS or Apache ... both of which can front xwiki without problems.

-- thanks kevin.foote
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
On Fri, 29 Mar 2013, Kevin P. Foote wrote:
> On Fri, 29 Mar 2013, Ludovic Dubost wrote:
>> Good comment. It's true that using the default XWiki authenticator and relying on a Tomcat or Apache level authenticator is always an easier way than full protocol implementation.
>>
>> However we usually also want to have the XWiki user be created with data coming from the authentication.
>
> Yes.. I have this type of authN-Z / creation working.. I don't know where you all moved the contributions repository to.. But I based my authenticator off one of those and it does do what you are talking about.

github.com/kevinfoote/xwiki-authenticator-guanxi ((Haven't touched this in quite some time)) so mileage may vary.

This uses incoming REMOTE_USER and values coming in from the Shib-SP

-- thanks kevin.foote
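
The container-level setup Kevin describes in this thread (Apache with mod_shib in front of Tomcat, XWiki reading REMOTE_USER), sketched as an added example that is not part of any message in the thread and is not taken from his authenticator. The host name, certificate paths, AJP port and the xwiki.cfg class value are placeholders.

```apache
# Constructed example: host name, certificate paths and AJP port are placeholders.
<VirtualHost *:443>
    ServerName wiki.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key

    # Hand /xwiki to Tomcat over AJP (mod_proxy_ajp). Over AJP the authenticated
    # user travels as a protocol attribute, not as an HTTP header that a browser
    # could send on its own.
    ProxyPass /xwiki ajp://127.0.0.1:8009/xwiki

    <Location /xwiki>
        # mod_shib runs the SAML exchange with the IdP and sets REMOTE_USER.
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # On Apache 2.4, "Require shib-session" is the equivalent rule.
        Require valid-user
        # Keep SAML attributes in the request environment (the default) rather
        # than in HTTP request headers, which clients can forge.
        ShibUseHeaders Off
    </Location>
</VirtualHost>

# Tomcat side (server.xml, shown as a comment because it is a different file):
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
# tomcatAuthentication="false" makes Tomcat accept the user asserted by Apache;
# binding the connector to 127.0.0.1 keeps any other host from asserting one.
#
# Shibboleth side (shibboleth2.xml): attributePrefix="AJP_" on
# <ApplicationDefaults>, so mod_proxy_ajp forwards the SAML attributes to Tomcat
# as request attributes.
#
# XWiki side (xwiki.cfg):
#   xwiki.authentication.authclass=<class of the REMOTE_USER authenticator in use>
# The value above is a placeholder, not a real class name.
```

The point to check in any such deployment is that Tomcat is reachable only through the Apache front end, since the authenticator trusts whatever user name arrives from it.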
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
Right I had seen that one. If you want you can move it to: https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/ with the other authenticators.

Ludovic

2013/3/29 Kevin P. Foote kpfo...@iup.edu
> On Fri, 29 Mar 2013, Kevin P. Foote wrote:
>> On Fri, 29 Mar 2013, Ludovic Dubost wrote:
>>> Good comment. It's true that using the default XWiki authenticator and relying on a Tomcat or Apache level authenticator is always an easier way than full protocol implementation.
>>>
>>> However we usually also want to have the XWiki user be created with data coming from the authentication.
>>
>> Yes.. I have this type of authN-Z / creation working.. I don't know where you all moved the contributions repository to.. But I based my authenticator off one of those and it does do what you are talking about.
>
> github.com/kevinfoote/xwiki-authenticator-guanxi ((Haven't touched this in quite some time)) so mileage may vary.
>
> This uses incoming REMOTE_USER and values coming in from the Shib-SP
>
> -- thanks kevin.foote
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
On Tue, Mar 26, 2013 at 11:54 PM, Nicolas Sanitas nicolas.sani...@intech.lu wrote:
> Hello everybody,
>
> I would like to authenticate users via a SAML server. I read this page http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication. I would like to try the example project provided on Github: https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-saml (rather 'old').
>
> When I want to build the project, I've got this error:
>
> [WARNING] The POM for jfree:jfreechart:jar:1.0.0-rc1-xwiki is missing, no dependency information available

This is not an error and is expected in this version AFAIK. Was the JAR file built ? If not then it does not have anything to do with this warning, must be something else.

> I precise that I tried using Maven and Nexus XWiki repos. Could you help me, please?
>
> Thanks in advance,
> Nicolas

--
Thomas Mortagne
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
Looks like the version of opensaml used by this module is not in a very good state wherever it's stored, I changed it for the last one (2.5.1-1) and it seems better now.

On Wed, Mar 27, 2013 at 7:49 AM, Thomas Mortagne thomas.morta...@xwiki.com wrote:
> On Tue, Mar 26, 2013 at 11:54 PM, Nicolas Sanitas nicolas.sani...@intech.lu wrote:
>> Hello everybody,
>>
>> I would like to authenticate users via a SAML server. I read this page http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication. I would like to try the example project provided on Github: https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-saml (rather 'old').
>>
>> When I want to build the project, I've got this error:
>>
>> [WARNING] The POM for jfree:jfreechart:jar:1.0.0-rc1-xwiki is missing, no dependency information available
>
> This is not an error and is expected in this version AFAIK. Was the JAR file built ? If not then it does not have anything to do with this warning, must be something else.
>
>> I precise that I tried using Maven and Nexus XWiki repos. Could you help me, please?
>>
>> Thanks in advance,
>> Nicolas
>
> --
> Thomas Mortagne

--
Thomas Mortagne
Re: [xwiki-users] SSO/SAML: issue with example provided on Github
Thank you Thomas,

I'll try the new POM ASAP (I already updated the version of opensaml to 2.4.1 in my POM).
No, the JAR was not built, but it was the only message I could see :-(

I keep you informed. Have a good day.

2013/3/27 Thomas Mortagne thomas.morta...@xwiki.com
> Looks like the version of opensaml used by this module is not in a very good state wherever it's stored, I changed it for the last one (2.5.1-1) and it seems better now.
>
> On Wed, Mar 27, 2013 at 7:49 AM, Thomas Mortagne thomas.morta...@xwiki.com wrote:
>> On Tue, Mar 26, 2013 at 11:54 PM, Nicolas Sanitas nicolas.sani...@intech.lu wrote:
>>> Hello everybody,
>>>
>>> I would like to authenticate users via a SAML server. I read this page http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication. I would like to try the example project provided on Github: https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-saml (rather 'old').
>>>
>>> When I want to build the project, I've got this error:
>>>
>>> [WARNING] The POM for jfree:jfreechart:jar:1.0.0-rc1-xwiki is missing, no dependency information available
>>
>> This is not an error and is expected in this version AFAIK. Was the JAR file built ? If not then it does not have anything to do with this warning, must be something else.
>>
>>> I precise that I tried using Maven and Nexus XWiki repos. Could you help me, please?
>>>
>>> Thanks in advance,
>>> Nicolas
>>
>> --
>> Thomas Mortagne
>
> --
> Thomas Mortagne

--
Nicolas SANITAS
InTech S.A.