Hi Cris,

On Tue, 2019-12-10 at 17:33 -0500, Cris Rockwell wrote:
> Hello Sling Users
>
> Does anyone know of a solution for SSO for Apache Sling using OIDC,
> OAuth2 or SAML2 using JCR-based access controls, user creation and
> attribute synchronization, and group membership?
>
> This one looks interesting, but is it dead?
> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html

This was OpenID, not OpenID Connect, so not applicable to your scenario.
Also dead.

> This student project looks interesting, so is our best resource?
> https://github.com/apache/sling-whiteboard/pull/14
> https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635ea1e9b45e
> https://cwiki.apache.org/confluence/display/SLING/Instructions+to+setup+the+OIDC+flow
> https://github.com/apache/sling-whiteboard/tree/master/oidc-handler

This one is incomplete and not reviewed for security, so I would advise
against using it.

> There is this presentation about Keycloak, but as stated I'm looking
> to manage access controls on the content.
> https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html

What exactly would you need to manage JCR-based controls? I would
imagine that mapping users to JCR groups based on whatever data your
identity solution provides and then creating access based on ACLs only
would satisfy your request.

Thanks,
Robert
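Robert's suggestion of mapping identity-provider data to JCR groups and then granting access through ACLs, sketched as an added example (not code from this thread, from Sling or from the whiteboard handler) against the Jackrabbit user-management API. The class name, the `idp-` group prefix, the use of a service session that is allowed to manage users, and the assumption that the caller has already validated the token are all assumptions of this example.

```java
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.UUID;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

// Assumed example, not part of Sling: sync an already-authenticated IdP identity into JCR users/groups.
public class IdpGroupSync {
    private static final String IDP_PREFIX = "idp-"; // assumed convention: sync never touches non-prefixed (local) groups

    // userId/idpGroups come from the validated token (e.g. OIDC "sub"/"groups" claims); session is a service session.
    public static User syncUser(Session session, String userId, Set<String> idpGroups) throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable a = um.getAuthorizable(userId);
        if (a == null) {
            a = um.createUser(userId, UUID.randomUUID().toString()); // password is never used: the SSO handler logs in
        } else if (a.isGroup()) {
            throw new RepositoryException("id collides with a group: " + userId);
        }
        User user = (User) a;
        Set<String> wanted = new HashSet<>();
        for (String g : idpGroups) {                       // add to each reported group, creating it on demand
            String gid = IDP_PREFIX + g;
            Authorizable ga = um.getAuthorizable(gid);
            Group group = (ga == null) ? um.createGroup(gid) : (Group) ga;
            group.addMember(user);                         // returns false (no change) if already a member
            wanted.add(gid);
        }
        for (Iterator<Group> it = user.declaredMemberOf(); it.hasNext();) { // revoke idp-* groups no longer reported
            Group g = it.next();
            if (g.getID().startsWith(IDP_PREFIX) && !wanted.contains(g.getID())) {
                g.removeMember(user);
            }
        }
        session.save();
        return user;
    }
    // Access is granted to the group on the content path, never to individual users.
    public static void allowRead(Session session, String groupId, String path) throws RepositoryException {
        Group group = (Group) ((JackrabbitSession) session).getUserManager().getAuthorizable(groupId);
        AccessControlUtils.addAccessControlEntry(session, path, group.getPrincipal(), new String[] { "jcr:read" }, true);
        session.save();
    }
}
```

Calling `syncUser` on every SSO login keeps memberships in step with the IdP in both directions, while ACLs set once with `allowRead` stay attached to the content rather than to users.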
