Hi Cris,

Hopefully the LDAP authentication will fulfill your requirements. Once
you're done, it would be interesting to discuss (privately, if you
prefer) what gaps you identified in the authentication support we
offer.

Thanks,
Robert

On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:
> Hi Robert
> 
> Thank you for your offer to guide an OIDC and/or SAML2 Sling
> Authentication Handler implementation. Long term, I could also see
> contributing to a peer reviewed initiative to securely add the
> features to Sling applications. After some thought, I might follow up
> with you about this out of band.
> 
> In the short run, perhaps Oak’s LDAP authentication will support the
> features we need. 
> https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
> https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
> 
> Thanks all.
> Cris R
> 
> > On Dec 11, 2019, at 11:58 AM, Robert Munteanu <romb...@apache.org>
> > wrote:
> > 
> > On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
> > > "What exactly would you need to manage JCR-based controls? I
> > > would
> > > imagine that mapping users to JCR groups based on whatever data
> > > your
> > > identity solution provides and then creating access based on ACLs
> > > only
> > > would satisfy your request."
> > > 
> > > 
> > > We need to manage a few things at the identity provider:
> > > 1. User attributes: username, name, email, phone, maybe a few
> > > other
> > > pieces of data about the user.
> > > 2. Group membership
> > > 
> > > When the user signs in, with SAML2 there is encrypted metadata
> > > which
> > > contains that information. Upon sign in, Sling users should be
> > > created, their user attributes updated and the user should be
> > > added
> > > or removed from Sling group membership. Once the user has signed
> > > in,
> > > then access is granted as usual using JCR-based ACLs applied for
> > > the
> > > groups.
> > 
> > Right, I see that there is no support for that in the keycloak
> > handler,
> > as it was presented [1].
> > 
> > I don't think there is any out-of-the-box support for what you're
> > looking for.
> > 
> > I would be happy to guide anyone willing to implement such
> > functionality though.
> > 
> > Thanks,
> > Robert
> > 
> > 
> > [1]: https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak
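As an added illustration (not part of this thread, and not configuration from the Oak or Sling projects themselves), the three OSGi configurations that wire the requirements Cris lists into Sling through Oak's ExternalLoginModule: an LDAP identity provider, a DefaultSyncHandler that maps LDAP attributes onto user properties and re-syncs group membership on login, and the login module factory that ties them together. Hostnames, base DNs, attribute names, the `corp-*` names and the `sso-users` group are assumed placeholders; the files use Sling's `PID~name.cfg.json` factory-configuration naming, and the `//` comments are allowed by the Felix configurator JSON format.

```json
// org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider~corp.cfg.json
{
  "provider.name": "corp-ldap",
  "host.name": "ldap.example.org",        // assumed hostname
  "host.port": 636,
  "host.ssl": true,                        // LDAPS, so the bind password and user passwords never travel in clear
  "bind.dn": "cn=oak-reader,ou=service,dc=example,dc=org",   // read-only service account, not an admin
  "bind.password": "REPLACE-WITH-SECRET",  // placeholder: supply from a secret store, not source control
  "user.baseDN": "ou=people,dc=example,dc=org",
  "user.objectclass": ["inetOrgPerson"],
  "user.idAttribute": "uid",
  "group.baseDN": "ou=groups,dc=example,dc=org",
  "group.objectclass": ["groupOfUniqueNames"],
  "group.nameAttribute": "cn",
  "group.memberAttribute": "uniqueMember"
}

// org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler~corp.cfg.json
{
  "handler.name": "corp-sync",
  // 1. user attributes: "local property = LDAP attribute", written under the user node on each sync
  "user.propertyMapping": [
    "profile/givenName=givenName",
    "profile/familyName=sn",
    "profile/email=mail",
    "profile/phone=telephoneNumber"
  ],
  "user.expirationTime": "1h",             // attributes are re-read from LDAP once this has elapsed
  // 2. group membership: LDAP groups are re-read at login once the membership has expired,
  //    so a user dropped from an LDAP group loses the Sling membership on the next login
  "user.membershipExpTime": "1h",
  "user.membershipNestingDepth": 1,
  "user.autoMembership": ["sso-users"],    // local group every external user joins; attach ACLs here
  "group.expirationTime": "1d"
}

// org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory~corp.cfg.json
{
  "jaas.ranking": 50,
  "jaas.controlFlag": "SUFFICIENT",        // falls through to the default login module for local users
  "jaas.realmName": "jackrabbit.oak",
  "idp.name": "corp-ldap",                 // must match provider.name above
  "sync.handlerName": "corp-sync"          // must match handler.name above
}
```

Access control then works exactly as Cris describes: JCR ACLs are applied to the synced LDAP groups and to `sso-users`, and no ACL needs to reference an individual external user.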
