Kevin, can you provide some links to specific how-tos which a web-savvy SAML beginner could follow? I started with this option, but then got stuck with too much Velocity code for checking how to tell all these XWiki.Guests apart from each other... Now I'm checking https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-saml, which I managed to get working. xwiki-authentication-saml will require more work on the SAML implementation itself, though I can rely on XWiki's built-in security then.
Valdis

> If that is really the case then sticking XWiki in a Tomcat container and
> fronting it with Apache / mod_shib and using an HTTP authenticator is by far the
> simplest way to get SAML auth to your XWiki.. this would take about a
> day or two assuming you have a working SAML environment, Identity Provider /
> Federation wise.
>
> (Re)writing a true SAML-compliant authenticator is (I'm going to bet) far
> more time consuming.. you have to deal with all the constraints and bit-
> level SAML, which is where the brunt of the security comes from.. and the
> registration and management of metadata.. etc.. etc..
>
>
> ------
> thanks
> kevin.foote
>
> On Fri, 29 Mar 2013, Valdis Vītoliņš wrote:
>
> > I agree in general,
> > but the devil is in the details.
> >
> > If I have a usual time-constrained project, and have to ship something in,
> > say, two months, then I have to develop anything that works, not the
> > best solution. I have looked at some of these projects, though currently
> > integration with these requires learning too many project internals
> > to be achievable in a short-term project.
> > I'd like to help build something that could be deployed by dropping in
> > some jar file and writing settings in xwiki.cfg, but I'm not experienced
> > enough and have no time to go into long and deep custom development.
> >
> > Valdis
> >> Just a comment.. (I'm a list watcher 99.9% of the time)
> >>
> >> XWiki will work just fine with SAML products that engage at the
> >> container level.. You just use an HTTP-auth-type authenticator, of which
> >> there are a few out there in the contributions area.
> >>
> >> My advice would be to NOT write to the SAML protocol, where this gets
> >> really intricate.. but to just let the known-to-work SAML products do
> >> their thing. Pulling the SAML bits into XWiki does not buy you anything
> >> intricate to the product and just adds much more room for error in the
> >> authenticator.
> >>
> >> People wanting to implement their own SAML stack inside 'web appX'
> >> is a topic that always comes up on some of the lists I'm on, and the
> >> SAML people always say there is really no reason to do this..
> >>
> >> IMO leave the SAML bits to SAML products** and use an HTTP authenticator
> >> that you like.
> >>
> >> ** Just to name a few:
> >> - http://simplesamlphp.org/ ,
> >> - http://shibboleth.net/ ,
> >> - https://github.com/guanxi/guanxi-sp-guard ,
> >>
> >>
> >> ------
> >> thanks
> >> kevin.foote
> >>
> >> On Fri, 29 Mar 2013, Valdis Vītoliņš wrote:
> >>
> >> > Nicolas,
> >> > If you'd be able to rebuild this module so that it at least compiles and
> >> > does something, I'd also be interested in trying it and contributing to
> >> > its development.
> >> >
> >> > Valdis
> >> >> Hi Nicolas,
> >> >>
> >> >> If I remember correctly I wrote this authenticator and I think it
> >> >> requires some code in XWiki pages to manage the redirects, but I don't
> >> >> think I have this code anymore.
> >> >> Plus it was for one custom SAML server and has not been tested with
> >> >> multiple ones.
> >> >>
> >> >> In any case it's a good basis for starting a SAML authenticator.
> >> >> If you are coding against a more widespread SAML server, do contribute
> >> >> your code :)
> >> >> You can take over the module fully as no backwards compatibility is
> >> >> needed.
> >> >>
> >> >> Ludovic
> >> > ...
_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
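The "Tomcat behind Apache / mod_shib plus an HTTP authenticator" setup Kevin recommends, sketched as an added httpd 2.4 configuration that is not from this thread or the XWiki project; the AJP port, the URL paths and the assumption that mod_shib and mod_proxy_ajp are already loaded are mine. The point a practitioner should not miss is in the last comment: the identity header is only trustworthy if nothing but Apache can talk to Tomcat.

```apache
# Added example (not from the thread): Apache httpd 2.4 + Shibboleth SP in front
# of XWiki running in Tomcat. Apache performs the whole SAML exchange; XWiki
# only ever sees an identity header set by a trusted proxy.
# Assumes mod_shib, mod_proxy and mod_proxy_ajp are loaded; port and paths are
# placeholders for your deployment.

# Shibboleth SP endpoints (SAML POST/redirect handlers, session status, metadata).
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

<Location /xwiki>
    # A valid Shibboleth session is required before any request reaches Tomcat;
    # unauthenticated users are sent to the IdP by the SP, not by XWiki.
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # Export the SP-resolved attributes (and REMOTE_USER) as request headers
    # so an HTTP-header authenticator inside XWiki can read them.
    # mod_shib strips client-supplied copies of these headers on the way in,
    # but only for requests that pass through this Apache instance.
    ShibUseHeaders On
</Location>

# Forward to Tomcat over AJP. Tomcat's AJP connector must bind to the loopback
# address only (address="127.0.0.1" on the <Connector> in server.xml) and the
# host firewall must not expose port 8009: a client that can reach Tomcat
# directly could supply its own identity header and bypass SAML entirely.
ProxyPass        /xwiki ajp://127.0.0.1:8009/xwiki
ProxyPassReverse /xwiki ajp://127.0.0.1:8009/xwiki
```

On the XWiki side, `xwiki.authentication.authclass` in xwiki.cfg is pointed at whichever HTTP-header authenticator you pick from the contrib area; the class name and the header it reads depend on that module, so check its README rather than guessing.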