From: Mark D. <mdo...@co...> - 2014-02-03 17:53:11
...I'm in the train with a lousy internet connection at the moment, but you need to configure the ResponseEndpoint (that handles the Response from a remote IDP) with the SAML2 Profile. If you take a look at the asimba-saml-proxy example asimba.xml, you'll see what that will look like: in asimba.xml, asimba-server/profiles/profile(SAML2Profile)/profile needs a ResponseEndpoint, and the SAML2AuthenticationMethod needs to reference this SAML2Profile by its @id using the <idpprofile> element.

You're almost there!

On 03/02/14 17:54, Tataryn Oleksiy wrote:
> It still does not work ([main] ERROR c.a.o.a.r.s.SAML2AuthenticationMethod - Cannot start: there is no SAML2 IDP Profile that handles the Response Endpoint for this SAML SP)
>
> From the sources it looks like I also need ResponseEndpoint configured in /asimba-server/profiles/profile/profiles/profile, so trying to figure that out.
>
> Best Regards,
> Oleksiy Tataryn
>
> On Fri, Jan 31, 2014 at 1:55 PM, Mark Dobrinic <mdo...@co...> wrote:
> > Hi Oleksiy,
> >
> > The remote-saml2 authentication method isn't documented properly yet. The <idpprofile> element was introduced in 1.1.2; the actual change is documented though:
> > http://sourceforge.net/p/asimba/wiki/Changes%20since%201.1.2./#20130903-update-to-support-multiple-saml2-idp-profiles-with-multiple-remote-saml2-authmethod-configurations
> >
> > Bottom line is: you need a configured SAML2 IDP Profile; the Remote SAML2 authentication method uses the id of the SAML2 IDP profile to reference it, so incoming SAML2 Response messages can be handled correctly.
> >
> > The example configuration that I provided to you (GLUU) configures a SAML2 IDP with an id "saml2", so the configuration in the RemoteSAML authentication method would be:
> > <idpprofile id="saml2" />
> >
> > Does this help you further?
> >
> > Cheers!
> >
> > Mark
> >
> > On 30/01/14 23:12, Tataryn Oleksiy wrote:
> > > Thanks Mark,
> > > I tried configuring one external IDP, but asimba threw an error during tomcat startup, complaining about the lack of <idpprofile> element. Unfortunately I did not find any documentation about the idpprofile. How is it used or where can I find information about it?
> > >
> > > Attached is the tomcat log with the error.
> > >
> > > Best Regards,
> > > Oleksiy Tataryn
> > >
> > > On Wed, Jan 29, 2014 at 10:27 PM, Mark Dobrinic <mdo...@co...> wrote:
> > > > Hi Oleksiy,
> > > >
> > > > Some of your questions have some documentation to cover it, but let me help you with your questions before we're there ;)
> > > >
> > > > btw; if you have suggestions on how to improve the docs, please let me know.
> > > >
> > > > > Hello asimba-users,
> > > > > I am trying to use Asimba as a SAML proxy for several IDPs. The problem is that I cannot find any documentation for that and asimba.xml is not helping much.
> > > > > So here are my questions:
> > > > > 1. How do I add several external IDPs and remove the internal Asimba one (the one that accepts asimba1/asimba1 creds)?
> > > >
> > > > Asimba has a concept of an IDP profile, which is SAML, that reports on how a user was authenticated.
> > > >
> > > > Authentication is done by executing an authentication profile, that contains one or more authentication methods.
> > > >
> > > > What you're looking for here is authentication based on a remote SAML IDP. This is implemented in the Remote SAML2 Authentication method. This method is actually documented:
> > > > http://sourceforge.net/p/asimba/wiki/asimba-am-remote-saml2/
> > > >
> > > > So you'd start with defining a new authentication profile in asimba.xml: /asimba/authentication/profile, something like this:
> > > > <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
> > > >   <method id="RemoteSAML" />
> > > > </profile>
> > > >
> > > > ... and then a web-based authentication method in asimba.xml: /asimba/websso/authentication/methods/method like this:
> > > >
> > > > <method id="RemoteSAML" friendlyname="Remote SAML authentication"
> > > >         enabled="true" response_signing_required="true"
> > > >         class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
> > > >   ...
> > > > </method>
> > > >
> > > > ..you're setting up the context for using remote SAML IDPs.
> > > >
> > > > This can be set up using:
> > > > <method ....>
> > > >   ...
> > > >   <idps id="saml2idps"
> > > >         class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
> > > >     <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1" scoping="true" avoid_subjectconfirmation="true">
> > > >       <metadata>
> > > >         <file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file>
> > > >       </metadata>
> > > >     </idp>
> > > >   </idps>
> > > >   ...
> > > > </method>
> > > >
> > > > There are some more options to configure here, that should be documented. I'll put it on my list.
> > > >
> > > > > 2. How do I configure the discovery? What are the requirements for the IDPs?
> > > >
> > > > Discovery is by default done by a JSP file that renders the IDPs that the user can choose from. If this needs customization, you can choose to either customize the JSP, or implement your own module that you can configure to activate. This last one is only when you know exactly what you want to do.
> > > >
> > > > > 3. I heard that asimba allows IDPs information to be stored in the database. How can I achieve that?
> > > >
> > > > The example above configures the IDPs from asimba.xml. If you want to use a JDBC backed store, you should configure the <idps ..> element with the JDBC implementation:
> > > >
> > > > <idps id="saml2idps"
> > > >       class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.jdbc.IDPJDBCStorage" />
> > > >
> > > > This relies on a model storagefactory being configured in asimba.xml: /asimba:
> > > > <storagefactory class="com.alfaariss.oa.engine.storage.jdbc.JDBCFactory">
> > > >   <model>
> > > >     <environment_context>java:comp/env</environment_context>
> > > >     <resource-ref>jdbc/oaModel</resource-ref>
> > > >   </model>
> > > >   <system>
> > > >     <environment_context>java:comp/env</environment_context>
> > > >     <resource-ref>jdbc/oaSystem</resource-ref>
> > > >   </system>
> > > > </storagefactory>
> > > >
> > > > ... which relies on the jdbc/oaModel and jdbc/oaSystem resources being configured by your application server.
> > > >
> > > > See the Asimba Wiki documentation:
> > > > http://sourceforge.net/p/asimba/wiki/asimba-engine-storage/
> > > >
> > > > By default, the IDPs are queried from the table 'saml2_orgs', of which the database definition is published on the remote-saml2 documentation of the Asimba Wiki. This can be overruled. Let me know if you want me to look it up. Either way, I should put it on the Asimba Wiki ;)
> > > >
> > > > > 4. How can I control which SPs are serviced by asimba?
> > > >
> > > > A SAML2 SP is an Asimba Requestor, that has some additional SAML2-specific properties (Asimba is protocol agnostic, SAML2 is "just a protocol"). Requestors are contained in a RequestorPool.
> > > >
> > > > Each RequestorPool defines which authentication profiles are allowed, and which attribute gathering and -release policies are applied to it.
> > > >
> > > > If you want to set up a RequestorPool using a JDBC backend, this is documented in the JDBC documentation on the Asimba Wiki:
> > > > http://sourceforge.net/p/asimba/wiki/asimba-engine-requestor-jdbc/
> > > >
> > > > If you want to set up the requestor pools in asimba.xml: there is an example of this in the asimba.xml of the asimba-wa module of the sources (line 179-201):
> > > > http://sourceforge.net/p/asimba/code/HEAD/tree/trunk/asimba-wa/src/main/webapp/WEB-INF/conf/asimba.xml
> > > >
> > > > So, the next thing is to add SAML2 specific data to the requestors. Again, this can be done in a JDBC backend, by setting the properties (in table requestorpool_requestor_properties):
> > > > [saml2-profileid].metadata.file that contains the location of the filename to the saml metadata, or
> > > > [saml2-profileid].metadata.http.url that contains the URL where the metadata can be retrieved from, or
> > > > [saml2-profileid].metadata that contains the actual metadata itself in the database.
> > > >
> > > > (saml2-profileid is the id that you've given to the com.alfaariss.oa.profile.saml2.SAML2Profile asimba/profiles/profile)
> > > >
> > > > .. or in the asimba.xml, by configuring the requestors inside the saml2 idp profile configuration: /asimba/profiles/profile/requestors like:
> > > > <requestors signing="TRUE">
> > > >   <requestor id="localhost/AsimbaSimpleSP" signing="FALSE">
> > > >     <metadata>
> > > >       <file>${webapp.root}/WEB-INF/sample-data/metadata/asimbasimplesp.xml</file>
> > > >       <!-- when metadata is sourced from a URL instead, the
> > > >            configuration could look like this:
> > > >            <http timeout="10000" url="http://my.serviceprovider.com/sp/metadata" />
> > > >       -->
> > > >     </metadata>
> > > >   </requestor>
> > > > </requestors>
> > > >
> > > > I hope this helps you out.
> > > >
> > > > Cheers!
> > > >
> > > > Mark
> > > >
> > > > > Best Regards,
> > > > > Oleksiy Tataryn
> > > > >
> > > > > ------------------------------------------------------------------------------
> > > > > WatchGuard Dimension instantly turns raw network data into actionable security intelligence. It gives you real-time visual feedback on key security issues and trends. Skip the complicated setup - simply import a virtual appliance and go from zero to informed in seconds.
> > > > > http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
> > > > >
> > > > > _______________________________________________
> > > > > Asimba-users mailing list
> > > > > Asi...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/asimba-users
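The fix Mark describes above, and the startup error Oleksiy hit before it, both come down to cross-references inside asimba.xml: the RemoteSAML authentication method must carry an <idpprofile id=".."/> whose id names the SAML2Profile under /asimba/profiles/profile, the authentication profile must name a method that exists, and each config-sourced IDP needs metadata. The following is an added example written for this page; it is not code from the Asimba project or from anyone in the thread. It parses an asimba.xml and reports those inconsistencies before Tomcat does, plus a method that does not set response_signing_required="true". It uses the element paths as quoted in the thread; the assumption that a SAML2Profile is recognised by a class attribute on /asimba/profiles/profile, and both sample configurations, are constructed for the example. The ResponseEndpoint syntax itself is not on this page and is therefore not checked.

```python
"""Cross-reference check for the remote-SAML2 parts of an asimba.xml.

Added example (not Asimba project code). Element paths follow the thread:
/asimba/authentication/profile, /asimba/websso/authentication/methods/method
and /asimba/profiles/profile. Assumption: a SAML2Profile is identified by a
class attribute on the profile element. The ResponseEndpoint is not checked.
"""
import xml.etree.ElementTree as ET

SAML2_AUTHN_METHOD = "com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod"
SAML2_IDP_PROFILE = "com.alfaariss.oa.profile.saml2.SAML2Profile"


def check_remote_saml2(xml_text):
    """Return a list of findings; an empty list means the references resolve."""
    root = ET.fromstring(xml_text)
    findings = []

    # ids of SAML2 IDP profiles (/asimba/profiles/profile with the SAML2Profile class)
    idp_profiles = {p.get("id") for p in root.findall("./profiles/profile")
                    if p.get("class") == SAML2_IDP_PROFILE}
    # web authentication methods keyed by id
    methods = {m.get("id"): m
               for m in root.findall("./websso/authentication/methods/method")}

    # 1. every authentication profile must reference a method that exists
    for prof in root.findall("./authentication/profile"):
        for ref in prof.findall("method"):
            if ref.get("id") not in methods:
                findings.append(f"authentication profile '{prof.get('id')}' "
                                f"references unknown method '{ref.get('id')}'")

    # 2. every remote SAML2 method needs signed Responses, a resolvable
    #    <idpprofile> and metadata for each config-sourced IDP
    for mid, method in methods.items():
        if method.get("class") != SAML2_AUTHN_METHOD:
            continue
        if method.get("response_signing_required", "").lower() != "true":
            findings.append(f"method '{mid}': response_signing_required is not true")
        idpprofile = method.find("idpprofile")
        if idpprofile is None or not idpprofile.get("id"):
            findings.append(f"method '{mid}': no <idpprofile id='..' /> configured")
        elif idpprofile.get("id") not in idp_profiles:
            findings.append(f"method '{mid}': idpprofile '{idpprofile.get('id')}' "
                            f"is not a SAML2Profile under /asimba/profiles")
        for idp in method.findall("./idps/idp"):
            meta = idp.find("metadata")
            if meta is None or (meta.find("file") is None and meta.find("http") is None):
                findings.append(f"method '{mid}': idp '{idp.get('id')}' "
                                f"has no metadata <file> or <http>")
    return findings


# Constructed sample: the situation from the attached log (no <idpprofile>),
# plus an IDP without metadata and signing not required.
BROKEN_CONFIG = """<asimba>
 <authentication>
  <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true"><method id="RemoteSAML" /></profile>
 </authentication>
 <websso><authentication><methods>
  <method id="RemoteSAML" enabled="true" response_signing_required="false"
          class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
   <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
    <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1" />
   </idps>
  </method>
 </methods></authentication></websso>
 <profiles />
</asimba>"""

# Constructed sample with the fix from the thread: <idpprofile id="saml2" />
# pointing at a SAML2Profile with id "saml2", signing required, metadata file.
FIXED_CONFIG = """<asimba>
 <authentication>
  <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true"><method id="RemoteSAML" /></profile>
 </authentication>
 <websso><authentication><methods>
  <method id="RemoteSAML" enabled="true" response_signing_required="true"
          class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
   <idpprofile id="saml2" />
   <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
    <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1">
     <metadata><file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file></metadata>
    </idp>
   </idps>
  </method>
 </methods></authentication></websso>
 <profiles>
  <profile id="saml2" class="com.alfaariss.oa.profile.saml2.SAML2Profile" />
 </profiles>
</asimba>"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_remote_saml2(cfg) or ["ok"])
```

Run against the broken sample it reports three findings (signing not required, no idpprofile, IDP without metadata); against the fixed sample it reports none. Pointing the idpprofile at an id that no SAML2Profile carries produces the dangling-reference finding, which is the same condition the log's "Cannot start" message complains about at runtime.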

From: Tataryn O. <ota...@gm...> - 2014-02-03 16:55:02

It still does not work ([main] ERROR c.a.o.a.r.s.SAML2AuthenticationMethod - Cannot start: there is no SAML2 IDP Profile that handles the Response Endpoint for this SAML SP)

From the sources it looks like I also need ResponseEndpoint configured in /asimba-server/profiles/profile/profiles/profile, so trying to figure that out.

Best Regards,
Oleksiy Tataryn

On Fri, Jan 31, 2014 at 1:55 PM, Mark Dobrinic <mdo...@co...> wrote:
> Hi Oleksiy,
>
> The remote-saml2 authentication method isn't documented properly yet. The <idpprofile> element was introduced in 1.1.2; the actual change is documented though:
> http://sourceforge.net/p/asimba/wiki/Changes%20since%201.1.2./#20130903-update-to-support-multiple-saml2-idp-profiles-with-multiple-remote-saml2-authmethod-configurations
>
> Bottom line is: you need a configured SAML2 IDP Profile; the Remote SAML2 authentication method uses the id of the SAML2 IDP profile to reference it, so incoming SAML2 Response messages can be handled correctly.
>
> The example configuration that I provided to you (GLUU) configures a SAML2 IDP with an id "saml2", so the configuration in the RemoteSAML authentication method would be:
> <idpprofile id="saml2" />
>
> Does this help you further?
>
> Cheers!
>
> Mark
>
> On 30/01/14 23:12, Tataryn Oleksiy wrote:
> > Thanks Mark,
> > I tried configuring one external IDP, but asimba threw an error during tomcat startup, complaining about the lack of <idpprofile> element. Unfortunately I did not find any documentation about the idpprofile. How is it used or where can I find information about it?
> >
> > Attached is the tomcat log with the error.
> >
> > Best Regards,
> > Oleksiy Tataryn
> >
> > On Wed, Jan 29, 2014 at 10:27 PM, Mark Dobrinic <mdo...@co...> wrote:
> > > Hi Oleksiy,
> > >
> > > Some of your questions have some documentation to cover it, but let me help you with your questions before we're there ;)
> > >
> > > btw; if you have suggestions on how to improve the docs, please let me know.
> > >
> > > > Hello asimba-users,
> > > > I am trying to use Asimba as a SAML proxy for several IDPs. The problem is that I cannot find any documentation for that and asimba.xml is not helping much.
> > > > So here are my questions:
> > > > 1. How do I add several external IDPs and remove the internal Asimba one (the one that accepts asimba1/asimba1 creds)?
> > >
> > > Asimba has a concept of an IDP profile, which is SAML, that reports on how a user was authenticated.
> > >
> > > Authentication is done by executing an authentication profile, that contains one or more authentication methods.
> > >
> > > What you're looking for here is authentication based on a remote SAML IDP. This is implemented in the Remote SAML2 Authentication method. This method is actually documented:
> > > http://sourceforge.net/p/asimba/wiki/asimba-am-remote-saml2/
> > >
> > > So you'd start with defining a new authentication profile in asimba.xml: /asimba/authentication/profile, something like this:
> > > <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
> > >   <method id="RemoteSAML" />
> > > </profile>
> > >
> > > ... and then a web-based authentication method in asimba.xml: /asimba/websso/authentication/methods/method like this:
> > >
> > > <method id="RemoteSAML" friendlyname="Remote SAML authentication"
> > >         enabled="true" response_signing_required="true"
> > >         class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
> > >   ...
> > > </method>
> > >
> > > ..you're setting up the context for using remote SAML IDPs.
> > >
> > > This can be set up using:
> > > <method ....>
> > >   ...
> > >   <idps id="saml2idps"
> > >         class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
> > >     <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1" scoping="true" avoid_subjectconfirmation="true">
> > >       <metadata>
> > >         <file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file>
> > >       </metadata>
> > >     </idp>
> > >   </idps>
> > >   ...
> > > </method>
> > >
> > > There are some more options to configure here, that should be documented. I'll put it on my list.
> > >
> > > > 2. How do I configure the discovery? What are the requirements for the IDPs?
> > >
> > > Discovery is by default done by a JSP file that renders the IDPs that the user can choose from. If this needs customization, you can choose to either customize the JSP, or implement your own module that you can configure to activate. This last one is only when you know exactly what you want to do.
> > >
> > > > 3. I heard that asimba allows IDPs information to be stored in the database. How can I achieve that?
> > >
> > > The example above configures the IDPs from asimba.xml. If you want to use a JDBC backed store, you should configure the <idps ..> element with the JDBC implementation:
> > >
> > > <idps id="saml2idps"
> > >       class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.jdbc.IDPJDBCStorage" />
> > >
> > > This relies on a model storagefactory being configured in asimba.xml: /asimba:
> > > <storagefactory class="com.alfaariss.oa.engine.storage.jdbc.JDBCFactory">
> > >   <model>
> > >     <environment_context>java:comp/env</environment_context>
> > >     <resource-ref>jdbc/oaModel</resource-ref>
> > >   </model>
> > >   <system>
> > >     <environment_context>java:comp/env</environment_context>
> > >     <resource-ref>jdbc/oaSystem</resource-ref>
> > >   </system>
> > > </storagefactory>
> > >
> > > ... which relies on the jdbc/oaModel and jdbc/oaSystem resources being configured by your application server.
> > >
> > > See the Asimba Wiki documentation:
> > > http://sourceforge.net/p/asimba/wiki/asimba-engine-storage/
> > >
> > > By default, the IDPs are queried from the table 'saml2_orgs', of which the database definition is published on the remote-saml2 documentation of the Asimba Wiki. This can be overruled. Let me know if you want me to look it up. Either way, I should put it on the Asimba Wiki ;)
> > >
> > > > 4. How can I control which SPs are serviced by asimba?
> > >
> > > A SAML2 SP is an Asimba Requestor, that has some additional SAML2-specific properties (Asimba is protocol agnostic, SAML2 is "just a protocol"). Requestors are contained in a RequestorPool.
> > >
> > > Each RequestorPool defines which authentication profiles are allowed, and which attribute gathering and -release policies are applied to it.
> > >
> > > If you want to set up a RequestorPool using a JDBC backend, this is documented in the JDBC documentation on the Asimba Wiki:
> > > http://sourceforge.net/p/asimba/wiki/asimba-engine-requestor-jdbc/
> > >
> > > If you want to set up the requestor pools in asimba.xml: there is an example of this in the asimba.xml of the asimba-wa module of the sources (line 179-201):
> > > http://sourceforge.net/p/asimba/code/HEAD/tree/trunk/asimba-wa/src/main/webapp/WEB-INF/conf/asimba.xml
> > >
> > > So, the next thing is to add SAML2 specific data to the requestors. Again, this can be done in a JDBC backend, by setting the properties (in table requestorpool_requestor_properties):
> > > [saml2-profileid].metadata.file that contains the location of the filename to the saml metadata, or
> > > [saml2-profileid].metadata.http.url that contains the URL where the metadata can be retrieved from, or
> > > [saml2-profileid].metadata that contains the actual metadata itself in the database.
> > >
> > > (saml2-profileid is the id that you've given to the com.alfaariss.oa.profile.saml2.SAML2Profile asimba/profiles/profile)
> > >
> > > .. or in the asimba.xml, by configuring the requestors inside the saml2 idp profile configuration: /asimba/profiles/profile/requestors like:
> > > <requestors signing="TRUE">
> > >   <requestor id="localhost/AsimbaSimpleSP" signing="FALSE">
> > >     <metadata>
> > >       <file>${webapp.root}/WEB-INF/sample-data/metadata/asimbasimplesp.xml</file>
> > >       <!-- when metadata is sourced from a URL instead, the
> > >            configuration could look like this:
> > >            <http timeout="10000" url="http://my.serviceprovider.com/sp/metadata" />
> > >       -->
> > >     </metadata>
> > >   </requestor>
> > > </requestors>
> > >
> > > I hope this helps you out.
> > >
> > > Cheers!
> > >
> > > Mark
> > >
> > > > Best Regards,
> > > > Oleksiy Tataryn

From: Mark D. <mdo...@co...> - 2014-01-31 11:55:57

Hi Oleksiy,

The remote-saml2 authentication method isn't documented properly yet. The <idpprofile> element was introduced in 1.1.2; the actual change is documented though:
http://sourceforge.net/p/asimba/wiki/Changes%20since%201.1.2./#20130903-update-to-support-multiple-saml2-idp-profiles-with-multiple-remote-saml2-authmethod-configurations

Bottom line is: you need a configured SAML2 IDP Profile; the Remote SAML2 authentication method uses the id of the SAML2 IDP profile to reference it, so incoming SAML2 Response messages can be handled correctly.

The example configuration that I provided to you (GLUU) configures a SAML2 IDP with an id "saml2", so the configuration in the RemoteSAML authentication method would be:
<idpprofile id="saml2" />

Does this help you further?

Cheers!

Mark

On 30/01/14 23:12, Tataryn Oleksiy wrote:
> Thanks Mark,
> I tried configuring one external IDP, but asimba threw an error during tomcat startup, complaining about the lack of <idpprofile> element. Unfortunately I did not find any documentation about the idpprofile. How is it used or where can I find information about it?
>
> Attached is the tomcat log with the error.
>
> Best Regards,
> Oleksiy Tataryn
>
> On Wed, Jan 29, 2014 at 10:27 PM, Mark Dobrinic <mdo...@co...> wrote:
> > Hi Oleksiy,
> >
> > Some of your questions have some documentation to cover it, but let me help you with your questions before we're there ;)
> >
> > btw; if you have suggestions on how to improve the docs, please let me know.
> >
> > > Hello asimba-users,
> > > I am trying to use Asimba as a SAML proxy for several IDPs. The problem is that I cannot find any documentation for that and asimba.xml is not helping much.
> > > So here are my questions:
> > > 1. How do I add several external IDPs and remove the internal Asimba one (the one that accepts asimba1/asimba1 creds)?
> >
> > Asimba has a concept of an IDP profile, which is SAML, that reports on how a user was authenticated.
> >
> > Authentication is done by executing an authentication profile, that contains one or more authentication methods.
> >
> > What you're looking for here is authentication based on a remote SAML IDP. This is implemented in the Remote SAML2 Authentication method. This method is actually documented:
> > http://sourceforge.net/p/asimba/wiki/asimba-am-remote-saml2/
> >
> > So you'd start with defining a new authentication profile in asimba.xml: /asimba/authentication/profile, something like this:
> > <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
> >   <method id="RemoteSAML" />
> > </profile>
> >
> > ... and then a web-based authentication method in asimba.xml: /asimba/websso/authentication/methods/method like this:
> >
> > <method id="RemoteSAML" friendlyname="Remote SAML authentication"
> >         enabled="true" response_signing_required="true"
> >         class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
> >   ...
> > </method>
> >
> > ..you're setting up the context for using remote SAML IDPs.
> >
> > This can be set up using:
> > <method ....>
> >   ...
> >   <idps id="saml2idps"
> >         class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
> >     <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1" scoping="true" avoid_subjectconfirmation="true">
> >       <metadata>
> >         <file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file>
> >       </metadata>
> >     </idp>
> >   </idps>
> >   ...
> > </method>
> >
> > There are some more options to configure here, that should be documented. I'll put it on my list.
> >
> > > 2. How do I configure the discovery? What are the requirements for the IDPs?
> >
> > Discovery is by default done by a JSP file that renders the IDPs that the user can choose from. If this needs customization, you can choose to either customize the JSP, or implement your own module that you can configure to activate. This last one is only when you know exactly what you want to do.
> >
> > > 3. I heard that asimba allows IDPs information to be stored in the database. How can I achieve that?
> >
> > The example above configures the IDPs from asimba.xml. If you want to use a JDBC backed store, you should configure the <idps ..> element with the JDBC implementation:
> >
> > <idps id="saml2idps"
> >       class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.jdbc.IDPJDBCStorage" />
> >
> > This relies on a model storagefactory being configured in asimba.xml: /asimba:
> > <storagefactory class="com.alfaariss.oa.engine.storage.jdbc.JDBCFactory">
> >   <model>
> >     <environment_context>java:comp/env</environment_context>
> >     <resource-ref>jdbc/oaModel</resource-ref>
> >   </model>
> >   <system>
> >     <environment_context>java:comp/env</environment_context>
> >     <resource-ref>jdbc/oaSystem</resource-ref>
> >   </system>
> > </storagefactory>
> >
> > ... which relies on the jdbc/oaModel and jdbc/oaSystem resources being configured by your application server.
> >
> > See the Asimba Wiki documentation:
> > http://sourceforge.net/p/asimba/wiki/asimba-engine-storage/
> >
> > By default, the IDPs are queried from the table 'saml2_orgs', of which the database definition is published on the remote-saml2 documentation of the Asimba Wiki. This can be overruled. Let me know if you want me to look it up. Either way, I should put it on the Asimba Wiki ;)
> >
> > > 4. How can I control which SPs are serviced by asimba?
> >
> > A SAML2 SP is an Asimba Requestor, that has some additional SAML2-specific properties (Asimba is protocol agnostic, SAML2 is "just a protocol"). Requestors are contained in a RequestorPool.
> >
> > Each RequestorPool defines which authentication profiles are allowed, and which attribute gathering and -release policies are applied to it.
> >
> > If you want to set up a RequestorPool using a JDBC backend, this is documented in the JDBC documentation on the Asimba Wiki:
> > http://sourceforge.net/p/asimba/wiki/asimba-engine-requestor-jdbc/
> >
> > If you want to set up the requestor pools in asimba.xml: there is an example of this in the asimba.xml of the asimba-wa module of the sources (line 179-201):
> > http://sourceforge.net/p/asimba/code/HEAD/tree/trunk/asimba-wa/src/main/webapp/WEB-INF/conf/asimba.xml
> >
> > So, the next thing is to add SAML2 specific data to the requestors. Again, this can be done in a JDBC backend, by setting the properties (in table requestorpool_requestor_properties):
> > [saml2-profileid].metadata.file that contains the location of the filename to the saml metadata, or
> > [saml2-profileid].metadata.http.url that contains the URL where the metadata can be retrieved from, or
> > [saml2-profileid].metadata that contains the actual metadata itself in the database.
> >
> > (saml2-profileid is the id that you've given to the com.alfaariss.oa.profile.saml2.SAML2Profile asimba/profiles/profile)
> >
> > .. or in the asimba.xml, by configuring the requestors inside the saml2 idp profile configuration: /asimba/profiles/profile/requestors like:
> > <requestors signing="TRUE">
> >   <requestor id="localhost/AsimbaSimpleSP" signing="FALSE">
> >     <metadata>
> >       <file>${webapp.root}/WEB-INF/sample-data/metadata/asimbasimplesp.xml</file>
> >       <!-- when metadata is sourced from a URL instead, the
> >            configuration could look like this:
> >            <http timeout="10000" url="http://my.serviceprovider.com/sp/metadata" />
> >       -->
> >     </metadata>
> >   </requestor>
> > </requestors>
> >
> > I hope this helps you out.
> >
> > Cheers!
> >
> > Mark
> >
> > > Best Regards,
> > > Oleksiy Tataryn

From: Tataryn O. <ota...@gm...> - 2014-01-30 22:12:45

19:04:55.490 [main] INFO c.a.o.a.r.s.i.s.c.IDPConfigStorage - Organization 'urn:idp:config:test1' uses metadata in file: /opt/shibboleth-idp2/metadata/1111-idp-metadata.xml
19:04:55.497 [main] INFO c.a.o.a.r.s.i.s.c.IDPConfigStorage - Found IDP with ID: urn:idp:config:test1
19:04:55.500 [main] INFO c.a.o.a.r.s.i.s.c.IDPConfigStorage - Started storage with id: saml2idps
19:04:55.501 [main] INFO c.a.o.e.core.idp.IDPStorageManager - IDP Storage added: saml2idps
19:04:55.503 [main] ERROR c.a.o.a.r.s.SAML2AuthenticationMethod - No 'idpprofile' configured; make sure there is a <idpprofile id='..' /> value to reference the SAML2IDP Profile that configures the ResponseEndpoint for this SAML2 SP
19:04:55.524 [main] ERROR c.a.o.s.a.web.AuthenticationManager - Internal error during object creation
com.alfaariss.oa.OAException: 0002
    at com.alfaariss.oa.authentication.remote.saml2.BaseSAML2AuthenticationMethod.start(BaseSAML2AuthenticationMethod.java:272) ~[asimba-am-remote-saml2-1.1.3.jar:na]
    at com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod.start(SAML2AuthenticationMethod.java:127) ~[asimba-am-remote-saml2-1.1.3.jar:na]
    at com.alfaariss.oa.sso.authentication.web.AuthenticationManager.createAuthenticationMethod(AuthenticationManager.java:335) [asimba-sso-web-1.1.3.jar:na]
    at com.alfaariss.oa.sso.authentication.web.AuthenticationManager.start(AuthenticationManager.java:245) [asimba-sso-web-1.1.3.jar:na]
    at com.alfaariss.oa.sso.web.WebSSOServlet.start(WebSSOServlet.java:171) [asimba-sso-web-1.1.3.jar:na]
    at com.alfaariss.oa.sso.web.WebSSOServlet.init(WebSSOServlet.java:127) [asimba-sso-web-1.1.3.jar:na]
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) [catalina.jar:6.0.33]
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) [catalina.jar:6.0.33]
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4421) [catalina.jar:6.0.33]
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4734) [catalina.jar:6.0.33]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) [catalina.jar:6.0.33]
19:04:55.529 [main] ERROR c.alfaariss.oa.sso.web.WebSSOServlet - Error starting WebSSO
com.alfaariss.oa.sso.SSOException: 0001
    at com.alfaariss.oa.sso.authentication.web.AuthenticationManager.createAuthenticationMethod(AuthenticationManager.java:344) ~[asimba-sso-web-1.1.3.jar:na]
    at com.alfaariss.oa.sso.authentication.web.AuthenticationManager.start(AuthenticationManager.java:245) ~[asimba-sso-web-1.1.3.jar:na]
    at com.alfaariss.oa.sso.web.WebSSOServlet.start(WebSSOServlet.java:171) ~[asimba-sso-web-1.1.3.jar:na]
    at com.alfaariss.oa.sso.web.WebSSOServlet.init(WebSSOServlet.java:127) ~[asimba-sso-web-1.1.3.jar:na]
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) [catalina.jar:6.0.33]
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) [catalina.jar:6.0.33]
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4421) [catalina.jar:6.0.33]
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4734) [catalina.jar:6.0.33]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) [catalina.jar:6.0.33]
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779) [catalina.jar:6.0.33]
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601) [catalina.jar:6.0.33]
19:04:55.540 [main] INFO c.alfaariss.oa.sso.web.WebSSOServlet - Stopped SSO Profiles
|
From: Mark D. <mdo...@co...> - 2014-01-29 20:28:03
|
Hi Oleksiy,

Some of your questions have some documentation to cover it, but let me help you with your questions before we're there ;)

btw; if you have suggestions on how to improve the docs, please let me know.

> Hello asimba-users,
> I am trying to use Asimba as a SAML proxy for several IDPs. The problem
> is that I cannot find any documentation for that and asimba.xml is not
> helping much.
> So here are my questions:
> 1. How do I add several external IDPs and remove the internal Asimba one
> (the one that accepts asimba1/asimba1 creds)?

Asimba has a concept of an IDP profile, which is SAML, that reports on how a user was authenticated. Authentication is done by executing an authentication profile, that contains one or more authentication methods.

What you're looking for here is authentication based on a remote SAML IDP. This is implemented in the Remote SAML2 Authentication method. This method is actually documented:
http://sourceforge.net/p/asimba/wiki/asimba-am-remote-saml2/

So you'd start with defining a new authentication profile in asimba.xml: /asimba/authentication/profile, something like this:

    <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
        <method id="RemoteSAML" />
    </profile>

... and then a web-based authentication method in asimba.xml: /asimba/websso/authentication/methods/method like this:

    <method id="RemoteSAML" friendlyname="Remote SAML authentication" enabled="true"
            response_signing_required="true"
            class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
        ...
    </method>

..you're setting up the context for using remote SAML IDPs. This can be set up using:

    <method ....>
        ...
        <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
            <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1"
                 scoping="true" avoid_subjectconfirmation="true">
                <metadata>
                    <file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file>
                </metadata>
            </idp>
        </idps>
        ...
    </method>

There are some more options to configure here, that should be documented. I'll put it on my list.

> 2. How do I configure the discovery? What are the requirements for the
> IDPs?

Discovery is by default done by a JSP file that renders the IDPs that the user can choose from. If this needs customization, you can choose to either customize the JSP, or implement your own module that you can configure to activate. This last one is only when you know exactly what you want to do.

> 3. I heard that asimba allows IDPs information to be stored in the
> database. How can I achieve that?

The example above configures the IDPs from asimba.xml. If you want to use a JDBC backed store, you should configure the <idps ..> element with the JDBC implementation:

    <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.jdbc.IDPJDBCStorage" />

This relies on a model storagefactory being configured in asimba.xml: /asimba:

    <storagefactory class="com.alfaariss.oa.engine.storage.jdbc.JDBCFactory">
        <model>
            <environment_context>java:comp/env</environment_context>
            <resource-ref>jdbc/oaModel</resource-ref>
        </model>
        <system>
            <environment_context>java:comp/env</environment_context>
            <resource-ref>jdbc/oaSystem</resource-ref>
        </system>
    </storagefactory>

... which relies on the jdbc/oaModel and jdbc/oaSystem resources to be configured by your application server. See the Asimba Wiki documentation:
http://sourceforge.net/p/asimba/wiki/asimba-engine-storage/

By default, the IDPs are queried from the table 'saml2_orgs', of which the database definition is published on the remote-saml2 documentation of the Asimba Wiki. This can be overruled. Let me know if you want me to look it up. Either way, I should put it on the Asimba Wiki ;)

> 4. How can I control which SPs are serviced by asimba?

A SAML2 SP is an Asimba Requestor, that has some additional SAML2-specific properties (Asimba is protocol agnostic, SAML2 is "just a protocol"). Requestors are contained in a RequestorPool. Each RequestorPool defines which authentication profiles are allowed, and which attribute gathering and -release policies are applied to it.

If you want to set up a RequestorPool using a JDBC backend, this is documented in the JDBC documentation on the Asimba Wiki:
http://sourceforge.net/p/asimba/wiki/asimba-engine-requestor-jdbc/

If you want to set up the requestor pools in asimba.xml: there is an example of this in the asimba.xml of the asimba-wa module of the sources (line 179-201):
http://sourceforge.net/p/asimba/code/HEAD/tree/trunk/asimba-wa/src/main/webapp/WEB-INF/conf/asimba.xml

So, the next thing is to add SAML2 specific data to the requestors. Again, this can be done in a JDBC backend, by setting the properties (in table requestorpool_requestor_properties):

- [saml2-profileid].metadata.file that contains the location of the filename to the saml metadata, or
- [saml2-profileid].metadata.http.url that contains the URL where the metadata can be retrieved from, or
- [saml2-profileid].metadata that contains the actual metadata itself in the database.

(saml2-profileid is the id that you've given to the com.alfaariss.oa.profile.saml2.SAML2Profile asimba/profiles/profile)

.. or in the asimba.xml, by configuring the requestors inside the saml2 idp profile configuration: /asimba/profiles/profile/requestors like:

    <requestors signing="TRUE">
        <requestor id="localhost/AsimbaSimpleSP" signing="FALSE">
            <metadata>
                <file>${webapp.root}/WEB-INF/sample-data/metadata/asimbasimplesp.xml</file>
                <!-- when metadata is sourced from a URL instead, the configuration could look like this:
                <http timeout="10000" url="http://my.serviceprovider.com/sp/metadata" />
                -->
            </metadata>
        </requestor>
    </requestors>

I hope this helps you out.

Cheers!

Mark

>
> Best Regards,
> Oleksiy Tataryn
>
> _______________________________________________
> Asimba-users mailing list
> Asi...@li...
> https://lists.sourceforge.net/lists/listinfo/asimba-users
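The wiring in this reply has one failure mode that only shows up at servlet start-up: the log excerpt at the top of this page is the Remote SAML2 method refusing to start because no `<idpprofile id='..' />` points at the SAML2 IDP profile that owns the ResponseEndpoint. The following linter is an added example, not Asimba's own code, that checks an asimba.xml-shaped document for exactly that mismatch before deployment, using only the element paths and class names quoted in this thread (`/asimba/profiles/profile`, `/asimba/websso/authentication/methods/method`, `/asimba/authentication/profile`). The sample configuration inside it is constructed for the example; treating an `<http>` child of an IDP's `<metadata>` as a valid source is an assumption carried over from the requestor example.

```python
"""Consistency check for the remote-SAML2 wiring discussed in this thread.

Added example, not Asimba's own code. Reports the mismatches that would
otherwise only surface as start-up errors: a RemoteSAML method without
<idpprofile>, an idpprofile id that matches no SAML2Profile, an IDP with
no metadata source, or an authentication profile naming an unknown method.
"""
import xml.etree.ElementTree as ET

SAML2_METHOD_CLASS = (
    "com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod")
SAML2_PROFILE_CLASS = "com.alfaariss.oa.profile.saml2.SAML2Profile"


def lint_asimba_config(xml_text):
    """Return a list of findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    # SAML2 IDP profiles: the RemoteSAML method must point at one of these via
    # <idpprofile id="..."/> so incoming Responses reach its ResponseEndpoint.
    saml2_profile_ids = {
        p.get("id") for p in root.findall("./profiles/profile")
        if p.get("class") == SAML2_PROFILE_CLASS
    }
    if not saml2_profile_ids:
        findings.append("no SAML2Profile under /asimba/profiles/profile")

    methods = {m.get("id"): m
               for m in root.findall("./websso/authentication/methods/method")}

    for method_id, method in methods.items():
        if method.get("class") != SAML2_METHOD_CLASS:
            continue
        idpprofile = method.find("idpprofile")
        if idpprofile is None or not idpprofile.get("id"):
            findings.append(
                f"method '{method_id}': no <idpprofile id='..' /> configured")
        elif idpprofile.get("id") not in saml2_profile_ids:
            findings.append(
                f"method '{method_id}': idpprofile '{idpprofile.get('id')}' "
                "matches no SAML2Profile id")
        idps = method.find("idps")
        if idps is None:
            findings.append(f"method '{method_id}': no <idps> store configured")
            continue
        for idp in idps.findall("idp"):
            metadata = idp.find("metadata")
            # <file> is the source shown in the thread; accepting <http> here
            # mirrors the requestor example and is an assumption of this linter.
            if metadata is None or (metadata.find("file") is None
                                    and metadata.find("http") is None):
                findings.append(f"method '{method_id}': idp '{idp.get('id')}' "
                                "has no metadata source")

    # Every method an authentication profile names must exist as a web method.
    for profile in root.findall("./authentication/profile"):
        for ref in profile.findall("method"):
            if ref.get("id") not in methods:
                findings.append(f"authentication profile '{profile.get('id')}' "
                                f"references unknown method '{ref.get('id')}'")
    return findings


# Constructed sample: the wiring from the thread, minus the <idpprofile> element.
BROKEN_CONFIG = """<asimba>
  <authentication>
    <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
      <method id="RemoteSAML" />
    </profile>
  </authentication>
  <websso><authentication><methods>
    <method id="RemoteSAML" friendlyname="Remote SAML authentication" enabled="true"
            response_signing_required="true"
            class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
      <idps id="saml2idps"
            class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
        <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1"
             scoping="true" avoid_subjectconfirmation="true">
          <metadata>
            <file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file>
          </metadata>
        </idp>
      </idps>
    </method>
  </methods></authentication></websso>
  <profiles>
    <profile id="saml2" class="com.alfaariss.oa.profile.saml2.SAML2Profile" />
  </profiles>
</asimba>
"""

# The fix from the thread: reference the SAML2 IDP profile by its id.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    '<idps id="saml2idps"', '<idpprofile id="saml2" />\n      <idps id="saml2idps"')

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_asimba_config(cfg) or "OK")
```

Run it against the real asimba.xml by reading the file into `lint_asimba_config`; a non-empty list is the same condition the servlet would log as an OAException at start-up, caught before the container is restarted.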
|
From: Tataryn O. <ota...@gm...> - 2014-01-29 19:05:09
|
Hello asimba-users,

I am trying to use Asimba as a SAML proxy for several IDPs. The problem is that I cannot find any documentation for that and asimba.xml is not helping much.

So here are my questions:

1. How do I add several external IDPs and remove the internal Asimba one (the one that accepts asimba1/asimba1 creds)?
2. How do I configure the discovery? What are the requirements for the IDPs?
3. I heard that asimba allows IDPs information to be stored in the database. How can I achieve that?
4. How can I control which SPs are serviced by asimba?

Best Regards,
Oleksiy Tataryn
|
From: Mark D. <mdo...@co...> - 2014-01-03 16:01:40
|
Just added some documentation on how to configure password authentication in Asimba. The JNDI-part is somehow basic/referencing source. If somebody could fill in the blanks there; would be appreciated ;)

Link: https://sourceforge.net/p/asimba/wiki/asimba-am-password/

Cheers!

Mark