From: Mark D. <mdo...@co...> - 2014-01-29 20:28:03
Hi Oleksiy,

Some of your questions have some documentation to cover them, but let me help you with your questions before we're there ;) Btw, if you have suggestions on how to improve the docs, please let me know.

> Hello asimba-users,
> I am trying to use Asimba as a SAML proxy for several IDPs. The problem
> is that I cannot find any documentation for that and asimba.xml is not
> helping much.
> So here are my questions:
> 1. How do I add several external IDPs and remove the internal Asimba one
> (the one that accepts asimba1/asimba1 creds)?

Asimba has a concept of an IDP profile, which is SAML, that reports on how a user was authenticated. Authentication is done by executing an authentication profile, which contains one or more authentication methods. What you're looking for here is authentication based on a remote SAML IDP. This is implemented in the Remote SAML2 Authentication method. This method is actually documented:
http://sourceforge.net/p/asimba/wiki/asimba-am-remote-saml2/

So you'd start with defining a new authentication profile in asimba.xml at /asimba/authentication/profile, something like this:

    <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
      <method id="RemoteSAML" />
    </profile>

... and then a web-based authentication method in asimba.xml at /asimba/websso/authentication/methods/method, like this:

    <method id="RemoteSAML" friendlyname="Remote SAML authentication" enabled="true"
            response_signing_required="true"
            class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
      ...
    </method>

... you're setting up the context for using remote SAML IDPs. This can be set up using:

    <method ....>
      ...
      <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
        <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1"
             scoping="true" avoid_subjectconfirmation="true">
          <metadata>
            <file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file>
          </metadata>
        </idp>
      </idps>
      ...
    </method>

There are some more options to configure here, which should be documented. I'll put it on my list.

> 2. How do I configure the discovery? What are the requirements for the
> IDPs?

Discovery is by default done by a JSP file that renders the IDPs that the user can choose from. If this needs customization, you can choose to either customize the JSP, or implement your own module that you can configure to activate. The last one is only for when you know exactly what you want to do.

> 3. I heard that asimba allows IDPs information to be stored in the
> database. How can I achieve that?

The example above configures the IDPs from asimba.xml. If you want to use a JDBC-backed store, you should configure the <idps ..> element with the JDBC implementation:

    <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.jdbc.IDPJDBCStorage" />

This relies on a model storagefactory being configured in asimba.xml at /asimba:

    <storagefactory class="com.alfaariss.oa.engine.storage.jdbc.JDBCFactory">
      <model>
        <environment_context>java:comp/env</environment_context>
        <resource-ref>jdbc/oaModel</resource-ref>
      </model>
      <system>
        <environment_context>java:comp/env</environment_context>
        <resource-ref>jdbc/oaSystem</resource-ref>
      </system>
    </storagefactory>

... which relies on the jdbc/oaModel and jdbc/oaSystem resources being configured by your application server. See the Asimba Wiki documentation:
http://sourceforge.net/p/asimba/wiki/asimba-engine-storage/

By default, the IDPs are queried from the table 'saml2_orgs', of which the database definition is published in the remote-saml2 documentation on the Asimba Wiki. This can be overruled. Let me know if you want me to look it up. Either way, I should put it on the Asimba Wiki ;)

> 4. How can I control which SPs are serviced by asimba?

A SAML2 SP is an Asimba Requestor that has some additional SAML2-specific properties (Asimba is protocol agnostic; SAML2 is "just a protocol"). Requestors are contained in a RequestorPool. Each RequestorPool defines which authentication profiles are allowed, and which attribute gathering and release policies are applied to it.

If you want to set up a RequestorPool using a JDBC backend, this is documented in the JDBC documentation on the Asimba Wiki:
http://sourceforge.net/p/asimba/wiki/asimba-engine-requestor-jdbc/

If you want to set up the requestor pools in asimba.xml: there is an example of this in the asimba.xml of the asimba-wa module of the sources (lines 179-201):
http://sourceforge.net/p/asimba/code/HEAD/tree/trunk/asimba-wa/src/main/webapp/WEB-INF/conf/asimba.xml

So, the next thing is to add SAML2-specific data to the requestors. Again, this can be done in a JDBC backend, by setting the properties (in table requestorpool_requestor_properties):

  - [saml2-profileid].metadata.file, which contains the location of the file with the SAML metadata, or
  - [saml2-profileid].metadata.http.url, which contains the URL where the metadata can be retrieved from, or
  - [saml2-profileid].metadata, which contains the actual metadata itself in the database.

(saml2-profileid is the id that you've given to the com.alfaariss.oa.profile.saml2.SAML2Profile at asimba/profiles/profile)

... or in asimba.xml, by configuring the requestors inside the SAML2 IDP profile configuration at /asimba/profiles/profile/requestors, like:

    <requestors signing="TRUE">
      <requestor id="localhost/AsimbaSimpleSP" signing="FALSE">
        <metadata>
          <file>${webapp.root}/WEB-INF/sample-data/metadata/asimbasimplesp.xml</file>
          <!-- when metadata is sourced from a URL instead, the configuration could look like this:
          <http timeout="10000" url="http://my.serviceprovider.com/sp/metadata" />
          -->
        </metadata>
      </requestor>
    </requestors>

I hope this helps you out.

Cheers!

Mark

> Best Regards,
> Oleksiy Tataryn
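The following is an added example for this thread, not code from Mark's reply or from the Asimba project. It walks the <method>/<idps>/<idp> and <profile>/<requestors>/<requestor> layout shown above and checks each referenced SAML metadata document for the mistakes that usually break a freshly wired proxy: a missing or malformed metadata file, a configured id that does not match the metadata's entityID, and a counterpart that must sign (response_signing_required="true" on the method, signing="TRUE" on the pool or requestor) but publishes no signing certificate. Two things are assumptions, not confirmed by the reply: that Asimba compares the idp/requestor id against the metadata entityID, and that the signing flags demand a signing certificate in the counterpart's metadata. The asimba.xml fragment and the metadata documents are constructed inline (with a lookup table standing in for the ${webapp.root} files) so the script runs offline.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def metadata_doc(entity_id, role, with_signing_cert):
    """Build a minimal, constructed SAML metadata document (not a real entity)."""
    key = ""
    if with_signing_cert:
        key = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
               '<ds:X509Certificate>MIIC...constructed...</ds:X509Certificate>'
               '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="{entity_id}"><md:{role}>{key}</md:{role}></md:EntityDescriptor>')


# Constructed stand-in for the ${webapp.root}/... files referenced from asimba.xml.
FILES = {
    "idp1.xml": metadata_doc("https://idp1.example.org/saml", "IDPSSODescriptor", True),
    "idp2.xml": metadata_doc("https://idp2.example.org/saml", "IDPSSODescriptor", False),
    "sp1.xml": metadata_doc("https://sp1.example.com/saml", "SPSSODescriptor", False),
}

# Constructed asimba.xml fragment using the element layout from the reply above.
ASIMBA_XML = """<asimba>
 <websso><authentication><methods>
  <method id="RemoteSAML" enabled="true" response_signing_required="true"
   class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
   <idps id="saml2idps"
    class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
    <idp id="https://idp1.example.org/saml"><metadata><file>idp1.xml</file></metadata></idp>
    <idp id="urn:idp:config:test2"><metadata><file>idp2.xml</file></metadata></idp>
   </idps>
  </method>
 </methods></authentication></websso>
 <profiles>
  <profile id="saml2" class="com.alfaariss.oa.profile.saml2.SAML2Profile">
   <requestors signing="TRUE">
    <requestor id="https://sp1.example.com/saml" signing="FALSE">
     <metadata><file>sp1.xml</file></metadata></requestor>
    <requestor id="https://sp2.example.com/saml">
     <metadata><http timeout="10000" url="http://sp2.example.com/saml/metadata"/></metadata></requestor>
   </requestors>
  </profile>
 </profiles>
</asimba>"""


def truthy(value):
    return (value or "").strip().lower() == "true"


def has_signing_cert(entity):
    """True if a KeyDescriptor usable for signing (use="signing" or no use) carries a certificate."""
    for kd in entity.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing") and kd.find(".//ds:X509Certificate", NS) is not None:
            return True
    return False


def check_party(kind, party_id, metadata_el, files, signing_required):
    """Return a list of findings for one <idp> or <requestor> element."""
    prefix = f"{kind} {party_id}"
    if metadata_el is None:
        return [f"{prefix}: no <metadata> element"]
    http = metadata_el.find("./http")
    if http is not None:
        url = http.get("url", "")
        if url.startswith("http://"):
            return [f"{prefix}: metadata fetched over plain http ({url}); "
                    "it can be swapped in transit unless its XML signature is verified"]
        return []  # remote metadata is not fetched in this offline check
    path = metadata_el.findtext("./file")
    if path not in files:
        return [f"{prefix}: metadata file {path!r} not found"]
    try:
        root = ET.fromstring(files[path])
    except ET.ParseError as exc:
        return [f"{prefix}: metadata {path!r} is not well-formed XML ({exc})"]
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"{prefix}: metadata {path!r} is not an EntityDescriptor"]
    findings = []
    entity_id = root.get("entityID")
    if entity_id != party_id:  # assumption: Asimba matches the id against entityID
        findings.append(f"{prefix}: configured id differs from metadata entityID {entity_id!r}")
    if signing_required and not has_signing_cert(root):  # assumption: signing flag needs a cert
        findings.append(f"{prefix}: signatures required but metadata publishes no signing certificate")
    return findings


def check_config(asimba_xml, files):
    """Check every remote IDP and every SAML2 requestor in an asimba.xml document."""
    cfg = ET.fromstring(asimba_xml)
    findings = []
    for method in cfg.iterfind("./websso/authentication/methods/method"):
        required = truthy(method.get("response_signing_required"))
        for idp in method.iterfind("./idps/idp"):
            findings += check_party("IDP", idp.get("id"), idp.find("./metadata"), files, required)
    for profile in cfg.iterfind("./profiles/profile"):
        for pool in profile.iterfind("./requestors"):
            default = truthy(pool.get("signing"))  # pool-level default, overridden per requestor
            for req in pool.iterfind("./requestor"):
                own = req.get("signing")
                required = truthy(own) if own is not None else default
                findings += check_party("SP", req.get("id"), req.find("./metadata"), files, required)
    return findings


if __name__ == "__main__":
    for line in check_config(ASIMBA_XML, FILES):
        print(line)
```

Run against the constructed input it reports the second IDP twice (id mismatch and no signing certificate while response_signing_required is on) and flags the second requestor for pulling its metadata over plain http; the first IDP and the signing="FALSE" requestor pass. To use it on a real deployment, replace FILES with a loader that reads the ${webapp.root} paths from disk.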