From: Mark D. <mdo...@co...> - 2014-02-03 17:53:11
...I'm in the train with a lousy internet connection at the moment, but you need to configure the ResponseEndpoint (that handles the Response from a remote IDP) with the SAML2 Profile. If you take a look at the asimba-saml-proxy example asimba.xml, you'll see what that will look like: in asimba.xml, asimba-server/profiles/profile(SAML2Profile)/profile needs a ResponseEndpoint and the SAML2AuthenticationMethod needs to reference this SAML2Profile by its @id using the <idpprofile> element. You're almost there!

On 03/02/14 17:54, Tataryn Oleksiy wrote:
> It still does not work ([main] ERROR c.a.o.a.r.s.SAML2AuthenticationMethod - Cannot start: there is no SAML2 IDP Profile that handles the Response Endpoint for this SAML SP)
>
> From the sources it looks like I also need ResponseEndpoint configured in /asimba-server/profiles/profile/profiles/profile, so trying to figure that out.
>
> Best Regards,
> Oleksiy Tataryn
>
> On Fri, Jan 31, 2014 at 1:55 PM, Mark Dobrinic <mdo...@co...> wrote:
> > Hi Oleksiy,
> >
> > The remote-saml2 authentication method isn't documented properly yet. The <idpprofile> element was introduced in 1.1.2; the actual change is documented though:
> > http://sourceforge.net/p/asimba/wiki/Changes%20since%201.1.2./#20130903-update-to-support-multiple-saml2-idp-profiles-with-multiple-remote-saml2-authmethod-configurations
> >
> > Bottom line is: you need a configured SAML2 IDP Profile; the Remote SAML2 authentication method uses the id of the SAML2 IDP profile to reference it, so incoming SAML2 Response messages can be handled correctly.
> >
> > The example configuration that I provided to you (GLUU) configures a SAML2 IDP with an id "saml2", so the configuration in the RemoteSAML authentication method would be:
> > <idpprofile id="saml2" />
> >
> > Does this help you further?
> >
> > Cheers!
> > Mark
> >
> > On 30/01/14 23:12, Tataryn Oleksiy wrote:
> > > Thanks Mark,
> > >
> > > I tried configuring one external IDP, but asimba threw an error during tomcat startup, complaining about the lack of <idpprofile> element. Unfortunately I did not find any documentation about the idpprofile. How is it used or where can I find information about it?
> > >
> > > Attached is the tomcat log with the error.
> > >
> > > Best Regards,
> > > Oleksiy Tataryn
> > >
> > > On Wed, Jan 29, 2014 at 10:27 PM, Mark Dobrinic <mdo...@co...> wrote:
> > > > Hi Oleksiy,
> > > >
> > > > Some of your questions have some documentation to cover it, but let me help you with your questions before we're there ;)
> > > >
> > > > btw; if you have suggestions on how to improve the docs, please let me know.
> > > >
> > > > > Hello asimba-users,
> > > > > I am trying to use Asimba as a SAML proxy for several IDPs. The problem is that I cannot find any documentation for that and asimba.xml is not helping much.
> > > > > So here are my questions:
> > > > > 1. How do I add several external IDPs and remove the internal Asimba one (the one that accepts asimba1/asimba1 creds)?
> > > >
> > > > Asimba has a concept of an IDP profile, which is SAML, that reports on how a user was authenticated.
> > > >
> > > > Authentication is done by executing an authentication profile, that contains one or more authentication methods.
> > > >
> > > > What you're looking for here, is authentication based on a remote SAML IDP. This is implemented in the Remote SAML2 Authentication method. This method is actually documented:
> > > > http://sourceforge.net/p/asimba/wiki/asimba-am-remote-saml2/
> > > >
> > > > So you'd start with defining a new authentication profile in asimba.xml: /asimba/authentication/profile, something like this:
> > > > <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
> > > >   <method id="RemoteSAML" />
> > > > </profile>
> > > >
> > > > ... and then a web-based authentication method in asimba.xml: /asimba/websso/authentication/methods/method like this:
> > > >
> > > > <method id="RemoteSAML" friendlyname="Remote SAML authentication"
> > > >         enabled="true" response_signing_required="true"
> > > >         class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
> > > >   ...
> > > > </method>
> > > >
> > > > ..you're setting up the context for using remote SAML IDP's.
> > > >
> > > > This can be set up using:
> > > > <method ....>
> > > >   ...
> > > >   <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
> > > >     <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1" scoping="true" avoid_subjectconfirmation="true">
> > > >       <metadata>
> > > >         <file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file>
> > > >       </metadata>
> > > >     </idp>
> > > >   </idps>
> > > >   ...
> > > > </method>
> > > >
> > > > There are some more options to configure here, that should be documented. I'll put it on my list.
> > > >
> > > > > 2. How do I configure the discovery? What are the requirements for the IDPs?
> > > >
> > > > Discovery is default being done by a JSP-file that renders the IDP's that the user can choose from. If this needs customization, you can choose to either customize the JSP, or implement your own module that you can configure to activate. This last one is only when you know exactly what you want to do.
> > > >
> > > > > 3. I heard that asimba allows IDPs information to be stored in the database. How can I achieve that?
> > > >
> > > > The example above configures the IDP's from asimba.xml. If you want to use a JDBC backed store, you should configure the <idps ..> element with the JDBC-implementation:
> > > >
> > > > <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.jdbc.IDPJDBCStorage" />
> > > >
> > > > This relies on a configured model storagefactory to be configured in asimba.xml: /asimba:
> > > > <storagefactory class="com.alfaariss.oa.engine.storage.jdbc.JDBCFactory">
> > > >   <model>
> > > >     <environment_context>java:comp/env</environment_context>
> > > >     <resource-ref>jdbc/oaModel</resource-ref>
> > > >   </model>
> > > >   <system>
> > > >     <environment_context>java:comp/env</environment_context>
> > > >     <resource-ref>jdbc/oaSystem</resource-ref>
> > > >   </system>
> > > > </storagefactory>
> > > >
> > > > ... which relies on the jdbc/oaModel and jdbc/oaSystem resources to be configured by your application server.
> > > >
> > > > See the Asimba Wiki documentation:
> > > > http://sourceforge.net/p/asimba/wiki/asimba-engine-storage/
> > > >
> > > > By default, the IDPs are queried from the table 'saml2_orgs', of which the database definition is published on the remote-saml2 documentation of the Asimba Wiki. This can be overruled. Let me know if you want me to look it up. Either way, I should put it on the Asimba Wiki ;)
> > > >
> > > > > 4. How can I control which SPs are serviced by asimba?
> > > >
> > > > A SAML2 SP is an Asimba Requestor, that has some additional SAML2-specific properties (Asimba is protocol agnostic, SAML2 is "just a protocol"). Requestors are contained in a RequestorPool.
> > > >
> > > > Each RequestorPool defines which authentication profiles are allowed, and which attribute gathering and -release policies are applied to it.
> > > >
> > > > If you want to set up a RequestorPool using a JDBC backend, this is documented in the JDBC documentation on the Asimba Wiki:
> > > > http://sourceforge.net/p/asimba/wiki/asimba-engine-requestor-jdbc/
> > > >
> > > > If you want to set up the requestor pools in asimba.xml: there is an example of this in the asimba.xml of the asimba-wa module of the sources (line 179-201):
> > > > http://sourceforge.net/p/asimba/code/HEAD/tree/trunk/asimba-wa/src/main/webapp/WEB-INF/conf/asimba.xml
> > > >
> > > > So, the next thing is to add SAML2 specific data to the requestors. Again, this can be done in a JDBC backend, by setting the properties (in table requestorpool_requestor_properties):
> > > > [saml2-profileid].metadata.file that contains the location of the filename to the saml metadata, or
> > > > [saml2-profileid].metadata.http.url that contains the URL where the metadata can be retrieved from, or
> > > > [saml2-profileid].metadata that contains the actual metadata itself in the database.
> > > >
> > > > (saml2-profileid is the id that you've given to the com.alfaariss.oa.profile.saml2.SAML2Profile asimba/profiles/profile)
> > > >
> > > > .. or in the asimba.xml, by configuring the requestors inside the saml2 idp profile configuration: /asimba/profiles/profile/requestors like:
> > > > <requestors signing="TRUE">
> > > >   <requestor id="localhost/AsimbaSimpleSP" signing="FALSE">
> > > >     <metadata>
> > > >       <file>${webapp.root}/WEB-INF/sample-data/metadata/asimbasimplesp.xml</file>
> > > >       <!-- when metadata is sourced from a URL instead, the configuration could look like this:
> > > >       <http timeout="10000" url="http://my.serviceprovider.com/sp/metadata" />
> > > >       -->
> > > >     </metadata>
> > > >   </requestor>
> > > > </requestors>
> > > >
> > > > I hope this helps you out.
> > > >
> > > > Cheers!
> > > > Mark
> > > >
> > > > > Best Regards,
> > > > > Oleksiy Tataryn
> > > > >
> > > > > _______________________________________________
> > > > > Asimba-users mailing list
> > > > > Asi...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/asimba-users
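The startup error discussed in this thread ("there is no SAML2 IDP Profile that handles the Response Endpoint for this SAML SP") is a pure wiring problem between three parts of asimba.xml: the RemoteSAML web authentication method, its <idpprofile id="..."/> reference, and the SAML2Profile that must contain a ResponseEndpoint sub-profile. The script below is an added example (editor's code, not part of Asimba) that checks that wiring statically before Tomcat is restarted, plus the one hardening attribute that appears in Mark's sample (response_signing_required="true"). Assumptions: the root element is spelled <asimba-server>; the ResponseEndpoint sub-profile is recognised by an id or class attribute ending in "ResponseEndpoint" (the thread does not show its exact syntax, so the sample uses placeholder class names); the sample XML is constructed for the example and only reuses element names and attributes quoted in the thread.

```python
"""Static wiring check for the remote-SAML2 parts of an Asimba asimba.xml.
Added example, not Asimba project code. Element paths come from the thread;
the ResponseEndpoint sub-profile detection rule is an ASSUMPTION."""
import xml.etree.ElementTree as ET

SAML2_PROFILE_CLASS = "com.alfaariss.oa.profile.saml2.SAML2Profile"
REMOTE_SAML2_METHOD_CLASS = (
    "com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod")


def _is_response_endpoint(sub_profile):
    """ASSUMPTION: the sub-profile's id or class ends with 'ResponseEndpoint'."""
    ident = sub_profile.get("id", "") + " " + sub_profile.get("class", "")
    return any(tok.endswith("ResponseEndpoint") for tok in ident.split())


def check_remote_saml2_wiring(xml_text):
    """Return a list of problems; an empty list means the wiring is consistent."""
    root = ET.fromstring(xml_text)
    problems = []

    # SAML2 IDP profiles under /profiles, keyed by @id -> has ResponseEndpoint?
    saml2_profiles = {}
    for prof in root.findall("./profiles/profile"):
        if prof.get("class") == SAML2_PROFILE_CLASS:
            saml2_profiles[prof.get("id")] = any(
                _is_response_endpoint(sp) for sp in prof.findall("./profiles/profile"))

    methods = {m.get("id"): m
               for m in root.findall("./websso/authentication/methods/method")}

    for mid, method in methods.items():
        if method.get("class") != REMOTE_SAML2_METHOD_CLASS:
            continue
        if method.get("enabled", "true").lower() != "true":
            continue
        idpprofile = method.find("idpprofile")
        ref = idpprofile.get("id") if idpprofile is not None else None
        if not ref:
            problems.append(f"method '{mid}': missing <idpprofile id=.../>")
        elif ref not in saml2_profiles:
            problems.append(f"method '{mid}': <idpprofile id=\"{ref}\"/> matches no SAML2Profile")
        elif not saml2_profiles[ref]:
            problems.append(f"method '{mid}': SAML2Profile '{ref}' has no ResponseEndpoint sub-profile")
        # Hardening: unsigned Responses from a remote IDP must not be accepted.
        if method.get("response_signing_required", "").lower() != "true":
            problems.append(f"method '{mid}': response_signing_required is not \"true\"")
        idps = method.find("idps")
        if idps is None:
            problems.append(f"method '{mid}': no <idps> storage configured")
        else:
            for idp in idps.findall("idp"):  # none for JDBC-backed storage
                md = idp.find("metadata")
                if md is None or (md.find("file") is None and md.find("http") is None):
                    problems.append(f"method '{mid}': idp '{idp.get('id')}' has no metadata source")

    # Every <method id=.../> named in an authentication profile must exist.
    for ap in root.findall("./authentication/profile"):
        for mref in ap.findall("method"):
            if mref.get("id") not in methods:
                problems.append(f"authentication profile '{ap.get('id')}': "
                                f"unknown method '{mref.get('id')}'")
    return problems


# Constructed sample reproducing the failing state from the thread: the method
# points at SAML2Profile "saml2", but that profile has no ResponseEndpoint.
# Sub-profile class names are placeholders, not Asimba's real ones.
BROKEN_XML = """<asimba-server>
  <authentication>
    <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
      <method id="RemoteSAML" />
    </profile>
  </authentication>
  <websso><authentication><methods>
    <method id="RemoteSAML" enabled="true" response_signing_required="true"
            class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
      <idpprofile id="saml2" />
      <idps id="saml2idps"
            class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
        <idp id="urn:idp:config:test1" scoping="true" avoid_subjectconfirmation="true">
          <metadata><file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file></metadata>
        </idp>
      </idps>
    </method>
  </methods></authentication></websso>
  <profiles>
    <profile id="saml2" class="com.alfaariss.oa.profile.saml2.SAML2Profile">
      <profiles>
        <profile id="sso/web" class="placeholder.WebBrowserSSO" />
      </profiles>
    </profile>
  </profiles>
</asimba-server>
"""

# Same document with an (assumed-syntax) ResponseEndpoint sub-profile added.
FIXED_XML = BROKEN_XML.replace(
    '<profile id="sso/web" class="placeholder.WebBrowserSSO" />',
    '<profile id="sso/web" class="placeholder.WebBrowserSSO" />\n'
    '        <profile id="sso/ResponseEndpoint" class="placeholder.ResponseEndpoint" />')

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        print(name, check_remote_saml2_wiring(doc) or "OK")
```

Run it against your real asimba.xml by reading the file into check_remote_saml2_wiring(); the broken sample reports exactly the condition behind the "no SAML2 IDP Profile that handles the Response Endpoint" error, the fixed one reports nothing. Adjust _is_response_endpoint() to whatever id or class the asimba-saml-proxy example actually uses for its ResponseEndpoint sub-profile.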