@mbohun
Last active July 4, 2018 03:27
cas-4.0.4+ / pac4j-1.7.2+ add support for SAML2.0 IdP DelegateAuthentication (Oracle OAM 11)

Following the pac4j example at https://github.com/pac4j/spring-security-pac4j, adding support for a SAML2.0 IdP (here: integrating with the DAWR Oracle OAM SAML2.0 IdP) needs two changes:

  1. add the pac4j SAML library to the <dependencies> section of the cas pom.xml:

     ```xml
     <dependency>
         <groupId>org.pac4j</groupId>
         <artifactId>pac4j-saml</artifactId>
         <version>${pac4j.version}</version>
     </dependency>
     ```
  2. add the SAML2 client configuration, the client and the pac4j Clients bean to the applicationContext.xml:

     ```xml
     <!-- SAML2 SP configuration; the values below are the ones from the pac4j example -->
     <bean id="samlConfig" class="org.pac4j.saml.client.SAML2ClientConfiguration">
         <property name="keystorePath" value="resource:samlKeystore.jks" />
         <!-- demo passwords from the pac4j example: move them out of the XML into an externalised
              property (as is already done for ${pac4j.callback.url} below) before deploying -->
         <property name="keystorePassword" value="pac4j-demo-passwd" />
         <property name="privateKeyPassword" value="pac4j-demo-passwd" />
         <!-- the example ships Okta IdP metadata; point this at the DAWR Oracle OAM IdP metadata instead -->
         <property name="identityProviderMetadataPath" value="resource:metadata-okta.xml" />
         <!-- seconds since the IdP's AuthnInstant after which an assertion is rejected -->
         <property name="maximumAuthenticationLifetime" value="3600" />
         <property name="serviceProviderEntityId" value="http://localhost:8080/callback?client_name=SAML2Client" />
         <!-- SP metadata is generated here and must be registered with the IdP -->
         <property name="serviceProviderMetadataPath" value="sp-metadata.xml" />
     </bean>

     <bean id="samlClient" class="org.pac4j.saml.client.SAML2Client">
         <constructor-arg name="configuration" ref="samlConfig" />
     </bean>

     <!-- all delegated-authentication clients cas should offer; only the SAML2 client here -->
     <bean id="clients" class="org.pac4j.core.client.Clients">
         <property name="callbackUrl" value="${pac4j.callback.url}" />
         <property name="clients">
             <list>
                 <ref bean="samlClient" />
             </list>
         </property>
     </bean>
     ```

REFERENCES:

  1. User profile creation/registration
    1. with username/password
    2. with/through delegated authentication against the DAWR SAML2.0 IdP (Oracle OAM); the SAML2.0 IdP sends the following user attributes back to cas:
      • email
      • given name
      • surname
  2. The email address is verified against an email whitelist:
    • does this email match @agriculture.gov.au, @csiro.au, etc.
    • does this email match joe.whitelisted@gmail.com, betty.approved@yahoo.com, etc.
    • NOTE: This "email whitelisting" for registration is a new feature/extension that can quite easily be added in here
  3. The email is used to look up whether a user profile already exists in the cas DB:
    • if yes: the user profile is retrieved from the cas DB
    • if no: the user profile is created
    • To allow this, AttributeParser.java needs support added for parsing the DAWR SAML2.0 IdP response, in order to extract the attributes mentioned in point 1 (email, given name, surname)
  4. TODO: Once a user profile is created in the cas DB it can be configured/enhanced/augmented with extra attributes, for example an admin role, etc.
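The registration whitelist check from point 2, written out as an added example (hypothetical class, not cas or pac4j code); it assumes the email attribute arrives as a plain string from the AttributeParser, and it treats whitelist entries starting with "@" as whole-domain entries and all others as exact addresses:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper for the registration whitelist in point 2; not cas or pac4j code.
public final class RegistrationEmailWhitelist {
    private final Set<String> allowedDomains = new HashSet<>();   // from entries like "@csiro.au"
    private final Set<String> allowedAddresses = new HashSet<>(); // from entries like "joe.whitelisted@gmail.com"

    public RegistrationEmailWhitelist(Iterable<String> entries) {
        for (String entry : entries) {
            String e = entry.trim().toLowerCase(Locale.ROOT);
            if (e.startsWith("@")) allowedDomains.add(e.substring(1)); // whole-domain entry
            else allowedAddresses.add(e);                               // exact address entry
        }
    }

    // Accepts only a well-formed address whose full address, or whose exact domain, is listed.
    public boolean isAllowed(String email) {
        if (email == null) return false;
        String e = email.trim().toLowerCase(Locale.ROOT);
        int at = e.indexOf('@');
        // exactly one '@', non-empty local part and domain, no embedded whitespace
        // (rejects empty parts and "Joe <joe@x>" style values)
        if (at <= 0 || at != e.lastIndexOf('@') || at == e.length() - 1) return false;
        for (int i = 0; i < e.length(); i++) if (Character.isWhitespace(e.charAt(i))) return false;
        String domain = e.substring(at + 1);
        // exact domain equality rather than a suffix test, so "notagriculture.gov.au"
        // and "agriculture.gov.au.example" are both rejected
        return allowedAddresses.contains(e) || allowedDomains.contains(domain);
    }

    public static void main(String[] args) {
        RegistrationEmailWhitelist wl = new RegistrationEmailWhitelist(Arrays.asList(
            "@agriculture.gov.au", "@csiro.au", "joe.whitelisted@gmail.com", "betty.approved@yahoo.com"));
        // constructed sample values, as the AttributeParser would hand the email attribute over
        String[] samples = {
            "Jane.Doe@Agriculture.gov.au",       // listed domain, different letter case
            "joe.whitelisted@gmail.com",         // listed exact address
            "someone.else@gmail.com",            // neither domain nor address listed
            "mallory@notagriculture.gov.au",     // only a suffix of a listed domain
            "mallory@agriculture.gov.au.example" // listed domain plus an extra label
        };
        for (String s : samples) System.out.println(s + " -> " + wl.isAllowed(s));
    }
}
```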