Basic auth authentication using IdP

Basic auth authentication using IdP

Kobe
hello..

I set up my Shibboleth IdP with my SP and it works well for form-based authentication.
I also need to allow programmatic API clients to be authenticated using the same IdP.
How can I do this? Clearly the client making API calls to secured resources in the
SP cannot respond to form-based login.

Basically an API query to a secured resource on the SP should be authenticated using the basic auth
mechanism with the IdP.

any help is greatly appreciated...

/K

Re: Basic auth authentication using IdP

Cantor, Scott E.
On 3/9/11 8:09 PM, "Kobe" <[hidden email]> wrote:
>I also need to allow programmatic api clients to be authenticated using
>same
>idp.

The appropriate profile for this is called ECP and is not the same as what
is used for a browser. I answered the same question this morning. I'll try
and write up a page since this is coming up constantly all of the sudden,
for some reason. You can find the IdP extension for ECP on the
contributions page and the specification itself at OASIS.

-- Scott

Re: Basic auth authentication using IdP

Kobe
Thank you for your help. The ECP profile needs the SOAP binding; my web services are
REST based. Do I need to implement a proxy client that will implement this profile
based on SOAP on behalf of my REST clients?

Is there an open source implementation of a basic ECP proxy client for doing basic auth,
so that I can implement my own client based on it?

many thanks!

/K

Re: Basic auth authentication using IdP

Cantor, Scott E.
> thank you for your help. ECP profile needs soap binding - my web services
> are REST based. Do I need to implement a proxy client that will implement this
> profile based on SOAP on behalf of my REST clients.

Only the parts that involve the authentication step involve SOAP. It is agnostic about the actual resources.
 
> Is there a open source implementation of a basic ECP proxy client for doing
> basic auth?

There are Java libraries around that do a superset of the basic ECP work to support delegation flows hosted on web sites. They do more than what is needed for a basic client.

-- Scott

Re: Basic auth authentication using IdP

Kobe
Cantor, Scott E. wrote:
> > Is there a open source implementation of a basic ECP proxy client for doing
> > basic auth?
>
> There are Java libraries around that do a superset of the basic ECP work to support delegation flows hosted on web sites. They do more than what is needed for a basic client.
>
> -- Scott

Can you point me to these Java libraries that can be used as a starter for implementing an ECP client?
I searched and found a reference on the openliberty site, but I am not sure if they provide
an implementation.

thanks,

/K

Re: Basic auth authentication using IdP

Cantor, Scott E.
On 3/10/11 2:21 PM, "Kobe" <[hidden email]> wrote:
>Can you point me to these Java libraries that can be used as a starter for
>implementing an ECP?

If I had the links handy, I would. One of them was done by Unicon and was
linked from the Shib-uPortal wiki space at one point, and the other was
being done in Europe I believe. When I get around to writing up a page, I
will probably try and track them down. You should be able to find some
mention of the latter one in the list archive.

>I searched and found a reference in  openliberty site - but I am not sure
>if
>they provide an implementation.

Not in a usable state, no.

-- Scott

Re: Basic auth authentication using IdP

Cantor, Scott E.
In reply to this post by Kobe
On 3/10/11 2:21 PM, "Kobe" <[hidden email]> wrote:
>Can you point me to these Java libraries that can be used as a starter for
>implementing an ECP?

Here you go:
https://spaces.internet2.edu/display/SHIB2/ECP

-- Scott

Re: Basic auth authentication using IdP

Jonathan Tellier
> Here you go:
> https://spaces.internet2.edu/display/SHIB2/ECP

I'd like to point out that in your list of Java clients, you could add
a link to this:

http://git.springsource.org/~jtellier/spring-security/se-security-saml-ecp

It's my clone of the Spring Security Extensions project that supports
the basic ECP profile. I've heard from the Spring devs and they are
interested in merging my changes. I have no idea when this is going to
happen, though.

--jtellier

Re: Basic auth authentication using IdP

Cantor, Scott E.
> I'd like to point out that in your list of Java clients, you could add
> a link to this:
>
> http://git.springsource.org/~jtellier/spring-security/se-security-saml-ecp

You could also...

Thanks,
-- Scott

Re: Basic auth authentication using IdP

Jonathan Tellier
> You could also...

Of course... what was I thinking? I've just done it.

Sorry about that.

--jtellier

Re: Basic auth authentication using IdP

Kobe
In reply to this post by Jonathan Tellier
Jonathan,

I looked at your earlier post on this forum and the Spring forums. I thought that your
implementation was still underway.

Could you please describe how this can be deployed with an ECP-capable SP and IdP?
My understanding is that if I have a web service that supplies basic auth headers,
then I can deploy it behind this client as follows:

         <IdP>  <------> (ECP client) <--------> <SP>
                                     |
                                     |
                                 web service client

Is my understanding correct?

TIA,

/K

Re: Basic auth authentication using IdP

Jonathan Tellier
> I looked at your earlier post on this forum and Spring forums. I thought
> that your
> implementation was still underway.

Yeah, that might have been confusing. I've just updated my post to
reflect the latest development.

> Could you pl describe how this can be deployed with an
> ECP-capable SP and IDP?

Wow, I was really lost yesterday when I jumped into this discussion
and modified the wiki. I've pointed to my SP implementation. Not my
client implementation. I'm sorry about the confusion I generated...

I do have a Java ECP client, but it's using OpenSAML (nothing to do
with Spring) and it's hosted in the code repo of some other project on
which I'm working. As I'm thinking about it, I don't think I should
put it on the wiki page because it's a bit too specific. However, I'm
still going to explain how to use it because it could be useful to
anyone wanting to write an ECP client.

So the code is available there:

http://scm.iaasframework.com/hg/iaas-security/

You can browse to the "EcpProxy" and there, you'll find the
com.iaasframework.ecp.SPAuthnTokenRetreiver class, which is the client
itself.

The client takes care of step 1 to 6 of the spec [1], so from there,
you can send the token to the SP in order to authenticate and access
the protected resource.

So this client is not a "complete" client per se (because it does not
take care of the entire flow), but it should help you write one that
will suit your needs.

Once again sorry for the confusion, but I hope I've rectified things :)

Jonathan


[1] http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Re: Basic auth authentication using IdP

Kobe
hello...

Your implementation is a very good starter; you have saved me a bunch of hassles.
Thank you!!

Jonathan Tellier wrote:
> I do have a Java ECP client, but it's using OpenSAML
>
> The client takes care of step 1 to 6 of the spec [1], so from there,
> you can send the token to the SP in order to authenticate and access
> the protected resource.
>
> So this client is not a "complete" client per se (because it does not
> take care of the entire flow), but it should help you writing one that
> will suit your needs.

I have two questions:
 a) How can I figure out the IdP ECP URL to which I should send the AuthnRequest received from the SP?
     I would like to do this in an IdP-agnostic way. I could not locate an example of IdP metadata with
     the ECP profile. Could you suggest how this can be solved? Do you have sample IdP metadata
     with the ECP profile?

  b) I am trying to extend your code to do step (7): I am trying to convey the assertion received from the
     IdP to the SP to obtain the SP-specific token. I am not sure which URL on the SP I should send this to.
     Can you please explain? Can this SP URL to which the IdP assertion needs to be sent be inferred from SP
     metadata?

thanks,

/K

Re: Basic auth authentication using IdP

Cantor, Scott E.
> I have two questions -
>  a) how can I figure out the IdP ECP URL to which I should send the
> AuthnRequest received from SP.
>      i would like to do in an idp-agnostic way. I could not locate an
> example of an idp metadata with
>      ECP profile. could you suggest how this can be solved? do you have a
> sample Idp metadata with ECP profile?

The SingleSignOnService for ECP has a Binding with the SAML 2.0 SOAP binding URI in it, that's all.

>   b) I am trying to extend your code to do step (7) - I am trying to convert
> the assertion received from
>     IdP to the SP to obtain the SP-specific token. I am not sure which URL
> on SP I should send this to.

If you mean where you send the *response* from the IdP, that's in the two SOAP headers you have to cross check to make sure they match.
 
-- Scott
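
As an added example (not code from this thread, nor from OpenSAML, Shibboleth or the Spring extension discussed above), the Python below shows both points Scott makes: selecting the IdP's ECP endpoint from metadata purely by its SOAP Binding URI, and cross-checking the SP's paos:Request responseConsumerURL against the IdP's ecp:Response AssertionConsumerServiceURL before the client forwards anything. The metadata, envelopes, hostnames and paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample IdP metadata (entityID, hostnames and paths are placeholders).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://idp.example.org/idp/shibboleth"><md:IDPSSODescriptor
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
  Location="https://idp.example.org/idp/profile/SAML2/SOAP/ECP"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed SOAP envelopes (headers only): the SP's paos:Request and the IdP's ecp:Response.
SP_PAOS = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08"><S:Header><paos:Request S:mustUnderstand="1"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next"
 responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"
 service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/></S:Header><S:Body/></S:Envelope>"""
IDP_OK = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"><S:Header><ecp:Response
 S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
 AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
</S:Header><S:Body/></S:Envelope>"""
IDP_BAD = IDP_OK.replace("sp.example.org", "attacker.example.net")  # constructed mismatch

def find_ecp_endpoint(metadata_xml):
    """ECP endpoint = the IdP's SingleSignOnService whose Binding is the SAML 2.0 SOAP binding."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == SOAP_BINDING:
            return sso.get("Location")
    return None

def header_attr(envelope_xml, header_path, attr):
    """Read one attribute from a SOAP header element; None if that header is absent."""
    hdr = ET.fromstring(envelope_xml).find("S:Header/" + header_path, NS)
    return hdr.get(attr) if hdr is not None else None

def forward_target(sp_envelope, idp_envelope):
    """URL the client may deliver the IdP response to: only when both headers agree.
    On a mismatch the profile requires sending a SOAP fault to the SP and stopping."""
    sp_url = header_attr(sp_envelope, "paos:Request", "responseConsumerURL")
    idp_url = header_attr(idp_envelope, "ecp:Response", "AssertionConsumerServiceURL")
    if sp_url is None or idp_url is None or sp_url != idp_url:
        return None
    return idp_url
```

The mismatch case is the one that matters for a client: a response whose AssertionConsumerServiceURL disagrees with what the SP asked for must never be forwarded, since that would hand the assertion to whatever URL the IdP response names.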

Re: Basic auth authentication using IdP

Kobe
Thanks Scott.

My ECP client gets the following AuthnRequest response from my SP. So I should POST the SAML assertion received from the IdP to the assertion consumer service URL?

   <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://mysp.xxx.com:8080/opensso/Consumer/ECP/metaAlias/sp" ForceAuthn="false" ID="s2f86c64b5560c735b1d06ad7edeca9795298024ac" IsPassive="false" IssueInstant="2011-03-13T05:57:05Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">

thanks,

/K

Re: Basic auth authentication using IdP

Cantor, Scott E.
> My ECP client gets the following AuthnRequest response from my SP. So I
> should POST the saml assertion received from IdP to the assertion consumer
> service URL?

I'm not going to try and shorthand the profile in an email, you need to read the specification. The short answer is, that's an imprecise/incomplete description of what you have to do.

If you don't understand the spec, you can ask anything you need to on the saml-dev mailing list at OASIS.

With respect to Shibboleth, any additional questions about developing code against it should be moved to the shibboleth-dev list.

-- Scott