Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This outline refers to this JIRA issue

A. old-fashioned way

  1. Install and configure Service Provider direct on the machine
    1. Install package from distribution repository OR https://wiki.shibboleth.net/confluence/display/SP3/LinuxInstall
    2. Configure SP → https://wiki.shibboleth.net/confluence/display/SP3/Configuration
    3. Configure Webserver → https://wiki.shibboleth.net/confluence/display/SP3/WebServers

  2. At the secured webserver location place the endpoint of „mod-login“ (mod-login-saml?)  that takes the submitted attributes (these are exposed in the environment variables) to map to the right user and log him/her in.

...

How switching from mod-login-saml/pac4j to Apache/mod_shib helps with SAML related Jiras





UXPROD-2444Login authorization attribute for SAML-based SSOprocess of SAML result (attribute)Both pac4j and mod_shib equally support authorization attributes.
Both require integration work to make it work in FOLIO.
MODLOGSAML-92SSO Logout does not destroy SAML sessionnative SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO as some institutions want to disable SLO, some want to enable SLO.
UXPROD-1612Make the SAML(SSO) metadata file available through a public (Edge) URL in order to enable automatic configuration of the iDPnative SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO as some institutions want to disable SLO, some want to enable SLO.
MODLOGSAML-71Login via SSO possible even after decryption of SAML assertions failsnative SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO as some institutions want to disable SLO, some want to enable SLO.
MODLOGSAML-97Single-Sign-On (SSO) always fails(native SP client functionality /
part of SAML workflow)
Fixed. Bug in the underlying library, FOLIO uses a new version with the fix now.
Both pac4j and mod_shib equally need regular version bumps to ship the latest functional and security fixes.
UXPROD-556Federation-based SSO authentication - basic supportnative SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally support federations.
Both require integration work to make it work in FOLIO.
MODLOGSAML-58Arbitrary URL Redirection in SAML Responsenative SP client functionality /
part of SAML workflow
This is an integration bug that may also happen when integrating mod_shib.
MODLOGSAML-44remove required permissions from /saml/regenerate endpointnative SP client functionality /
part of SAML workflow
This is an integration bug regarding FOLIO's permissions that can also happen when using Apache mod_shib.
STCOR-532Logout from FOLIO, keep SSO login(native SP client functionality /
part of SAML workflow)
This is fixed. This issue applies to both pac4j and mod_shib.
MODLOGSAML-59Umbrella: Cross-Site Request Forgery (CSRF) in SSO Flownative SP client functionality /
part of SAML workflow
CSRF must correctly been configured at all APIs that the browser accesses: Stripes + Okapi. This includes SSO APIs. Both Vert.x + pac4j and Apache + mod_shib equally support CSRF.
MODLOGSAML-94Provide SLO (Single Log Out) endpoint to be called by SSO IdPnative SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO as some institutions want to disable SLO, some want to enable SLO.
MODLOGSAML-70Periodically recreate SAML clientsnative SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally support fetching the latest IdP metadata.
STRIPES-683Set credentials: include on fetch to /saml/loginnative SP client functionality /
part of SAML workflow
Fixed in Stripes. The fix is needed for both pac4j and mod_shib.
FOLREL-364login-saml: 2.0native SP client functionality /
part of SAML workflow
This issue has added a new interface version for ui-tenant-settings because a SSO configuration feature has been added to FOLIO's tenant settings. This is needed for both pac4j and mod_shib.
MODLOGSAML-65Create mod-login-saml security releasenative SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.
MODLOGSAML-95MODLOGSAML (mod-login-saml) release for 2021 R2native SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.
MODLOGSAML-66Spike: Move to NGINX/Apache for SAML2 SP?(native SP client functionality /
part of SAML workflow)
(wink)
MODLOGSAML-56Document module behavior for multiple tenants and clusteringnative SP client functionality /
part of SAML workflow
Both pac4j and mod_shib equally need documentation about SSO.
MODLOGSAML-78Extract IdP metadata from federation metadatanot sure about this

Both pac4j and mod_shib equally support federations.

Both require integration work to make it work in FOLIO.

MODLOGSAML-72Use longer certificate expiration period in sp-metadata or make it adjustablenot (directly) SAML related

Both pac4j and mod_shib support configurabgle SP certificate expiration periods.

Both require integration work to make it work in FOLIO.

FOLIO-2524Security Audit raised issuesnative SP client functionality /
part of SAML workflow
The audit points to MODLOGSAML-59 "Cross-Site Request Forgery (CSRF) in SSO Flow", see above.
UXPROD-808Patrons able to authn using multiple authn systemsnot (directly) SAML relatedBoth pac4j and Apache equally support multiple authn systems.

MODLOGSAML-63Implement CSRF Preventionnative SP client functionality /
part of SAML workflow
CSRF must been correctly configured at all APIs that the browser accesses: Stripes + Okapi. This includes SSO APIs. Both Vert.x + pac4j and Apache + mod_shib equally support CSRF.
MODLOGSAML-90Remove Base64Util(native SP client functionality /
part of SAML workflow)
The issue is NOT specific to SAML: https://github.com/folio-org/mod-login-saml/blob/v2.2.0/src/main/java/org/folio/rest/impl/SamlAPI.java
The mod_shib - FOLIO integration might have a similar issue.
UXPROD-811Shared/central technical services staff with appropriate privileges can manage resources for any library within the consortium, preferably with a single login.(native SP client functionality /
part of SAML workflow)
Both pac4j and Apache equally support the requested feature.
MODLOGSAML-89Replace pac4j-saml-opensamlv3 by pac4j-saml(native SP client functionality /
part of SAML workflow)
Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.

The list shows that switching the SAML client doesn't fix the issues. Most issues are integration issues that affect any SAML client.