
Outline for mod-login-saml move to Apache's mod_shib



This outline refers to this JIRA issue

A. old-fashioned way

  1. Install and configure Service Provider direct on the machine
    1. Install package from distribution repository OR https://wiki.shibboleth.net/confluence/display/SP3/LinuxInstall
    2. Configure SP → https://wiki.shibboleth.net/confluence/display/SP3/Configuration
    3. Configure Webserver → https://wiki.shibboleth.net/confluence/display/SP3/WebServers

  2. Behind the secured webserver location, place the endpoint of "mod-login" (mod-login-saml?) that takes the attributes delivered by the SP, maps them to the right user and logs him/her in. mod_shib exposes the attributes to that location as environment variables (not as client-supplied request headers), so only those values should be trusted.
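The webserver part of steps A.1.3 and A.2, as an added example that is not configuration from the page, from FOLIO or from the Shibboleth project: an httpd 2.4 virtual host that puts a Shibboleth SP session in front of a hypothetical /saml/callback endpoint and forwards selected attributes to a backend on an assumed loopback port. Hostnames, ports, the callback path and the header names are assumptions.

```apache
# Added example (not from the page, FOLIO or the Shibboleth project): httpd 2.4
# fragment for steps A.1.3 and A.2. Hostnames, ports, /saml/callback and the
# X-Shib-* header names are assumptions.
<VirtualHost *:443>
    ServerName folio.example.org
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as usual

    # mod_shib's own handler: AssertionConsumerService, /Shibboleth.sso/Metadata
    # (the SP metadata an IdP can fetch) and /Shibboleth.sso/Logout (SLO).
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Only the login endpoint requires a SAML session; the rest of the API is untouched.
    <Location /saml/callback>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # Keep attributes in environment variables. With ShibUseHeaders On the SP
        # would also copy them into request headers, and a client could send the
        # same header names itself on any path that is not behind the SP.
        ShibUseHeaders Off
        Require shib-session

        # Forward attributes to the backend in headers we control: first drop
        # whatever the client sent under these names (the "set" below only runs
        # when the variable exists, so without "unset" a client header would
        # survive for an absent attribute), then set them from mod_shib's
        # environment.
        RequestHeader unset X-Shib-Session-Id
        RequestHeader unset X-Shib-Eppn
        RequestHeader unset X-Shib-Entitlement
        RequestHeader set X-Shib-Session-Id "%{Shib-Session-ID}e" env=Shib-Session-ID
        RequestHeader set X-Shib-Eppn "%{eppn}e" env=eppn
        RequestHeader set X-Shib-Entitlement "%{entitlement}e" env=entitlement

        # The backend must listen on loopback only (assumed port); if it were
        # reachable directly, the X-Shib-* headers could be forged by anyone.
        ProxyPass http://127.0.0.1:8081/saml/callback
        ProxyPassReverse http://127.0.0.1:8081/saml/callback
    </Location>
</VirtualHost>
```

The attribute ids (eppn, entitlement) are the defaults from the SP's attribute-map.xml; multi-valued attributes arrive joined with ";". Whatever sits behind /saml/callback should still treat the forwarded values as untrusted input and fail closed when the session or the expected attributes are missing.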

B. containerized way

Use the maintained service provider in a container; a good starting point might be this: https://github.internet2.edu/docker/shib-sp

At this point it may be worth considering merging the remaining login logic with its APIs into the SP container, or doing it the other way round...


Additional considerations may be:

How switching from mod-login-saml/pac4j to Apache/mod_shib helps with SAML related Jiras

Each entry below gives the issue key and summary, the category (whether the issue is native SP client functionality / part of the SAML workflow, or something else) and the assessment of pac4j versus mod_shib.

UXPROD-2444 - Login authorization attribute for SAML-based SSO
  Category: process of SAML result (attribute)
  Assessment: Both pac4j and mod_shib equally support authorization attributes. Both require integration work to make it work in FOLIO.

MODLOGSAML-92 - SSO Logout does not destroy SAML session
  Category: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO, as some institutions want to disable SLO and some want to enable it.

UXPROD-1612 - Make the SAML (SSO) metadata file available through a public (Edge) URL in order to enable automatic configuration of the IdP
  Category: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib generate the SP metadata (mod_shib serves it from its own handler). Publishing it at a public (Edge) URL is integration work in FOLIO for either.

MODLOGSAML-71 - Login via SSO possible even after decryption of SAML assertions fails
  Category: native SP client functionality / part of SAML workflow
  Assessment: This is a fail-open bug in the integration. A Shibboleth SP rejects an assertion it cannot decrypt before any attributes reach the application, but the FOLIO endpoint must still refuse the login when the expected attributes are absent, whichever stack is used.

MODLOGSAML-97 - Single-Sign-On (SSO) always fails
  Category: (native SP client functionality / part of SAML workflow)
  Assessment: Fixed. Bug in the underlying library; FOLIO now uses a version with the fix.

UXPROD-556 - Federation-based SSO authentication - basic support
  Category: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally support federations. Both require integration work to make it work in FOLIO.

MODLOGSAML-58 - Arbitrary URL Redirection in SAML Response
  Category: native SP client functionality / part of SAML workflow
  Assessment: This is an integration bug that may also happen when integrating mod_shib: the post-login redirect target (e.g. RelayState) must be validated against an allow-list of FOLIO URLs on either stack.

MODLOGSAML-44 - Remove required permissions from /saml/regenerate endpoint
  Category: native SP client functionality / part of SAML workflow
  Assessment: This is an integration bug regarding FOLIO's permissions that can also happen when using Apache mod_shib.

STCOR-532 - Logout from FOLIO, keep SSO login
  Category: (native SP client functionality / part of SAML workflow)
  Assessment: This is fixed. The issue applies to both pac4j and mod_shib.

MODLOGSAML-59 - Umbrella: Cross-Site Request Forgery (CSRF) in SSO Flow
  Category: native SP client functionality / part of SAML workflow
  Assessment: CSRF protection must be configured correctly at all APIs that the browser accesses: Stripes + Okapi, including the SSO APIs. Both Vert.x + pac4j and Apache + mod_shib equally support CSRF protection.

MODLOGSAML-94 - Provide SLO (Single Log Out) endpoint to be called by SSO IdP
  Category: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO, as some institutions want to disable SLO and some want to enable it.

MODLOGSAML-70 - Periodically recreate SAML clients
  Category: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally support fetching the latest IdP metadata.

STRIPES-683 - Set credentials: include on fetch to /saml/login
  Category: native SP client functionality / part of SAML workflow
  Assessment: Fixed in Stripes. The fix is needed for both pac4j and mod_shib.

FOLREL-364 - login-saml: 2.0
  Category: native SP client functionality / part of SAML workflow
  Assessment: This issue added a new interface version for ui-tenant-settings because an SSO configuration feature was added to FOLIO's tenant settings. This is needed for both pac4j and mod_shib.

MODLOGSAML-65 - Create mod-login-saml security release
  Category: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.

MODLOGSAML-95 - MODLOGSAML (mod-login-saml) release for 2021 R2
  Category: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.

MODLOGSAML-66 - Spike: Move to NGINX/Apache for SAML2 SP?
  Category: (native SP client functionality / part of SAML workflow)
  Assessment: This spike is the subject of this outline.

MODLOGSAML-56 - Document module behavior for multiple tenants and clustering
  Category: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally need documentation about SSO.

MODLOGSAML-78 - Extract IdP metadata from federation metadata
  Category: not sure about this
  Assessment: Both pac4j and mod_shib equally support federations. Both require integration work to make it work in FOLIO.

MODLOGSAML-72 - Use longer certificate expiration period in sp-metadata or make it adjustable
  Category: not (directly) SAML related
  Assessment: Both pac4j and mod_shib support configurable SP certificate expiration periods. Both require integration work to make it work in FOLIO.

FOLIO-2524 - Security Audit raised issues
  Category: native SP client functionality / part of SAML workflow
  Assessment: The audit points to MODLOGSAML-59 "Cross-Site Request Forgery (CSRF) in SSO Flow", see above.

UXPROD-808 - Patrons able to authn using multiple authn systems
  Category: not (directly) SAML related
  Assessment: Both pac4j and Apache equally support multiple authn systems.

MODLOGSAML-63 - Implement CSRF Prevention
  Category: native SP client functionality / part of SAML workflow
  Assessment: Same as MODLOGSAML-59 above: CSRF protection must be configured correctly at all APIs that the browser accesses, including the SSO APIs, and both stacks support it.

MODLOGSAML-90 - Remove Base64Util
  Category: (native SP client functionality / part of SAML workflow)
  Assessment: The issue is NOT specific to SAML: https://github.com/folio-org/mod-login-saml/blob/v2.2.0/src/main/java/org/folio/rest/impl/SamlAPI.java - the mod_shib/FOLIO integration might have a similar issue.

UXPROD-811 - Shared/central technical services staff with appropriate privileges can manage resources for any library within the consortium, preferably with a single login.
  Category: (native SP client functionality / part of SAML workflow)
  Assessment: Both pac4j and Apache equally support the requested feature.

MODLOGSAML-89 - Replace pac4j-saml-opensamlv3 by pac4j-saml
  Category: (native SP client functionality / part of SAML workflow)
  Assessment: Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.
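The application side of step A.2, as an added example that is not code from the page, from mod-login-saml or from the Shibboleth project: the "mod-login" endpoint reduced to two testable functions. try_login() reads only what mod_shib exports into the request environment and fails closed on a missing session, a missing identity attribute or a missing authorization attribute (the situations behind UXPROD-2444 and MODLOGSAML-71); safe_redirect_target() is the allow-list check a post-login redirect needs on either stack (MODLOGSAML-58). Attribute names, the entitlement value, the hostname and the user directory are assumptions, and SAMPLE_ENV is a constructed sample of what mod_shib would set.

```python
"""
Added example (not code from the page, mod-login-saml or the Shibboleth project).
Attribute names, REQUIRED_ENTITLEMENT, ALLOWED_HOSTS and USERS are assumptions;
SAMPLE_ENV is a constructed sample of the variables mod_shib exports.
"""
from dataclasses import dataclass
from typing import List, Mapping, Optional
from urllib.parse import urlsplit

# Hypothetical authorization attribute: the IdP must assert this entitlement,
# otherwise an authenticated user is still not allowed into FOLIO.
REQUIRED_ENTITLEMENT = "urn:mace:example.org:folio:login"

# Hosts a post-login redirect may point at (assumed).
ALLOWED_HOSTS = frozenset({"folio.example.org"})


@dataclass(frozen=True)
class FolioUser:
    id: str
    username: str
    tenant: str


# Constructed user directory keyed by eduPersonPrincipalName (eppn).
USERS = {
    "jdoe@example.org": FolioUser("4f1c9d2e", "jdoe", "diku"),
}

# Constructed example of the environment after a successful SP login.
# Multi-valued attributes are joined with ';' (the SP's default separator).
SAMPLE_ENV = {
    "Shib-Session-ID": "_3a4b5c6d",
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "eppn": "jdoe@example.org",
    "affiliation": "staff@example.org;member@example.org",
    "entitlement": "urn:mace:example.org:folio:login;urn:mace:example.org:library",
}


def _values(env: Mapping[str, str], name: str) -> List[str]:
    """Split a multi-valued SP attribute; a missing attribute yields an empty list."""
    return [v for v in env.get(name, "").split(";") if v]


def try_login(env: Mapping[str, str],
              users: Mapping[str, FolioUser] = USERS) -> Optional[FolioUser]:
    """Return the FOLIO user to log in, or None if the login must be refused.

    Every check fails closed. With 'ShibRequestSetting requireSession 1' Apache
    never forwards an unauthenticated request, but the endpoint re-checks so that
    reaching it without mod_shib in front, or after a failed decryption that left
    no attributes, cannot log anyone in. Client-supplied HTTP headers are never
    consulted; only the SP-populated environment is.
    """
    if not env.get("Shib-Session-ID"):
        return None  # no SP session at all
    eppn = env.get("eppn")
    if not eppn:
        return None  # assertion carried no usable identity attribute
    if REQUIRED_ENTITLEMENT not in _values(env, "entitlement"):
        return None  # authenticated at the IdP, but not authorized for FOLIO
    return users.get(eppn)  # None if no local account is mapped to this eppn


def safe_redirect_target(relay_state: Optional[str],
                         allowed_hosts=ALLOWED_HOSTS, default: str = "/") -> str:
    """Allow-list the post-login redirect; anything else falls back to `default`."""
    if not relay_state or any(c.isspace() or ord(c) < 0x20 for c in relay_state):
        return default
    parts = urlsplit(relay_state)
    if not parts.scheme and not parts.netloc:
        # Local path: exactly one leading '/', and no backslashes, which some
        # browsers normalise to '/' so that '/\evil' becomes '//evil'.
        if (relay_state.startswith("/") and not relay_state.startswith("//")
                and "\\" not in relay_state):
            return relay_state
        return default
    # Absolute URL: only https to a host we own ('//evil' has no scheme and fails here).
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return relay_state
    return default


if __name__ == "__main__":
    user = try_login(SAMPLE_ENV)
    print("login:", user.username if user else "refused")
    print("redirect:", safe_redirect_target("https://evil.example.net/"))
```

In a real deployment the environment dict is whatever the web layer passes on (CGI variables, or the X-Shib-* headers set by Apache itself on a loopback-only backend); the rule that matters is that nothing outside that trusted path can populate it.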