Outline for mod-login-saml move to Apaches mod_shib

This outline refers to this JIRA issue

A. old-fashioned way

  1. Install and configure Service Provider direct on the machine

    1. Install package from distribution repository OR https://wiki.shibboleth.net/confluence/display/SP3/LinuxInstall

    2. Configure SP → https://wiki.shibboleth.net/confluence/display/SP3/Configuration

    3. Configure Webserver → https://wiki.shibboleth.net/confluence/display/SP3/WebServers

  2. At the secured webserver location, place the endpoint of "mod-login" (mod-login-saml?) that takes the submitted attributes (mod_shib exposes them as environment variables), maps them to the right user and logs that user in.
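
As an added example for step A.2 (not code from the outline or from mod-login-saml), this is what such an endpoint looks like behind a mod_shib-protected location. The httpd `<Location>` fragment in the docstring, the attribute ids `eppn` and `eduPersonEntitlement`, the entitlement value and the user table are assumptions; the environment dicts are constructed to mimic what mod_shib sets after a successful login. The points it shows: only trust variables that mod_shib set (never `HTTP_*` header copies, which a client can forge), refuse requests without an SP session, split multi-valued attributes the way mod_shib encodes them, and require the authorization attribute before mapping to a FOLIO user.

```python
"""Added example: a login endpoint behind a mod_shib-protected Apache location.

Assumed httpd configuration (an assumption, not from the outline):

    <Location /saml/callback>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>

mod_shib exports the attributes listed in attribute-map.xml as environment
variables; a multi-valued attribute is joined with ';' and a literal ';'
inside a value is escaped as '\\;'.
"""
from typing import Dict, List

# Attribute ids, entitlement value and user table are constructed for this
# example; the real mapping would query FOLIO's user records.
USER_ATTRIBUTE = "eppn"
AUTHZ_ATTRIBUTE = "eduPersonEntitlement"
REQUIRED_ENTITLEMENT = "urn:mace:example.org:folio:login"
KNOWN_USERS = {"alice@example.org": {"id": "u-1001", "username": "alice"}}

# Constructed environment as mod_shib would populate it after a successful login.
GOOD_ENV = {
    "Shib-Session-ID": "_8f3a2c1d9e",
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "eppn": "alice@example.org",
    "eduPersonEntitlement": "urn:mace:dir:entitlement:common-lib-terms;"
                            "urn:mace:example.org:folio:login",
}
# Same session, but the IdP released no login entitlement.
NO_ENTITLEMENT_ENV = {**GOOD_ENV, "eduPersonEntitlement": ""}


def split_shib_values(raw: str) -> List[str]:
    """Split a mod_shib multi-valued attribute on unescaped ';'."""
    values: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")          # escaped separator belongs to the value
            i += 2
            continue
        if raw[i] == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(raw[i])
        i += 1
    values.append("".join(current))
    return [v for v in values if v]


def resolve_login(environ: Dict[str, str]) -> Dict[str, object]:
    """Decide whether the request carries a usable SP session and map it to a user.

    Only variables that mod_shib itself set are consulted. HTTP_* keys mirror
    request headers and can be supplied by the client, so they are ignored.
    """
    if not environ.get("Shib-Session-ID"):
        return {"status": 401, "reason": "no SP session"}
    identities = split_shib_values(environ.get(USER_ATTRIBUTE, ""))
    if len(identities) != 1:
        return {"status": 403,
                "reason": f"expected exactly one {USER_ATTRIBUTE}, got {len(identities)}"}
    entitlements = split_shib_values(environ.get(AUTHZ_ATTRIBUTE, ""))
    if REQUIRED_ENTITLEMENT not in entitlements:
        return {"status": 403, "reason": "login entitlement not released"}
    user = KNOWN_USERS.get(identities[0])
    if user is None:
        return {"status": 403, "reason": "no FOLIO user for this identity"}
    return {"status": 200, "user": user,
            "idp": environ.get("Shib-Identity-Provider", "")}


if __name__ == "__main__":
    for name, env in (("good", GOOD_ENV), ("no entitlement", NO_ENTITLEMENT_ENV),
                      ("anonymous", {})):
        print(name, resolve_login(env))
```

The `Shib-Session-ID` check matters even though `requireSession 1` is set: if the same application is ever reachable through a location that is not Shibboleth-protected, the attribute variables are simply absent and the endpoint must fail closed rather than fall back to header values.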

B. containerized way

Use the maintained service provider in a container. A good starting point might be this: https://github.internet2.edu/docker/shib-sp

At this point it might be worth considering merging the remaining login logic and its APIs into the SP container, or vice versa.

Additional considerations may be:

How switching from mod-login-saml/pac4j to Apache/mod_shib helps with SAML-related JIRA issues

Each entry gives the JIRA key and summary, the type of issue (whether it is native SP client functionality / part of the SAML workflow), and an assessment of whether switching the SAML client would change anything.

UXPROD-2444: Login authorization attribute for SAML-based SSO
  Type: process of SAML result (attribute)
  Assessment: Both pac4j and mod_shib equally support authorization attributes. Both require integration work to make it work in FOLIO.

MODLOGSAML-92: SSO Logout does not destroy SAML session
  Type: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally support single logout (SLO). Both require some configuration in FOLIO, as some institutions want to disable SLO and some want to enable it.

UXPROD-1612: Make the SAML (SSO) metadata file available through a public (Edge) URL in order to enable automatic configuration of the IdP
  Type: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib can generate and serve the SP metadata. Publishing it through a public (Edge) URL is integration work in FOLIO either way.

MODLOGSAML-71: Login via SSO possible even after decryption of SAML assertions fails
  Type: native SP client functionality / part of SAML workflow
  Assessment: Rejecting an assertion that cannot be decrypted is the SP's job with both pac4j and mod_shib. In either case the FOLIO integration must only log a user in from the attributes of a successfully established SP session, never from a response that failed validation.

MODLOGSAML-97: Single-Sign-On (SSO) always fails
  Type: (native SP client functionality / part of SAML workflow)
  Assessment: Fixed. The bug was in the underlying library; FOLIO now uses a version with the fix. Both pac4j and mod_shib equally need regular version bumps to ship the latest functional and security fixes.

UXPROD-556: Federation-based SSO authentication - basic support
  Type: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally support federations. Both require integration work to make it work in FOLIO.

MODLOGSAML-58: Arbitrary URL Redirection in SAML Response
  Type: native SP client functionality / part of SAML workflow
  Assessment: This is an integration bug that may also happen when integrating mod_shib.

MODLOGSAML-44: Remove required permissions from /saml/regenerate endpoint
  Type: native SP client functionality / part of SAML workflow
  Assessment: This is an integration bug regarding FOLIO's permissions that can also happen when using Apache mod_shib.

STCOR-532: Logout from FOLIO, keep SSO login
  Type: (native SP client functionality / part of SAML workflow)
  Assessment: This is fixed. The issue applies to both pac4j and mod_shib.

MODLOGSAML-59: Umbrella: Cross-Site Request Forgery (CSRF) in SSO Flow
  Type: native SP client functionality / part of SAML workflow
  Assessment: CSRF protection must be configured correctly at all APIs that the browser accesses: Stripes + Okapi. This includes the SSO APIs. Both Vert.x + pac4j and Apache + mod_shib equally support CSRF protection.

MODLOGSAML-94: Provide SLO (Single Log Out) endpoint to be called by SSO IdP
  Type: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally support single logout (SLO). Both require some configuration in FOLIO, as some institutions want to disable SLO and some want to enable it.

MODLOGSAML-70: Periodically recreate SAML clients
  Type: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally support periodically fetching the latest IdP metadata.

STRIPES-683: Set credentials: include on fetch to /saml/login
  Type: native SP client functionality / part of SAML workflow
  Assessment: Fixed in Stripes. The fix is needed for both pac4j and mod_shib.

FOLREL-364: login-saml: 2.0
  Type: native SP client functionality / part of SAML workflow
  Assessment: This issue added a new interface version for ui-tenant-settings because an SSO configuration feature was added to FOLIO's tenant settings. This is needed for both pac4j and mod_shib.

MODLOGSAML-65: Create mod-login-saml security release
  Type: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.

MODLOGSAML-95: MODLOGSAML (mod-login-saml) release for 2021 R2
  Type: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.

MODLOGSAML-66: Spike: Move to NGINX/Apache for SAML2 SP?
  Type: (native SP client functionality / part of SAML workflow)

MODLOGSAML-56: Document module behavior for multiple tenants and clustering
  Type: native SP client functionality / part of SAML workflow
  Assessment: Both pac4j and mod_shib equally need documentation about SSO.

MODLOGSAML-78: Extract IdP metadata from federation metadata
  Type: not sure about this
  Assessment: Both pac4j and mod_shib equally support federations. Both require integration work to make it work in FOLIO.

MODLOGSAML-72: Use longer certificate expiration period in sp-metadata or make it adjustable
  Type: not (directly) SAML related
  Assessment: Both pac4j and mod_shib support configurable SP certificate expiration periods. Both require integration work to make it work in FOLIO.

FOLIO-2524: Security Audit raised issues
  Type: native SP client functionality / part of SAML workflow
  Assessment: The audit points to MODLOGSAML-59 "Cross-Site Request Forgery (CSRF) in SSO Flow", see above.

UXPROD-808: Patrons able to authn using multiple authn systems
  Type: not (directly) SAML related
  Assessment: Both pac4j and Apache equally support multiple authn systems.

MODLOGSAML-63: Implement CSRF Prevention
  Type: native SP client functionality / part of SAML workflow
  Assessment: See MODLOGSAML-59 above: CSRF protection must be configured correctly at all APIs that the browser accesses (Stripes + Okapi), including the SSO APIs. Both Vert.x + pac4j and Apache + mod_shib equally support CSRF protection.

MODLOGSAML-90: Remove Base64Util
  Type: (native SP client functionality / part of SAML workflow)
  Assessment: The issue is NOT specific to SAML: https://github.com/folio-org/mod-login-saml/blob/v2.2.0/src/main/java/org/folio/rest/impl/SamlAPI.java
  The mod_shib/FOLIO integration might have a similar issue.

UXPROD-811: Shared/central technical services staff with appropriate privileges can manage resources for any library within the consortium, preferably with a single login.
  Type: (native SP client functionality / part of SAML workflow)
  Assessment: Both pac4j and Apache equally support the requested feature.

MODLOGSAML-89: Replace pac4j-saml-opensamlv3 by pac4j-saml
  Type: (native SP client functionality / part of SAML workflow)
  Assessment: Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes.

The list shows that switching the SAML client does not fix the issues: most of them are integration issues that affect any SAML client.
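
As an added example for the MODLOGSAML-58 entry above (not code from the outline, from mod-login-saml or from Shibboleth), the check that keeps the post-login redirect from becoming an open redirector regardless of which SP is in front. The IdP returns the RelayState the SP sent; whatever the FOLIO login endpoint derives from it must be validated against the Stripes origin before it goes into a Location header. The origin `https://folio.example.org` and the helper name are assumptions. With mod_shib, the SP's own RelayState redirect can additionally be restricted with the `redirectLimit` setting on the `<Sessions>` element of shibboleth2.xml, but that does not cover redirects the FOLIO endpoint issues itself.

```python
"""Added example: validating the post-login return URL before redirecting.

Whatever the login endpoint turns the RelayState into must stay on the FOLIO
UI origin, otherwise the SSO flow can be abused to bounce users to any site.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

FOLIO_UI_ORIGIN = "https://folio.example.org"   # assumed Stripes origin
_ALLOWED = urlsplit(FOLIO_UI_ORIGIN)


def safe_return_url(candidate: Optional[str], default: str = "/") -> str:
    """Return candidate if it stays on the FOLIO UI origin, otherwise default."""
    if not candidate:
        return default
    # Browsers treat '\' as '/' and tolerate control characters; refuse both
    # instead of trying to normalise them.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Path-relative target. '//host/...' parses with a netloc, so it never
        # reaches this branch.
        return candidate if candidate.startswith("/") else default
    if parts.scheme.lower() != _ALLOWED.scheme or parts.netloc.lower() != _ALLOWED.netloc:
        # Covers javascript:, //evil.example, userinfo tricks (origin@evil.example)
        # and look-alike hosts such as folio.example.org.evil.example.
        return default
    return urlunsplit((_ALLOWED.scheme, _ALLOWED.netloc,
                       parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for url in ("/users?query=x", "//evil.example.org/", "javascript:alert(1)",
                "https://folio.example.org@evil.com/", "HTTPS://FOLIO.EXAMPLE.ORG"):
        print(repr(url), "->", safe_return_url(url))
```

Rejecting rather than normalising is deliberate: a URL with a backslash or control character is never a legitimate Stripes route, and a normaliser that disagrees with the browser by even one character is exactly how these checks get bypassed.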