Outline for mod-login-saml move to Apaches mod_shib
- Axel Dörrer
- Julian Ladisch
Owned by Axel Dörrer
This outline refers to this JIRA issue
A. old-fashioned way
- Install and configure Service Provider direct on the machine
- Install package from distribution repository OR https://wiki.shibboleth.net/confluence/display/SP3/LinuxInstall
- Configure SP → https://wiki.shibboleth.net/confluence/display/SP3/Configuration
- Configure Webserver → https://wiki.shibboleth.net/confluence/display/SP3/WebServers
- At the secured webserver location place the endpoint of „mod-login“ (mod-login-saml?) that takes the submitted attributes (these are exposed in the environment variables) to map to the right user and log him/her in.
B. containerized way
Use the maintainted service provider in a container → good starting point might be this: https://github.internet2.edu/docker/shib-sp
At this point it might be considerable to merge the remaining login logic with its APIs into the SP container or do it vice versa...
Additional considerations may be:
- If an instance is needed to interact with multiple Identity Providers
→ https://wiki.shibboleth.net/confluence/display/EDS10/Embedded+Discovery+Service - If running multiple FOLIO instances on different URLs additional configuration is needed
- Implementing SLO
- Is it worth to add the full blown Apache just for running mod_shib? FOLIO currently uses Okapi with Vert.x as the back-end web server.
How switching from mod-login-saml/pac4j to Apache/mod_shib helps with SAML related Jiras
| UXPROD-2444 | Login authorization attribute for SAML-based SSO | process of SAML result (attribute) | Both pac4j and mod_shib equally support authorization attributes. Both require integration work to make it work in FOLIO. |
| MODLOGSAML-92 | SSO Logout does not destroy SAML session | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO as some institutions want to disable SLO, some want to enable SLO. |
| UXPROD-1612 | Make the SAML(SSO) metadata file available through a public (Edge) URL in order to enable automatic configuration of the iDP | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO as some institutions want to disable SLO, some want to enable SLO. |
| MODLOGSAML-71 | Login via SSO possible even after decryption of SAML assertions fails | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO as some institutions want to disable SLO, some want to enable SLO. |
| MODLOGSAML-97 | Single-Sign-On (SSO) always fails | (native SP client functionality / part of SAML workflow) | Fixed. Bug in the underlying library, FOLIO uses a new version with the fix now. Both pac4j and mod_shib equally need regular version bumps to ship the latest functional and security fixes. |
| UXPROD-556 | Federation-based SSO authentication - basic support | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally support federations. Both require integration work to make it work in FOLIO. |
| MODLOGSAML-58 | Arbitrary URL Redirection in SAML Response | native SP client functionality / part of SAML workflow | This is an integration bug that may also happen when integrating mod_shib. |
| MODLOGSAML-44 | remove required permissions from /saml/regenerate endpoint | native SP client functionality / part of SAML workflow | This is an integration bug regarding FOLIO's permissions that can also happen when using Apache mod_shib. |
| STCOR-532 | Logout from FOLIO, keep SSO login | (native SP client functionality / part of SAML workflow) | This is fixed. This issue applies to both pac4j and mod_shib. |
| MODLOGSAML-59 | Umbrella: Cross-Site Request Forgery (CSRF) in SSO Flow | native SP client functionality / part of SAML workflow | CSRF must correctly been configured at all APIs that the browser accesses: Stripes + Okapi. This includes SSO APIs. Both Vert.x + pac4j and Apache + mod_shib equally support CSRF. |
| MODLOGSAML-94 | Provide SLO (Single Log Out) endpoint to be called by SSO IdP | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally support single log out (SLO). Both require some configuration in FOLIO as some institutions want to disable SLO, some want to enable SLO. |
| MODLOGSAML-70 | Periodically recreate SAML clients | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally support fetching the latest IdP metadata. |
| STRIPES-683 | Set credentials: include on fetch to /saml/login | native SP client functionality / part of SAML workflow | Fixed in Stripes. The fix is needed for both pac4j and mod_shib. |
| FOLREL-364 | login-saml: 2.0 | native SP client functionality / part of SAML workflow | This issue has added a new interface version for ui-tenant-settings because a SSO configuration feature has been added to FOLIO's tenant settings. This is needed for both pac4j and mod_shib. |
| MODLOGSAML-65 | Create mod-login-saml security release | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes. |
| MODLOGSAML-95 | MODLOGSAML (mod-login-saml) release for 2021 R2 | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes. |
| MODLOGSAML-66 | Spike: Move to NGINX/Apache for SAML2 SP? | (native SP client functionality / part of SAML workflow) |  |
| MODLOGSAML-56 | Document module behavior for multiple tenants and clustering | native SP client functionality / part of SAML workflow | Both pac4j and mod_shib equally need documentation about SSO. |
| MODLOGSAML-78 | Extract IdP metadata from federation metadata | not sure about this | Both pac4j and mod_shib equally support federations. Both require integration work to make it work in FOLIO. |
| MODLOGSAML-72 | Use longer certificate expiration period in sp-metadata or make it adjustable | not (directly) SAML related | Both pac4j and mod_shib support configurabgle SP certificate expiration periods. Both require integration work to make it work in FOLIO. |
| FOLIO-2524 | Security Audit raised issues | native SP client functionality / part of SAML workflow | The audit points to MODLOGSAML-59 "Cross-Site Request Forgery (CSRF) in SSO Flow", see above. |
| UXPROD-808 | Patrons able to authn using multiple authn systems | not (directly) SAML related | Both pac4j and Apache equally support multiple authn systems. |
| MODLOGSAML-63 | Implement CSRF Prevention | native SP client functionality / part of SAML workflow | CSRF must been correctly configured at all APIs that the browser accesses: Stripes + Okapi. This includes SSO APIs. Both Vert.x + pac4j and Apache + mod_shib equally support CSRF. |
| MODLOGSAML-90 | Remove Base64Util | (native SP client functionality / part of SAML workflow) | The issue is NOT specific to SAML: https://github.com/folio-org/mod-login-saml/blob/v2.2.0/src/main/java/org/folio/rest/impl/SamlAPI.java The mod_shib - FOLIO integration might have a similar issue. |
| UXPROD-811 | Shared/central technical services staff with appropriate privileges can manage resources for any library within the consortium, preferably with a single login. | (native SP client functionality / part of SAML workflow) | Both pac4j and Apache equally support the requested feature. |
| MODLOGSAML-89 | Replace pac4j-saml-opensamlv3 by pac4j-saml | (native SP client functionality / part of SAML workflow) | Both pac4j and mod_shib equally need regular version bumps to ship the latest security fixes. |
The list shows that switching the SAML client doesn't fix the issues. Most issues are integration issues that affect any SAML client.