Task #1095
closed
Support Single-Sign-On
100%
Description
We need to support SSO to IdM - especially Windows authentication.
There should be an option to enable SSO only for common users and require password from admins.
Design:- Apache (mod_kerb) will take care of Kerberos authentication. Apache sets the header "REMOTE_USER" with the value "uid@domain" in case of successful authentication.
- IdM will read the user's login from the header REMOTE_USER (uid). If such user exists, he/she will be automatically authenticated to IdM.
- = new IdmAuthenticationFilter, which processes the header REMOTE_USER (https://wiki.czechidm.com/tutorial/dev/add_authentication_method#create_a_new_authentication_filter_for_sso). It will be added to the core module.
- A new permission which disables SSO authentication will be added. Admins, who have some role with this permission, won't be authenticated in the SSO authentication filter.
- This new permission, e.g. "App configuration - SSO disabled", will be added to all admin roles during installation.
- The ownership of superAdminRole will automatically disable SSO of the user, because "App configuration - Administration" automatically adds all permissions. So "admin" can never be authenticated by SSO.
- Configurable settings:
- enable sso - true/false (the SSO filter could be switched off if needed)
- name of the header (typically "REMOTE_USER")
- uid suffixes (this usually contains the list of AD domains, e.g. "@DOMAIN.TLD;@INTERNAL.DOMAIN.TLD")
- forbidden uids (list of uids that can't be authenticated through SSO)
Related issues
Updated by Alena Peterová almost 6 years ago
- Description updated (diff)
- Assignee changed from Vít Švanda to Alena Peterová
Adding the option to disable SSO of admins after consultation with the team. This is due to security reasons. If some attacker gains access to admin's computer, at least he won't have automatic access as super admin to IdM.
Updated by Alena Peterová almost 6 years ago
- Status changed from New to In Progress
- Target version set to Lapis (8.2.0)
- % Done changed from 0 to 80
The SSO authentication filter is implemented in the branch apeterova/1095-support-SSO - https://github.com/bcvsolutions/CzechIdMng/commit/b33774ca628fd68634074a4c0f4353b38df2f860
SSO authentication can be enabled for all non-privileged users by a new configuration property. Admins with the permission APP_ADMIN (role superAdminRole) can't be authenticated by SSO.
After consultation with Radek, I didn't add the new permission "App configuration - SSO disabled" yet, because IdM currently supports only one "App configuration" permission. Other App permissions would in some cases behave as APP_ADMIN, which is not desired.
Also we would need to implement a new method to get all assigned authorities of the not-logged user without "trimming" (= it should return APP_ADMIN as well as APP_SSODISABLED for super admins, not only APP_ADMIN).
The code can be tested locally - setting the "REMOTE_USER" header by the Modify Headers plugin.
The integration with AD was tested in our AD testing environment. Log in to our domain controller 172.31.255.180 as testsso/Demo1234 (domain PISKOVISTE) and navigate to https://virt1.local/idm in Internet Explorer. The authentication also works from the local computer (/etc/hosts: 172.31.255.151 virt1.local), the browser will prompt for the credentials.
The documentation and install guide is still in progress.
Updated by Alena Peterová almost 6 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Alena Peterová to Radek Tomiška
- % Done changed from 80 to 90
New configuration properties:
https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#sso
Added information about existing SSO filter:
https://wiki.czechidm.com/devel/documentation/security/dev/authentication#basic_view, https://wiki.czechidm.com/devel/documentation/security/dev/security#sso, https://wiki.czechidm.com/devel/documentation/security/dev/security#active_filters
The install guide for admin (how to configure Kerberos in Apache) will be by tomorrow.
Please Radek could you do the feedback for the code? https://github.com/bcvsolutions/CzechIdMng/commit/b33774ca628fd68634074a4c0f4353b38df2f860
Updated by Radek Tomiška almost 6 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Radek Tomiška to Alena Peterová
- % Done changed from 90 to 70
Thx for this new feature, all features works (tested by soapIU) and code is awesome! I like reusing Honza's IdmAuthenticationFilter interface with token resolved from header.
I have just two note for redesign
- Added configuration is related to this filter only, configurable interface should be added directly to IdmAuthenticationFilter (the same way as in AuthorizationEvaluator, EntityEventProcessor). Configuration for filters was not needed before, but now it is. Added value will be enable / disable feature for all filters (used in AuthenticationFilter), we can create FE agenda for filters (the same as for processors) in future etc.
- LookupService can be used instead IdmIdentityService (identity can be found by different attributes by registered lookup + overridable on projects). Maybe configure forbidden uid as our internal uuid (optionally) could be safer(cannot be changed as username).
Updated by Radek Tomiška over 5 years ago
- Assignee changed from Alena Peterová to Radek Tomiška
Updated by Alena Peterová over 5 years ago
Radek Tomiška wrote:
- LookupService can be used instead IdmIdentityService (identity can be found by different attributes by registered lookup + overridable on projects). Maybe configure forbidden uid as our internal uuid (optionally) could be safer(cannot be changed as username).
I wouldn't use our internal UUID, it requires some skill to find UUID for given login and vice-versa - and if we didn't have auditting enabled, this would be for advanced administrators. :-) Also would require existence of the user in IdM, but I want to put there also logins which are not identities, e.g. "Administrator" - to ignore them before lookup.
Updated by Alena Peterová over 5 years ago
Install guide for enabling SSO in Apache httpd added to wiki: https://wiki.czechidm.com/tutorial/adm/sso_ad_domain.
Updated by Radek Tomiška over 5 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 70 to 90
I did redesign mentioned above.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/a7793a3883398ca0ed3da79ff5d2fb395eb21f5b
Doc: https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#authentication_filters
Vitek, could you do quick last feedback, pls?
Updated by Vít Švanda over 5 years ago
- Status changed from Needs feedback to Closed
- Assignee changed from Vít Švanda to Alena Peterová
- % Done changed from 90 to 100
I did review and test.
Works nice, thanks you BOTH, for that.
Updated by Radek Tomiška almost 3 years ago
- Related to Defect #2767: SSO: Redundant token generated for public configuration endpoint, when SSO is enabled added