https://redmine.czechidm.com/
IdStory Identity Manager - Task #1095: Support Single-Sign-On
https://redmine.czechidm.com/issues/1095?journal_id=5147 | 2018-05-16T13:20:59Z | Alena Peterová (alena.peterova@bcvsolutions.eu)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/5147/diff?detail_id=7444">diff</a>)</li><li><strong>Assignee</strong> changed from <i>Vít Švanda</i> to <i>Alena Peterová</i></li></ul><p>Adding the option to disable SSO of admins after consultation with the team. This is due to security reasons. If some attacker gains access to an admin's computer, at least he won't have automatic access as super admin to IdM.</p>
https://redmine.czechidm.com/issues/1095?journal_id=5699 | 2018-07-13T16:18:04Z | Alena Peterová (alena.peterova@bcvsolutions.eu)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>Target version</strong> set to <i>Lapis (8.2.0)</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>80</i></li></ul><p>The SSO authentication filter is implemented in the branch apeterova/1095-support-SSO - <a class="external" href="https://github.com/bcvsolutions/CzechIdMng/commit/b33774ca628fd68634074a4c0f4353b38df2f860">https://github.com/bcvsolutions/CzechIdMng/commit/b33774ca628fd68634074a4c0f4353b38df2f860</a></p>
<p>SSO authentication can be enabled for all non-privileged users by a new configuration property. Admins with the permission APP_ADMIN (role superAdminRole) can't be authenticated by SSO.</p>
<p>After consultation with Radek, I didn't add the new permission "App configuration - SSO disabled" yet, because IdM currently supports only one "App configuration" permission. Other App permissions would in some cases behave as APP_ADMIN, which is not desired.<br />Also, we would need to implement a new method to get all assigned authorities of the not-logged-in user without "trimming" (= it should return APP_ADMIN as well as APP_SSODISABLED for super admins, not only APP_ADMIN).</p>
<p>The code can be tested locally by setting the "REMOTE_USER" header with the Modify Headers plugin.</p>
<p>The integration with AD was tested in our AD testing environment. Log in to our domain controller 172.31.255.180 as testsso/Demo1234 (domain PISKOVISTE) and navigate to <a class="external" href="https://virt1.local/idm">https://virt1.local/idm</a> in Internet Explorer. The authentication also works from the local computer (/etc/hosts: 172.31.255.151 virt1.local); the browser will prompt for the credentials.</p>
<p>The documentation and install guide are still in progress.</p>
https://redmine.czechidm.com/issues/1095?journal_id=5700 | 2018-07-16T07:02:40Z | Alena Peterová (alena.peterova@bcvsolutions.eu)
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Needs feedback</i></li><li><strong>Assignee</strong> changed from <i>Alena Peterová</i> to <i>Radek Tomiška</i></li><li><strong>% Done</strong> changed from <i>80</i> to <i>90</i></li></ul><p>New configuration properties:<br /><a class="external" href="https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#sso">https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#sso</a></p>
<p>Added information about existing SSO filter: <br /><a class="external" href="https://wiki.czechidm.com/devel/documentation/security/dev/authentication#basic_view">https://wiki.czechidm.com/devel/documentation/security/dev/authentication#basic_view</a>, <a class="external" href="https://wiki.czechidm.com/devel/documentation/security/dev/security#sso">https://wiki.czechidm.com/devel/documentation/security/dev/security#sso</a>, <a class="external" href="https://wiki.czechidm.com/devel/documentation/security/dev/security#active_filters">https://wiki.czechidm.com/devel/documentation/security/dev/security#active_filters</a></p>
<p>The install guide for admins (how to configure Kerberos in Apache) will be ready by tomorrow.</p>
<p>Radek, could you please do the feedback for the code? <a class="external" href="https://github.com/bcvsolutions/CzechIdMng/commit/b33774ca628fd68634074a4c0f4353b38df2f860">https://github.com/bcvsolutions/CzechIdMng/commit/b33774ca628fd68634074a4c0f4353b38df2f860</a></p>
https://redmine.czechidm.com/issues/1095?journal_id=5713 | 2018-07-16T14:22:18Z | Radek Tomiška (radek.tomiska@bcvsolutions.eu)
<ul><li><strong>Status</strong> changed from <i>Needs feedback</i> to <i>In Progress</i></li><li><strong>Assignee</strong> changed from <i>Radek Tomiška</i> to <i>Alena Peterová</i></li><li><strong>% Done</strong> changed from <i>90</i> to <i>70</i></li></ul><p>Thx for this new feature, all features work (tested by SoapUI) and the code is awesome! I like reusing Honza's IdmAuthenticationFilter interface with the token resolved from the header.</p>
<p>I have just two notes for redesign:<br />- The added configuration is related to this filter only; a configurable interface should be added directly to IdmAuthenticationFilter (the same way as in AuthorizationEvaluator, EntityEventProcessor). Configuration for filters was not needed before, but now it is. The added value will be an enable / disable feature for all filters (used in AuthenticationFilter), we can create an FE agenda for filters (the same as for processors) in the future, etc.<br />- LookupService can be used instead of IdmIdentityService (identity can be found by different attributes by registered lookup + overridable on projects). Maybe configuring the forbidden uid as our internal uuid (optionally) could be safer (cannot be changed as username).</p>
https://redmine.czechidm.com/issues/1095?journal_id=5732 | 2018-07-17T13:16:14Z | Radek Tomiška (radek.tomiska@bcvsolutions.eu)
<ul><li><strong>Assignee</strong> changed from <i>Alena Peterová</i> to <i>Radek Tomiška</i></li></ul>
https://redmine.czechidm.com/issues/1095?journal_id=5735 | 2018-07-17T14:53:30Z | Alena Peterová (alena.peterova@bcvsolutions.eu)
<ul></ul><p>Radek Tomiška wrote:</p>
<blockquote>
<p>- LookupService can be used instead of IdmIdentityService (identity can be found by different attributes by registered lookup + overridable on projects). Maybe configuring the forbidden uid as our internal uuid (optionally) could be safer (cannot be changed as username).</p>
</blockquote>
<p>I wouldn't use our internal UUID, it requires some skill to find the UUID for a given login and vice versa - and if we didn't have auditing enabled, this would be for advanced administrators. :-) It would also require the existence of the user in IdM, but I want to put there also logins which are not identities, e.g. "Administrator" - to ignore them before lookup.</p>
https://redmine.czechidm.com/issues/1095?journal_id=5741 | 2018-07-17T18:41:27Z | Alena Peterová (alena.peterova@bcvsolutions.eu)
<ul></ul><p>Install guide for enabling SSO in Apache httpd added to wiki: <a class="external" href="https://wiki.czechidm.com/tutorial/adm/sso_ad_domain">https://wiki.czechidm.com/tutorial/adm/sso_ad_domain</a>.</p>
https://redmine.czechidm.com/issues/1095?journal_id=5743 | 2018-07-17T20:27:53Z | Radek Tomiška (radek.tomiska@bcvsolutions.eu)
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Needs feedback</i></li><li><strong>Assignee</strong> changed from <i>Radek Tomiška</i> to <i>Vít Švanda</i></li><li><strong>% Done</strong> changed from <i>70</i> to <i>90</i></li></ul><p>I did the redesign mentioned above.</p>
<p>Commit: <a class="external" href="https://github.com/bcvsolutions/CzechIdMng/commit/a7793a3883398ca0ed3da79ff5d2fb395eb21f5b">https://github.com/bcvsolutions/CzechIdMng/commit/a7793a3883398ca0ed3da79ff5d2fb395eb21f5b</a><br />Doc: <a class="external" href="https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#authentication_filters">https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#authentication_filters</a></p>
<p>Vitek, could you do a quick last feedback, pls?</p>
https://redmine.czechidm.com/issues/1095?journal_id=5755 | 2018-07-18T10:56:59Z | Vít Švanda
<ul><li><strong>Status</strong> changed from <i>Needs feedback</i> to <i>Closed</i></li><li><strong>Assignee</strong> changed from <i>Vít Švanda</i> to <i>Alena Peterová</i></li><li><strong>% Done</strong> changed from <i>90</i> to <i>100</i></li></ul><p>I did a review and test.</p>
<p>Works nicely, thank you BOTH for that.</p>
https://redmine.czechidm.com/issues/1095?journal_id=15066 | 2021-04-20T12:07:10Z | Radek Tomiška (radek.tomiska@bcvsolutions.eu)
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-5 priority-1 priority-lowest prio-name-low closed" href="/issues/2767">Defect #2767</a>: SSO: Redundant token generated for public configuration endpoint, when SSO is enabled</i> added</li></ul>
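The filter design discussed across this thread (SSO enabled by a configuration property, a REMOTE_USER header set by the Kerberos-enabled Apache proxy, super admins with APP_ADMIN never authenticated by SSO, a list of forbidden logins such as "Administrator" skipped before lookup, and identities found through a lookup by more than one attribute) can be modelled end to end. The Python below is an added example written for this page; it is not CzechIdM code, and the project's real filter is a Java IdmAuthenticationFilter implementation. Everything in it is an assumption or constructed sample data: the Identity, SsoFilterConfig and SsoDecision types, the identities "testsso" and "admin" with their authorities and e-mails, the lookup_identity stand-in for LookupService, and the trusted_proxies check, which is not in the thread but is the check that keeps a client that reaches the application directly from supplying the header itself (the thread's own local test with a header-modifying plugin shows why that matters).

```python
# Added example, not CzechIdM code: models the REMOTE_USER-based SSO filter
# described in task #1095 so that its decision logic can be exercised offline.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

APP_ADMIN = "APP_ADMIN"  # authority name used in the thread


@dataclass(frozen=True)
class Identity:
    username: str
    email: str
    authorities: FrozenSet[str]


@dataclass(frozen=True)
class SsoFilterConfig:
    # Models the enable/disable switch Radek asked to put on the filter interface.
    enabled: bool = False
    header_name: str = "REMOTE_USER"
    # Logins ignored before lookup, e.g. a domain "Administrator" (from the thread).
    forbidden_uids: FrozenSet[str] = frozenset({"Administrator"})
    # Assumption, not in the thread: the header is honoured only when the request
    # arrives from the proxy that sets it. Constructed address.
    trusted_proxies: FrozenSet[str] = frozenset({"127.0.0.1"})


@dataclass(frozen=True)
class SsoDecision:
    outcome: str                  # short code suitable for an audit log line
    username: Optional[str] = None


# Constructed sample identities (not real accounts). "testsso" is the test login
# named in the thread; "admin" is a constructed super admin holding APP_ADMIN.
IDENTITIES = (
    Identity("testsso", "testsso@example.invalid", frozenset({"IDENTITY_READ"})),
    Identity("admin", "admin@example.invalid", frozenset({APP_ADMIN, "IDENTITY_READ"})),
)


def lookup_identity(uid: str) -> Optional[Identity]:
    """Stand-in for LookupService: matches username, then e-mail, case-insensitively."""
    key = uid.lower()
    for ident in IDENTITIES:
        if ident.username.lower() == key or ident.email.lower() == key:
            return ident
    return None


class SsoAuthenticationFilter:
    def __init__(self, config: SsoFilterConfig,
                 lookup: Callable[[str], Optional[Identity]] = lookup_identity) -> None:
        self.config = config
        self.lookup = lookup

    def authenticate(self, headers: Dict[str, str], remote_addr: str) -> SsoDecision:
        cfg = self.config
        if not cfg.enabled:
            return SsoDecision("disabled")
        if remote_addr not in cfg.trusted_proxies:
            # Anything not coming through the proxy could have set the header itself.
            return SsoDecision("untrusted_source")
        uid = headers.get(cfg.header_name, "").strip()
        if not uid:
            return SsoDecision("no_header")
        if uid in cfg.forbidden_uids:
            return SsoDecision("forbidden_uid")      # skipped before any lookup
        identity = self.lookup(uid)
        if identity is None:
            return SsoDecision("unknown_identity")
        if APP_ADMIN in identity.authorities:
            # Super admins must present credentials; SSO never logs them in.
            return SsoDecision("admin_excluded")
        return SsoDecision("ok", identity.username)


def sso_filter(enabled: bool = True) -> SsoAuthenticationFilter:
    """Convenience constructor with the default (constructed) configuration."""
    return SsoAuthenticationFilter(SsoFilterConfig(enabled=enabled))


if __name__ == "__main__":
    f = sso_filter()
    for hdr, addr in (({"REMOTE_USER": "testsso"}, "127.0.0.1"),
                      ({"REMOTE_USER": "admin"}, "127.0.0.1"),
                      ({"REMOTE_USER": "Administrator"}, "127.0.0.1"),
                      ({"REMOTE_USER": "testsso"}, "10.0.0.5")):
        print(hdr, addr, "->", f.authenticate(hdr, addr))
```

Each outcome code is meant to be logged: a run of "untrusted_source" or "admin_excluded" decisions is exactly the signal an operator would want to see when someone tries to reach the application without going through the proxy, or tries to ride SSO into a super-admin account.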