IdStory Identity Manager

Adding the option to disable SSO of admins after consultation with the team. This is due to security reasons. If some attacker gains access to admin's computer, at least he won't have automatic access as super admin to IdM.

The SSO authentication filter is implemented in the branch apeterova/1095-support-SSO - https://github.com/bcvsolutions/CzechIdMng/commit/b33774ca628fd68634074a4c0f4353b38df2f860

SSO authentication can be enabled for all non-privileged users by a new configuration property. Admins with the permission APP_ADMIN (role superAdminRole) can't be authenticated by SSO.

After consultation with Radek, I didn't add the new permission "App configuration - SSO disabled" yet, because IdM currently supports only one "App configuration" permission. Other App permissions would in some cases behave as APP_ADMIN, which is not desired.
Also we would need to implement a new method to get all assigned authorities of the not-logged user without "trimming" (= it should return APP_ADMIN as well as APP_SSODISABLED for super admins, not only APP_ADMIN).

The code can be tested locally - setting the "REMOTE_USER" header by the Modify Headers plugin.

The integration with AD was tested in our AD testing environment. Log in to our domain controller 172.31.255.180 as testsso/Demo1234 (domain PISKOVISTE) and navigate to https://virt1.local/idm in Internet Explorer. The authentication also works from the local computer (/etc/hosts: 172.31.255.151 virt1.local), the browser will prompt for the credentials.

The documentation and install guide is still in progress.

New configuration properties:
https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#sso

Added information about existing SSO filter:
https://wiki.czechidm.com/devel/documentation/security/dev/authentication#basic_view, https://wiki.czechidm.com/devel/documentation/security/dev/security#sso, https://wiki.czechidm.com/devel/documentation/security/dev/security#active_filters

The install guide for admin (how to configure Kerberos in Apache) will be by tomorrow.

Please Radek could you do the feedback for the code? https://github.com/bcvsolutions/CzechIdMng/commit/b33774ca628fd68634074a4c0f4353b38df2f860

Thx for this new feature, all features works (tested by soapIU) and code is awesome! I like reusing Honza's IdmAuthenticationFilter interface with token resolved from header.

I have just two note for redesign
- Added configuration is related to this filter only, configurable interface should be added directly to IdmAuthenticationFilter (the same way as in AuthorizationEvaluator, EntityEventProcessor). Configuration for filters was not needed before, but now it is. Added value will be enable / disable feature for all filters (used in AuthenticationFilter), we can create FE agenda for filters (the same as for processors) in future etc.
- LookupService can be used instead IdmIdentityService (identity can be found by different attributes by registered lookup + overridable on projects). Maybe configure forbidden uid as our internal uuid (optionally) could be safer(cannot be changed as username).

I did redesign mentioned above.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/a7793a3883398ca0ed3da79ff5d2fb395eb21f5b
Doc: https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#authentication_filters

Vitek, could you do quick last feedback, pls?

I did review and test.

Works nice, thanks you BOTH, for that.