Inbound Saml Module Persistence Api
- Where in the LDAP tree the data goes
- objectclass definition for the entity
- Endpoint names
- How customers will manage this data
- Any services that will need to run for this to work (no more surprises about a database or some other component that needs to run)
The entity should have the same name everywhere, as it's the same entity.
I'm using `trusted-idp`, as it's an IdP that is trusted by gluu-server to receive third-party (aka inbound) SAML.
We still have the following options:
- inbound-idp
- saml-idp
To implement the Inbound SAML Persistence API, we will create a new ou in LDAP, `ou=trusted-idps` under `o=gluu`, which contains an entry for every trusted remote IdP used by the inbound-saml module.
Each entry will contain attributes such as inum, remoteidpName, remoteIdpHost, selectedSingleSignOnService, supportedSingleSignOnServices and signingCertificate, according to the OpenAPI spec here: https://app.swaggerhub.com/apis-docs/chris-hawk/inbound-saml/1.0.0
`remoteIdpHost` must never be duplicated.
Here is the sample `trusted-idp` entry's structure:
Installation Instruction: add the REST API extension to an existing Gluu 4.3.x deployment by following these steps:
1. Inside the Gluu chroot, navigate to `/opt/gluu/jetty/identity/custom/libs`.
2. In this folder, download the .jar file corresponding to the Gluu Server version currently installed:
   - jar file link: https://jenkins.gluu.org/maven/org/gluu/api-rest/4.4.0-SNAPSHOT/api-rest-4.4.0-SNAPSHOT.jar
3. Navigate to `/opt/gluu/jetty/identity/webapps/`.
4. Create a file called `identity.xml` if it does not already exist.
5. Add the following to `identity.xml`, as mentioned in the identity.xml doc:
   `./custom/libs/[jarName].jar`
6. On the second-to-last line, replace `[jarName]` with the name of the .jar file downloaded in step 2.
7. Stop the 'openDJ' service with the command mentioned in the service document.
8. Update the file `/opt/openDJ/config/schema/101-ox.ldif` with the latest schema in LDAP: https://github.com/GluuFederation/community-edition-setup/blob/master/static/opendj/101-ox.ldif
9. Start the 'openDJ' service with the command mentioned in the service document.
10. Stop the 'identity' service with the command mentioned in the service document.
11. Download the latest identity war file and rename it `identity.war`.
12. Deploy this `identity.war` in `/opt/gluu/jetty/identity/webapps/`.
13. Start the 'identity' service with the command mentioned in the service document.
To use the trusted-idp APIs, you first have to enable the oxTrust API in the Gluu server, as per the oxtrust-api docs.
The endpoint should be set up according to the entity name: `/inbound-saml/trusted-idp/<remoteIdpHost>`. If remoteIdpHost = testHost, then: `/inbound-saml/trusted-idp/testHost`
1. To fetch all remote IdPs
   GET API endpoint URL:
   `https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp`
   Set header parameters as per UMA or Test protection mode.
2. To fetch a remote IdP by remoteIDPHost
   GET API endpoint URL:
   `https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp/{remoteIDPHost}`
   Set header parameters as per UMA or Test protection mode.
3. To create a new remote IdP:
   POST API endpoint URL:
   `https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp`
   Header: Authorization token or UMA token
   Body:
   ```json
   {
     "name": "test",
     "host": "test",
     "signingCertificates": "<base64-encoded signing certificate>",
     "selectedSingleSignOnService": {
       "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
       "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO"
     },
     "supportedSingleSignOnServices": [
       { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location": "https://samltest.id/idp/profile/SAML2/POST/SSO" },
       { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO" },
       { "binding": "urn:mace:shibboleth:1.0:profiles:AuthnRequest", "location": "https://samltest.id/idp/profile/Shibboleth/SSO" },
       { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign", "location": "https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO" }
     ]
   }
   ```
4. To update an existing remote IdP by remoteIDPHost:
   PUT API endpoint URL:
   `https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp/{remoteIDPHost}`
   Header: Authorization token or UMA token
   Body:
   ```json
   {
     "name": "test",
     "host": "test",
     "signingCertificates": "MIIDBDCCAeygAwIBAgIhAOqA6qeE/ZnT2aXMzo57OYSY2iv/Qc83nIGyAK2Cw8ofMA0GCSqGSIb3DQEBDAUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMjIwMTE1MTIyMTUxWhcNMjIwMTE3MTIyMTU5WjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjjPLe5gJcQc0tooQgGlajL/3xxvaVHbF/dpqelOQLKoKhC2apA5IKXBqG6elZVDPejAAmoGgnqurTF4YO8RslHSXr1NliikMOPayuzsA1kYObDhIu8W6jsSAaGErtuZPA0EnBK3/UcWkyuh04E25Lys4Du8Aj3i1DDMJXNlidSCT8Lp99nGpJM4syqScS4cDeLavwZ75oQfBLr1zA75e1pxvlo19x+lEox7fHcXD6HOGXiKGo240d+7GwbHjRdX092bSQCy0ahcvHhRIvW/6yNZjVLNUiKlYD757yVWg2qSO0bo6MIb6XJILEcw5bfpPPHX2kMW3/C7j0y9fxF6uRQIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQEMBQADggEBAIWRtCXzZrhPBANzp63ebRnboB1rZRDpUcOpwYKOv2P6/cRU6sspwpKbGMgPGeoulfvemXrvMP0MX0RmXuw+ZEH6Jsh6lY/VLnYUmxhM9mkGKHkeXnMOgU09tyWBLwCy2EibVMrmZUb4NuWZP2E89E+zoFW8R4S6i0xoB4SgUM+8s/0c7RTLXH4Eqwah0bwI1DKr/9ucWTTGTxM2CQL6g04EVhuaBqvso9NrktvQR2GRUriuFuwZC6Y3Y661Qm9lHfoZa7IEWHzcSxAQTvK0O6InFi+LVzRsHGU72+ShJs495ltzNv+kxvAq6BEM7DvBW2xL2VTrhGiPvdIRnL8+waw=",
     "selectedSingleSignOnService": {
       "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
       "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO"
     },
     "supportedSingleSignOnServices": [
       { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location": "https://samltest.id/idp/profile/SAML2/POST/SSO" },
       { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO" },
       { "binding": "urn:mace:shibboleth:1.0:profiles:AuthnRequest", "location": "https://samltest.id/idp/profile/Shibboleth/SSO" },
       { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign", "location": "https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO" }
     ]
   }
   ```
5. To delete a remote IdP by remoteIDPHost
   DELETE API endpoint URL:
   `https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp/{remoteIDPHost}`
   Set header parameters as per UMA or Test protection mode.
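The following is an added client-side example, not code from the oxTrust project: it builds the request for each of the five trusted-idp endpoints above and sanity-checks a body before it is sent with POST or PUT. It assumes the token is passed as a `Bearer` value in the `Authorization` header (the page only says "Authorization token or UMA token"), that `gluu.example.org` is a placeholder host, and that the uniqueness rule for `remoteIdpHost` is enforced by comparing against the host list returned by the GET endpoint. The sample body is constructed here; its certificate is a five-byte dummy DER SEQUENCE, not a real X.509 certificate.

```python
import base64
import json
from urllib.parse import quote

# Added example, not the oxTrust code. Endpoint paths come from the page.
BASE_PATH = "/identity/restv1/api/v1/inbound-saml/trusted-idp"
METHODS = {"list": "GET", "get": "GET", "create": "POST",
           "update": "PUT", "delete": "DELETE"}
KNOWN_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:mace:shibboleth:1.0:profiles:AuthnRequest",
}

# Constructed sample body shaped like the page's POST example. The
# certificate is a dummy 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_BODY = {
    "name": "test",
    "host": "test",
    "signingCertificates": base64.b64encode(b"\x30\x03\x02\x01\x05").decode(),
    "selectedSingleSignOnService": {
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
        "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO"},
    "supportedSingleSignOnServices": [
        {"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
         "location": "https://samltest.id/idp/profile/SAML2/POST/SSO"},
        {"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
         "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO"},
    ],
}


def looks_like_der(b64):
    """True if b64 decodes to exactly one complete DER SEQUENCE (the outer
    shape of an X.509 certificate). It does not validate the certificate."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    first = raw[1]
    if first < 0x80:              # short-form length
        header, length = 2, first
    elif first in (0x81, 0x82):   # long-form length with 1 or 2 length bytes
        n = first - 0x80
        if len(raw) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    else:
        return False
    return len(raw) == header + length


def validate_trusted_idp(body, existing_hosts=()):
    """Return a list of problems (empty means OK). existing_hosts enforces
    the rule that remoteIdpHost is never duplicated; for an update, pass the
    hosts other than the one being updated."""
    problems = []
    host = body.get("host")
    if not host:
        problems.append("host is required")
    elif host in existing_hosts:
        problems.append(f"host {host!r} already exists (remoteIdpHost must be unique)")
    if not body.get("name"):
        problems.append("name is required")
    supported = body.get("supportedSingleSignOnServices") or []
    if not supported:
        problems.append("at least one supported SingleSignOnService is required")
    for svc in supported:
        if svc.get("binding") not in KNOWN_BINDINGS:
            problems.append(f"unknown binding {svc.get('binding')!r}")
        if not str(svc.get("location", "")).startswith("https://"):
            problems.append(f"SSO location must use https: {svc.get('location')!r}")
    if body.get("selectedSingleSignOnService") not in supported:
        problems.append("selectedSingleSignOnService must be one of "
                        "supportedSingleSignOnServices")
    if not looks_like_der(body.get("signingCertificates") or ""):
        problems.append("signingCertificates is not a base64 DER certificate")
    return problems


def build_request(operation, gluu_host, token, remote_idp_host=None, body=None):
    """Return (method, url, headers, payload) for one of the five endpoints.
    token is the bearer token obtained under UMA or test protection mode."""
    method = METHODS[operation]
    url = f"https://{gluu_host}{BASE_PATH}"
    if operation in ("get", "update", "delete"):
        if not remote_idp_host:
            raise ValueError(f"{operation} needs a remoteIdpHost")
        url += "/" + quote(remote_idp_host, safe="")   # no '/' inside the segment
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    payload = None
    if operation in ("create", "update"):
        if body is None:
            raise ValueError(f"{operation} needs a body")
        headers["Content-Type"] = "application/json"
        payload = json.dumps(body).encode()
    return method, url, headers, payload


if __name__ == "__main__":
    print("problems:", validate_trusted_idp(SAMPLE_BODY))
    print(build_request("create", "gluu.example.org", "<token>", body=SAMPLE_BODY)[:3])
```

The returned tuple maps directly onto `urllib.request.Request(url, data=payload, headers=headers, method=method)`. The host is percent-encoded with nothing marked safe so that a value containing `/` cannot reach a different path on the identity service, and the body is refused when the selected SSO service is not one of the supported ones, which is the inconsistency a remote IdP entry most easily ends up with.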
- Using this API endpoint (as in the OpenAPI spec), by calling the endpoint.
- Using the "create from metadata url" feature in the inbound-saml module: POST to `/inbound-saml/trusted-idps/metadata` using BASIC auth (for MVP), with JSON containing:
  - name (any name),
  - url (metadata url).
- oxAuth
- oxTrust
- InboundSaml
- OpenDJ