Difference between revisions of "AppSuite:SAML SSO Integration"

(Message Flows)
(Message Flows)
Line 7: Line 7:
  
 
Every SAML request message (i.e. <code>&lt;AuthnRequest&gt;</code> or <code>&lt;LogoutRequest&gt;</code>) is sent via the ''HTTP-Redirect'' binding to a formerly configured endpoint. The binding for <code>&lt;LogoutResponse&gt;</code> messages, that are sent in response to IdP-initiated logout requests is configurable and can be either ''HTTP-Redirect'' or ''HTTP-POST''. Messages of type <code>&lt;Response&gt;</code> are accepted via the ''HTTP-POST'' binding only, while <code>&lt;LogoutRequest&gt;</code> and <code>&lt;LogoutResponse&gt;</code> messages are accepted via ''HTTP-Redirect'' too.
 
Every SAML request message (i.e. <code>&lt;AuthnRequest&gt;</code> or <code>&lt;LogoutRequest&gt;</code>) is sent via the ''HTTP-Redirect'' binding to a formerly configured endpoint. The binding for <code>&lt;LogoutResponse&gt;</code> messages, that are sent in response to IdP-initiated logout requests is configurable and can be either ''HTTP-Redirect'' or ''HTTP-POST''. Messages of type <code>&lt;Response&gt;</code> are accepted via the ''HTTP-POST'' binding only, while <code>&lt;LogoutRequest&gt;</code> and <code>&lt;LogoutResponse&gt;</code> messages are accepted via ''HTTP-Redirect'' too.
 +
 +
Below are illustrations for the supported message flows. For reasons of clarity several query parameters like ''SAMLRequest'' or ''RelayState'' have been omitted.
  
 
==== Login Flow ====
 
==== Login Flow ====

Revision as of 14:55, 7 April 2015

SAML SSO Integration

Introduction

With 7.8.0 OX App Suite supports single sign-on via SAML 2.0. In concrete the backend supports the Web Browser SSO Profile and the Single Logout Profile, supported bindings are HTTP-Redirect and HTTP-POST. The core implemenation of SAML needs always be complemented by an environment-specific counterpart. Such a counterpart is called a SAML backend. It is responsible for resolving users by incoming assertions and can make use of several extension points that allow to customize the SAML messages and response validation.

Message Flows

Every SAML request message (i.e. <AuthnRequest> or <LogoutRequest>) is sent via the HTTP-Redirect binding to a formerly configured endpoint. The binding for <LogoutResponse> messages, that are sent in response to IdP-initiated logout requests is configurable and can be either HTTP-Redirect or HTTP-POST. Messages of type <Response> are accepted via the HTTP-POST binding only, while <LogoutRequest> and <LogoutResponse> messages are accepted via HTTP-Redirect too.

Below are illustrations for the supported message flows. For reasons of clarity several query parameters like SAMLRequest or RelayState have been omitted.

Login Flow

SAML login flow.png

Developers Guide

The core implementation is contained in its own bundle com.openexchange.saml within the backend repository and relies on the OpenSAML library (https://wiki.shibboleth.net/confluence/display/OpenSAML). This guide assumes that you are familiar with the terminology and technological aspects of SAML 2.0.

The SAML backend

A SAML backend consists at least of an implementation of com.openexchange.saml.spi.SAMLBackend. An instance of this implementation must be registered as OSGi service under this interface. It is considered best practice to start with inheriting from com.openexchange.saml.spi.AbstractSAMLBackend instead of implementing the interface directly. This reduces the number of methods to implement while default implementations are used where it is possible. You probably need to override some of the other methods as well to customize their behavior. Especially the validation of SAML responses needs likely to be adjusted, as the default strategy is very strict and will fail if the IdP does not obey the specification in every point. Start with reading the JavaDoc of the mentioned classes and follow their references to get an overview of what you need to implement. Additionally there is an example implementation in the exaples/backend-samples repository that targets WSO2 Identity Server as IdP. The according project is com.openexchange.saml.wso2, its packaging information is contained in open-xchange-saml-wso2.

SAML might replace the web login of OX App Suite but it cannot be used by non-web clients that make use of the HTTP API directly. Therefore it uses sepcial login/logout calls instead of changing the behavior of the calls from the login module. While those calls are based on an installed authentication service (i.e. a package that provides open-xchange-authentication), SAML is not. Nevertheless an authentication service must always be provided. If you want SAML as your only login mechanims, you can simply register an instance of com.openexchange.saml.spi.DisabledAuthenticationService as OSGi service and let your package provide open-xchange-authentication. You can also decide to implement an own authentication service that takes care of authentication for other clients. It is also possible to install one of the existing open-xchange-authentication providers to allow e.g. IMAP or LDAP authentication.

Operators Guide

Installation

After development of the SAML backend is done you can setup OX App Suite as usual. Additionally you need to install open-xchange-saml-core and a package that provides open-xchange-saml-backend. It is also necessary that a package providing open-xchange-authentication is installed. For your convenience you can install the metapackage open-xchange-saml which depends on a core and backend package. Finally a package for SAML support within App Suite UI is needed: open-xchange-appsuite-saml.

$ apt-get install open-xchange-saml open-xchange-appsuite-saml

Configuration

The core configuration takes place in saml.properties. Step through this file and set the property values in accordance to their explanation.