Orbeon Forms community mailing list

Is support for SAML on the Obreon roadmap?

classic Classic list List threaded Threaded
10 messages Options
JonB
Reply | Threaded
Open this post in threaded view
|

Is support for SAML on the Obreon roadmap?

JonB
I'm evaluating Obreon for my employer. Our applications support single-sign-on via a SAML identity provider. Is support for SAML on the Obreon roadmap?

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
acspike
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

acspike
On Friday, January 16, 2015 at 4:42:03 PM UTC-6, Jonathan Bartels wrote:
> I'm evaluating Obreon for my employer. Our applications support single-sign-on via a SAML identity provider. Is support for SAML on the Obreon roadmap?

I can't speak for the devs, but my understanding is that authentication protocols happen outside of Orbeon. For example I'm using Orbeon with SAML via Jasig's CAS.



--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
ada.birkoff
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

ada.birkoff
Hello, any news on this? We are choosing forms engine for our customer and SAML2 is one of the main requirement.
Thx.
Adam
Alessandro Vernet
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

Alessandro Vernet
Administrator
Hi Adam,

As mentioned by Aaron back in 2015, authentication, when needed, is handled before requests reach Orbeon Forms, either through some integration with the application server, or some other mechanism, like a servlet filter or reverse proxy redirecting users to a login page when necessary. For SAML 2.0, PicketLink (http://picketlink.org/) is widely used and well maintained, so maybe good place to get started if you don't already have another implementation in mind.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
ada.birkoff
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

ada.birkoff
Hello Alex,
OK, now I've got it, it was stupid question :) Haven't read much about Orbeon project yet, but I really like it. Thank you for such a quick response, now it's time for some experiments.

Adam
Alessandro Vernet
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

Alessandro Vernet
Administrator
Not stupid at all Adam :). You'll let us know how your experiments go, and of course feel free to reach out if there is anything we can help with along the way.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
Aaron Spike
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

Aaron Spike
In reply to this post by Alessandro Vernet
When this topic was last discussed, PicketLink was a suggested solution. Now Keycloak is the apparent successor to PicketLink. When I look at the documentation for Keycloak Tomcat Adapter (https://www.keycloak.org/docs/latest/securing_apps/#_tomcat_adapter), particularly the section about configuring adapters (https://www.keycloak.org/docs/latest/securing_apps/#_java_adapter_config), I get the impression that the KeycloakAuthenticatorValve is meant specifically to interact with a Keycloak server. Is this impression correct?

Is anyone else authenticating Orbeon via SAML? What is currently the simplest path to container based SAML authentication with Tomcat?

This electronic communication, including any attached documents, may contain confidential and/or legally privileged information that is intended only for use by the recipient(s) named above. If you have received this communication in error, please notify the sender immediately and delete the communication and any attachments. Views expressed by the author do not necessarily represent those of Martin Luther College.

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/orbeon/9f7268c2-1a7f-4455-b9c4-b9e400055d35%40googlegroups.com.
Oscar
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

Oscar
Aaron, 

We have setup SAML authentication with Orbeon. However, the authentication happens before reaching Orbeon. We have utilized Apache server and Shibboleth SP to integrate with the SSO portal. I don't know specifically with Keycloak, but in theory it should work. 

Regards, 

Oscar

On Wednesday, January 29, 2020 at 9:38:21 AM UTC-8, Aaron Spike wrote:
When this topic was last discussed, PicketLink was a suggested solution. Now Keycloak is the apparent successor to PicketLink. When I look at the documentation for Keycloak Tomcat Adapter (<a href="https://www.keycloak.org/docs/latest/securing_apps/#_tomcat_adapter" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.keycloak.org%2Fdocs%2Flatest%2Fsecuring_apps%2F%23_tomcat_adapter\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG8EWu9Q5uMgTGzFt1byJZ1Z-VddA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.keycloak.org%2Fdocs%2Flatest%2Fsecuring_apps%2F%23_tomcat_adapter\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG8EWu9Q5uMgTGzFt1byJZ1Z-VddA&#39;;return true;">https://www.keycloak.org/docs/latest/securing_apps/#_tomcat_adapter), particularly the section about configuring adapters (<a href="https://www.keycloak.org/docs/latest/securing_apps/#_java_adapter_config" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.keycloak.org%2Fdocs%2Flatest%2Fsecuring_apps%2F%23_java_adapter_config\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEkumQLm3MCSB0URsnh2J9j8befHw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.keycloak.org%2Fdocs%2Flatest%2Fsecuring_apps%2F%23_java_adapter_config\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEkumQLm3MCSB0URsnh2J9j8befHw&#39;;return true;">https://www.keycloak.org/docs/latest/securing_apps/#_java_adapter_config), I get the impression that the KeycloakAuthenticatorValve is meant specifically to interact with a Keycloak server. Is this impression correct?

Is anyone else authenticating Orbeon via SAML? What is currently the simplest path to container based SAML authentication with Tomcat?

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/orbeon/cb1e18d3-3614-49fc-9076-27bb737c75b2%40googlegroups.com.
Aaron Spike
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

Aaron Spike
Oscar,

Are you able to share additional details about your setup? I'm running Orbeon behind an Apache reverse proxy. I'd be happy with anything that authenticates against a SAML IdP (simpleSAMLPhp in this case) and gets the user and groups to Orbeon.

Aaron

This electronic communication, including any attached documents, may contain confidential and/or legally privileged information that is intended only for use by the recipient(s) named above. If you have received this communication in error, please notify the sender immediately and delete the communication and any attachments. Views expressed by the author do not necessarily represent those of Martin Luther College.

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/orbeon/52cc75dd-b72c-4765-b8cd-8bec61df0aa2%40googlegroups.com.
Oscar
Reply | Threaded
Open this post in threaded view
|

Re: Is support for SAML on the Obreon roadmap?

Oscar
Aaron, 

We are utilizing Shibboleth SP to be the relying proxy trust alongside Apache Server. This would proxy the Tomcat application with AJP.

This would make the user authenticate (if they haven't authenticated) before being able to continue to the Obreon form. However, you would need to setup header attributes in simpleSAMLphp that would disclose the information requested. Then, Shibboleth has to be able to see these attributes. Orbeon can then tap into these headers with the function xxf:get-request-headers('AttributeName').

Hopefully this gives you a general idea of what is required. 

Regards, 

Oscar



On Wednesday, January 29, 2020 at 12:15:58 PM UTC-8, Aaron Spike wrote:
Oscar,

Are you able to share additional details about your setup? I'm running Orbeon behind an Apache reverse proxy. I'd be happy with anything that authenticates against a SAML IdP (simpleSAMLPhp in this case) and gets the user and groups to Orbeon.

Aaron

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/orbeon/35d31296-47a8-4434-a8be-693193646857%40googlegroups.com.
Free forum by Nabble Edit this page