OpenAM Client API


OpenAM Client API

Koen Serneels

Hello,

For initiating saml2p and validating assertions afterwards, we use openam in our webapps.

To instruct openam to start the authentication (creating the authnrequest based on the metadata) we extracted the relevant code from the fedlet samples.

For ex, "SPSSOFederate.initiateAuthnRequest" would be used (in our case from Spring Security) to trigger the whole process for creating the authnrequest and instructing the browser to get it delivered at the IDP side.

However, these APIs seem to be fit for the fedlet components, more specifically for being used within JSPs. We have noticed that there are pre-configured JSP files to which the API sometimes redirects.

Also, the information that needs to be supplied to this API is not so clear. If you open such a JSP you'll notice that there is a lot of code extracting parameters and the like before the actual init happens. With a bit of patience it's perfectly possible to extract the bits & pieces so that it can be used from a plain Java class, but it is still a bit cumbersome.

So my question: is there perhaps a better, more view-tech-agnostic kind of API that we can use to operate openam?

For example, it is a bit weird that the implementation expects that there are JSPs to be used, which is of course not always the case.

Also, the way of using the API is scattered over different JSP files which supply all parts of the configuration together with the meta-data.

Thanks,


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: OpenAM Client API

Bernhard Thalmayr
As you already use Spring you should have a look at the Spring Security SAML
extension (it implements a SAMLv2 SP) ... way easier and quicker to use
than the Fedlet sample code.


-Bernhard


Re: OpenAM Client API

Koen Serneels
Thanks for the tip. That was already on my list. So what this basically
means is: stay away from OpenAM? :-)

That aside, is it then correct that there is no cleaner API within OpenAM to
do this? In the beginning I thought of the "fedlet" as a kind of helper or
demo if you want to illustrate the entire chain.
Maybe also as a reusable component in case you are using JSPs and you want
a drop-in without having to do a lot yourself.
I always assumed that this was using some kind of API which could then be
used without the entire fedlet stuff.

For ex. right now I'm trying SLO via POST binding. When triggering SLO via
SPSingleLogout.initiateLogoutRequest, it ends up in SAML2Utils where it does
this:
request.getRequestDispatcher("/saml2/jsp/autosubmitaccessrights.jsp").forward(request, response);
This stuff is all hard coded, so now I'm obliged to
have this self-posting mechanism in a JSP and on that specific path?

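The SLO case above ends in a forward to a hard-coded JSP whose only job is to render the HTTP-POST binding auto-submit form. As an added example (not OpenAM's or the Fedlet's code), this is the same form rendered from a plain Java class, with HTML escaping of the values and the bindings spec's 80-byte RelayState check; PostBindingForm, render and the sample LogoutRequest are constructed names and values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Renders the SAML 2.0 HTTP-POST binding auto-submit form from plain Java,
 * i.e. what the hard-coded forward to autosubmitaccessrights.jsp produces.
 * Hypothetical class, not part of OpenAM.
 */
public final class PostBindingForm {
    /** Escape a value for safe use in HTML attribute and element content. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * @param destination the IdP SLO endpoint URL taken from its metadata
     * @param samlXml     the (already signed) LogoutRequest or LogoutResponse XML
     * @param relayState  opaque state the IdP echoes back; may be null
     * @param isResponse  true to send a SAMLResponse field instead of SAMLRequest
     */
    static String render(String destination, String samlXml, String relayState, boolean isResponse) {
        // SAML 2.0 Bindings 3.5.3: RelayState must not exceed 80 bytes
        if (relayState != null && relayState.getBytes(StandardCharsets.UTF_8).length > 80) {
            throw new IllegalArgumentException("RelayState exceeds the 80-byte limit");
        }
        String b64 = Base64.getEncoder().encodeToString(samlXml.getBytes(StandardCharsets.UTF_8));
        String field = isResponse ? "SAMLResponse" : "SAMLRequest";
        StringBuilder html = new StringBuilder();
        html.append("<!DOCTYPE html><html><body onload=\"document.forms[0].submit()\">")
            .append("<form method=\"post\" action=\"").append(htmlEscape(destination)).append("\">")
            .append("<input type=\"hidden\" name=\"").append(field).append("\" value=\"")
            .append(htmlEscape(b64)).append("\"/>");
        if (relayState != null) {
            // untrusted input: escaping keeps it from breaking out of the attribute
            html.append("<input type=\"hidden\" name=\"RelayState\" value=\"")
                .append(htmlEscape(relayState)).append("\"/>");
        }
        html.append("<noscript><input type=\"submit\" value=\"Continue\"/></noscript>")
            .append("</form></body></html>");
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request; in practice the SAML library builds and signs it
        String logoutRequest = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " ID=\"_constructed-id\" Version=\"2.0\" IssueInstant=\"2016-03-17T09:00:00Z\""
            + " Destination=\"https://idp.example.org/slo\"/>";
        // Constructed RelayState containing characters that must not reach the HTML unescaped
        String relayState = "/app/home?x=\"><b>";
        System.out.println(render("https://idp.example.org/slo", logoutRequest, relayState, false));
    }
}
```

In a servlet, the returned string is written to the response with Content-Type text/html;charset=UTF-8 and Cache-Control: no-store instead of forwarding to the JSP path.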

Re: OpenAM Client API

Nicolas Seigneur
The Fedlet is a SAML Service Provider implementation that demonstrates the various SAML capabilities of OpenAM. In many cases, you will generate the Fedlet from the OpenAM Wizard, which automatically populates the various configuration required by your OpenAM instance.

As Bernhard said, if you are looking for a "generic" SAML implementation, you should look into Spring Security SAML. There's a guide that should provide a good start here: https://wikis.forgerock.org/confluence/display/openam/OpenAM+with+Spring+Security+SAML

By doing the above procedure, you will be using a "clean" SAML implementation where OpenAM is the IDP and Spring is the SP.

Nicolas Seigneur
Indigo Consulting Canada


Re: OpenAM Client API

Susan Liebeskind
Be aware that the Spring Security SAML implementation may not support all the SAML functionality that the OpenAM Fedlet does. In particular, it does not support the SAML Attribute Query. There was a JIRA ticket asking for AttributeQuery support in Spring SAML created back in May 2014, but it was apparently closed out without comment (or implementation as best I can tell) in February of this year.

What my team did was reimplement all the work that was done in the fedlet JSPs in our own Java classes, using them as a guideline.

Susan


Re: OpenAM Client API

Koen Serneels

Hi Susan,

This is exactly what we did. But doing so I was wondering if there isn't anything cleaner than going through a dozen JSPs stacked with scriptlets.

Also, the API is partly inside the JSPs. For ex., when initiating SLO some information is parsed from the saml response inside the JSP and then simply passed along to openam.

It would make more sense for an API to ask for the response and hide these details, perhaps offering some possibilities for extension or to modify it before openam uses them.

Anyway, I believe my question got answered. Apparently there isn't anything better, besides using Spring saml. So we'll probably look at that the next time.

We are not using attribute query so no problem there. In fact I investigated spring saml a while back when we decided to go with openam for the SP, but it was still in dev phase.


Re: OpenAM Client API

Bernhard Thalmayr
In reply to this post by Susan Liebeskind
At the moment the 'Fedlet' is nothing more than jars and meta data. The
sample application is not really usable. Unfortunately it's still an
"unfinished" sample. I already tried to address this, but you know ... so
many things to do, so little time.

If you want more, like session management or seamless authentication, you
have to build everything yourself.

Of course everything depends on the needs...

For sure you get more OOTB using the Spring Security SAML extension.

And yes, the Spring Security SAML extension is also missing using a 'passive'
request to perform a session check on the IdP, but neither does the
'Fedlet' sample app.

-Bernhard
