Skip to content

Inbound Saml Module Persistence Api

Jump to bottom Edit New page
shekhar16 edited this page Mar 17, 2022 · 21 revisions

Summary

  1. Where in the LDAP tree the data goes
  2. objectclass definition for the entity
  3. Endpoint names
  4. how customers will manage this data.
  5. any services that will need to run for this to work… (no more surprises about a database or some other component that needs to run)

Important Note

The entity should have the same name everywhere, as it's the same entity.

I'm using trusted-idp, as it's an idp that is trusted by gluu-server to receive third party (aka inbound) saml.

We still have the the following options:

  • inbound-idp
  • saml-idp

Where in the LDAP tree the data goes

To implement the Inbound Saml Persistence API, we gonna create a new ou in ldap i.e. o=gluu,ou=trusted-idps which contains entries for every trusted Remote Idp used by inbound-saml module.

Each entry will contain the attributes like inum, remoteidpName, remoteIdpHost, selectedSingleSignOnService, supportedSingleSignOnServices, signingCertificate, according to openapi specs here: https://app.swaggerhub.com/apis-docs/chris-hawk/inbound-saml/1.0.0

remoteIdpHost should be never duplicated.

image

objectclass definition for the entity

Here is the sampletrusted-idp Entry's structure.

image

Installation Instruction: ` Add the REST API extension to an existing Gluu 4.3.x deployment by following these steps:

  1. Inside the Gluu chroot, navigate to /opt/gluu/jetty/identity/custom/libs.
  2. In this folder, download the .jar file corresponding to the Gluu Server version currently installed:
  3. link jar file https://jenkins.gluu.org/maven/org/gluu/api-rest/4.4.0-SNAPSHOT/api-rest-4.4.0-SNAPSHOT.jar
  4. Navigate to /opt/gluu/jetty/identity/webapps/.
  5. Create a file called identity.xml if it does not already exist.
  6. Add the following to identity.xml as mentioned in doc identity.xml:
/identity /identity.war true

./custom/libs/[jarName].jar

  1. On the second to last line, replace [jarName] with the name of the .jar file downloaded in step 2.

  2. stop 'openDJ' service by command mentioned in document service

  3. update the file /opt/openDJ/config/schema/101-ox.ldif with latest schema in ldap https://github.com/GluuFederation/community-edition-setup/blob/master/static/opendj/101-ox.ldif

  4. start 'openDJ' service by command mentioned in document service

  5. stop 'identity' service by command mentioned in document service

  6. Download latest war file identity and rename it 'identity.war'

  7. deploy this identity.war in location /opt/gluu/jetty/identity/webapps/

  8. start 'identity' service by command mentioned in document service

`

Endpoint Names

To use Trust-IDP APIs, you have to first enable the oxTrust-api in gluu server, as per docs oxtrust-api

Should be setup according to entity name /inbound-saml/trusted-idp/<remoteIdpHost>, if remoteIdpHost = testHost then : /inbound-saml/trusted-idp/testHost

1. To fetch all remote IDPs

Get API Endpoint Url : https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp

Set Header parameters as per UMA or Test protection mode

2. To fetch remote IDPs by remoteIDPHost

Get API Endpoint Url : https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp/{remoteIDPHost}

Set Header parameters as per UMA or Test protection mode

3. To create new remote IDP:

Post API Endpoint Url : https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp

Header : Authorization token or UMA token

Body : { "name": "test", "host": "test", "signingCertificates": "MIIDBDCCAeygAwIBAgIhAOqA6qeE/ZnT2aXMzo57OYSY2iv/Qc83nIGyAK2Cw8ofMA0GCSqGSIb3DQEBDAUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMjIwMTE1MTIyMTUxWhcNMjIwMTE3MTIyMTU5WjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjjPLe5gJcQc0tooQgGlajL/3xxvaVHbF/dpqelOQLKoKhC2apA5IKXBqG6elZVDPejAAmoGgnqurTF4YO8RslHSXr1NliikMOPayuzsA1kYObDhIu8W6jsSAaGErtuZPA0EnBK3/UcWkyuh04E25Lys4Du8Aj3i1DDMJXNlidSCT8Lp99nGpJM4syqScS4cDeLavwZ75oQfBLr1zA75e1pxvlo19x+lEox7fHcXD6HOGXiKGo240d+7GwbHjRdX092bSQCy0ahcvHhRIvW/6yNZjVLNUiKlYD757yVWg2qSO0bo6MIb6XJILEcw5bfpPPHX2kMW3/C7j0y9fxF6uRQIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQEMBQADggEBAIWRtCXzZrhPBANzp63ebRnboB1rZRDpUcOpwYKOv2P6/cRU6sspwpKbGMgPGeoulfvemXrvMP0MX0RmXuw+ZEH6Jsh6lY/VLnYUmxhM9mkGKHkeXnMOgU09tyWBLwCy2EibVMrmZUb4NuWZP2E89E+zoFW8R4S6i0xoB4SgUM+8s/0c7RTLXH4Eqwah0bwI1DKr/9ucWTTGTxM2CQL6g04EVhuaBqvso9NrktvQR2GRUriuFuwZC6Y3Y661Qm9lHfoZa7IEWHzcSxAQTvK0O6InFi+LVzRsHGU72+ShJs495ltzNv+kxvAq6BEM7DvBW2xL2VTrhGiPvdIRnL8+waw=", "selectedSingleSignOnService": { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO" }, "supportedSingleSignOnServices": [ { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location": "https://samltest.id/idp/profile/SAML2/POST/SSO" }, { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO" }, { "binding": "urn:mace:shibboleth:1.0:profiles:AuthnRequest", "location": "https://samltest.id/idp/profile/Shibboleth/SSO" }, { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign", "location": "https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO" } ] }

4. To update new remote IDP by remoteIDPHost:

Put API Endpoint Url : https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp/{remoteIDPHost}

Header : Authorization token or UMA token

Body : { "name": "test", "host": "test", "signingCertificates": "MIIDBDCCAeygAwIBAgIhAOqA6qeE/ZnT2aXMzo57OYSY2iv/Qc83nIGyAK2Cw8ofMA0GCSqGSIb3DQEBDAUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMjIwMTE1MTIyMTUxWhcNMjIwMTE3MTIyMTU5WjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjjPLe5gJcQc0tooQgGlajL/3xxvaVHbF/dpqelOQLKoKhC2apA5IKXBqG6elZVDPejAAmoGgnqurTF4YO8RslHSXr1NliikMOPayuzsA1kYObDhIu8W6jsSAaGErtuZPA0EnBK3/UcWkyuh04E25Lys4Du8Aj3i1DDMJXNlidSCT8Lp99nGpJM4syqScS4cDeLavwZ75oQfBLr1zA75e1pxvlo19x+lEox7fHcXD6HOGXiKGo240d+7GwbHjRdX092bSQCy0ahcvHhRIvW/6yNZjVLNUiKlYD757yVWg2qSO0bo6MIb6XJILEcw5bfpPPHX2kMW3/C7j0y9fxF6uRQIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQEMBQADggEBAIWRtCXzZrhPBANzp63ebRnboB1rZRDpUcOpwYKOv2P6/cRU6sspwpKbGMgPGeoulfvemXrvMP0MX0RmXuw+ZEH6Jsh6lY/VLnYUmxhM9mkGKHkeXnMOgU09tyWBLwCy2EibVMrmZUb4NuWZP2E89E+zoFW8R4S6i0xoB4SgUM+8s/0c7RTLXH4Eqwah0bwI1DKr/9ucWTTGTxM2CQL6g04EVhuaBqvso9NrktvQR2GRUriuFuwZC6Y3Y661Qm9lHfoZa7IEWHzcSxAQTvK0O6InFi+LVzRsHGU72+ShJs495ltzNv+kxvAq6BEM7DvBW2xL2VTrhGiPvdIRnL8+waw=", "selectedSingleSignOnService": { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO" }, "supportedSingleSignOnServices": [ { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location": "https://samltest.id/idp/profile/SAML2/POST/SSO" }, { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location": "https://samltest.id/idp/profile/SAML2/Redirect/SSO" }, { "binding": "urn:mace:shibboleth:1.0:profiles:AuthnRequest", "location": "https://samltest.id/idp/profile/Shibboleth/SSO" }, { "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign", "location": "https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO" } ] }

5. To Delete remote IDPs by remoteIDPHost

Delete API Endpoint Url : https://{gluu.host}/identity/restv1/api/v1/inbound-saml/trusted-idp/{remoteIDPHost}

Set Header parameters as per UMA or Test protection mode

How to manage the data

  • Using this api endpoint (as openapi specs), calling an endpoint.
  • using the "create from metadata url" feature in inbound-saml module, POST to /inbound-saml/trusted-idps/metadata using BASIC auth (for MVP), json containing
    • name(any name),
    • url (metadata url).

Any services that will need to run for this to work

  • oxAuth
  • oxTrust
  • InboundSaml
  • OpenDJ
Add a custom footer
Add a custom sidebar
Clone this wiki locally