cedardevs / onestop

OneStop is a data discovery system being built by CIRES researchers on a grant from the NOAA National Centers for Environmental Information. We welcome contributions from the community!
GNU General Public License v2.0

ICAM Auth via Filter #597

Closed zebdelk closed 6 years ago

zebdelk commented 6 years ago

see example at https://github.com/18F/identity-saml-java/blob/master/src/main/java/gov/gsa/samplesp/App.java

forgo commented 6 years ago

Have cleaned up OpenSAML 3 code based mostly on: https://bitbucket.org/srasmusson/webprofile-ref-project-v3

Login.gov is now working, as before, with latest library updates.

Looking very closely at the SP/IDP bindings and making sure configurations make sense -- from there sent Shabaz on ICAM team my latest information in order to move forward.

Update 6/25: Shabaz needed to clean something in our metadata, but should be updating our SP metadata to reflect the "short-term" solution where api-metadata bakes in the SAML endpoints and logic (hopefully through a shareable library once we get the kinks worked out).

forgo commented 6 years ago

I have fixed the problem with an infinite redirect loop in Spring Security by extending SingleRequestFilter (instead of GenericBeanFilter) and explicitly ignoring requests whose path does not start with '/admin/'.
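The path-scoping described in the comment above, written out as an added example (not OneStop project code) on Spring's `OncePerRequestFilter`. The class name, the `/admin/` prefix, the `/login/saml` login path and the session attribute name are assumptions for illustration; the point it shows is that the filter must skip everything outside the protected prefix, including the login endpoint itself, or the redirect it issues re-enters the filter and loops.

```java
// Added example (not OneStop project code): an authentication filter scoped to
// one URL prefix, so that redirecting to the SSO login cannot loop back into it.
package example.sso;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class AdminSsoFilter extends OncePerRequestFilter {

  // Only requests under this prefix are subject to the SSO check (assumption).
  private static final String PROTECTED_PREFIX = "/admin/";
  // Hypothetical path that starts the SAML login. It must live OUTSIDE the
  // protected prefix: if it sat under /admin/, the redirect below would hit this
  // filter again, which is exactly the infinite-redirect failure mode.
  private static final String LOGIN_PATH = "/login/saml";

  @Override
  protected boolean shouldNotFilter(HttpServletRequest request) {
    // Compare the servlet path (context path already stripped) so a deployment
    // mounted under e.g. /onestop/ still matches. Anything not under /admin/ is
    // passed straight through, including the login endpoint and public pages.
    String path = request.getServletPath();
    return path == null || !path.startsWith(PROTECTED_PREFIX);
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request,
                                  HttpServletResponse response,
                                  FilterChain chain)
      throws ServletException, IOException {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    // Spring marks the anonymous principal as "authenticated", so it has to be
    // excluded explicitly; otherwise anonymous users would reach /admin/.
    boolean loggedIn = auth != null
        && auth.isAuthenticated()
        && !(auth instanceof AnonymousAuthenticationToken);
    if (!loggedIn) {
      // Remember where the user was going so the login callback can return
      // there (attribute name is an assumption), then hand off to SSO.
      request.getSession(true).setAttribute("ssoReturnTo", request.getRequestURI());
      response.sendRedirect(request.getContextPath() + LOGIN_PATH);
      return;
    }
    chain.doFilter(request, response);
  }
}
```

Register it in the security configuration ahead of the filter that would otherwise handle authentication for these paths, for example with `http.addFilterBefore(new AdminSsoFilter(), UsernamePasswordAuthenticationFilter.class)`; `OncePerRequestFilter` also guarantees the check runs once per request even when the container dispatches internally (forwards, error pages), which is another place a naively registered filter can redirect twice.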

forgo commented 6 years ago

This SSO service is largely how we are addressing the stop-gap between locking down loading metadata through a secure api-metadata endpoint and whatever long term solution (e.g. Keycloak/RH-SSO) we choose for MSN/NOAA as a whole that integrates well in many contexts (SpringBoot, React, Angular, microservices, etc.)

forgo commented 6 years ago

Authentication

Authorization (short-term solution for api-metadata)

See #600

forgo commented 6 years ago

should try AbstractAuthenticationProcessingFilter: https://www.ebayinc.com/stories/blogs/tech/customizing-spring-security-with-multiple-authentications/