Is support for SAML on the Orbeon roadmap?


Jonathan Bartels

Jan 16, 2015, 5:42:03 PM
to orb...@googlegroups.com
I'm evaluating Orbeon for my employer. Our applications support single-sign-on via a SAML identity provider. Is support for SAML on the Orbeon roadmap?

acs...@gmail.com

Jan 16, 2015, 7:28:35 PM
to orb...@googlegroups.com
On Friday, January 16, 2015 at 4:42:03 PM UTC-6, Jonathan Bartels wrote:
> I'm evaluating Orbeon for my employer. Our applications support single-sign-on via a SAML identity provider. Is support for SAML on the Orbeon roadmap?

I can't speak for the devs, but my understanding is that authentication protocols happen outside of Orbeon. For example I'm using Orbeon with SAML via Jasig's CAS.



ada.birkoff

Feb 10, 2017, 11:55:09 AM
to orb...@googlegroups.com
Hello, any news on this? We are choosing a forms engine for our customer and
SAML2 is one of the main requirements.
Thx.
Adam

--
View this message in context: http://discuss.orbeon.com/Is-support-for-SAML-on-the-Obreon-roadmap-tp4659450p4662205.html
Sent from the Orbeon Forms community mailing list mailing list archive at Nabble.com.

Alessandro Vernet

Feb 10, 2017, 12:11:06 PM
to orb...@googlegroups.com
Hi Adam,

As mentioned by Aaron back in 2015, authentication, when needed, is handled
before requests reach Orbeon Forms, either through some integration with the
application server, or some other mechanism, like a servlet filter or
reverse proxy redirecting users to a login page when necessary. For SAML
2.0, PicketLink (http://picketlink.org/) is widely used and well maintained,
so maybe a good place to get started if you don't already have another
implementation in mind.

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

ada.birkoff

Feb 10, 2017, 2:06:41 PM
to orb...@googlegroups.com
Hello Alex,
OK, now I've got it, it was a stupid question :) Haven't read much about
Orbeon project yet, but I really like it. Thank you for such a quick
response, now it's time for some experiments.

Adam


Alessandro Vernet

Feb 10, 2017, 3:00:31 PM
to orb...@googlegroups.com
Not stupid at all Adam :). You'll let us know how your experiments go, and of
course feel free to reach out if there is anything we can help with along
the way.

Alex


Aaron Spike

Jan 29, 2020, 12:38:21 PM
to Orbeon Forms
When this topic was last discussed, PicketLink was a suggested solution. Now Keycloak is the apparent successor to PicketLink. When I look at the documentation for Keycloak Tomcat Adapter (https://www.keycloak.org/docs/latest/securing_apps/#_tomcat_adapter), particularly the section about configuring adapters (https://www.keycloak.org/docs/latest/securing_apps/#_java_adapter_config), I get the impression that the KeycloakAuthenticatorValve is meant specifically to interact with a Keycloak server. Is this impression correct?

Is anyone else authenticating Orbeon via SAML? What is currently the simplest path to container based SAML authentication with Tomcat?

Oscar

Jan 29, 2020, 2:05:58 PM
to Orbeon Forms
Aaron, 

We have set up SAML authentication with Orbeon. However, the authentication happens before reaching Orbeon. We have utilized Apache server and Shibboleth SP to integrate with the SSO portal. I don't know specifically with Keycloak, but in theory it should work.

Regards, 

Oscar

Aaron Spike

Jan 29, 2020, 3:15:58 PM
to Orbeon Forms
Oscar,

Are you able to share additional details about your setup? I'm running Orbeon behind an Apache reverse proxy. I'd be happy with anything that authenticates against a SAML IdP (simpleSAMLPhp in this case) and gets the user and groups to Orbeon.

Aaron

Oscar

Jan 29, 2020, 4:27:53 PM
to Orbeon Forms
Aaron, 

We are utilizing Shibboleth SP to be the relying proxy trust alongside Apache Server. This would proxy the Tomcat application with AJP.

This would make the user authenticate (if they haven't authenticated) before being able to continue to the Orbeon form. However, you would need to set up header attributes in simpleSAMLphp that would disclose the information requested. Then, Shibboleth has to be able to see these attributes. Orbeon can then tap into these headers with the function xxf:get-request-headers('AttributeName').

Hopefully this gives you a general idea of what is required. 

Regards, 

Oscar
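
An Apache httpd configuration for the arrangement described in the reply above (Shibboleth SP in front, Tomcat behind AJP, attributes passed as headers), added here as an example; it is not Oscar's configuration or anything published by Orbeon. The /orbeon path, the AJP address, and the attribute ids uid and groups are assumptions.

```apache
# Added example. Assumptions: Orbeon is deployed at /orbeon, Tomcat's AJP
# connector listens on 127.0.0.1:8009, and attribute-map.xml in the
# Shibboleth SP maps the IdP's attributes to the ids "uid" and "groups".
<Location "/orbeon">
    # Every request must carry a Shibboleth session; users without one are
    # sent to the IdP before anything reaches Tomcat.
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

    # Publish mapped attributes as request headers rather than only as
    # environment variables, so the application can read them as headers.
    # mod_shib clears client-supplied headers that collide with mapped
    # attribute names before it sets its own values.
    ShibUseHeaders On
</Location>

# Forward to Tomcat over AJP on loopback only. The identity headers can be
# trusted only if Tomcat is unreachable except through this proxy, so keep
# the AJP and HTTP connectors off public interfaces.
ProxyPass "/orbeon" "ajp://127.0.0.1:8009/orbeon"
```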