Feature #1339

Provide Solution for SAML2.0 Authentication into gCube Portal

Added by George Kakaletris over 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: High
Assignee: Michalis Nikolopoulos
Category: portal
Sprint: UnSprintable
Milestones:
Start date: Nov 11, 2015
Due date: Nov 30, 2015
% Done: 100%
Duration: 14

Description

Bring CITE's SAML2.0 / Shibboleth implementation into the gCube portal.

This requires:
1. Carry the code into a public access repository
2. Create a license declaration that points to EUPL 1.1 and GPL (to be safe with Liferay licensing)
3. Integrate component releases with the process of gCube software releases.

Further investigation required if the other social login components of CITE (e.g. twitter) are applicable to the project.


Related issues

Related to gCube - Feature #1405: Enable Federated login on services and iMarine Gateways (Closed; start Nov 17, 2015, due Nov 27, 2015)

History

#1 Updated by Pasquale Pagano over 3 years ago

@massimiliano.assante@isti.cnr.it please forward the information about the framework on GitHub elaborated by our friends in Catania.
@gkakas@di.uoa.gr, the framework I mentioned above was developed in the large context of EGI-related projects and it has been tested and used with Liferay 6.0 and 6.1 while they are close to release it for Liferay 6.2. @mnikolopoulos@cite.gr could look at it and provide feedback.

#2 Updated by Massimiliano Assante over 3 years ago

@gkakas@di.uoa.gr ,
we already have a solution (in place and working) for the SAML2.0 / Shibboleth implementation in the gCube portal, implemented by ENG in iMarine (the work was done in part by @ciro.formisano@eng.it and in part by Ermanno). See the documentation page: https://wiki.gcube-system.org/gcube/Shibboleth_and_gCube

We use it for https://social.isti.cnr.it, and we federated our institute's (ISTI) identity provider with the D4Science service provider running on https://sp.d4science.org/casshib/shib/app2/login (2-3 years ago).

We never enabled it for the other D4Science gateways because until now we never had another request by any other institute.

However, we do have a request now from the INFN of Catania.
If I remember correctly, to enable federated login it is necessary to make INFN Catania's IdP and the D4Science SP trust each other by exchanging their metadata, and to enable CAS on the iMarine portal of course (a matter of configuration).

I may liaise with @mnikolopoulos@cite.gr to explain to him the steps to enable Shibboleth on the D4Science gateways if necessary. I have no knowledge of how to make INFN Catania's IdP and the D4Science SP trust each other, but there is a "Configure the Federation" part in the wiki, and Michalis may ask for ENG support if necessary?

As for the social login components of CITE (e.g. Twitter, Google), we have nothing for Liferay 6.0, so a solution would be beneficial until we move to Liferay 6.2.

@pasquale.pagano@isti.cnr.it I don't think we need the elaborated solution by our friends in Catania in this case.

#3 Updated by Massimiliano Assante over 3 years ago

  • Related to Feature #1405: Enable Federated login on services and iMarine Gateways added

#4 Updated by Pasquale Pagano over 3 years ago

As for our friends in Catania, please also notify them of the content of this ticket. They offered their solution and it is not polite to ignore their offer.

#5 Updated by Massimiliano Assante over 3 years ago

Pasquale Pagano wrote:

As for our friends in Catania, please also notify them of the content of this ticket. They offered their solution and it is not polite to ignore their offer.

Let's make sure we're good with Eng Solution, then we will.

#6 Updated by Panagiota Koltsida over 3 years ago

CITE's solution is developed for Liferay 6.2 and offers a Shibboleth/SAML2.0 hook for the login portlet of Liferay.
A service provider must be set up and configured in the portal settings. Any IdP can be used.

If INFN has an IdP, it can be connected there.
This SAML login hook can be delivered together with the social logins that work with 6.2.

We will check the INFN solution and compare it with ours.

#7 Updated by Massimiliano Assante over 3 years ago

Panagiota Koltsida wrote:

CITE's solution is developed for Liferay 6.2 and offers a Shibboleth/SAML2.0 hook for the login portlet of Liferay.
A service provider must be set up and configured in the portal settings. Any IdP can be used.

If INFN has an IdP, it can be connected there.
This SAML login hook can be delivered together with the social logins that work with 6.2.

We will check the INFN solution and compare it with ours.

The INFN solution works with Liferay 6.0 and 6.1; I'm not sure you can compare them. However, contact me in private if you need their solution.

#8 Updated by Michalis Nikolopoulos over 3 years ago

  • Status changed from New to In Progress

#9 Updated by Massimiliano Assante almost 3 years ago

  • Priority changed from Normal to High

Dear all,
since we have a Liferay 6.2 instance now, I suppose the SAML2.0 authentication integration into the gCube portal should be straightforward. Could you report on the feasibility of this task and an estimated time to deliver such functionality?

#10 Updated by Panagiota Koltsida almost 3 years ago

We can provide the Liferay Shibboleth login hook, and CNR's administration team should set up a service provider on the portal machine.
Which IdP do you plan to use for authentication? eduGAIN?

#11 Updated by Massimiliano Assante almost 3 years ago

We would like to test it first with our institution's IdP: https://idp.isti.cnr.it

#12 Updated by Michalis Nikolopoulos almost 3 years ago

The Liferay hook for login using SAML is ready. It uses three attributes: mail (E-mail), givenName (ForeName), sn (Surname); at least these three attributes should be provided by the IdP in order for the hook to log the user in successfully. The configuration page of the hook provides a way to customize the attribute names.

Moreover, considering that the Apache server is used as the proxy of Tomcat (I assume the same applies to nginx as well), you should protect the URL /c/portal/shibboleth_login with the necessary Shibboleth module, in order for the service provider to delegate the authentication to the IdP and the IdP to redirect to the aforementioned URL, so that the hook can consume the necessary attributes provided by the IdP. I have added the Shibboleth in the login hook; if any more info is required, let me know.

Shibboleth login hook: http://maven.research-infrastructures.eu/nexus/service/local/repositories/gcube-snapshots/content/gr/cite/shibboleth/shibboleth-hook-login/1.0.0-SNAPSHOT/shibboleth-hook-login-1.0.0-20160830.155421-1.war

Login hook: http://maven.research-infrastructures.eu/nexus/service/local/repositories/gcube-snapshots/content/gr/cite/login/login-hook/1.0.0-SNAPSHOT/login-hook-1.0.0-20160830.155220-67.war
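The attribute-consumption step described in comment #12, as an added example in Python. This is not the CITE shibboleth-hook-login code and not part of the gCube or Liferay projects; it models what the hook does once mod_shib has completed the IdP round trip. The field names `email`/`first_name`/`last_name`, the `attribute_map` override (standing in for the hook's configuration page), and the `<Location>` block in the docstring are this example's own assumptions; the three attribute names mail, givenName and sn are the ones the comment lists. The input dicts are constructed stand-ins for the request attributes the SP exports.

```python
"""
Added example (not the CITE hook's code): the attribute consumption a
SAML/Shibboleth login hook performs after the SP has authenticated the user.

Assumed deployment, following comment #12 (httpd in front of Tomcat, with
mod_shib protecting only the hook's URL):

    <Location /c/portal/shibboleth_login>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shibboleth
    </Location>

After the IdP redirects back to that URL, mod_shib exposes the released
attributes to the backend under the names from the SP's attribute-map.xml
(mail, givenName, sn here). The dicts below are constructed stand-ins for
those request attributes, not real IdP data.
"""

# Logical fields the hook needs -> attribute names released by the IdP.
# The three attribute names come from the ticket; overriding them models the
# hook's configuration page. The field names on the left are this example's own.
DEFAULT_ATTRIBUTE_MAP = {
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
}


class MissingAttributeError(Exception):
    """The IdP did not release an attribute the hook requires."""


def extract_user(attributes, attribute_map=None):
    """Map SP-provided attributes to the user fields the hook needs.

    Shibboleth SP joins multi-valued attributes with ';'; the first value is
    used. Fails closed: any missing or empty required attribute aborts the
    login instead of creating a partially populated portal account.
    """
    mapping = {**DEFAULT_ATTRIBUTE_MAP, **(attribute_map or {})}
    user, missing = {}, []
    for field, attr_name in mapping.items():
        raw = attributes.get(attr_name) or ""
        value = raw.split(";")[0].strip()
        if value:
            user[field] = value
        else:
            missing.append(attr_name)
    if missing:
        raise MissingAttributeError("IdP did not release: " + ", ".join(missing))
    return user


def shibboleth_login(attributes, attribute_map=None):
    """Outcome of a request that reached /c/portal/shibboleth_login.

    Returns {"ok": True, "user": {...}} when every required attribute is
    present, otherwise {"ok": False, "reason": ...} so the caller can show an
    error rather than fall through to the password form with a half-known user.
    """
    try:
        user = extract_user(attributes, attribute_map)
    except MissingAttributeError as exc:
        return {"ok": False, "reason": str(exc)}
    # Liferay matches users by e-mail address; normalise case before lookup.
    user["email"] = user["email"].lower()
    return {"ok": True, "user": user}


# Constructed sample inputs (not real IdP data).
RELEASED_ALL = {"mail": "Alice.Rossi@isti.cnr.it", "givenName": "Alice", "sn": "Rossi"}
RELEASED_NO_SN = {"mail": "bob@example.org", "givenName": "Bob"}

if __name__ == "__main__":
    print(shibboleth_login(RELEASED_ALL))
    print(shibboleth_login(RELEASED_NO_SN))
```

Two deployment caveats follow from this design. First, mod_shib can hand attributes to the backend either as environment variables (which mod_proxy_ajp forwards to Tomcat as request attributes) or, with `ShibUseHeaders On`, as HTTP request headers; the header path is only safe if the proxy strips same-named headers arriving from the client, so the attribute path is the one to prefer. Second, because only `/c/portal/shibboleth_login` sits behind `requireSession`, no other portal URL should treat those attribute names as authenticated identity.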

#13 Updated by Panagiota Koltsida over 2 years ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Closed

This has been available since the previous release (4.1).
