Apache Syncope and Active Directory SSO: modify authentication process

After having seen how to configure an OpenAM authentication module to obtain a Single Sign On witn an Active Directory Server and a second OpenAM Data Store to read a user profile on the same Active Directory Server; in this post we start with configuration of Apache Syncope, to be more precise we analyze the steps to change the Syncope process authentication from Spring Securety to OpenAM; in this particular case we will see how to configure the OpenAM Agent and the Syncope Core module; whereas next post will be focused on the Syncope Console module configuration.

Environment

• Windows Server 2008 R2: acacia.fabioad.controller.tirasa.net
• AD domain:fabioad.controller.tirasa.net:389
• Apache Syncope (port 9080) and OpenAM (port 8080), in two different Tomcat on the same Debian server: joda.tirasa.net

Overall goal: Single Sign On from Active Directory to Apache Syncope

• Authentication on Windows PC with an Active Directory user;
• Go to http://joda.tirasa.net:9080/syncope-console;
• Use of Syncope Console with same user previously authenticated without further authentication.

This post goal: modify authentication process - OpenAM agent and Syncope Core

• Configure OpenAM agent
• Disable Sping Security Authentication on Apache Syncope Core

Overlay

Before writing configuration steps, I think it would be more appropriate to illustrate how Apache Syncope was developed, from software architectural point of view.

One of the main features of Apache Syncope is that it can be customized, class per class, in a simple way thanks to overlay of Apache Maven. Thus is possible to rewrite any Java class of Syncope, to compile downloaded archetype and to deploy new war with new classes.

This introduction is important because, as we see later in this and further posts, to obtain overall goal, we have to modify the follow java classes:

• ./core/src/main/java/org/apache/syncope/core/security/SyncopeAuthenticationProvider.java
• ./console/src/main/java/org/apache/syncope/console/SyncopeApplication.java
• ./console/src/main/java/org/apache/syncope/console/SyncopeSession.java
• ./console/src/main/java/org/apache/syncope/console/pages/Logout.java

Setting up Syncope project

Following Apache Syncope wiki we can create our Syncope overlay. At the end of this operation, we will have on our file system the Syncope overlay directory; compiling with Maven it, we wil obtain the war default files of Syncope Core and of its Console; but our work will be to create and then to develop, into overlay directory, the new Java classes that, at a later stage, will be re-compiled and inserted into new war files to deploying.

In this case, the root directory is sso.ad and this is its contents:

ls -lrt sso.ad

totale 20
              -rw-r--r-- 1 massi massi 4818 10 dic 15.20 pom.xml
              drwxr-xr-x 4 massi massi 4096  9 gen 10.40 target
              drwxr-xr-x 4 massi massi 4096  9 gen 10.40 core
              drwxr-xr-x 4 massi massi 4096  9 gen 10.41 console

OpenAM Agent configuration

Unseeing agent installation process, we need to highlight that its installation and configuration isn't on all Tomcat contest, but only Apache Syncope Console will be protected by it.

As previously stated, our Syncope project is an its overlay, so the only way to have a permanent modified web.xml file is to insert a new copy in our overlay with the addition of agent filter. So in our sso.ad directory we create this ./console/src/main/webapp/WEB-INF/web.xml file with the new snippet code:

    <filter>
        <filter-name>Agent</filter-name>
        <display-name>Agent</display-name>
        <description>SJS Access Manager Tomcat Policy Agent Filter</description>
        <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

Disabling Syncope authentication

To disable authentication process in Syncope we have to modify both its Core module and Console module. For security reasons the communication between Core and Console will be configured with https protocol instead of default http protocol.

Core

The Apache Syncope authentication process is based on Spring Security and the basic authentication.

In our example, to accelerate project development, we don't remove the Spring authentication process but we will modify the Java class that implements org.springframework.security.authentication.AuthenticationProvider therefor the Syncope Console results always authenticated to Core. This solution allows to keep unchenged the Core's mechanism; an explicative example is the entitlements search method; this operation is due to execution of method getOwnedEntitlementNames of the class org.apache.syncope.core.util.EntitlementUtil:

public static Set<String> getOwnedEntitlementNames() {
              final Set<String> result = new HashSet<String>();

              final SecurityContext ctx = SecurityContextHolder.getContext();

              if (ctx != null && ctx.getAuthentication() != null && ctx.getAuthentication().getAuthorities() != null) {
              for (GrantedAuthority authority : ctx.getAuthentication().getAuthorities()) {
              result.add(authority.getAuthority());
              }
              }

              return result;
              }

As we can see, the method in question finds the user into Spring security context.

So, analyzing in details the code of class org.apache.syncope.core.security.SyncopeAuthenticationProvider one notes that the only modification is on the match of username and passowrd of user.

Before

if (adminUser.equals(username)) {
              passwordUser.setPassword(authentication.getCredentials()
              .toString(), CipherAlgorithm.MD5, 0);
              authenticated = adminMD5Password.equalsIgnoreCase(
              passwordUser.getPassword());
              } else {
              user = userDAO.find(username);

              if (user != null) {
              if (user.getSuspended()) {
              throw new DisabledException(
              "User " + user.getUsername() + " is suspended");
              }

              passwordUser.setPassword(authentication.getCredentials()
              .toString(), user.getCipherAlgoritm(), 0);
              authenticated = user.getPassword().equalsIgnoreCase(
              passwordUser.getPassword());
              }
              }

After

if (adminUser.equals(username)) {
              authenticated = true;
              } else {
              user = userDAO.find(username);

              if (user != null) {
              if (user.getSuspended()) {
              throw new DisabledException(
              "User " + user.getUsername() + " is suspended");
              }
              authenticated = true;
              }
              }

We can see that the boolean variable authenticated is always true.

Focus

In this post, in addition to better understand global architecture, one notes as Apache Syncope had the ability to adapt, with the minimun effort, to existing architecture.

Working in IAM for several years, I know that one of bigger difficult of this work is to adapt the Identity Manager at the actual. In this example, the architecture accurately reproduces a real enterprise environment where the Active Directory is the most important profiles storage.

Apache Syncope, thanks to its overlay architecture, can be insert in this environment, pratically , in peinless way.

0 VOTINot rated yet