Liferay and eHerkenning with SAML
Secure access to business services
Liferay & eHerkenning
Willem Vermeer, freelance Java/Liferay engineer
WWW.LIFERAY.COM WWW.FACEBOOK.COOM/LIFERAY @LIFERAY
Security
The business case
See http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2013/05/23/visiebrief-digitale-overheid-2017.html, or search for "digitale overheid 2017".
The business case at Immigratie en Naturalisatie Dienst (IND)
From the 2014 annual report:
Security … a quick recap
• userid/password
• LDAP
• OpenID
• Facebook ...
• roles
• groups
• permissions
Service provider vs Identity provider
Security - Identity Providers in the Netherlands
consumer (particulier) / business (zakelijk)
eHerkenning
A standardised login system with which entrepreneurs can log in to various government bodies, institutions and other organisations using a single key. Developed by the business community in cooperation with the government.
eHerkenning brokers (makelaars)
4 assurance levels (betrouwbaarheidsniveaus)
Connecting (aansluiten)
SAML
• OASIS Standard since 2005
• XML Based
• Assertion about identity (BSN, KvK)
• Open SAML java implementation
SAML Assertion Example
Login process - HTTP POST binding
Login process - HTTP Artifact binding
Liferay and SAML
is based on
contains 'glue code' to start the login process at the SAML IdP from Liferay and to process the result in the HTTP session
Liferay and SAML
portal-ext.properties:

# keystore type
saml.keystore.type=jks
# location of the keystore
saml.keystore.path=/export/www/portal/data/keystore.jks
# password for accessing the keystore
saml.keystore.password=bigsecret
# password for the private key of our own SP entity (a DV, dienstverlener) in the keystore
saml.keystore.credential.password[urn\:nl\:eherkenning\:DV\:00000003507204570000\:entities\:0003]=bigsecret
# entity id of the default IdP (the eHerkenning broker, HM) that this SP sends its authentication requests to
saml.sp.default.idp.entity.id=urn:nl:eherkenning:HM:00000003273226310000:entities:3017
Liferay SAML Plugin Customization
• customize authentication request
• customize post-login action
After login - then what?
• end result of authentication: information about identity of user
• proceed with authorization (roles, groups, organisation)
• important: we need a persistent Liferay User object
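As an added example, not part of the deck or of the Liferay SAML plugin, here are the checks that sit between "authentication done" and "map the identity to a persistent Liferay User": issuer, validity window, audience and attribute extraction. It assumes the XML signature has already been verified (OpenSAML's job in the plugin), reuses the two entity ids from the portal-ext.properties slide, and works on a constructed sample assertion whose KvK attribute name is a placeholder.

```python
# Added example (not from the deck): checks an SP runs on an eHerkenning SAML assertion
# after signature verification (left to OpenSAML, as in the Liferay plugin).
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity ids from the deck's portal-ext.properties: our SP (DV) and the broker (HM)
SP_ENTITY_ID = "urn:nl:eherkenning:DV:00000003507204570000:entities:0003"
IDP_ENTITY_ID = "urn:nl:eherkenning:HM:00000003273226310000:entities:3017"
# Constructed sample assertion; the KvK attribute name is a placeholder, not the real one
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2015-06-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Conditions NotBefore="2015-06-01T11:59:00Z" NotOnOrAfter="2015-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:kvk-nummer">
      <saml:AttributeValue>12345678</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(s):
    """SAML timestamps are UTC ('Z'); return a timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, sp_entity_id=SP_ENTITY_ID, idp_entity_id=IDP_ENTITY_ID):
    """Return {attribute name: [values]} if the assertion is acceptable, else raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("assertion not issued by the configured IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}

def accepts(xml_text, now_iso, **kw):
    """True if validate_assertion accepts the assertion at the given instant."""
    try:
        validate_assertion(xml_text, parse_ts(now_iso), **kw)
        return True
    except ValueError:
        return False
```

The returned attribute map is what the post-login action would use to look up or create the Liferay User and assign roles; an assertion that fails any check must not reach that step.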
Limitations of Liferay SAML Plugin
• poor customisation possibilities
• no support for multiple IdPs => cannot connect both DigiD and eHerkenning
• no support for Artifact binding
Our status
• still in testing phase
• need to address plugin limitations - cooperation with Liferay
• more complicated scenarios such as authorisations (machtigingen)?
• what will happen when live?
Questions?