
swedish-eid-idp's People

Contributors

dependabot[bot], martin-lindstrom


Forkers

demesg

swedish-eid-idp's Issues

References error during build.

Hi Martin
I have built and installed swedish-eid-opensaml, opensaml-ext and swedish-eid-shibboleth-base from GitHub, but have some trouble building swedish-eid-idp; it seems to be that shibboleth-base references 1.6.2-snapshot.
Changing to 1.6.1 brings me further, but stops with:

[ERROR] ..eid/swedish-eid-idp/idp/src/main/java/se/e,legnamnden/eid/idp/authn/controller/SimulatedAuthenticationController.java:[54,62] package se.litsec.swedisheid.opensaml.saml2.authentication.psc does not exist
[ERROR] ..eid/swedish-eid-idp/idp/src/main/java/se/elegnamnden/eid/idp/authn/controller/SimulatedAuthenticationController.java:[55,62] package se.litsec.swedisheid.opensaml.saml2.authentication.psc does not exist

even though I have installed opensaml3-ext (1.3/1.4) in my repo.
Maybe it is just me doing something wrong.
Keep up the good work, it is very much appreciated.
Magnus

Cookie paths are hardwired

The cookie paths for selectedUser and savedUsers are hardwired to /idp. It would be better to have them configurable for the cases where we extend the swedish-eid-idp to build other demo IdPs.

Relay state response

Not sure if this is a bug or an issue with our environment settings, but in the SAML request the relay state is 'MA==' (base64 of 0).
But in the response it is XML encoded to: MA=&#x3d. Proper URL encoding should be: 'MA%3D%3D'.
This makes our SP behave strangely, and it cannot URL decode the value. Any idea how to make Shibb encode the URL in the proper way, or turn off XML encoding in the response?
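
The two encodings discussed in this issue, as an added example (not code from the issue or from the swedish-eid-idp project). It assumes the response is delivered with the SAML HTTP-POST binding, where RelayState travels as a hidden form field; the form, the ACS URL and the SAMLResponse value are constructed placeholders.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed sample of an HTTP-POST binding auto-submit form; the action URL
# and the SAMLResponse value are placeholders, not taken from the issue.
SAMPLE_FORM = """
<form action="https://sp.example.org/saml/acs" method="post">
  <input type="hidden" name="RelayState" value="MA&#x3d;&#x3d;"/>
  <input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLz4&#x3d;"/>
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collects hidden input fields the way an HTML parser exposes them."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        # html.parser has already resolved character references in attrs,
        # so "&#x3d;" arrives here as "=".
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""


def browser_post_body(form_html):
    """Return (decoded fields, form-urlencoded body) for the submission."""
    parser = HiddenFieldParser()
    parser.feed(form_html)
    parser.close()
    return parser.fields, urlencode(parser.fields)


def sp_relay_state(post_body):
    """RelayState as the SP sees it after URL-decoding the POST body."""
    return parse_qs(post_body)["RelayState"][0]


if __name__ == "__main__":
    fields, body = browser_post_body(SAMPLE_FORM)
    print(fields["RelayState"])   # value after HTML entity decoding
    print(body)                   # what is sent on the wire to the SP
    print(base64.b64decode(sp_relay_state(body)))
```

An SP that reads RelayState from the parsed form parameter gets the original value back; one that scrapes the raw HTML of the form sees the entity-encoded text instead.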

Non-resolvable import POM when trying to build

I am trying to build the current version but get some dependency issues. Any idea what could be the problem?

[user@dev-disp elegnamnden]$ git clone https://github.com/elegnamnden/swedish-eid-idp.git swedish-eid-idp-2
Cloning into 'swedish-eid-idp-2'...
remote: Counting objects: 194, done.
remote: Compressing objects: 100% (74/74), done.
remote: Total 194 (delta 15), reused 94 (delta 13), pack-reused 93
Receiving objects: 100% (194/194), 384.74 KiB | 622.00 KiB/s, done.
Resolving deltas: 100% (22/22), done.

[user@dev-disp elegnamnden]$ cd swedish-eid-idp-2/

[user@dev-disp swedish-eid-idp-2]$ less README.md 

[user@dev-disp swedish-eid-idp-2]$ cd idp/

[user@dev-disp idp]$ mvn clean install
[INFO] Scanning for projects...
Downloading: https://build.shibboleth.net/nexus/content/repositories/releases/se/litsec/sweid/idp/shibboleth-base-bom/1.3/shibboleth-base-bom-1.3.pom
Downloading: https://repo.maven.apache.org/maven2/se/litsec/sweid/idp/shibboleth-base-bom/1.3/shibboleth-base-bom-1.3.pom
Downloaded: https://repo.maven.apache.org/maven2/se/litsec/sweid/idp/shibboleth-base-bom/1.3/shibboleth-base-bom-1.3.pom (3 KB at 10.2 KB/sec)
Downloading: https://build.shibboleth.net/nexus/content/repositories/releases/se/litsec/sweid/idp/shibboleth-base-parent/1.3/shibboleth-base-parent-1.3.pom
Downloading: https://repo.maven.apache.org/maven2/se/litsec/sweid/idp/shibboleth-base-parent/1.3/shibboleth-base-parent-1.3.pom
Downloaded: https://repo.maven.apache.org/maven2/se/litsec/sweid/idp/shibboleth-base-parent/1.3/shibboleth-base-parent-1.3.pom (11 KB at 66.5 KB/sec)
Downloading: https://build.shibboleth.net/nexus/content/repositories/releases/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3-SNAPSHOT/maven-metadata.xml
Downloading: https://repo1.maven.org/maven2/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3-SNAPSHOT/maven-metadata.xml
Downloading: http://repo.spring.io/release/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3-SNAPSHOT/maven-metadata.xml
Downloading: https://repo1.maven.org/maven2/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3-SNAPSHOT/shibboleth-base-dependency-bom-1.3-SNAPSHOT.pom
Downloading: https://build.shibboleth.net/nexus/content/repositories/releases/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3-SNAPSHOT/shibboleth-base-dependency-bom-1.3-SNAPSHOT.pom
Downloading: http://repo.spring.io/release/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3-SNAPSHOT/shibboleth-base-dependency-bom-1.3-SNAPSHOT.pom
Downloading: https://build.shibboleth.net/nexus/content/repositories/releases/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3/shibboleth-base-dependency-bom-1.3.pom
Downloading: https://repo.maven.apache.org/maven2/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3/shibboleth-base-dependency-bom-1.3.pom
Downloaded: https://repo.maven.apache.org/maven2/se/litsec/sweid/idp/shibboleth-base-dependency-bom/1.3/shibboleth-base-dependency-bom-1.3.pom (22 KB at 46.0 KB/sec)
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[ERROR] Non-resolvable import POM: Could not find artifact se.litsec.sweid.idp:shibboleth-base-dependency-bom:pom:1.3-SNAPSHOT in central (https://repo1.maven.org/maven2/) @ se.litsec.sweid.idp:shibboleth-base-parent:1.3, /home/user/.m2/repository/se/litsec/sweid/idp/shibboleth-base-parent/1.3/shibboleth-base-parent-1.3.pom, line 90, column 19
[ERROR] 'dependencies.dependency.version' for se.litsec.sweid.idp:shibboleth-authn-support:jar is missing. @ line 90, column 17
[ERROR] 'dependencies.dependency.version' for se.litsec.sweid.idp:shibboleth-attribute-support:jar is missing. @ line 95, column 17
 @ 
[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]   
[ERROR]   The project se.elegnamnden.eid.idp:swedish-eid-idp:1.0.0-SNAPSHOT (/home/user/VersionControlled/github/elegnamnden/swedish-eid-idp-2/idp/pom.xml) has 3 errors
[ERROR]     Non-resolvable import POM: Could not find artifact se.litsec.sweid.idp:shibboleth-base-dependency-bom:pom:1.3-SNAPSHOT in central (https://repo1.maven.org/maven2/) @ se.litsec.sweid.idp:shibboleth-base-parent:1.3, /home/user/.m2/repository/se/litsec/sweid/idp/shibboleth-base-parent/1.3/shibboleth-base-parent-1.3.pom, line 90, column 19 -> [Help 2]
[ERROR]     'dependencies.dependency.version' for se.litsec.sweid.idp:shibboleth-authn-support:jar is missing. @ line 90, column 17
[ERROR]     'dependencies.dependency.version' for se.litsec.sweid.idp:shibboleth-attribute-support:jar is missing. @ line 95, column 17
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException
[ERROR] [Help 2] http://cwiki.apache.org/confluence/display/MAVEN/UnresolvableModelException
[user@dev-disp idp]$ 

Add Docker support

Add a Dockerfile and scripts associated with running the IdP in a Docker image.

SSO for signature service

If a Signature Service sends an AuthnRequest with ForceAuthn=false and no SignMessage extension, the IdP will issue an assertion without displaying the authn-UI. No SSO for signature services. Ever.

Remove use of JSTL 1.2

Snyk reports the following vulnerability for JSTL v 1.2:

  High severity vulnerability found in jstl:jstl
  Description: XML External Entity (XXE) Injection
  Info: https://snyk.io/vuln/SNYK-JAVA-JSTL-30453
  Introduced through: jstl:jstl@1.2
  From: jstl:jstl@1.2

We need to fix this (through update of swedish-eid-shibboleth-base).

Vulnerabilities in dependencies

Hi!
Multiple vulnerabilities in your dependencies have been detected by Snyk[1]. For example:

  • Arbitrary Code Execution:

  • Deserialization of Untrusted Data

  • Directory Traversal

    • Vulnerable module: org.springframework:spring-webmvc
    • Introduced through: org.springframework.mobile:[email protected]
  • Elliptic Curve Key Disclosure

    • Vulnerable module: com.nimbusds:nimbus-jose-jwt
    • Introduced through: se.litsec.sweid.idp:[email protected]
  • Invalid Elliptic Curve Attack

    • Vulnerable module: com.nimbusds:nimbus-jose-jwt
    • Introduced through: se.litsec.sweid.idp:[email protected]
  • XML External Entity (XXE) Injection

[1] https://snyk.io/test/github/elegnamnden/swedish-eid-idp/master%2Fidp?tab=issues&severity=high&severity=medium&severity=low

Can't build the project. No Shibboleth bin directory!

Hi, I can't build the project with mvn clean install. It says that the Shibboleth bin file does not exist.
Here's the error:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-antrun-plugin:1.8:run (run-shibboleth-build) on project swedish-eid-idp: An Ant BuildException has occured: The directory /home/vakho/Desktop/swedish-eid-idp-1.2.0-release/idp/target/shibboleth/bin does not exist [ERROR] around Ant part ...<exec dir="/home/vakho/Desktop/swedish-eid-idp-1.2.0-release/idp/target/shibboleth/bin/" executable="./build.sh" osfamily="unix">... @ 34:132 in /home/vakho/Desktop/swedish-eid-idp-1.2.0-release/idp/target/antrun/build-main.xml

Metadata cache folder missing in Docker image?

During startup of the Docker container there are errors printed:

2018-04-07 12:06:55,051 - ERROR [org.opensaml.saml.metadata.resolver.impl.FileBackedHTTPMetadataResolver:240] - Metadata Resolver FileBackedHTTPMetadataResolver FederationMetadata: Unable to create backup file /opt/swedish-eid-idp/shibboleth/metadata/cache/cached-metadata.xml
java.io.IOException: No such file or directory
	at java.io.UnixFileSystem.createFileExclusively(Native Method)
2018-04-07 12:06:55,059 - ERROR [org.opensaml.saml.metadata.resolver.impl.FileBackedHTTPMetadataResolver:342] - Metadata Resolver FileBackedHTTPMetadataResolver FederationMetadata: Unable to write metadata to backup file: /opt/swedish-eid-idp/shibboleth/metadata/cache/cached-metadata.xml
net.shibboleth.utilities.java.support.resolver.ResolverException: Unable to create backup file /opt/swedish-eid-idp/shibboleth/metadata/cache/cached-metadata.xml
	at org.opensaml.saml.metadata.resolver.impl.FileBackedHTTPMetadataResolver.validateBackupFile(FileBackedHTTPMetadataResolver.java:241)
Caused by: java.io.IOException: No such file or directory
	at java.io.UnixFileSystem.createFileExclusively(Native Method)

After opening a shell in the container and creating the folder /opt/swedish-eid-idp/shibboleth/metadata/cache, the error is not printed on the next start.

IdP should not deliver sigmessage LoA URI:s for eIDAS

The reference IdP is configured for deliverance of assertions to the Swedish eIDAS Proxy Service. But the eIDAS Proxy Service will never request an "authentication for signature". Therefore, we should not support or declare any sigmessage eIDAS LoA:s.

Re-make of the UI

We should look into a re-make of the UI. In cases where we use a Test-SP, and even worse, when the eIDAS Proxy Service invokes the IdP we display the same Sweden Connect-logo both to the left of the header and to the right.
