Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update BioID.md #25

Open
wants to merge 50 commits into
base: 5.0
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
50 commits
Select commit Hold shift + click to select a range
c756452
Updated FIDO 2 tab location
shmorri Jul 27, 2020
06d73ea
Update fido2.md
shmorri Jul 27, 2020
7ad9244
Typo
jgomer2001 Jul 28, 2020
8df511d
Device authorization gran type documentation. https://github.com/Gluu…
miltonbo Jul 25, 2020
0ebe62a
Proofreading and formatting sweep
shmorri Jul 27, 2020
ea0a867
Merge pull request #19 from GluuFederation/device-flow
yuriyz Jul 29, 2020
c10122f
Testing link fix
shmorri Jul 29, 2020
46cd638
Testing link fix
shmorri Jul 29, 2020
9c8f9d1
Testing link fix
shmorri Jul 29, 2020
0008615
Update ports.md
d3cxxxx Jul 29, 2020
b4ecfe7
Link fix
shmorri Jul 30, 2020
3fe3f21
Added missing note
shmorri Jul 30, 2020
c455817
Added authn flow extension pics
shmorri Jul 30, 2020
fae1afb
Added Authn Flow Extension info
shmorri Jul 30, 2020
f914637
Updated script location
shmorri Aug 3, 2020
cfe4b99
Updated openDJ commands
shmorri Aug 4, 2020
3d170d0
Update backup.md
christian-hawk Aug 4, 2020
50240e0
Merge pull request #21 from GluuFederation/christian-hawk-export-ldif…
shmorri Aug 5, 2020
2aa9ca5
Formatting fix
shmorri Aug 5, 2020
362148a
Updated install links
shmorri Aug 5, 2020
f4a6e54
Update test-drive.md
moabu Aug 6, 2020
171b6cd
Delete test-drive.md
moabu Aug 6, 2020
f95e8fd
Updated ldap backup command
shmorri Aug 7, 2020
a1fcdc3
Update install-kubernetes.md
moabu Aug 7, 2020
97d786d
docker: add service support section
iromli Aug 7, 2020
b0bbc2c
Add docs for https://github.com/GluuFederation/community-edition-setu…
jgomer2001 Aug 8, 2020
48505f3
Update certificate.md
moabu Aug 10, 2020
067481b
docs : added note about skipRefreshTokenDuringRefreshing flag.
yuriyz Aug 10, 2020
f5ce822
Creating WIP SNAP installation instructions
shmorri Aug 10, 2020
278ec28
docs : added note about dynamicRegistrationAllowedPasswordGrantScopes…
yuriyz Aug 11, 2020
f8309d6
Updated with current process
shmorri Aug 13, 2020
cd77a0d
docs : added description of new software statement validation options.
yuriyz Aug 17, 2020
d2f3d8a
Updated versions in uninstallation doc
shmorri Aug 17, 2020
dd254b3
Minor proofreading on Software Statements
shmorri Aug 18, 2020
33feb7d
docs : added description of refreshTokenExtendLifetimeOnRotation to docs
yuriyz Aug 19, 2020
c38f97b
Merge remote-tracking branch 'origin/4.2' into 4.2
yuriyz Aug 19, 2020
ac23180
Update refs
jgomer2001 Aug 20, 2020
fe7624f
Fixed code block formatting
shmorri Aug 21, 2020
d8349bc
Conform to 4.2 CE
jgomer2001 Aug 26, 2020
54b213d
Added (commented out) 4.2.1 release notes
shmorri Aug 26, 2020
4ab6ee0
Update certificate.md
mzico Aug 27, 2020
51b7ff9
Update faq.md
oniz93 Aug 31, 2020
75c4d35
Merge pull request #20 from d3c1978/patch-1
shmorri Sep 3, 2020
e5accd1
Merge pull request #22 from oniz93/patch-1
shmorri Sep 3, 2020
ff5cecf
Added os-changes.log to Setup logs
shmorri Sep 4, 2020
5d15114
Fixed dead link for code reference for class UserService in Developer…
axandar Sep 5, 2020
e780ab1
Merge pull request #24 from axandar/4.2
yuriyz Sep 5, 2020
0d7b9cf
Adjust per https://github.com/GluuFederation/scim/issues/6
jgomer2001 Sep 9, 2020
482fb83
Update BioID.md
maduvena Sep 14, 2020
aae4cea
Merge branch '4.2' into patch-4
shmorri Sep 14, 2020
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 12 additions & 12 deletions docs/source/admin-guide/certificate.md
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@
The private key cannot be password protected, and the public key must be base64 X.509.

!!! Note
Please backup your full `/etc/certs` directory and `cacerts` file under `/opt/jdkx.y.z/jre/lib/security/` folder before updating certificates.
Please backup your full `/etc/certs` directory and `cacerts` file under `/opt/amazon-corretto-x.x.x.x/jre/lib/security/` folder before updating certificates.

Please follow these steps shown below to update the Apache SSL cert:

Expand All @@ -96,9 +96,9 @@
- Import 'httpd.der' into the Java Keystore
/ Convertion to DER, command:<br/> `openssl x509 -outform der -in httpd.crt -out httpd.der`
- Delete the existing certificate to avoid ambiguity due to presence of 2 different certificates for the same entity after importing the new one:
`/opt/jdkx.x.x.x/jre/bin/keytool -delete -alias <hostname_of_your_Gluu_Server>_httpd -keystore /opt/jdkx.x.x.x/jre/lib/security/cacerts -storepass changeit`
`/opt/jre/bin/keytool -delete -alias <hostname_of_your_Gluu_Server>_httpd -keystore /opt/jre/lib/security/cacerts -storepass changeit`
- Import certificate into the Java Keystore(cacerts):
`/opt/jdkx.x.x.x/jre/bin/keytool -importcert -file httpd.der -keystore /opt/jdkx.x.x.x/jre/lib/security/cacerts -alias <hostname_of_your_Gluu_Server>_httpd -storepass changeit`
`/opt/jre/bin/keytool -importcert -file httpd.der -keystore /opt/jre/lib/security/cacerts -alias <hostname_of_your_Gluu_Server>_httpd -storepass changeit`
- [Restart](../operation/services.md#restart) `opendj`, `apache2/httpd`, `oxauth` and `identity` services.

## Install Intermediate Certificates
Expand Down Expand Up @@ -142,7 +142,7 @@
restartPolicy: Never
containers:
- name: web-key-rotation
image: gluufederation/certmanager:4.2.0_dev
image: gluufederation/certmanager:4.2.0_01
envFrom:
- configMapRef:
name: gluu-config-cm # This may be differnet in Helm
Expand Down Expand Up @@ -194,7 +194,7 @@
path: gluu_https.key
containers:
- name: load-web-key-rotation
image: gluufederation/certmanager:4.2.0_dev
image: gluufederation/certmanager:4.2.0_01
envFrom:
- configMapRef:
name: gluu-config-cm #This may be differnet in Helm
Expand Down Expand Up @@ -242,7 +242,7 @@
spec:
containers:
- name: oxauth-key-rotation
image: gluufederation/certmanager:4.2.0_dev
image: gluufederation/certmanager:4.2.0_01
resources:
requests:
memory: "300Mi"
Expand Down Expand Up @@ -292,7 +292,7 @@
restartPolicy: Never
containers:
- name: oxshibboleth-key-rotation
image: gluufederation/certmanager:4.2.0_dev
image: gluufederation/certmanager:4.2.0_01
envFrom:
- configMapRef:
name: gluu-config-cm
Expand Down Expand Up @@ -334,7 +334,7 @@
restartPolicy: Never
containers:
- name: oxd-key-rotation
image: gluufederation/certmanager:4.2.0_dev
image: gluufederation/certmanager:4.2.0_01
envFrom:
- configMapRef:
name: gluu-config-cm
Expand Down Expand Up @@ -375,7 +375,7 @@
restartPolicy: Never
containers:
- name: ldap-key-rotation
image: gluufederation/certmanager:4.2.0_dev
image: gluufederation/certmanager:4.2.0_01
envFrom:
- configMapRef:
name: gluu-config-cm
Expand Down Expand Up @@ -417,7 +417,7 @@
restartPolicy: Never
containers:
- name: passport-key-rotation
image: gluufederation/certmanager:4.2.0_dev
image: gluufederation/certmanager:4.2.0_01
envFrom:
- configMapRef:
name: gluu-config-cm
Expand Down Expand Up @@ -454,7 +454,7 @@
restartPolicy: Never
containers:
- name: scim-key-rotation
image: gluufederation/certmanager:4.2.0_dev
image: gluufederation/certmanager:4.2.0_01
envFrom:
- configMapRef:
name: gluu-config-cm
Expand All @@ -465,4 +465,4 @@

```bash
kubectl apply -f scim-key-rotation.yaml -n <gluu-namespace>
```
```
10 changes: 9 additions & 1 deletion docs/source/admin-guide/custom-script.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ Interception scripts are written in [Jython](http://www.jython.org), enabling Ja

While the syntax of the script requires Python, most of the functionality can be written in Java. If Python classes are imported, they must be "pure python." For example, a class that wraps C libraries can not be imported.

!!! Note
If Python classes are imported, they must be "pure Python." For example, a class that wraps C libraries can not be imported. The same goes for Python packages which require `cython` during compiling.


### Methods
There are three methods that inherit a base interface:

Expand Down Expand Up @@ -191,7 +195,11 @@ First oxTrust executes the `initRegistration` method to do an initial user entry

oxAuth implements the [OpenID Connect dynamic client registration](https://openid.net/specs/openid-connect-registration-1_0.html) specification. All new clients have the same default access scopes and attributes except password and client ID. The Client Registration script allows an admin to modify this limitation. In this script it is possible to get a registration request, analyze it, and apply customizations to registered clients. For example, a script can give access to specified scopes if `redirect_uri` belongs to a specified service or domain.

This script type adds only one method to the base script type:
This script type adds following methods to the base script type:
- `def createClient(self, registerRequest, client, configurationAttributes)` - called during client creation
- `def updateClient(self, registerRequest, client, configurationAttributes)` - called during client update
- `def getSoftwareStatementHmacSecret(self, context)` - Returns secret key which will be used to validate Software Statement if HMAC algorithm is used (e.g. HS256, HS512). Invoked if oxauth conf property softwareStatementValidationType=SCRIPT which is default/fallback value. `context` is reference of `org.gluu.oxauth.service.external.context.DynamicClientRegistrationContext` (in https://github.com/GluuFederation/oxauth project )
- `def getSoftwareStatementJwks(self, context)` - Returns JWKS which will be used to validate Software Statement if keys are used (e.g. RS256). Invoked if oxauth conf property softwareStatementValidationType=SCRIPT which is default/fallback value. `context` is reference of org.gluu.oxauth.service.external.context.DynamicClientRegistrationContext (in https://github.com/GluuFederation/oxauth project )

|Method|`def updateClient(self, registerRequest, client, configurationAttributes)`|
|---|---|
Expand Down
1 change: 1 addition & 0 deletions docs/source/admin-guide/device-authz-grant.md
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,7 @@ Content-Type: application/json
Server: Jetty(9.4.19.v20190610)

{"access_token":"c31fc092-453b-4275-a36f-b2740c3eb1a6","id_token":"eyJraWQiOiJlY4.2Tc4NDgxYy05OTJkLTRmN2UtYTkzMS03NjM2NTYyMzgwZjVfc2lnX3JzMjU2IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoidWdMSnAzMkxXdnI4QUdlbmdNTlF3QSIsImF1ZCI6IjEyMy0xMjMtMTIzIiwic3ViIjoiM2M2M25HdWZnWFNkMWFwNU81NFZkVjlUUDdmdjJHc0YtLWl0eVBHeFJBTSIsImlzcyI6Imh0dHBzOi8vdGVzdC5nbHV1Lm9yZzo4NDQzIiwiZXhwIjoxNTk1NjQzOTg0LCJpYXQiOjE1OTU2NDAzODQsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCJ9.fElZtuUslhSSuqTOuvGeafG4QuQoHKLpya25RHWkC5V9Xf9ODYa6tD_Tdav2D9Gff2Zz7pt8WKso-WYOqmJ3NrgMoVU7d1SMj6pYGilTL1JokjB18Yw1TI6oR6Z4wegy8_ajftLLhqosI5-ZE36TzPwoAKzjPl-iZEpV2U1OPHWZrdwc9N3YOyO0I_IJGQmFnXC_oacitMV2VZaTxfuCew5cPwNp5durooFNvv3DPzc9JYEctmaLsiRtfqN7pCaV30B3hnYTYZ4p2HNsUbOewBI8_Brm1v1CByitQPUFqETgmPGbf4HCTEoaH-7DfaXnAsePt73blNwJrlTlUBieew","token_type":"bearer","expires_in":299}

```

**Access denied**
Expand Down
12 changes: 12 additions & 0 deletions docs/source/admin-guide/openid-connect.md
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,18 @@ To manage this feature in oxTrust, navigate to `Configuration` > `JSON Configura

Expiration of dynamically registered clients is controlled by the `dynamicRegistrationExpirationTime` property, which can also be found in the oxAuth configuration table. Find more details about these oxAuth properties and others in the [reference section](../reference/JSON-oxauth-prop.md).


##### Software statement

A software statement is a JSON Web Token (JWT) that asserts metadata values about the client software as a bundle and can be passed during registration.

There are following options for software statement validation:

- `softwareStatementValidationType=script` - The default (since 4.2.1), JWKs and HMAC secret are returned by [dynamic client registration script](https://github.com/GluuFederation/community-edition-setup/blob/version_4.2.1/static/extension/client_registration/SampleScript.py)
- `softwareStatementValidationType=jwks_uri`, allows to specify `jwks_uri` claim name from `software_statement`. Claim name specified by `softwareStatementValidationClaimName` configuration property
- `softwareStatementValidationType=jwks`, allows to specify `jwks` claim name from `software_statement`. Claim name specified by `softwareStatementValidationClaimName` configuration property
- `softwareStatementValidationType=none`, no validation

### Customizing client registration

During client registration, custom interception scripts can be used to implement custom business logic. For instance, data could be validated, extra client claims could be populated, scopes could be modified, or APIs could be called to determine whether the client should get registered at all.
Expand Down
2 changes: 1 addition & 1 deletion docs/source/admin-guide/saml.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ In order to support SAML SSO, the Gluu Server must include the Shibboleth SAML I

- During a fresh Gluu Server installation, simply opt in when prompted for Shibboleth.

- To add Shibboleth to an existing Gluu Server deployment, follow [these instructions](../operation/faq.md/#adding-passportjs-andor-shibboleth-idp-post-installation).
- To add Shibboleth to an existing Gluu Server deployment, follow [these instructions](../operation/faq.md#adding-passportjs-andor-shibboleth-idp-post-installation).

In addition, the target application must also support SAML. If the app doesn't already support SAML, see the section below about [SAML SP software](#saml-sp).

Expand Down
13 changes: 10 additions & 3 deletions docs/source/admin-guide/sample-client-registration-script.py
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,15 @@ def updateClient(self, registerRequest, client, configurationAttributes):

return True

def logout(self, configurationAttributes, requestParameters):
return True

def getApiVersion(self):
return 1

# Returns secret key which will be used to validate Software Statement if HMAC algorithm is used (e.g. HS256, HS512). Invoked if oxauth conf property softwareStatementValidationType=SCRIPT which is default/fallback value.
# context is reference of org.gluu.oxauth.service.external.context.DynamicClientRegistrationContext (in https://github.com/GluuFederation/oxauth project )
def getSoftwareStatementHmacSecret(self, context):
return ""

# Returns JWKS which will be used to validate Software Statement if keys are used (e.g. RS256). Invoked if oxauth conf property softwareStatementValidationType=SCRIPT which is default/fallback value.
# context is reference of org.gluu.oxauth.service.external.context.DynamicClientRegistrationContext (in https://github.com/GluuFederation/oxauth project )
def getSoftwareStatementJwks(self, context):
return ""
9 changes: 8 additions & 1 deletion docs/source/authn-guide/BioID.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ In order to use this authentication mechanism your organization will need to reg

## Prerequisites
- A Gluu Server ([installation instructions](../installation-guide/index.md));
- [BioID interception script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/bioID/BioIDExternalAuthenticator.py) (included in the default Gluu Server distribution);
- [BioID interception script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/bioid/BioIDExternalAuthenticator.py) (included in the default Gluu Server distribution);
- An account with [BioID](https://bwsportal.bioid.com/register).

## Properties
Expand Down Expand Up @@ -70,3 +70,10 @@ Now applications can request BioID's biometric authentication. To make BioID bio
You can change one or both fields to BioID authentication as you see fit. If you want BioID to be the default authentication mechanism for access to oxTrust and all other applications that leverage your Gluu Server, change both fields to bioid.

![BioID](../img/admin-guide/multi-factor/bioid.png)

## Testing the script
If you use the default BioID interception script, a user's facial and periocular traits are enrolled during the first authentication attempt. Subsequently, the user's facial and periocular traits are verified.

1. Enrolling Biometric traits

2. Validating a user based on their biometric traits:
3 changes: 2 additions & 1 deletion docs/source/authn-guide/inbound-oauth-passport.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@ Make sure the Gluu Server installation already has [Passport installed](./passpo
- In oxTrust, navigate to `Configuration` > `Person Authentication Scripts`
- Expand the script labelled `passport_social`, check `enabled`, and click `Update`
![Enable passport_social](../img/user-authn/passport/enable-passport_social.png)
- Navigate to the `UMA RPT Policies` tab, expand the script labelled `scim_access_policy`, check `enabled`, and click `Update`
- Navigate to the `Configuration` > `Other Custom Scripts`, then click the `UMA RPT Policies` tab
- Expand the script labeled `scim_access_policy`, check `enabled`, and click `Update`

1. Enable Passport support:

Expand Down
17 changes: 17 additions & 0 deletions docs/source/authn-guide/intro.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,3 +102,20 @@ Learn how to customize the look and feel of Gluu Server login pages in the [Desi
## Revert Authentication

New authentication flows and methods should **always** be tested in a different browser to reduce the chance of lockout. However, in case you find yourself locked out of the GUI, refer to the [revert authentication mechanism docs](../operation/faq.md#revert-an-authentication-method).

## Extending the Authentication Flow

The oxAuth Person Authenticator Script (ACR) interface includes methods extend the user authentication flow. There are two entry points of this flow, `prepareForStep` and `authenticate`.

oxAuth calls `prepareForStep` from XTHML, and its role is to prepare data to render the login page or redirect to a third party system for authentication.

oxAuth expects `authenticate` to call from the login page or from `/oxauth/postlogin.htm` (the callback from a third party system). Its role is to verify user data that is submitted by the user.

The following diagram demonstrates the `authenticate` flow:

[![authenticate flow diagram](../img/user-authn/authn_authenticate_flow.png)](../img/user-authn/authn_authenticate_flow.png))

The following diagram demonstrates the `prepareForStep` flow:

[![prepareForStep flow diagram](../img/user-authn/authn_prepareforstep_flow.png)](../img/user-authn/authn_prepareforstep_flow.png)

Loading