REST and SOAP Auth with Talend IDM from Outside Applications

Out of the box, Talend ESB provides built-in accommodations to manage credentials for SAML token authentication using Talend Identity Management (Apache Syncope) and the Security Token Service (STS). One key concept behind this configuration is that use of the STS is contained within the Talend Runtime, and by extension both the service provider and the client have to run inside the Runtime. So how do I provide a service for various applications and still use Syncope to manage credentials?

When using Talend Identity Manager to manage SOAP and REST credentials, how can I authenticate from an outside application?

Approach

Since the ESB Runtime is required for SAML clients, we need to provide a different pathway than SAML and STS to support authentication from general applications. The Runtime container primarily relies on Java Authentication and Authorization Service (JAAS) based authentication, both for container administration and for web service users. Out of the box, JAAS in Karaf is configured to use a properties file for login credentials, specifically etc/users.properties.

In order to change this behavior, you simply need to configure a different Login Module which leverages the authentication source of your choice. Talend provides guidance for switching Login Modules for LDAP or another users file. The solution provided here is to configure JAAS to authenticate using Syncope. To leverage this JAAS configuration with web services, the service must be configured for non-SAML authentication (so Basic HTTP Auth for REST or Username/Password for SOAP).

Configuring the Syncope Login Module

Available within the Karaf libraries is a Syncope Login Module for exactly this kind of use case. Jean-Baptiste Onofré provides further details and background on this in his blog. A template for this configuration is shown below (paste into a file and use a ‘.xml’ extension). The address property needs to be configured to reference your Syncope server. Credentials to access Syncope can also be added.

Place the XML file into the deploy/ folder to install the Login Module, and override the default container Login Module. The next step will be to configure the required users in Syncope.
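As an added illustration (not the template from the original post, nor a file shipped by Talend or Karaf), a Blueprint definition of the kind described above for a Karaf 4.0.x based Talend Runtime. The file name, the Syncope address, the admin credentials and the rank value are assumptions to replace with your own:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a JAAS realm definition that makes the container authenticate
     against Syncope. Drop it into deploy/ (e.g. as syncope-jaas.xml). -->
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0">

  <!-- Same realm name as the default ("karaf") with a rank above the default 0,
       so this definition takes precedence over the users.properties-backed one.
       The value 5 is an arbitrary choice. -->
  <jaas:config name="karaf" rank="5">
    <jaas:module className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule"
                 flags="required">
      <!-- Base URL of the Syncope REST API; host, port and path are placeholders
           and the path depends on your Syncope version. -->
      address=http://syncope.example.com:9080/syncope/rest
      <!-- Account the module uses to look up the user's roles in Syncope.
           Use a dedicated read-only account and keep this file out of source control. -->
      admin.user=admin
      admin.password=CHANGE_ME
    </jaas:module>
  </jaas:config>

</blueprint>
```

After deploying, run jaas:realm-list in the container console to confirm the Syncope module is listed for the karaf realm before testing a web service login.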

Setting up Talend Identity Management

Inside TIDM, define the desired service user credentials. These users will be available for service authentication.

You will also need to define the Runtime container users – reference the etc/users.properties file for users and roles. These will be needed for future container administration and TAC control. For a production deployment you will want to modify credentials, but for an initial configuration you may want to replicate directly. Don’t forget to add roles to each user as they appear in users.properties.

Service and Client Configuration

Configure your service to require Basic HTTP authentication on tRestRequest or cCXFRS. Deploy to the runtime using TAC or the deploy/ folder.


Configure your service client to use Basic HTTP Authentication and provide credentials. The client can be tRestClient, cCXFRS, or a non-Talend client like Postman, SoapUI or an application. Test the authentication from outside the Talend container (like from Studio or the testing application).


Conclusion

As of Talend 6.2, there is no packaged feature to support Syncope Auth from applications running outside of the Talend Runtime. But thanks to JAAS, configuring this is only a few steps away.

3 thoughts on “REST and SOAP Auth with Talend IDM from Outside Applications”

  • May 4, 2017 at 6:22 pm

    Thanks Ben, that’s great!
    As you guided me later, for people who want to work in conjunction with Talend Administration Center: the users which are present in etc/users.properties must be created in Talend IDM (Syncope).
    Users are created as users and groups must be created as roles. Then each user must be given the associated roles as described in the users.properties file.

    Thanks again!

    • August 29, 2017 at 5:06 pm

      Hi Ben & Adrien,

      It seems that for Syncope version 2.0.4 with Karaf 4.0.1 (Talend ESB 6.0.1), the mapping of users seems a bit confusing since Syncope is introducing the concepts of users within a realm, belonging to a specific group, and where roles could be assigned to users or groups…

      I am able to do Authentication with LDAP using the password pass-through mechanism, however, authorization based on roles is not working (including the Syncope backing engine) and despite turning up the logging level I get no errors. I tried different user-group-role configuration to no avail… Any pointers or a list of steps to setup RBAC with Syncope against Talend REST/SOAP services deployed on the ESB?

      Your guidance would be greatly appreciated.

      Cheers

  • August 30, 2017 at 4:02 pm

    Still trying to configure Syncope v2.0.4 to work with Karaf 4.0.1 (Talend ESB 6.0.1) and followed your instructions about creating users, roles, and groups – here is my Syncope user, able to authenticate on Karaf; however, it cannot run the admin (jaas:update) command in trun even when assigned the admin role with all privileges in Syncope. That same user is working fine with the LDAP login module, has its role recognized and is allowed to run admin commands…

    Anything that seems obvious to you?

    {
      "@class": "org.apache.syncope.common.lib.to.UserTO",
      "creator": "admin",
      "creationDate": "2017-08-09T21:32:09.976+0000",
      "lastModifier": "admin",
      "lastChangeDate": "2017-08-30T15:50:28.677+0000",
      "key": "ee68af8b-ceae-46db-a8af-8bceae76db2c",
      "type": "USER",
      "realm": "/ESB",
      "status": "active",
      "password": null,
      "token": null,
      "tokenExpireTime": null,
      "username": "jpfortin",
      "lastLoginDate": "2017-08-30T15:40:48.869+0000",
      "changePwdDate": "2017-08-09T22:48:12.916+0000",
      "failedLogins": 0,
      "securityQuestion": null,
      "securityAnswer": null,
      "mustChangePassword": false,
      "dynRealms": [],
      "auxClasses": [],
      "plainAttrs": [
        {
          "schemaInfo": {
            "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
            "key": "email",
            "anyTypeClass": "BaseUser",
            "type": "String",
            "mandatoryCondition": "false",
            "multivalue": false,
            "uniqueConstraint": false,
            "readonly": false,
            "conversionPattern": null,
            "validatorClass": "org.apache.syncope.core.persistence.jpa.attrvalue.validation.EmailAddressValidator",
            "enumerationValues": null,
            "enumerationKeys": null,
            "secretKey": null,
            "cipherAlgorithm": null,
            "mimeType": null
          },
          "schema": "email",
          "values": [
            "jpfortin@xhpsi.com"
          ]
        }
      ],
      "derAttrs": [],
      "virAttrs": [],
      "resources": [
        "resource_pbs_ldap"
      ],
      "roles": [
        "admin"
      ],
      "dynRoles": [],
      "relationships": [],
      "memberships": [
        {
          "type": "Membership",
          "rightType": "GROUP",
          "rightKey": "e493a52c-397b-43bb-93a5-2c397b43bb72",
          "groupName": "admin",
          "plainAttrs": [],
          "derAttrs": [],
          "virAttrs": []
        },
        {
          "type": "Membership",
          "rightType": "GROUP",
          "rightKey": "fb7f5ead-3f68-46ef-bf5e-ad3f68e6ef28",
          "groupName": "ESBAdmins",
          "plainAttrs": [],
          "derAttrs": [],
          "virAttrs": []
        }
      ],
      "dynGroups": []
    }

