-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support SAML authentication #29403
base: main
Are you sure you want to change the base?
Support SAML authentication #29403
Conversation
Closes go-gitea#5512 This PR adds basic SAML support - Adds SAML 2.0 as an auth source - Adds SAML configuration documentation - Adds integration test: - Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default) - Adds documentation for configuring and running SAML integration test locally Future PRs: - Support group mapping - Support auto-registration (account linking) Co-Authored-By: @jackHay22 --------- Co-authored-by: jackHay22 <jack@allspice.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: morphelinho <morphelinho@users.noreply.github.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: silverwind <me@silverwind.io>
as per #29358 and #25165 (comment) the pull is resubmitted for review |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
@@ -90,6 +90,8 @@ require ( | |||
github.com/quasoft/websspi v1.1.2 | |||
github.com/redis/go-redis/v9 v9.4.0 | |||
github.com/robfig/cron/v3 v3.0.1 | |||
github.com/russellhaering/gosaml2 v0.9.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I found a more popular package(crewjam/saml) that we can use. It looks like russellhaering/gosaml2 only supports HTTP POST binding, but crewjam/saml supports both HTTP Redirect binding and HTTP POST binding.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if you make a pull against my feature branch we can test that lib :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PS: it's no simple drop-in replacement :/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Zettat123 the pull is not originally from me but was just resubmited for review.
so @techknowlogick or @jackHay22 might know more about why thy have choosen the lib?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Zettat123 I'll added it to the followups is that ok or should we wait for the others to respond?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have a strong opinion here; if the additional features are useful this would be a good time to make the switch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Zettat123 It looks like gosaml2 supports HTTP redirect binding. Let me know if I'm missing something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Found an issue related to the Redirect binding. I haven't looked into this issue, but it looks like there is a workaround. But I think this issue not being solved for a long time means that the project is not very active.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't disagree but I think the crewjam/saml
repo also has signs of inactivity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think at some point a saml lib is just completed and only needs version bumps if it has dependencys?
so in this regards if there are no issues open anymore I'm fine with a inactive lib.
here both repos still have open issues :/
IdentityProviderMetadataURL: fmt.Sprintf("http://%s/simplesaml/saml2/idp/metadata.php", samlURL), | ||
InsecureSkipAssertionSignatureValidation: false, | ||
NameIDFormat: 4, | ||
ServiceProviderCertificate: "", // SimpleSAMLPhp requires that the SP certificate be specified in the server configuration rather than SP metadata |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is true? I've been using SimpleSAMLphp and it does accept SP certificates in the XML-format metadata directly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would make sense; I just wasn't able to get it to work. Perhaps the version we use doesn't support it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@grawity could you provide an example of your config for this so we can adjust the tests?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't able to find the sources of the Docker image being used, so I don't know what it does with the SP metadata, but given the separate settings to specify ACS/SLO endpoints, I suspect it doesn't look at the XML metadata at all and just builds its own version like this?
But on a full SimpleSAMLphp 2.x installation (and I believe 1.19.x as well), you can list the whole XML file in config.php
and it will happily accept signed requests. (Although plain sign-on requests don't use the SP certificate at all; it's just a) encrypted assertions or b) signed single-logout requests that need it; but I re-tested the latter to verify that SimpleSAMLphp pays attention to the certificate in the SP's XML file and it does.)
$config = [
...
"metadata.sources" => [
["type" => "flatfile"], // the PHP-format saml20-sp-remote.php
["type" => "xml", "file" => "metadata/gitea.xml"], // an XML-format metadata file
],
];
Even if you're using the PHP-format SP metadata file (saml20-sp-remote.php
), where it might look like the certificate has to be in a separate file:
$metadata["https://SOME_ENTITY_ID"] = [
"AssertionConsumerService" => "https://SOME_URL",
"certificate" => "exlibris-alma.crt",
...
];
it is still possible to specify it inline, and the XML-to-PHP metadata converter that comes with SimpleSAMLphp (Admin > Federation) will include any found certificates inline as part of the PHP-format metadata:
$metadata["https://SOME_ENTITY_ID"] = [
"AssertionConsumerService" => "https://SOME_URL",
"keys" => [
["type" => "X509Certificate", "encryption" => true, "signing" => true, "X509Certificate" => "MII…"]
]
...
];
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here's the repository with the configuration: https://github.com/AllSpiceIO/docker-test-saml-idp/tree/master
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not certain on how thorough Gitea's requirements for test cases are, so take this with a grain of salt. But I don't think it's important to test SAML request signing because Gitea isn't making any claims that the IdP will rely on for the request. Also, (I sure hope) IdPs will be using HTTPS so there's no concern of tampering or confidentiality leaks anyways (not that there's any confidential data being sent by Gitea to begin with).
We need to know soon, if switching the library is a breaking change ! if it its, we should move it into the next release else merge it early and build upon it |
@techknowlogick @jackHay22 @Zettat123 We need a decision soon, otherwise this PR won't be part of Gitea 1.22 |
Tailwind migration done. |
Thanks :) |
Will this make it into the 1.23 release? I've been looking forward for this feature :) |
Even though @6543 pinged me when we last saw each other, I'm sorry for letting this one drop off my radar. I think we should seriously consider switching to the other SAML lib as reading more into the spec it seems that the missing option from the existing library in use in this PR is a somewhat common option to use. I have access to push to this branch so I can resolve existing conflicts and start to work on that (I don't want to ask others to do the work, as they have already done so much, and to ask to do even more would be too much to ask). |
If you want you can also fetch this branch and create your own pull, as this would indicate you as the main author again 😅 ... anyway good to hear you had time to read the actual spec. can you suggest an library or is it to early? @techknowlogick |
Resubmit #25165 for review
Closes #5512
This PR adds basic SAML support
Future PRs:
github.com/crewjam/saml
is more suitedCo-Authored-By: @jackHay22