Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DNM] SAML Authentication #1593

Draft
wants to merge 7 commits into
base: master
Choose a base branch
from
Draft

[DNM] SAML Authentication #1593

wants to merge 7 commits into from

Conversation

damianhxy
Copy link
Member

@damianhxy damianhxy commented Sep 19, 2022
edited
Loading

Description

Motivation and Context

Add SAML authentication to Autolab for universities that use Microsoft IdP.

Note:

  • This currently overrides shibboleth authentication. Work is needed to add some kind of toggle to switch between the two types of authentication
  • The current changes also appear to comment out a crucial part of Autolab's CSRF protection (inside verify_authenticity_token). Ideally, we should be using action_no_auth to selectively disable the protection for routes that do not require authentication
  • We need to update Gemfile.lock

How Has This Been Tested?

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have run rubocop for style check. If you haven't, run overcommit --install && overcommit --sign to use pre-commit hook for linting
  • My change requires a change to the documentation, which is located at Autolab Docs
  • I have updated the documentation accordingly, included in this PR

@mtoupsUNO
installation documentation updates for install onto a bare Debian 11 …
9c7767b 
…system:

* don't assume we have github ssh key installed - this would make sense on a dev system but not for a production system
* make is not necessarily already installed
* in recent versions of docker, "docker compose" (via docker-compose-plugin) is used instead of "docker-compose"
* sudo is not necessarily installed, and should not be required
@mtoupsUNO
add these Gems to get SAML authentication support (including MS Activ…
093005f 
…e Directory)
@mtoupsUNO
modify sign-in page for SAML auth
f5291b2
@mtoupsUNO
here we replace shibboleth with saml for authentication
6be043c
@mtoupsUNO
add function for saml auth
d38b902
@mtoupsUNO
this commit I did not feel great about, but commenting out this line …
d573fd7 
…was the only way I could find to get SAML auth to work. I would very much prefer another solution or workaround.
@mtoupsUNO
This is an example of what a school using Microsoft Active Directory …
7ecc04c 
…will need to enable SAML authentication for autolab. The "Enterprise Applications" admin will need to provide the fingerprint and target URL/entity ID specific to your site. (They may call this "metadata")
@cg2v cg2v self-requested a review September 20, 2022 13:39
@cg2v
Copy link
Member

cg2v commented Sep 20, 2022

Apart from the CSRF thing, the most significant problem I see here is that you are embedding microsoft's (OASIS WS-Security) attribute mappings, which are not the same as the ones used by IdPs in the incommon federation. The attribute uris need to be configurable by the end institution, and there should be some exception handling or other validation. it may make sense to start parameterizing the LDAP lookups too and remove the embedded fixed domain (andrew.cmu.edu)

damianhxy
damianhxy commented Nov 11, 2022
View reviewed changes
Gemfile
@@ -60,6 +60,8 @@ gem 'omniauth', '>=1.2.2'
gem 'omniauth-facebook', '>=2.0.0'
gem 'omniauth-google-oauth2', '>=0.2.5'
gem 'omniauth-shibboleth', '>=1.1.2'
gem 'omniauth-saml', '>=1.7.0'
gem 'omniauth-rails_csrf_protection'
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be unnecessary with omniauth v2.0.0

@damianhxy damianhxy changed the title (WIP) Add SAML Authentication functionality Add SAML Authentication Nov 13, 2022
@damianhxy damianhxy changed the title Add SAML Authentication [POC] SAML Authentication Dec 3, 2022
@damianhxy damianhxy changed the title [POC] SAML Authentication [Reference] SAML Authentication Dec 4, 2022
@damianhxy damianhxy mentioned this pull request Feb 26, 2023
Merged
@reviewpad reviewpad bot mentioned this pull request May 16, 2023
Merged
@reviewpad reviewpad bot added the medium Pull request is medium label Jun 16, 2023
@cg2v cg2v mentioned this pull request Jun 29, 2023
Merged
5 tasks
@damianhxy damianhxy changed the title [Reference] SAML Authentication [DNM] SAML Authentication Dec 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cg2v cg2v Awaiting requested review from cg2v

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
do-not-merge medium Pull request is medium
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@damianhxy @cg2v @mtoupsUNO