
feat: SAML 2.0 IdP service (SP-initiated Web SSO) #70

Merged
BK1031 merged 6 commits into main from bk1031/feat-saml-service, Jun 3, 2026

Conversation

@BK1031 (Contributor) commented Jun 3, 2026

Adds SAML 2.0 single sign-on to Sentinel via a new saml service, modeled on the existing oauth service. SP-initiated Web SSO only (no IdP-initiated, no SLO).

core

  • Add saml_service_provider table extending an application with SAML SP registration (entity ID, ACS URL, cert, metadata XML)
  • CRUD endpoints under /applications/:id/saml; internal /core/saml/sp/entity/:entityID lookup that resolves an SP to its owning application's client_id

saml service (new)

  • Owns its own RSA signing key + self-signed X.509 cert (saml_signing_key), persisted across restarts; cert published in IdP metadata
  • /saml/metadata (IdP metadata) and /saml/sso (SP-initiated SSO) via crewjam/saml
  • SSO endpoint validates the AuthnRequest, stashes it, and redirects to the SPA consent page (the first-party session is a SPA-held JWT, not a server cookie)
  • /saml/authorize GET (consent info + access gate) and POST (build + sign assertion, return HTTP-POST binding payload for the SPA to submit to the ACS)
  • Reuses core for all identity/group/gate/audit data via the shared kerbecs/sentinel clients; same per-client group filtering and required-group access gate as OAuth
  • Anchors request re-validation to the original SSO time so a slow consent screen can't trip crewjam's 90s MaxIssueDelay, while keeping the issued assertion's validity window fresh

gateway / infra

  • kerbecs: saml upstream + routes (/api/saml/* stripped; /saml/metadata and /saml/sso at the issuer root; /saml/authorize falls through to the web SPA)
  • docker-compose: saml service (port 9996) + gopath volume
  • CI: saml build/push workflow; include saml in the deploy image bump

web

  • SamlAuthorizePage at /saml/authorize: validates + runs the access gate against the session, then auto-submits the signed assertion to the SP's ACS
  • Application edit page: SAML SSO card to register an app as a service provider (SP entity ID, ACS URL, or pasted metadata XML) and surface the IdP metadata URL

verification

  • go build + go vet pass for core and saml
  • web tsc -b + vite build pass
  • docker compose config validates
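The signing-key bullet above (an RSA key plus a self-signed X.509 cert that survives restarts and is published in IdP metadata) in working form, as an added example that is not code from this PR or from the Sentinel project. The single-file PEM layout, the five-year validity, the type and function names (SigningMaterial, LoadOrCreateSigningMaterial, MetadataCertificate) and the file name are this example's own assumptions. It regenerates only when the file is genuinely absent; an unreadable or malformed file is an error, because silently rotating the key would invalidate every SP that pinned the cert from metadata.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// SigningMaterial is the IdP's signing key plus the self-signed cert published in metadata (names assumed).
type SigningMaterial struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// LoadOrCreateSigningMaterial reuses the key+cert stored at path and generates a new pair only when
// the file is absent. A cert that is stable across restarts is what keeps SPs that pinned it working.
func LoadOrCreateSigningMaterial(path, commonName string) (*SigningMaterial, error) {
	data, err := os.ReadFile(path)
	if err == nil {
		return parseSigningMaterial(data)
	}
	if !os.IsNotExist(err) {
		return nil, err // unreadable is not "absent": never rotate the key silently
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // same reader GenerateKey just used
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    now.Add(-5 * time.Minute), // tolerate SP clock skew
		NotAfter:     now.AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature, // signing only: not a CA, not an encryption cert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	data = append(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	if err := os.WriteFile(path, data, 0o600); err != nil { // holds the private key: owner-only
		return nil, err
	}
	return parseSigningMaterial(data)
}

// parseSigningMaterial decodes the two PEM blocks and checks they belong together and are usable for signing.
func parseSigningMaterial(data []byte) (*SigningMaterial, error) {
	kb, rest := pem.Decode(data)
	cb, _ := pem.Decode(rest)
	if kb == nil || kb.Type != "RSA PRIVATE KEY" || cb == nil || cb.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("expected an RSA PRIVATE KEY block followed by a CERTIFICATE block")
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, fmt.Errorf("certificate public key does not match the private key")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return nil, fmt.Errorf("certificate is not marked for digital signature")
	}
	return &SigningMaterial{Key: key, Cert: cert}, nil
}

// MetadataCertificate is the base64 DER that goes inside <ds:X509Certificate> in the IdP metadata.
func MetadataCertificate(m *SigningMaterial) string {
	return base64.StdEncoding.EncodeToString(m.Cert.Raw)
}

func main() {
	dir, _ := os.MkdirTemp("", "saml-signing")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "saml_signing_key.pem")
	first, err := LoadOrCreateSigningMaterial(path, "sentinel-saml")
	second, err2 := LoadOrCreateSigningMaterial(path, "sentinel-saml") // simulated restart
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	fmt.Println("same cert after restart:", MetadataCertificate(first) == MetadataCertificate(second))
}
```

The key-usage and key/cert match checks on load are cheap and catch the two operational mistakes that otherwise surface only as SPs rejecting signatures: a cert file swapped for one that belongs to a different key, and a general-purpose cert reused where a signing cert is expected.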

BK1031 added 6 commits on June 3, 2026 at 12:47

Add saml_service_provider table extending application with SAML-specific
registration (entity_id, ACS URL, cert, metadata), CRUD endpoints under
/applications/:id/saml, and an internal /core/saml/sp/entity/:entityID
lookup that resolves an SP to its owning application's client_id for the
saml service's access gate.

New saml service modeled on oauth: owns its own RSA signing key +
self-signed X.509 cert (saml_signing_key), serves IdP metadata at
/saml/metadata, and handles SP-initiated SSO via crewjam/saml.

The SSO endpoint validates the AuthnRequest, stashes it, and redirects
the browser to the SPA consent page (the first-party session is a SPA-held
JWT, not a server cookie). On approval, /saml/authorize re-runs the access
gate, builds the assertion from core identity + per-client filtered groups,
and returns the HTTP-POST binding payload for the SPA to submit to the ACS.
All identity/group/gate/audit data comes from core via the shared
kerbecs/sentinel clients.

- kerbecs: add saml upstream + routes (/api/saml/* stripped; /saml/metadata
  and /saml/sso served at the issuer root; /saml/authorize falls through to
  the web SPA)
- docker-compose: add saml service (port 9996) + gopath volume
- add saml Dockerfile + .air.toml (copied from oauth)
- CI: add saml build/push workflow; include saml in the deploy image bump

- SamlAuthorizePage at /saml/authorize: the SSO endpoint redirects here, the
  SPA validates + runs the access gate against the session, and on approval
  auto-submits the signed assertion to the SP's ACS via HTTP-POST binding
- application edit page: add a SAML SSO card to register an app as a service
  provider (SP entity ID, ACS URL, or pasted metadata XML) and surface the
  IdP metadata URL

crewjam's Validate re-checks the AuthnRequest IssueInstant against the 90s
MaxIssueDelay using req.Now, and stamps the assertion validity window from
the same field. Anchor Now to the original SSO-endpoint validation time for
the staleness check (so a slow consent screen can't trip the 90s window),
then reset to the real current time so the issued assertion carries a fresh
window.

- release.sh: bump saml/config Version and tag the sentinel-saml image
  alongside the other services
- deploy.yml: include saml in the infra image-bump set and changelog
- saml.yml: per-service build/push workflow (mirrors oauth.yml)
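The Now-anchoring described in the fifth commit above, modelled in plain Go as an added example; this is not crewjam/saml's code and not the saml service's, and it does not pull in the library. The 90s MaxIssueDelay is the constant the commit names; MaxClockSkew, the exact validity offsets, the struct shapes and the consentTTL bound are assumptions of this example. It shows the failure mode (re-validating against wall-clock time fails once consent takes longer than 90s), the fix (re-validate against the time the SSO endpoint originally validated, then stamp the assertion from the current time), and one extra bound a practitioner would want: anchoring the staleness check to the original validation time means the stash, not the AuthnRequest, is what limits how long a pending login stays consumable, so the stash needs its own lifetime.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// MaxIssueDelay is the 90-second window the commit message refers to. MaxClockSkew, the
// exact validity offsets and every name below are assumptions of this example, not
// crewjam/saml's API or the saml service's code.
const (
	MaxIssueDelay = 90 * time.Second
	MaxClockSkew  = 3 * time.Minute
)

// AuthnRequest carries the only fields the staleness rule looks at.
type AuthnRequest struct {
	ID           string
	IssueInstant time.Time
}

// StashedRequest is what the SSO endpoint keeps between validating the AuthnRequest and
// the SPA returning with the user's consent.
type StashedRequest struct {
	Request     AuthnRequest
	ValidatedAt time.Time // the "Now" the original /saml/sso validation ran against
}

// AssertionWindow is the validity stamp the issued assertion carries.
type AssertionWindow struct {
	IssueInstant, NotBefore, NotOnOrAfter time.Time
}

// checkStaleness is the rule the commit describes: the request is rejected once
// IssueInstant + MaxIssueDelay lies behind the supplied "now".
func checkStaleness(req AuthnRequest, now time.Time) error {
	deadline := req.IssueInstant.Add(MaxIssueDelay)
	if deadline.Before(now) {
		return fmt.Errorf("request %s expired at %s", req.ID, deadline.UTC().Format(time.RFC3339))
	}
	return nil
}

// stampAssertion derives the validity window from "now".
func stampAssertion(now time.Time) AssertionWindow {
	return AssertionWindow{IssueInstant: now, NotBefore: now.Add(-MaxClockSkew), NotOnOrAfter: now.Add(MaxIssueDelay)}
}

// ReceiveSSO is the /saml/sso step: validate against wall-clock time and remember that time.
func ReceiveSSO(req AuthnRequest, now time.Time) (StashedRequest, error) {
	if err := checkStaleness(req, now); err != nil {
		return StashedRequest{}, err
	}
	return StashedRequest{Request: req, ValidatedAt: now}, nil
}

// Authorize is the /saml/authorize POST step. The staleness re-check is anchored to
// ValidatedAt, so time spent on the consent page does not count against the 90s, while
// the assertion is stamped from the real current time. consentTTL bounds how long a
// stashed request stays consumable; that bound is this example's addition.
func Authorize(s StashedRequest, now time.Time, consentTTL time.Duration) (AssertionWindow, error) {
	if now.Sub(s.ValidatedAt) > consentTTL {
		return AssertionWindow{}, errors.New("stashed request is older than the consent TTL")
	}
	if err := checkStaleness(s.Request, s.ValidatedAt); err != nil {
		return AssertionWindow{}, err
	}
	return stampAssertion(now), nil
}

// NaiveAuthorize re-validates against wall-clock time: the failure mode the anchoring
// avoids, since any consent that takes longer than 90s is rejected.
func NaiveAuthorize(s StashedRequest, now time.Time) (AssertionWindow, error) {
	if err := checkStaleness(s.Request, now); err != nil {
		return AssertionWindow{}, err
	}
	return stampAssertion(now), nil
}

func main() {
	t0 := time.Date(2026, 6, 3, 12, 0, 0, 0, time.UTC) // constructed timestamps
	stashed, err := ReceiveSSO(AuthnRequest{ID: "_example", IssueInstant: t0}, t0.Add(5*time.Second))
	if err != nil {
		panic(err)
	}
	consentDone := t0.Add(4 * time.Minute) // the user spent four minutes on the consent page
	_, err = NaiveAuthorize(stashed, consentDone)
	fmt.Println("naive re-validation:", err)
	w, err := Authorize(stashed, consentDone, 10*time.Minute)
	fmt.Println("anchored re-validation:", err, "NotOnOrAfter", w.NotOnOrAfter.Sub(consentDone), "after consent")
}
```

The split matters because the two timestamps answer different questions: the staleness check asks whether the SP's request was fresh when the IdP first saw it, which is fixed once answered, while the assertion window tells the SP how long the response it is about to receive may be trusted, which must be measured from when the response is actually issued.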
BK1031 merged commit ce77eda into main, Jun 3, 2026
15 checks passed
BK1031 deleted the bk1031/feat-saml-service branch June 3, 2026 21:31