Add support for SAML auth backend

[eladkal]

Body

Previously also asked in Jira https://issues.apache.org/jira/browse/AIRFLOW-4539

Committer

• I acknowledge that I am a maintainer/committer of the Apache Airflow project.

[subkanthi]

can I take a look at this if no one is working on this. Thanks

[eladkal]

@subkanthi assigned

[Jedsman]

There is this solution that works for airflow 1.x.x, but for some reason does not for airflow 2.x. Maybe it can be used as a reference for this. The solution is here https://www.manishpoddar.com/post/how-to-implement-aws-single-sign-on-sso-on-airflow

[HaloKo4]

looking forward for this integration!

[victorphoenix3]

Hi, I would like to attempt this implementation.

[subkanthi]

Hi @victorphoenix3 , Im working on the API support for SAML, please feel free to take on SAML support for the webserver, it might need some digging into the FAB support.
#11305

[potiuk]

assigned you @victorphoenix3 !

[eladkal]

Probably dependent on dpgaspar/Flask-AppBuilder#1028

[jjournet]

does that mean that today, we can't use a SSO solution (like keycloak) with Airflow ?

[LucaSoato]

Do we have any news about SSO for Airflow?

[potiuk]

You can use keycloak this can be done independently of SAML support for Airlfow. You need to forward the right Authorisation headers from Keycloak and make Airflow/FAB use them AFAIK.

[merovigen]

@jjournet you can use OAuth for Keycloak integration.
Please take a look at this example, it helped me with a custom OAuth identity provider.

[potiuk]

This is a very cool article. Thanks for bringing my attention to it @merovigen

[koskoskos]

Hello!
Any updates on SAML auth for Airflow? I'm looking for the way to authenticate Airflow with ADFS, no luck at the moment.

[potiuk]

Hello! Any updates on SAML auth for Airflow? I'm looking for the way to authenticate Airflow with ADFS, no luck at the moment.

@koskoskos As of Airlfow 2.8, Airflow supports Auth Manager interface, which allows anyone to write any Auth Manager. We have currently two Auth Managers: FAB (back-compatibiltiy) and AWS (experimental). We would love to have somoene to develop and contribute a KeyCloak Auth Manager that would open Airflow to way more schemes than FAB currently support, but also there is nothing to prevent anyone to write their own Auth Manager - for example SAML Auth Manager. So if you would like to have certaintly SAML authentication is there - you (or your company) could work on contributing one of the Auth Managers I mentioned above. Or pay someone to do it. Otherwise, it will have to wait for someone to implement it.

The Auth Manager interface / API of Airflow is described here https://airflow.apache.org/docs/apache-airflow/stable/core-concepts/auth-manager.html#auth-manager

Would you like to help with that?

[rroblik]

Old topic but lack of SAML support is disapointing for such product. In the documentation we can see pip install 'apache-airflow[saml]' so... what does it mean?

thanks

[anton-didenko-moc]

I have the same question here.
Seems like there is some kind of SAML support. I've found a few articles about it, but couldn't make it work yet. Does anybody have a working solution?

[potiuk]

SAML "extra" is only used to install package that is needed by some providers (for example amazon provider has optional SAML support for their connection to AWS). Authentication in Airflow is implemented by FAB - Flask Application Builder. So as long as SAML is not implemented there as a valid option, it will not be implemented in Airflow - so best course of action is to have somene (ideally who already has SAML and wants to get it implemented, implements it and contributes to FAB).

There are currently 3 closed issues about that in FAB: https://github.com/dpgaspar/Flask-AppBuilder/issues?q=is%3Aissue+saml+is%3Aclosed - but if someone comes with a PR and tests it, I am sure maintainer of FAB will work with that person to implement SAML support - so if any of you @rroblik @anton-didenko-moc would like to spend your or your companies engineering efforts, I believe this is the most successful path for Airflow to support SAML.

And I'd encourage you to follow it.

Also for Airlfow 3 we turn FAB into optional dependency and ideally there will be a replacement for FAB - we are discussing it at our dev calls for Airflow 3 https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+3+Dev+call%3A+Meeting+Notes#Airflow3Devcall:MeetingNotes-4June2024 and there various replacements are being discussed and some efffort to evaluate those is made. But this will be Airflow 3 and the exact scope or implementation of it is not yet finalized. But again, the most successful path you can take there is to help in those efforts - taking part in the dev calls and committing and helping to test/evaluate/implement the replacement is absolutely best you can do to make sure it will happen @rroblik and @anton-didenko-moc

Which I also encourage you to do.