
feat: support SAML and test with aliyun IDaaS #346

Merged
merged 5 commits into from
Dec 6, 2021

Conversation

@seriouszyx (Contributor) commented Dec 3, 2021

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>

Fix: #140

Basically, I implemented authentication using the SAML protocol and tested it with Aliyun IDaaS.

Click on the Aliyun icon to jump to the Aliyun IDaaS platform for login; the user admin in Casdoor corresponds to the username casdoor, and the password is Casdoor123!.

After logging in, you can access the resources of Casdoor.

(video attachment: Built-in.Organiz.mp4)

The progress is shown in the following diagram.

(image: SAML)

The demo link is http://82.156.216.21:8000/.

In fact, there is some overlap with the OAuth protocol implementation, which I may have misunderstood. And there is still more work to be done, including logout and encryption.

If there is anything I haven't explained clearly or if you have any questions, please tell me!

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
@casbin-bot (Contributor) commented

@tangyang9464 please review

@hsluoyz (Member) commented Dec 3, 2021

@seriouszyx the demo looks good! Does it also support Keycloak SAML? We also need to use Casdoor as SP to connect to Keycloak SAML IDP.

@Steve0x2a (Member) left a comment

Good job, but we may need to make some improvements.

object/saml.go (outdated):

	}
	deStr := strings.Replace(string(de), "\n", "", -1)
	res := regexp.MustCompile(`<ds:X509Certificate>(.*?)</ds:X509Certificate>`).FindAllStringSubmatch(deStr, -1)
	str := res[0][0]
@Steve0x2a (Member) commented Dec 3, 2021

Some IdPs' response format is inconsistent; the following code works well for me:

	res := regexp.MustCompile(`<ds:X509Certificate>(.*?)</ds:X509Certificate>`).FindAllStringSubmatch(deStr, -1)
	if len(res) <= 0 {
		res = regexp.MustCompile(`<X509Certificate>(.*?)</X509Certificate>`).FindAllStringSubmatch(deStr, -1)
	}
	str := res[0][1]

@seriouszyx (Contributor, Author) commented

Yes, the metadata of Aliyun IDaaS is as below, and you can find that the values of the two ds:X509Certificate elements are the same. So res[0][1] and res[0][0] both work well.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="CASDOOR-TEST">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://geonmahrnw.login.aliyunidaas.com/enduser/api/application/plugin_saml/idaas-cn-beijing-mu34ajc7ktlplugin_saml/sp_sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://geonmahrnw.login.aliyunidaas.com/enduser/api/application/plugin_saml/idaas-cn-beijing-mu34ajc7ktlplugin_saml/sp_sso_post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
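The two review threads above (the prefixed vs. unprefixed X509Certificate regexps, and the Aliyun metadata carrying separate signing and encryption keys) handled with a namespace-aware parser, as an added example that is not Casdoor's code: encoding/xml binds elements by local name, so both metadata shapes parse with one model, and the SP picks the use="signing" key rather than whichever certificate a regexp happens to match first. The sample metadata and certificate values are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"strings"
)

// Minimal model of SAML 2.0 IdP metadata. encoding/xml binds elements by local
// name, so md:/ds: prefixes and an unprefixed default namespace both match.
type entityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	Keys     []struct {
		Use   string   `xml:"use,attr"`
		Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}
// signingCert returns the IdP signing certificate (base64 DER, line breaks removed).
// use="encryption" keys are skipped: assertion signatures are verified with the
// signing key only. The base64 check also rejects a value that still carries its
// XML tags, which is what res[0][0] in the PR's first version would return.
func signingCert(metadata string) (string, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return "", err
	}
	for _, k := range ed.Keys {
		if (k.Use != "" && k.Use != "signing") || len(k.Certs) == 0 {
			continue
		}
		cert := strings.Join(strings.Fields(k.Certs[0]), "")
		if _, err := base64.StdEncoding.DecodeString(cert); err != nil {
			return "", errors.New("X509Certificate is not valid base64")
		}
		return cert, nil
	}
	return "", errors.New("no signing certificate in IdP metadata")
}
// Constructed samples with placeholder certificates: the Aliyun IDaaS shape from
// the PR (prefixes, encryption key listed first) and the unprefixed shape that made the PR's first regexp miss.
const samplePrefixed = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="CASDOOR-TEST"><md:IDPSSODescriptor>
<md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
<ds:X509Certificate>RU5DUllQVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>Q09OU1RS
VUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`
const sampleDefaultNS = `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="CASDOOR-TEST"><IDPSSODescriptor>
<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>Q09OU1RSVUNURUQ=
</X509Certificate></X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>`
```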

object/saml.go (outdated):

	IdentityProviderIssuer: provider.IssuerUrl,
	ServiceProviderIssuer: samlOrigin + "/api/acs",
	AssertionConsumerServiceURL: samlOrigin + "/api/acs",
	SignAuthnRequests: false,

(Member) commented

We should implement authnrequest

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
@seriouszyx (Contributor, Author) commented

@hsluoyz I refactored the code, added inputs to parse metadata automatically, and showed the SP ACS URL and SP Entity ID so they can be copied.

The demo link and username/password are not changed.

(screenshot)

@hsluoyz (Member) commented Dec 6, 2021

@seriouszyx lgtm!

@hsluoyz hsluoyz merged commit 113398c into casdoor:master Dec 6, 2021
@casbin-bot (Contributor) commented

🎉 This PR is included in version 1.2.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Successfully merging this pull request may close these issues.

Support SAML besides OAuth 2.0