feat: support SAML and test with aliyun IDaaS #346
Conversation
Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
@tangyang9464 please review
@seriouszyx the demo looks good! Does it also support Keycloak SAML? We also need to use Casdoor as SP to connect to Keycloak SAML IDP.
Good job, but we may need to make some improvements.
object/saml.go
Outdated
} | ||
deStr := strings.Replace(string(de), "\n", "", -1) | ||
res := regexp.MustCompile(`<ds:X509Certificate>(.*?)</ds:X509Certificate>`).FindAllStringSubmatch(deStr, -1) | ||
str := res[0][0] |
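Review bot: `str := res[0][0]` at the end of this hunk indexes the regexp result without checking `len(res)`, so metadata that has no `<ds:X509Certificate>` element (or spells it without the `ds:` prefix, which the pattern requires literally) panics with an index out of range instead of returning an error; in addition `[0][0]` is the whole match including the tags, while the base64 certificate body is capture group `[0][1]`. Suggest guarding with `if len(res) == 0 { return an error }` before the index and using `res[0][1]`, or better, parsing the metadata with `encoding/xml`, which matches elements by namespace rather than by their literal prefix.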
Some IdPs' response format is inconsistent; the following code works well for me:

```go
// Try the ds:-prefixed element first, then fall back to the unprefixed spelling.
res := regexp.MustCompile(`<ds:X509Certificate>(.*?)</ds:X509Certificate>`).FindAllStringSubmatch(deStr, -1)
if len(res) == 0 {
	res = regexp.MustCompile(`<X509Certificate>(.*?)</X509Certificate>`).FindAllStringSubmatch(deStr, -1)
}
if len(res) == 0 {
	// Neither spelling matched: fail here (adjust to the enclosing function's
	// return values) rather than let the index below panic.
	return fmt.Errorf("no X509Certificate element found in IdP metadata")
}
str := res[0][1] // capture group 1: the base64 body without the surrounding tags
```
Yes, the metadata of Aliyun IDaaS is as below, and you can find that the values of the two `ds:X509Certificate` elements are the same. So `res[0][1]` and `res[0][0]` both work well.
```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="CASDOOR-TEST">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://geonmahrnw.login.aliyunidaas.com/enduser/api/application/plugin_saml/idaas-cn-beijing-mu34ajc7ktlplugin_saml/sp_sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://geonmahrnw.login.aliyunidaas.com/enduser/api/application/plugin_saml/idaas-cn-beijing-mu34ajc7ktlplugin_saml/sp_sso_post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
```
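The regexp approach discussed above depends on how the IdP spells the element and treats both KeyDescriptor entries alike. The following Go example is added here and is not Casdoor code: it parses metadata of the shape shown above with `encoding/xml`, which matches elements by namespace rather than by the `ds:` prefix, keeps only the `use="signing"` certificate (an encryption key must never verify assertions), and fails closed when no signing certificate decodes. It generates a throwaway self-signed certificate and renders the metadata itself so it runs offline; the `parseIdPMetadata`, `buildMetadata` and `selfSignedCertB64` names are the example's own, the `CASDOOR-TEST` entity ID is reused from the thread, and the Aliyun endpoints are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const dsNS = "http://www.w3.org/2000/09/xmldsig#"
// encoding/xml matches elements by namespace URI plus local name, so a "ds:"-prefixed
// and an unprefixed X509Certificate in the XML-DSig namespace both land in Certs.
type entityDescriptor struct {
	XMLName  xml.Name         `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string           `xml:"entityID,attr"`
	IDP      idpSSODescriptor `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
}
type idpSSODescriptor struct {
	Keys []keyDescriptor `xml:"urn:oasis:names:tc:SAML:2.0:metadata KeyDescriptor"`
}
type keyDescriptor struct {
	Use   string   `xml:"use,attr"`
	Certs []string `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo>X509Data>X509Certificate"`
}

// idpConfig is what the SP stores; only use="signing" (or unspecified) keys may verify signatures.
type idpConfig struct {
	EntityID     string
	SigningCerts []*x509.Certificate
}

func parseIdPMetadata(raw []byte) (*idpConfig, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(raw, &ed); err != nil {
		return nil, fmt.Errorf("not well-formed SAML metadata: %w", err)
	}
	cfg := &idpConfig{EntityID: ed.EntityID}
	for _, kd := range ed.IDP.Keys {
		if kd.Use != "" && kd.Use != "signing" {
			continue // an encryption key must never be trusted to verify assertions
		}
		for _, b64 := range kd.Certs {
			// IdPs often wrap the base64 body across lines, so drop all whitespace first.
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return nil, fmt.Errorf("X509Certificate is not valid base64: %w", err)
			}
			cert, err := x509.ParseCertificate(der)
			if err != nil {
				return nil, fmt.Errorf("X509Certificate is not a DER certificate: %w", err)
			}
			cfg.SigningCerts = append(cfg.SigningCerts, cert)
		}
	}
	if len(cfg.SigningCerts) == 0 {
		return nil, errors.New("metadata has no signing certificate; refusing to trust this IdP")
	}
	return cfg, nil
}

// selfSignedCertB64 makes a throwaway certificate so the example runs offline (constructed test data).
func selfSignedCertB64() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "idp-test"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}

// buildMetadata renders metadata in the shape shown in the thread, with the XML-DSig
// elements either "ds:"-prefixed or unprefixed (prefix == "") under a default namespace.
func buildMetadata(certB64, prefix string) []byte {
	ns := "xmlns" + strings.TrimSuffix(":"+prefix, ":") + `="` + dsNS + `"` // xmlns:ds=... or xmlns=...
	key := func(use string) string {
		return `<md:KeyDescriptor use="` + use + `"><{p}KeyInfo ` + ns + `><{p}X509Data><{p}X509Certificate>` + certB64 + `</{p}X509Certificate></{p}X509Data></{p}KeyInfo></md:KeyDescriptor>`
	}
	doc := `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="CASDOOR-TEST"><md:IDPSSODescriptor WantAuthnRequestsSigned="false">` +
		key("signing") + key("encryption") + `</md:IDPSSODescriptor></md:EntityDescriptor>`
	return []byte(strings.ReplaceAll(doc, "{p}", prefix))
}

func main() {
	cert := selfSignedCertB64()
	for _, p := range []string{"ds:", ""} {
		cfg, err := parseIdPMetadata(buildMetadata(cert, p))
		if err != nil {
			panic(err)
		}
		fmt.Printf("prefix %q: entityID=%s signing certs=%d\n", p, cfg.EntityID, len(cfg.SigningCerts))
	}
}
```

Both spellings yield exactly one signing certificate, because the duplicate under `use="encryption"` is skipped rather than trusted twice; metadata with no decodable signing certificate is rejected instead of producing an SP that silently cannot verify anything.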
object/saml.go
Outdated
IdentityProviderIssuer: provider.IssuerUrl, | ||
ServiceProviderIssuer: samlOrigin + "/api/acs", | ||
AssertionConsumerServiceURL: samlOrigin + "/api/acs", | ||
SignAuthnRequests: false, |
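Review bot: `SignAuthnRequests: false,` hard-codes unsigned AuthnRequests, so any IdP whose metadata sets `WantAuthnRequestsSigned="true"` will reject the login; make this a per-provider setting backed by an SP signing key rather than a constant. Separately, `ServiceProviderIssuer` and `AssertionConsumerServiceURL` are both `samlOrigin + "/api/acs"`, which makes the SP entity ID identical to the ACS endpoint; the entity ID is the name the IdP puts in the assertion's Audience and checks against, so give it its own stable value so it does not change whenever the ACS path does.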
We should implement AuthnRequest.
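For what a signed AuthnRequest involves on the wire, here is an added Go example (not Casdoor code, and not the SAML library the PR configures): the SP builds the HTTP-Redirect binding query for an AuthnRequest and signs it with RSA-SHA256 as that binding specifies, and the IdP-side check rebuilds the signed string from the received parameters, pins the algorithm, verifies against the SP's key, and only then inflates the request. The `signedRedirectQuery` and `verifyRedirectQuery` names, the `sp.example.test` and `idp.example.test` hosts and the request ID are constructed for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"strings"
)

const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed request; sp.example.test and idp.example.test are placeholder hosts.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8f2c9d0e" Version="2.0" IssueInstant="2022-01-01T00:00:00Z" Destination="https://idp.example.test/sso" AssertionConsumerServiceURL="https://sp.example.test/api/acs"><saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>`

// deflateB64 applies the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
func deflateB64(s string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only fails for a bad level
	w.Write([]byte(s))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// decodeParam undoes the URL and base64 encoding of one received query parameter.
func decodeParam(p string) ([]byte, error) {
	s, err := url.QueryUnescape(p)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(s)
}

// signedRedirectQuery is the SP side: the signature covers the URL-encoded
// SAMLRequest, RelayState (if present) and SigAlg parameters, in exactly that order.
func signedRedirectQuery(req, relayState string, key *rsa.PrivateKey) (string, error) {
	signed := "SAMLRequest=" + url.QueryEscape(deflateB64(req))
	if relayState != "" {
		signed += "&RelayState=" + url.QueryEscape(relayState)
	}
	signed += "&SigAlg=" + url.QueryEscape(rsaSHA256)
	digest := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyRedirectQuery is the IdP side: rebuild the signed string from the received, still-encoded
// parameters (never re-encode), pin the algorithm, verify, and only then inflate with a size cap.
func verifyRedirectQuery(query string, pub *rsa.PublicKey) (string, error) {
	params := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			params[parts[0]] = parts[1]
		}
	}
	if alg, _ := url.QueryUnescape(params["SigAlg"]); alg != rsaSHA256 {
		return "", fmt.Errorf("unexpected SigAlg %q", alg)
	}
	signed := "SAMLRequest=" + params["SAMLRequest"]
	if rs, ok := params["RelayState"]; ok {
		signed += "&RelayState=" + rs
	}
	signed += "&SigAlg=" + params["SigAlg"]
	sig, err := decodeParam(params["Signature"])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(signed))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("redirect signature invalid: %w", err)
	}
	deflated, err := decodeParam(params["SAMLRequest"])
	if err != nil {
		return "", err
	}
	// 1 MiB cap so a hostile request cannot turn into a decompression bomb.
	xmlBytes, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(deflated)), 1<<20))
	if err != nil {
		return "", err
	}
	return string(xmlBytes), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed SP key for the demo
	q, _ := signedRedirectQuery(sampleAuthnRequest, "state", key)
	xmlDoc, err := verifyRedirectQuery(q, &key.PublicKey)
	fmt.Printf("verified=%v, request bytes=%d\n", err == nil, len(xmlDoc))
}
```

This is the Redirect binding's query-string signature; with the HTTP-POST binding the signature is an XML-DSig `ds:Signature` element inside the AuthnRequest itself, which needs an XML canonicalization and signing library rather than the standard library alone. The same "verify before you parse" ordering applies there.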
Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
Force-pushed from 45d2979 to fb774c7.
… sp-entity-id Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
@seriouszyx lgtm!
🎉 This PR is included in version 1.2.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
Fix: #140
Basically, I implemented authentication using the SAML protocol and tested it with Aliyun IDaaS.
Click on the Aliyun icon to jump to the Aliyun IDaaS platform for login; the user `admin` in Casdoor corresponds to the username `casdoor`, and the password is `Casdoor123!`. After logging in, you can access the resources of Casdoor.
Built-in.Organiz.mp4
The progress is shown in the following diagram.
The demo link is http://82.156.216.21:8000/.
In fact, there is some overlap with the OAuth protocol implementation, which I may have misunderstood. And there is still more work to be done, including logout and encryption.
If there is anything I haven't explained clearly or if you have any questions, please tell me!