[46092] adds idp_sso_service_binding config to ssoe_settings_service #10631

Merged Oct 12, 2022

Conversation


@bramleyjl bramleyjl commented Sep 6, 2022

Description of change

This change adds an idp_sso_service_binding setting that changes vets-api's SSOe authentication request service binding from Artifact to POST in order to enable the request to be signed. It also changes the RubySAML gem that is used to generate vets-api's SAML requests to a forked version in order to fix a bug with SAML signing, as the base gem repository is no longer under active maintenance. A devops change and a vsp infra change have already landed to populate this setting in all environments: local, dev, review, and staging instances will all have the new POST binding while production will keep the Artifact binding until lower environment testing can be performed.

In addition, it includes a Gemfile change to the RubySAML library to fix a bug that was improperly rendering our passed XML to nil.

I have also removed the deprecated settings.security[:embed_sign] RubySAML setting; the idp_sso_service_binding setting that has been added performs the same function.

Original issue(s)

department-of-veterans-affairs/va.gov-team#46092

Testing

This feature has been disabled by default for localhost; to enable it you will need to set the following settings in your settings.local.yml:

  • saml_ssoe.request_signing: true
  • saml_ssoe.cert_path: link to this public cert file in your devops repository
  • saml_ssoe.key_path: can be found in AWS Parameter store, search for /dsva-vagov/identity-team/dev/ssoe-sp-dev-va-gov-key, download the private key to your config/certs directory in vets-api and link to it here

To test, attempt to authenticate with any CSP through SSOe. You should see a substantially longer SAML payload that includes a signature:

<ds:SignatureValue>TbhUvKTDBFx8St+f2EkK/SarCOvQnZwBrXjjAIqocA6lbu9kVHGU6CPM7CEOBZNbl+c02aMoJoCfqJ1FzSYXDnZOjpcZ3OPtx7tfpoiC6Ua7P4o/vS58uvHzlNxN+h0ZDpreybU39Qy6lSaz2M/mQnjnb3TOGr7qW0kZXmHFQPuHvauxck8HvVbGkTfBmQ3Dwm/vSIb/7iJo0krwNpzsCLKl1+EYzbYEZB/O5ZOYOr9QV+u08P3BwhgyvYvBXZhK/qll1U+clLDD94S1h8eBf2p8Oxk8AW/kxxnSu6mJGBJeCO3KQpDuK21FrTUSwE9v31gJqtAQUopTqPXWHqxxeA==</ds:SignatureValue>
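An added example to go with the Testing section (not vets-api or RubySAML code): a consistency check over the saml_ssoe settings named above, and a structural check that a POST-binding SAMLRequest actually carries an embedded signature whose Reference points at the request itself, so the "substantially longer payload" can be checked programmatically rather than by eye. The settings hash keys and the URN form of the binding value are assumptions, and the sample payloads are constructed.

```ruby
require 'rexml/document'  # stdlib XML parser; no ruby-saml dependency needed here

POST_BINDING = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'

# Consistency check over a hash of the saml_ssoe settings named in the Testing
# section (key names assumed; the binding value is assumed to be the SAML URN).
# Returns a list of problems; an empty list means the settings fit together.
def check_ssoe_settings(s)
  problems = []
  if s[:request_signing]
    # An embedded XML signature is only produced with the HTTP-POST binding.
    unless s[:idp_sso_service_binding] == POST_BINDING
      problems << 'request_signing needs idp_sso_service_binding HTTP-POST'
    end
    problems << 'request_signing needs cert_path' if s[:cert_path].to_s.empty?
    problems << 'request_signing needs key_path' if s[:key_path].to_s.empty?
  end
  # embed_sign is the deprecated RubySAML setting this PR removed.
  problems << 'embed_sign is deprecated, remove it' if s.key?(:embed_sign)
  problems
end

# Structural check on a POST-binding SAMLRequest form value (base64 XML, not
# deflated). Reports whether a ds:SignatureValue is present and whether the
# signature's Reference URI points at the AuthnRequest's own ID. It does not
# verify the signature cryptographically; that is the IdP's job.
def inspect_authn_request(saml_request_b64)
  doc = REXML::Document.new(saml_request_b64.unpack1('m'))
  root = doc.root
  sig_value = REXML::XPath.first(doc, '//ds:SignatureValue', 'ds' => DS_NS)
  reference = REXML::XPath.first(doc, '//ds:Reference', 'ds' => DS_NS)
  signed = !sig_value.nil? && !sig_value.text.to_s.strip.empty?
  covers = !reference.nil? && reference.attributes['URI'] == "##{root.attributes['ID']}"
  { id: root.attributes['ID'], signed: signed, covers_request: covers }
end

# Constructed sample payloads (not captured from SSOe; the signature value is a placeholder).
UNSIGNED_REQUEST = ['<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
                    'ID="_req1" Version="2.0"/>'].pack('m0')
SIGNED_REQUEST = [<<~XML].pack('m0')
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_req2" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_req2"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  </samlp:AuthnRequest>
XML
```

To check a real request, base64-decode nothing yourself: pass the SAMLRequest form field from the POST to SSOe straight into inspect_authn_request.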

ericboehs
ericboehs previously approved these changes Sep 7, 2022
joeniquette
joeniquette previously approved these changes Sep 7, 2022
@bramleyjl bramleyjl self-assigned this Sep 7, 2022
@bramleyjl bramleyjl added identity identity-backend Identity team backend label labels Sep 7, 2022
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main September 19, 2022 20:05 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main September 20, 2022 16:27 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main September 21, 2022 23:11 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main September 22, 2022 16:08 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 5, 2022 22:30 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 6, 2022 15:12 Inactive
@bramleyjl
Contributor Author

This PR has been updated to include the VA.gov-forked RubySAML library, which has been updated to include the necessary change.

@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 6, 2022 15:22 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 6, 2022 18:06 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 6, 2022 21:33 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 7, 2022 16:34 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 7, 2022 19:59 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 10, 2022 17:45 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 46092_saml_request_signing/main/main October 10, 2022 18:22 Inactive
@bosawt (Contributor) left a comment

Looks good!

@bramleyjl bramleyjl merged commit cfeabbf into master Oct 12, 2022
@bramleyjl bramleyjl deleted the 46092_saml_request_signing branch October 12, 2022 15:58