Most of SAML integration fixed #605
Conversation
Neven1986
commented
Dec 14, 2019
Neven1986
commented
- Function signatures inside SAML class were fixed
- Redirect URL for /saml/login path was modified (saml_authorized -> index.saml_authorized)
Current status is that SAML metadata can be generated under /saml/metadata and communication to SAML iDP is working
Problems remaining:
- SAML Response doesn't contain any attributes (There is no AttributeStatement on the Response). It can be that problem is on iDP side
- Background thread in retrieve_idp_data() cannot be spawned, this part is currently commented out, old code needs to be revisited
|
This pull request introduces 1 alert when merging cd3535d into ad6b04b - view on LGTM.com new alerts:
|
From my perspective, if agreed, this change can be merged, because the basic SAM auth. functionality is now present and was tested with "samlidp.io" iDP. However, there are further improvements which I would like to integrate, but as a separate features in separate pull requests
|
SAML seems to be reintegrated now. I conducted few tests with samlidp.io as iDP. There are few things which should be implemented, but as new features and as separate pull requests. I will try to take care of it as well in coming week or two. |
|
Hi @Neven1986 , thanks for submitting the PR. The code looks good to me. I wanted to test with samlidp.io as well. Do you know which SAML_SP_ENTITY_ID value and certificate I should use for it? |
|
Hi @ngoduykhanh, SAML SP ENTITY ID is pretty arbitrary thing and can be almost any URI derived from your domain or your domain itself. In my case that was http://pda.<my.domain>:9191/ - simple as that... You can use any self-signed x509 certificate... I used my own generated one and I used in second test certificates generated by PDA from certutils.py Just as side note... With samlidp.io there is one peculiar thing. In order to get attributes in response you need to explicitly request them by defining AttributeConsumingService attributes in your metadata... Which is currently empty 'sp settings' substructure in saml.py. For testing purposes I needed to manually define this in the code since it's not configurable via default_config.py. This is one of improvements which I talked about, that I would like to implement. I did additional test with my company's iDP and it passed went through as well. The only difference is that this iDP will return all attributes without requesting them specifically in SP metadata. A lot of things are dependent on iDP config itself. If you need more heads-up on this I can send you my example metadata. |
|
Hi @Neven1986 , thanks for the explanation and tests. I am going to merge your PR. If you have any adjustments in the feature, feel free to create another one. |
