feat: implementing SAML in Kratos

[ThibHrrd]

Completion Progress

• First Part
• Second Part
• Third Part
• Fourth Part
• Fifth Part

We thought about 5 main tasks :

First Part

Concerning the first part, the goal is to develop the two main endpoints :

• /metadata (GET) : Generate the metadata of the SP (Kratos)
• /acs (POST) : Handle SAML request

Second Part

The second part will deal with the way endpoints work. The library already implements what we want to make these endpoints work. The library allows you to create a metadata file very easily so we will need to incorporate it into Kratos to allow the endpoint /metadata to create them easily. Concerning the endpoint /acs, the Crewjam library allows to receive the SAML requests, to understand them and to treat them accordingly.

Third Part

The goal here is to allow the SDK to call our SAML function. Currently, the SDK allows to protect a route via a redirection to the login page. We should copy this system a little and allow to protect a route via SAML by a redirection to the IDP. After authentication, the IDP will redirect the user to the desired page. There is also the very important problem of converting the session created by the Crewjam/saml library into a Kratos session to remain homogeneous.

Fourth Part

Now that the endpoints are created, the SAML requests must be processed by Kratos. This means that the endpoint /acs must receive the SAML requests, understand them and translate them into a language that Kratos can understand. More clearly, this endpoint must allow Kratos to support SAML requests and to perform the actions associated with these requests.

It is also in this part that you must check if the session has not expired (according to the duration indicated in option). If it is the case, you have to send a SAML Request to the IDP.

Fifth part

Finally, the last part will concern the configuration. Not everyone wants to use SAML so we will have to use the YAML and Kratos configuration system to adapt it to SAML by adding new options to indicate if we want to use SAML and fill in the endpoints. The objective here is to make the final link between Kratos and SAML and thus be able to create instances of Kratos implementing SAML.

Concerning the options, here are the variables we can modify :

• Bindings
• Session duration
• Level of security (Call the RequireAccount method every time that a route protected by Kratos is accessed or not)
• Traits update

Related issue(s)

Design Document

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Disclaimer

At the moment, this is only a first version which is not intended to be merge. All the documentation and tests are still to be done.

[CLAassistant]

All committers have signed the CLA.

[aeneasr]

Took a quick peak :)

From what I can say, this looks pretty good in terms of what files and directories are being touched :) Keep going! :)

[ThibHrrd]

Hello @aeneasr! Thank you very much for the feedback on my code, it helps me a lot. I will take into consideration all the remarks and improve my code.

[ThibHrrd]

I'm making another comment to describe my progress a little bit. The session creation is working well. I still have a problem with the passing of attributes from the IDP for the session creation. I also have a problem with the database migration scripts. I need to add values at database startup but my scripts are not used, I don't know why. And finally, a last problem with the redirection after authentication where the session cookies are not transmitted and therefore the session is not detected by the /whoami.

[ThibHrrd]

https://github.com/ovh/ory-docs/blob/353f9239aa635f3a6420ffe802d594fdc1cfcb93/docs/kratos/guides/sign-in-with-sso-saml.mdx for the documentation

[ThibHrrd]

@aeneasr Hello, I'm proud to announce that our implementation of SAML in Kratos is ready for review. The PR for the documentation will come soon.

Do not hesitate to give us feedback about our work.

I will not be very available next month so take your time to review it (I will still take a look from time to time 😃)

[codecov]

Codecov Report

Merging #2148 (d05acdf) into master (4fe2d25) will decrease coverage by 0.87%.
The diff coverage is 47.77%.

❗ Current head d05acdf differs from pull request most recent head e70a0f3. Consider uploading reports for the commit e70a0f3 to get more accurate results

@@            Coverage Diff             @@
##           master    #2148      +/-   ##
==========================================
- Coverage   76.30%   75.42%   -0.88%     
==========================================
  Files         316      327      +11     
  Lines       17463    18026     +563     
==========================================
+ Hits        13326    13597     +271     
- Misses       3195     3445     +250     
- Partials      942      984      +42     

Impacted Files	Coverage Δ
cmd/remote/status.go	0.00% <0.00%> (ø)
cmd/remote/version.go	0.00% <0.00%> (ø)
identity/credentials.go	69.23% <ø> (ø)
identity/credentials_saml.go	0.00% <0.00%> (ø)
...elfservice/strategy/saml/strategy/strategy_auth.go	0.00% <0.00%> (ø)
ui/node/node.go	90.65% <ø> (ø)
...lfservice/strategy/saml/strategy/strategy_login.go	21.05% <21.05%> (ø)
...ce/strategy/saml/strategy/strategy_registration.go	24.61% <24.61%> (ø)
selfservice/strategy/saml/strategy/strategy.go	35.00% <35.00%> (ø)
selfservice/flow/saml/handler.go	53.43% <53.43%> (ø)
... and 7 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b682689...e70a0f3. Read the comment docs.

[sebferrer]

Hey,
We have a little more work than expected to finalize the implementation and felt that the current feature wasn't yet complete enough to review.
So we are setting it back to Draft for now.
We will get back to you as soon as it's okay for us, thanks for your patience! 🙂

[kmherrmann]

Really great feature, thanks so much for working on this!
How are things progressing on your end? Any blockers, anything where you'd need our support? Thanks!

[sebferrer]

Hey,

Following a mistake that accidentally caused this PR to automatically change to "Merged" status, we've reopened it here: #2653

To answer to your question @kmherrmann, we've made good progress since our last update, we're about to ask for a review :)

[kmherrmann]

Fantastic, thanks for the update!