Support OKTA authentication #17236

Merged
merged 2 commits into from Jan 9, 2019

@fyery-chen
Contributor

fyery-chen commented Dec 26, 2018

Problem:
Some customers need to authenticate by using the OKTA platform.

Solved:
Added another SAML 2.0 authentication method, OKTA.

Issue:
#15574

Related PR of types:
rancher/types#663

@loganhz loganhz referenced this pull request Dec 27, 2018
@alena1108 alena1108 requested a review from mrajashree Jan 3, 2019
@@ -139,7 +139,7 @@ func InitializeSamlServiceProvider(configToSet *v3.SamlConfig, name string) erro
sp.IDPMetadata.EntityID = idm.EntityID
sp.IDPMetadata.SPSSODescriptors = idm.SPSSODescriptors
sp.IDPMetadata.IDPSSODescriptors = idm.IDPSSODescriptors
if name == ADFSName {
if name == ADFSName || name == OkTAName {
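
Review bot: The widened condition `if name == ADFSName || name == OkTAName {` sends Okta down the ADFS-specific path with no comment explaining why the two identity providers share it. Add a one-line comment stating what this branch does differently for these providers, or move the check into a small named predicate, so the next SAML provider added here is not matched by guesswork. The body of the branch is not visible in this hunk, so whether it is correct for Okta cannot be confirmed from these lines.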

@mrajashree

mrajashree Jan 3, 2019

Member

Is this done because we tested integration between an Okta Identity Provider and Rancher's ADFS provider?

@fyery-chen

fyery-chen Jan 3, 2019

Author Contributor

Yeah!

@@ -29,6 +29,7 @@ import (
const PingName = "ping"
const ADFSName = "adfs"
const KeyCloakName = "keycloak"
const OkTAName = "okta"
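
Review bot: The new constant `OkTAName` uses a casing that matches neither `ADFSName` nor `KeyCloakName` above it, and the same identifier is referenced in the `InitializeSamlServiceProvider` condition, so a later rename has to touch both places. Pick one spelling now (`OKTAName` or `OktaName`) and apply it everywhere the constant is used; grouping the four provider names in a single `const ( ... )` block would also make the set easier to audit.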

@mrajashree

mrajashree Jan 3, 2019

Member

nit: can we make the 'k' capital as well? OKTAName

@fyery-chen

fyery-chen Jan 3, 2019

Author Contributor

Yeah, of course, maybe I missed this problem, thanks!

@@ -31,7 +31,8 @@ func (s *Provider) ServeHTTP(w http.ResponseWriter, r *http.Request) {
log.Debugf("RESPONSE: ===\n%s\n===\nNOW: %s\nERROR: %s",
parseErr.Response, parseErr.Now, parseErr.PrivateErr)
}
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
redirectURL := r.URL.Host + "/login"
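
Review bot: On the line `redirectURL := r.URL.Host + "/login"`, the redirect target is built from a request-derived field. In Go's net/http server `r.URL.Host` is empty for ordinary origin-form requests, so this normally evaluates to just `/login`, and for an absolute-form request target it holds whatever host the client sent. Use a fixed relative path or the server's configured URL so the destination on a failed SAML response never depends on request input. If the `http.Error(w, ...)` call above remains in place, it has already written the 403 response, so a redirect issued after it would not take effect.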

@orangedeng

orangedeng Jan 3, 2019

Member

Why redirect?

@fyery-chen

fyery-chen Jan 3, 2019

Author Contributor

If we do not redirect, it will return an invalid page if we directly access a route path of authentication. I do not think this is a good UX, because we can access the Rancher server from another (Okta) platform.

@mrajashree

mrajashree Jan 3, 2019

Member

The redirect URL can also include the error code as a query parameter, because the UI has logic to handle certain error codes. So can we append the error code here, like in line
https://github.com/rancher/rancher/blob/master/pkg/auth/providers/saml/saml_client.go#L279
http.Redirect(w, r, redirectURL+"/login?errorCode=403", http.StatusFound)

@fyery-chen

fyery-chen Jan 3, 2019

Author Contributor

Awesome, good idea, thank you!

@fyery-chen

fyery-chen Jan 3, 2019

Author Contributor

@mrajashree I've updated as you suggested, please review again.

@mrajashree

mrajashree Jan 3, 2019

Member

Thanks!

@fyery-chen fyery-chen force-pushed the fyery-chen:okta-pr branch from 0716778 to 7abb9da Jan 3, 2019
@fyery-chen

Contributor Author

fyery-chen commented Jan 3, 2019

@mrajashree I've updated, please review again, thank you!

@fyery-chen fyery-chen force-pushed the fyery-chen:okta-pr branch from 7abb9da to 9230d01 Jan 3, 2019
@mrajashree

Member

mrajashree commented Jan 3, 2019

LGTM

@orangedeng

Member

orangedeng commented Jan 4, 2019

LGTM, should merge after types PR merged. @fyery-chen You might need to rebase types and rancher PR too.

@fyery-chen fyery-chen force-pushed the fyery-chen:okta-pr branch from 9230d01 to f144152 Jan 4, 2019
@fyery-chen

Contributor Author

fyery-chen commented Jan 4, 2019

@orangedeng I've rebased, please check.

@fyery-chen fyery-chen force-pushed the fyery-chen:okta-pr branch from f144152 to e8399b5 Jan 9, 2019
fyery-chen added 2 commits Dec 26, 2018
To support OKTA authentication

Added another SAML2.0 authentication method OKTA

Issue: #15574
@fyery-chen fyery-chen force-pushed the fyery-chen:okta-pr branch from e8399b5 to bae41fa Jan 9, 2019
@alena1108 alena1108 merged commit 7fab64d into rancher:master Jan 9, 2019
1 check passed
continuous-integration/drone/pr the build was successful