
SAML SLO support #45379

Commits on Aug 8, 2024

  1. extended auth provider types with flags for logout all support, i.e. supported, enabled, forced.
    
    added structures for logout request and response.
    regenerated code and yaml
    side work: documented nature of InitializeSamlServiceProvider
    global logout interceptor callback
    linked saml logout handler/backend with token manager frontend, via the interceptor callback
    added guards against UI misbehaviour
    register the new structures with the norman framework to enable serialization to and from json
    added handling of SLO responses.
    inject slo support flag into the initial authconfigs
    fix: extended flow state storage with ability to set the cookie path.
    hardwired acs path is no good when redirecting to the slo endpoint.
    set proper cookie paths wherever we have state setup
    added request signing - applies only to logout requests
    (i.e. auth requests are not signed, as before)
    (because we apparently use the redirect binding despite the code saying POST)
    chore: log cleanup, removed some, made some official
    fix: comment typo in go.mod
    redirected crewjam/saml to our rancher/saml for decompression fix.
    fix: missing/different generated files
    fix KC logout issues with local crewjam patch.
    fix missing handling of detached signatures on responses
    import crewjam fix providing proper detached sig on logout requests.
    KC still ok.
    OKTA still fails, but different - issuer mismatch, not invalid sig
    address comment, drop todo note, crewjam/saml is forked, and fork used
    address comment - reduce saml logging
    
    Apply suggestions from code review
    Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
    
    address comments
    
    Apply suggestions from code review
    Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
    
    fixup of partial change for principled extension of redirect url with error information
    old code still needed for bad case (unparseable url)
    
    implemented todo: Assert "action == logout" && !sloForced, guard against UI misbehaviour.
    IOW, the UI will get an error now if it tries to perform a regular logout while the provider is configured for forced SLO, i.e. logout all as the only allowed method.
    andreas-kupries committed Aug 8, 2024
    682c689
  2. fixup: CI error `pkg/auth/providers/saml/saml_provider.go:152:4: fmt.Sprintf does not support error-wrapping directive %w`
    andreas-kupries committed Aug 8, 2024
    3f0c1b7

Commits on Aug 12, 2024

  1. 3b5168e