SAML Provider #2368

@rahilwazir

  • I have created my request on the Product Board before I submitted this issue
  • I have looked at all the other requests on the Product Board before I submitted this issue

Please describe your feature request:

I'm trying to add a new provider, which is based on SAML. The SAML provider is OKTA. My integration is based on the following example: https://github.com/gbraad/passport-saml-example

To use the SAML strategy, I have added the Koa passport middlewares to the users-permissions plugin.

In this file, users-permissions/middlewares/users-permissions/index.js:

    ...
    const passport = require('koa-passport');

    module.exports = strapi => {
      return {
        beforeInitialize: function() {
          strapi.config.middleware.load.before.unshift('users-permissions');
          strapi.app.use(passport.initialize()) // Initialize passport
          strapi.app.use(passport.session()) // Use passport session
        },
        ...

And in the connect method on plugins/users-permissions/controllers/Auth.js

    if (!_.get(config, 'enabled')) {
      return ctx.badRequest(null, 'This provider is disabled.');
    }

    // Adding my custom provider to redirect?
    if (provider === 'oktaSAML') {
      const saml = require('../services/Saml');
      saml.auth({
        path: '/connect/oktaSAML/callback',
        entryPoint: '...', // Provided by OKTA
        issuer: '...', // Provided by OKTA
        cert: null // Optional
      });
      return strapi.koaMiddlewares.compose([saml.strategy])(ctx, next);
    ...

But when I navigate to http://localhost:1337/connect/oktaSAML it gives me 404 not found.

I have already followed Adding a Provider guide and added the OKTA SAML to the provider's list.

I believe the Purest package does not support SAML integration, thus I have to register either a new route or modify the connect method to handle our login integration.

  • Is this even a correct approach?
  • Does it scale well?
  • Am I working on the correct files?

I'm lost right now. Is it even possible to integrate SAML in Strapi? Or do I have to choose to proxy my way into Strapi as suggested by @opgbaudouin?

Also, how do I modify my OKTA SAML Provider popup form fields in the back-office, since SAML accepts different inputs than Auth 2.0?
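
Added example (not part of the original post, and not Strapi or passport-saml code): the options object in the post sets `cert: null`, which leaves no IdP certificate to verify assertion signatures against. The sketch below is a pre-flight check for such an options object; `checkSamlOptions`, `normalizeCert` and every sample value are hypothetical, and the certificate string is a placeholder, not a real certificate.

```javascript
// Added example: pre-flight check for SAML strategy options.
// Option names (path, entryPoint, issuer, cert) follow the post's snippet;
// the function names and all sample values are hypothetical.

// Strip PEM armor and whitespace; return the base64 body, or null if unusable.
function normalizeCert(cert) {
  if (typeof cert !== 'string') return null;
  const body = cert
    .replace(/-----(BEGIN|END) CERTIFICATE-----/g, '')
    .replace(/\s+/g, '');
  // A DER certificate starts with a SEQUENCE tag (0x30), which is "M" in base64.
  if (body.length < 64 || !/^M[A-Za-z0-9+/]+={0,2}$/.test(body)) return null;
  return body;
}

// Return a list of problems; an empty list means the options pass the check.
function checkSamlOptions(opts) {
  const problems = [];
  if (normalizeCert(opts.cert) === null) {
    problems.push('cert: no usable IdP signing certificate, assertion signatures cannot be verified');
  }
  let entry = null;
  try { entry = new URL(opts.entryPoint); } catch (e) { /* not an absolute URL */ }
  if (!entry || entry.protocol !== 'https:') {
    problems.push('entryPoint: must be an absolute https URL');
  }
  if (typeof opts.issuer !== 'string' || opts.issuer.trim() === '') {
    problems.push('issuer: must be a non-empty string');
  }
  if (typeof opts.path !== 'string' || !opts.path.startsWith('/')) {
    problems.push('path: callback path must start with "/"');
  }
  return problems;
}

// Constructed sample values (not real Okta data).
const weak = {
  path: '/connect/oktaSAML/callback',
  entryPoint: 'http://idp.example.test/sso/saml',
  issuer: 'strapi-example',
  cert: null,
};
const fixed = Object.assign({}, weak, {
  entryPoint: 'https://idp.example.test/sso/saml',
  // Placeholder body with the right shape only; paste the IdP's real certificate here.
  cert: '-----BEGIN CERTIFICATE-----\nMIIC' + 'A'.repeat(76) + '\n-----END CERTIFICATE-----',
});

console.log(checkSamlOptions(weak));  // two problems: cert and entryPoint
console.log(checkSamlOptions(fixed)); // []
```

Running the check at startup and refusing to register the strategy when the list is non-empty keeps an unsigned-assertion configuration from reaching the callback route.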
