Merged
16 changes: 16 additions & 0 deletions .env-cmdrc-template
Expand Up @@ -21,6 +21,16 @@
"GOOGLE_RECAPTCHA_SECRET": "[GOOGLE_RECAPTCHA_SECRET]",
"GOOGLE_SKIP_AUTH": true,

"SAML_ENTRY_POINT": "https://<your-idp>/sso/saml",
"SAML_ISSUER": "switcher-api",
"SAML_CALLBACK_ENDPOINT_URL": "http://localhost:3000",
"SAML_REDIRECT_ENDPOINT_URL": "http://localhost:4200",
"SAML_CERT": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K",
"SAML_PRIVATE_KEY": "",
"SAML_IDENTIFIER_FORMAT": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"SAML_ACCEPTED_CLOCK_SKEW_MS": 10000,
"SESSION_SECRET": "SESSION_SECRET",

"SWITCHER_API_LOGGER": true,
"SWITCHER_API_LOGGER_LEVEL": "debug",
"SWITCHER_API_ENABLE": false,
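Review bot: `"SESSION_SECRET": "SESSION_SECRET"` in this block is a working value rather than an obvious placeholder, so a template copied unchanged runs with a session secret that is published in the repository. Use the bracketed style the neighbouring line already has (`"[GOOGLE_RECAPTCHA_SECRET]"`) and consider refusing to start while the value is still the placeholder. Two smaller points: `SAML_ACCEPTED_CLOCK_SKEW_MS` is 10000 here but 5000 in the README and `config/.env.dev`, so pick one; and the `SAML_CERT` value decodes to an empty BEGIN/END CERTIFICATE wrapper, which the README should say must be replaced with the IdP's certificate.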
Expand Down Expand Up @@ -50,6 +60,12 @@
"GOOGLE_RECAPTCHA_SECRET": "[GOOGLE_RECAPTCHA_SECRET]",
"GOOGLE_SKIP_AUTH": false,

"SAML_ENTRY_POINT": "http://localhost:3000/sso/saml",
"SAML_CALLBACK_ENDPOINT_URL": "http://localhost:3000",
"SAML_REDIRECT_ENDPOINT_URL": "http://localhost:4200",
"SAML_CERT": "SAML_CERT",
"SESSION_SECRET": "SESSION_SECRET",

"SWITCHER_API_LOGGER": false,
"SWITCHER_API_LOGGER_LEVEL": "debug",
"SWITCHER_API_ENABLE": false,
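Review bot: `SAML_ISSUER`, `SAML_IDENTIFIER_FORMAT` and `SAML_ACCEPTED_CLOCK_SKEW_MS` are missing from this second block although the first block sets them, so behaviour here depends on defaults that this diff does not show. Either add the keys or document the defaults in the README. `"SAML_CERT": "SAML_CERT"` is also not base64 like the first block's value, so anything that decodes it gets garbage; a stub in the same encoding as the first block would be safer.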
5 changes: 5 additions & 0 deletions .github/workflows/master.yml
Expand Up @@ -51,6 +51,11 @@ jobs:
RELAY_BYPASS_VERIFICATION: true
PERMISSION_CACHE_ACTIVATED: true
METRICS_MAX_PAGE: 50
SAML_ENTRY_POINT: http://localhost:3000/sso/saml
SAML_CALLBACK_ENDPOINT_URL: http://localhost:3000
SAML_REDIRECT_ENDPOINT_URL: http://localhost:4200
SAML_CERT: SAML_CERT
SESSION_SECRET: SESSION_SECRET
SWITCHER_API_ENABLE: false
SWITCHER_API_LOGGER: false

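Review bot: the five lines from `SAML_ENTRY_POINT` to `SESSION_SECRET` are pasted identically into master.yml, re-release.yml, release.yml and sonar.yml, so the next SAML variable has to be added in four places and a missed file will only show up as a failing job. Consider keeping the shared test environment in one file that each job loads. Also, `SAML_CERT: SAML_CERT` is not a base64-encoded certificate as the README asks for, so with this value the CI run cannot cover certificate decoding; a stub certificate in the documented encoding would let it.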
5 changes: 5 additions & 0 deletions .github/workflows/re-release.yml
Expand Up @@ -53,6 +53,11 @@ jobs:
RELAY_BYPASS_VERIFICATION: true
PERMISSION_CACHE_ACTIVATED: true
METRICS_MAX_PAGE: 50
SAML_ENTRY_POINT: http://localhost:3000/sso/saml
SAML_CALLBACK_ENDPOINT_URL: http://localhost:3000
SAML_REDIRECT_ENDPOINT_URL: http://localhost:4200
SAML_CERT: SAML_CERT
SESSION_SECRET: SESSION_SECRET
SWITCHER_API_ENABLE: false
SWITCHER_API_LOGGER: false

5 changes: 5 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -48,6 +48,11 @@ jobs:
RELAY_BYPASS_VERIFICATION: true
PERMISSION_CACHE_ACTIVATED: true
METRICS_MAX_PAGE: 50
SAML_ENTRY_POINT: http://localhost:3000/sso/saml
SAML_CALLBACK_ENDPOINT_URL: http://localhost:3000
SAML_REDIRECT_ENDPOINT_URL: http://localhost:4200
SAML_CERT: SAML_CERT
SESSION_SECRET: SESSION_SECRET
SWITCHER_API_ENABLE: false
SWITCHER_API_LOGGER: false

5 changes: 5 additions & 0 deletions .github/workflows/sonar.yml
Expand Up @@ -66,6 +66,11 @@ jobs:
RELAY_BYPASS_VERIFICATION: true
PERMISSION_CACHE_ACTIVATED: true
METRICS_MAX_PAGE: 50
SAML_ENTRY_POINT: http://localhost:3000/sso/saml
SAML_CALLBACK_ENDPOINT_URL: http://localhost:3000
SAML_REDIRECT_ENDPOINT_URL: http://localhost:4200
SAML_CERT: SAML_CERT
SESSION_SECRET: SESSION_SECRET
SWITCHER_API_ENABLE: false
SWITCHER_API_LOGGER: false

27 changes: 24 additions & 3 deletions README.md
Expand Up @@ -44,9 +44,7 @@ Main features:

### Auth Providers

Switcher API supports multiple auth providers such as email/password-based authentication or GitHub, Bitbucket OAuth.

Follow the steps below to set up your OAuth App in GitHub and Bitbucket.
Switcher API supports multiple auth providers such as email/password-based authentication, SAML 2.0 for Single Sign-On (SSO), or GitHub/Bitbucket OAuth.

#### GitHub OAuth App setup

Expand Down Expand Up @@ -79,6 +77,29 @@ Follow the steps below to set up your OAuth App in GitHub and Bitbucket.
- BIT_OAUTH_CLIENT_SECRET=your_client_secret
8. Update Switcher Management BITBUCKET_CLIENTID environment variable with your_client_id

#### SSO with SAML 2.0 setup

1. Obtain the following information from your Identity Provider (IdP):
- Entry Point URL
- X.509 Certificate
- (Optional) Private Key

2. Update your .env-cmdrc file or ConfigMap/Secret in Kubernetes with the following variables:
- SAML_ENTRY_POINT=your_idp_entry_point_url
- SAML_ISSUER=your_issuer
- SAML_CALLBACK_ENDPOINT_URL=service_provider_callback_endpoint_url
- SAML_REDIRECT_ENDPOINT_URL=web_app_redirect_endpoint_url
- SAML_CERT=your_x509_certificate_base64_encoded
- SAML_PRIVATE_KEY=your_private_key_base64_encoded (if applicable)
- SAML_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- SAML_ACCEPTED_CLOCK_SKEW_MS=5000
- SESSION_SECRET=SESSION_SECRET

3. Enable SAML authentication in Switcher Management by setting the environment variable SAML_ENABLE=true

* `service_provider` refers to Switcher API
* `web_app` refers to Switcher Management

### Running Switcher API from Docker Composer manifest file

This option leverages Switcher API and Switcher Management with minimum settings required.
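Review bot: step 1 lists the private key among the items obtained from the IdP, but the docs never say what `SAML_PRIVATE_KEY` is used for. If it signs requests or decrypts assertions, it is Switcher API's own key: it should be generated locally, with only the matching certificate handed to the IdP, and step 1 should be reworded to say so. In step 2, `SESSION_SECRET=SESSION_SECRET` reads as a usable value; tell readers to generate a random secret. It would also help to state the full callback URL to register at the IdP, since `SAML_CALLBACK_ENDPOINT_URL` is shown elsewhere in this PR as just `http://localhost:3000`.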
11 changes: 11 additions & 0 deletions config/.env.dev
Expand Up @@ -17,6 +17,17 @@ METRICS_MAX_PAGE=50
GOOGLE_SKIP_AUTH=true
SWITCHER_API_LOGGER=true

### SAML Configuration
SAML_ENTRY_POINT=
SAML_ISSUER=switcher-api
SAML_CALLBACK_ENDPOINT_URL=http://localhost:3000
SAML_REDIRECT_ENDPOINT_URL=http://localhost:4200
SAML_CERT=
SAML_PRIVATE_KEY=
SAML_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SAML_ACCEPTED_CLOCK_SKEW_MS=5000
SESSION_SECRET=SESSION_SECRET

### Switcher Management
SSL_ENABLED=false
SWITCHERAPI_URL=http://localhost:3000
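Review bot: `SAML_ENTRY_POINT=` and `SAML_CERT=` are left empty, and nothing in this file says whether empty means SAML login is switched off or simply misconfigured. Add a comment line under `### SAML Configuration` stating that SAML stays disabled until both are set, and make sure startup treats empty values that way rather than building a SAML configuration with no certificate.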
10 changes: 10 additions & 0 deletions docker-compose.yml
Expand Up @@ -59,6 +59,16 @@ services:
- BITBUCKET_OAUTH_SECRET=${BITBUCKET_OAUTH_SECRET}
- GOOGLE_RECAPTCHA_SECRET=${GOOGLE_RECAPTCHA_SECRET}
- GOOGLE_SKIP_AUTH=${GOOGLE_SKIP_AUTH}

- SAML_ENTRY_POINT=${SAML_ENTRY_POINT}
- SAML_ISSUER=${SAML_ISSUER}
- SAML_CALLBACK_ENDPOINT_URL=${SAML_CALLBACK_ENDPOINT_URL}
- SAML_REDIRECT_ENDPOINT_URL=${SAML_REDIRECT_ENDPOINT_URL}
- SAML_CERT=${SAML_CERT}
- SAML_PRIVATE_KEY=${SAML_PRIVATE_KEY}
- SAML_IDENTIFIER_FORMAT=${SAML_IDENTIFIER_FORMAT}
- SAML_ACCEPTED_CLOCK_SKEW_MS=${SAML_ACCEPTED_CLOCK_SKEW_MS}
- SESSION_SECRET=${SESSION_SECRET}

- SWITCHER_API_LOGGER=${SWITCHER_API_LOGGER}
- SWITCHER_API_LOGGER_LEVEL=${SWITCHER_API_LOGGER_LEVEL}
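Review bot: plain `${SESSION_SECRET}` substitutes an empty string when the variable is unset, so the container starts with an empty session secret instead of failing. If the value is required, use the compose error form, e.g. `- SESSION_SECRET=${SESSION_SECRET:?SESSION_SECRET must be set}`, and give optional settings a default such as `${SAML_ACCEPTED_CLOCK_SKEW_MS:-5000}` so an unset variable does not reach the app as an empty string.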