[DNM] SAML Authentication #1593
base: master
…system:
* don't assume we have github ssh key installed - this would make sense on a dev system but not for a production system
* make is not necessarily already installed
* in recent versions of docker, "docker compose" (via docker-compose-plugin) is used instead of "docker-compose"
* sudo is not necessarily installed, and should not be required
…was the only way I could find to get SAML auth to work. I would very much prefer another solution or workaround.
…will need to enable SAML authentication for autolab. The "Enterprise Applications" admin will need to provide the fingerprint and target URL/entity ID specific to your site. (They may call this "metadata")
Apart from the CSRF thing, the most significant problem I see here is that you are embedding Microsoft's (OASIS WS-Security) attribute mappings, which are not the same as the ones used by IdPs in the InCommon federation. The attribute URIs need to be configurable by the end institution, and there should be some exception handling or other validation. It may make sense to start parameterizing the LDAP lookups too and remove the embedded fixed domain (andrew.cmu.edu).
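One way to make the attribute mappings configurable per institution, as the comment above asks for, is shown in this added example (it is not code from PR #1593 or from Autolab). It builds the hash that omniauth-saml accepts as its `attribute_statements` option from a per-site YAML profile and validates that the attributes an IdP returned resolve to every required field; the profile names, YAML layout and module name are assumptions, while the claim URIs are the public Microsoft and eduPerson ones.

```ruby
# Added example (not part of PR #1593): per-institution SAML attribute mappings
# for omniauth-saml's :attribute_statements option, plus validation of what the
# IdP actually returned. Profile names and YAML layout are assumptions.
require 'yaml'

module SamlAttributeMapping
  # Constructed sample config: in a real deployment this would be read from a
  # per-site file (e.g. config/saml_attributes.yml) rather than a literal.
  SAMPLE_CONFIG = <<~YAML
    microsoft:
      email:      ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
      first_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
      last_name:  ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
    incommon:
      email:      ["urn:oid:0.9.2342.19200300.100.1.3", "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
      first_name: ["urn:oid:2.5.4.42"]
      last_name:  ["urn:oid:2.5.4.4"]
  YAML

  REQUIRED = %w[email first_name last_name].freeze

  # Returns the hash to pass as :attribute_statements for the selected profile;
  # keys are symbols, as the provider expects. Unknown or incomplete profiles
  # fail at configuration time rather than at the first login.
  def self.attribute_statements(profile, yaml = SAMPLE_CONFIG)
    profiles = YAML.safe_load(yaml)
    mapping = profiles[profile] || raise(ArgumentError, "unknown SAML profile #{profile.inspect}")
    missing = REQUIRED - mapping.keys
    raise ArgumentError, "profile #{profile} lacks mappings for #{missing.join(', ')}" unless missing.empty?
    mapping.transform_keys(&:to_sym)
  end

  # Resolve the attributes of a SAML response (here a plain Hash of
  # attribute URI => [values], the shape ruby-saml's Attributes#all yields)
  # into local fields. The first mapped URI carrying a non-blank value wins.
  # Every required field must resolve, otherwise the login is rejected
  # instead of silently creating a half-filled user record.
  def self.extract(statements, response_attrs)
    result = {}
    statements.each do |field, uris|
      values = uris.map { |u| Array(response_attrs[u]).first }.compact
      result[field] = values.find { |v| !v.to_s.strip.empty? }
    end
    missing = REQUIRED.map(&:to_sym).select { |f| result[f].nil? }
    raise ArgumentError, "SAML assertion missing required attributes: #{missing.join(', ')}" unless missing.empty?
    result
  end
end
```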
@@ -60,6 +60,8 @@ gem 'omniauth', '>=1.2.2' | |||
gem 'omniauth-facebook', '>=2.0.0' | |||
gem 'omniauth-google-oauth2', '>=0.2.5' | |||
gem 'omniauth-shibboleth', '>=1.1.2' | |||
gem 'omniauth-saml', '>=1.7.0' | |||
gem 'omniauth-rails_csrf_protection' |
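Review bot: `gem 'omniauth-rails_csrf_protection'` is the only gem in this hunk added without a minimum-version constraint; the neighbouring lines all pin one (`gem 'omniauth-saml', '>=1.7.0'`), so add a `'>=…'` constraint here for consistency and a matching Gemfile.lock update. Note also that `gem 'omniauth', '>=1.2.2'` leaves it to the lock file whether OmniAuth 1.x or 2.x resolves, and the two differ in how callback requests are protected against CSRF; since this PR's stated concern is the CSRF handling, tightening the `omniauth` constraint to the major version the PR was tested against would make the intended behaviour explicit.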
Should be unnecessary with omniauth v2.0.0
Description
Motivation and Context
Add SAML authentication to Autolab for universities that use Microsoft IdP.
Note:
`verify_authenticity_token`). Ideally, we should be using `action_no_auth` to selectively disable the protection for routes that do not require authentication.

Gemfile.lock