Skip to content

Implement SAML authentication for GL3#5476

Open
Ithanil wants to merge 3 commits intobigbluebutton:masterfrom
Ithanil:saml
Open

Implement SAML authentication for GL3#5476
Ithanil wants to merge 3 commits intobigbluebutton:masterfrom
Ithanil:saml

Conversation

@Ithanil
Copy link
Contributor

@Ithanil Ithanil commented Oct 20, 2023
edited
Loading

This PR enables SAML authentication for GL3 and is based on similar PRs for GL2: #1334 and #2270 . We are using this feature in production, but it was not developed with the goal to be merged upstream. Because SAML for GL2 was never merged, I guess it won't happen for GL3 as well. However, I'd like to provide our development to the public for anyone in need of this.

This is the part of a series of similar PR submissions (Redis Sentinel, SAML integration, LDAP integration).

Details / How to use:

  • SAML is added analogous to OIDC via omniauth
  • OIDC takes precedence, so configure any OIDC variables if you want to use SAML
  • Documention on configuration is provided in sample.env and SAMLConfiguration.md
  • Notably, some configuration may be obtained from IDP metadata, especially SAML_IDP_URL, SAML_IDP_CERT_FINGERPRINT and the SAML_NAME_IDENTIFIER, so try to not configure these manually if possible
  • The PR also removes any Sign-Up buttons if external authentication is used

@farhatahmad
Copy link
Collaborator

farhatahmad commented Oct 23, 2023

Thanks for these PR's - I will definitely keep these open and will mark them as approved by maintainers for others who are interested in deploying these

@Ithanil Ithanil mentioned this pull request Oct 23, 2023
Merged
@Ithanil
Copy link
Contributor Author

Ithanil commented Oct 23, 2023

@farhatahmad Thank you, that's great.

FYI: I have made another PR #5480 , which is a subset of this one here. It is designed to be easily mergeable and lessen the burden of maintaining custom provider extensions. Please let me know your thoughts on that one.

Ithanil

This comment was marked as duplicate.

Sign in to view

Ithanil
Ithanil commented Oct 27, 2023
View reviewed changes
app/controllers/api/v1/migrations/external_controller.rb
# Re-write LDAP and Google to greenlight
user_hash[:provider] = %w[greenlight ldap google openid_connect].include?(user_hash[:provider]) ? 'greenlight' : user_hash[:provider]
# Re-write list of providers to greenlight
user_hash[:provider] = %w[greenlight ldap google openid_connect saml].include?(user_hash[:provider]) ? 'greenlight' : user_hash[:provider]
Copy link
Contributor Author

@Ithanil Ithanil Oct 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that SAML is in this list, the V2 migration task should work without modification. Beforehand I had a modification in place which did match the provider to greenlight already in the migration task.

@Ithanil Ithanil force-pushed the saml branch 2 times, most recently from 43bb040 to 80b81c2 Compare November 2, 2023 08:36
@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 15, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

No Coverage information No Coverage information
0.0% 0.0% Duplication

@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 21, 2023

Quality Gate Passed Quality Gate passed

The SonarCloud Quality Gate passed, but some issues were introduced.

1 New issue
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 12, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@sonarqubecloud
Copy link

sonarqubecloud bot commented Apr 22, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@Ithanil Ithanil mentioned this pull request Jun 17, 2024
Closed
@hex-m
Copy link

hex-m commented Sep 19, 2024

Common vulnerability with ruby projects implementing SAML: https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/

(Not a dev - can't say if this implementation is affected)

@Ithanil
Copy link
Contributor Author

Ithanil commented Sep 19, 2024
edited
Loading

Common vulnerability with ruby projects implementing SAML: https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/

(Not a dev - can't say if this implementation is affected)

Many thanks for the heads-up. Indeed, it appears as if this PR is implementation is affected. I will update the branch later, bumping omniauth-saml to 2.2.1 and ruby-saml to 1.17.0.

EDIT: Fixed by 8eb2638

@sonarqubecloud
Copy link

sonarqubecloud bot commented Sep 19, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

approved by maintainers

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Ithanil @farhatahmad @hex-m