 |
Would you like to prepare a patch for SAML in RackTables, update the documentation and maintain this feature? |
 |
diff file for auth.php has been attached to case. Things to do: configuration has now to be done hardcoded in auth.php; Need to make some changes where configuration will be configurable from inside e.g. secret.php. We assume simplesaml is installed in ../simplesaml; We assume service provider default-sp has to be used; We assume SAML attribute eduPersonPrincipalName is used for $remote_username attribute We assume SAML attribute fullname is used for $remote_displayname |
|
|
Could you add the parameters below to secret.php (through install.php) like below and update the code to use these? Also the ChangeLog and the release notes should be updated. $saml_dir = '../simplesaml'; $saml_sp = 'default-sp'; $saml_remusername = 'eduPersonPrincipalName'; $saml_remdispname = 'fullname'; Also please mind the code style: if (! file_exists ('../simplesaml/lib/_autoload.php')) throw new RackTablesError ('Configured for SAML authentication, but simplesaml is not found.', RackTablesError::MISCONFIGURED); require_once ('../simplesaml/lib/_autoload.php'); $as = new SimpleSAML_Auth_Simple ('default-sp'); if (! $as->isAuthenticated()) $as->requireAuth(); $attributes = $as->getAttributes(); $remote_username = $attributes['eduPersonPrincipalName'][0]; I can accept this through a GitHub pull request, if you would like. |
|
|
Removed original auth.diff and recreated a new diff file. Updated with new code style and rewrote code to make it configurable from inside secret.php; Based on how LDAP is configured, to configure SAML you can add the following to secret.php (With your permission): $SAML_options = array ( 'simplesamlphp_basedir' => '../simplesaml', 'sp_profile' => 'default-sp', 'usernameAttribute' => 'eduPersonPrincipName', 'fullnameAttribute' => 'fullName', ); To activate, change $user_auth_src = 'saml'; in secret.php. Update: code has been implemented in install.php. See patch. |
|
|
This is better, although the very first case block is taken wrong and file_exists() still tests the hardcoded path. $SAML_options is a good idea. |
|
|
auth-and-install.diff (3,935 bytes) |
|
|
Fixed file_exists check. Changed some code in the first case block. Problem occurs due to the fact the first case block assumes there allready is a valid username available (Otherwise $userinfo = constructUserCell ($remote_username); will fail). Therefore full authorization already has to be done in the first case block. Now, in the first case block $remote_username is resolved. In the second case block $remote_displayname is additional requested. |
|
|
|
|
|
Thank you. I will review more thoroughly later today and let you know. |
|
|
Well... It is almost complete. The authenticate() function implements the following generic steps: 1. Assert basic configuration variables (not method-specific). 2. Initialize $remote_username from the method-specific source, possibly involving password verification. 3. Satisfy the $require_local_account condition, initialize $user_given_tags and merge user-specific autotags (not method-specific). 4. Initialize $remote_displayname from method-specific source, possibly involving password verification if not done above. This approach was introduced long time ago to justify the three currently implemented authentication methods and it can also work for SAML. The first case block should be the only calling authenticated_via_saml() to set $remote_username immediately and keep the value of the displayed name. The second case block should set $remote_displayname. This may look complicated, but the code should be as uniform as possible to ease future auditing of this core function. |
|
|
I can make the remaining fixes myself. |
|
|
Your code and the associated fixes are now in the master branch, please test. |
|
|
I close the issue as fixed, please make any future fixes/improvements against the released tar.gz source code or the git master branch. Thank you for the contribution! |
- Anonymous
