View Issue Details

ID: 867
Project: RackTables
Category: default
View Status: public
Last Update: 2013-05-30 07:54
Reporter: tpowers
Assigned To: infrastation
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.20.4
Target Version: 0.20.5
Fixed in Version: 0.20.5
Summary: 867: SAML authentication does not support groups and logouts are not handled

Description: When using the new SAML authentication option you cannot take advantage of a user's groups that are supplied by the IdP. Additionally, when you click on the logout URL you are not logged out of the IdP, and then you get prompted for browser-based authentication, which will not work.

I have created a patch for my installation (see attached) and I am submitting it for inclusion in the next release. The patch implements a proper SAML logout and adds tags with '$sgcn_' prefixed to the names of the groups supplied by the IdP for the user (similar to the way groups are handled for LDAP). The SAML attribute to get the list of groups from is specified with the groupListAttribute key in $SAML_options in the configuration.
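Added example, not code from the reporter's patch or from RackTables itself: a stand-alone PHP function that turns a SimpleSAMLphp-style attribute array into the '$sgcn_'-prefixed auto-tags the description above outlines, driven by the groupListAttribute key in $SAML_options. The attribute name 'memberOf', the simplesamlphp_basedir path, the sample assertion values, the DN-to-CN shortcut and the tag-name character filter are all assumptions for illustration; the patch on this page applies no such filter.

```php
<?php
// Added example: maps IdP-supplied group values to RackTables-style auto-tags.
// Not part of the patch attached to this issue or of the RackTables code base.

// Keys other than groupListAttribute are the ones the patch reads; the values
// here (paths, attribute names) are assumed for the example.
$SAML_options = array (
	'simplesamlphp_basedir' => '/var/simplesamlphp',   // assumed path
	'sp_profile' => 'default-sp',
	'usernameAttribute' => 'uid',
	'fullnameAttribute' => 'displayName',
	'groupListAttribute' => 'memberOf',                 // assumed attribute name
);

// Return the list of array ('tag' => '$sgcn_...') entries for the groups found
// in $attributes under the attribute named by $options['groupListAttribute'].
function saml_groups_to_auto_tags (array $attributes, array $options)
{
	$tags = array ();
	if (! isset ($options['groupListAttribute']))
		return $tags;                                  // feature not configured
	$name = $options['groupListAttribute'];
	if (! isset ($attributes[$name]))
		return $tags;                                  // IdP sent no such attribute
	// SimpleSAMLphp delivers each attribute as a list of values; tolerate a scalar too.
	$values = is_array ($attributes[$name]) ? $attributes[$name] : array ($attributes[$name]);
	foreach ($values as $group)
	{
		// Assumed convenience: if the IdP sends an LDAP DN, use its CN as the group name.
		if (preg_match ('/^CN=([^,]+)/i', $group, $m))
			$group = $m[1];
		// Assumed validation: only word characters, dots and dashes may reach a tag
		// name, so an IdP cannot put spaces or punctuation into RackTables tags.
		if (! preg_match ('/^[A-Za-z0-9_.\-]+$/', $group))
			continue;
		$tags[] = array ('tag' => '$sgcn_' . $group);
	}
	return $tags;
}

// Constructed sample attributes in the form SimpleSAMLphp's getAttributes() returns.
$attributes = array (
	'uid' => array ('jdoe'),
	'displayName' => array ('Jane Doe'),
	'memberOf' => array (
		'racktables-admins',
		'CN=netops,OU=Groups,DC=example,DC=com',
		'bad group name',
	),
);

print_r (saml_groups_to_auto_tags ($attributes, $SAML_options));
```

Run it with the PHP CLI; the third sample value is dropped by the assumed filter, the DN is reduced to its CN, and the plain name passes through unchanged. In a real deployment the result would be appended to the global $auto_tags the way the patch does it.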

Tags: No tags attached.

Activities

tpowers (reporter), 2013-05-24 05:02

RackTables-SAML.patch (2,864 bytes)
diff -ru RackTables-0.20.4.orig/wwwroot/inc/auth.php RackTables-0.20.4/wwwroot/inc/auth.php
--- RackTables-0.20.4.orig/wwwroot/inc/auth.php	2013-05-20 12:19:03.000000000 +0000
+++ RackTables-0.20.4/wwwroot/inc/auth.php	2013-05-21 15:14:49.000000000 +0000
@@ -30,7 +30,11 @@
 	if (!isset ($user_auth_src) or !isset ($require_local_account))
 		throw new RackTablesError ('secret.php: either user_auth_src or require_local_account are missing', RackTablesError::MISCONFIGURED);
 	if (isset ($_REQUEST['logout']))
+	{
+		if (isset ($user_auth_src) and 'saml' == $user_auth_src)
+			saml_logout ();
 		throw new RackTablesError ('', RackTablesError::NOT_AUTHENTICATED); // Reset browser credentials cache.
+	}
 	// Phase 2. Do some method-specific processing, initialize $remote_username on success.
 	switch (TRUE)
 	{
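Review bot: the `isset ($user_auth_src)` test on the added line is redundant, because the check a few lines above already throws MISCONFIGURED when $user_auth_src is missing; `if ('saml' == $user_auth_src)` is enough. A short comment at the saml_logout () call would also help: that function ends with exit, so for SAML the NOT_AUTHENTICATED throw that follows (and its "Reset browser credentials cache" comment) is never reached and the logout rests entirely on the redirect to simplesaml.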
@@ -261,7 +265,7 @@
 // a wrapper for SAML auth method
 function authenticated_via_saml (&$saml_username = NULL, &$saml_displayname = NULL)
 {
-	global $SAML_options, $debug_mode;
+	global $SAML_options, $debug_mode, $auto_tags;
 	if (! file_exists ($SAML_options['simplesamlphp_basedir'] . '/lib/_autoload.php'))
 		throw new RackTablesError ('Configured for SAML authentication, but simplesaml is not found.', RackTablesError::MISCONFIGURED);
 	require_once ($SAML_options['simplesamlphp_basedir'] . '/lib/_autoload.php');
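Review bot: authenticated_via_saml now modifies the global $auto_tags as a side effect, which the header comment "a wrapper for SAML auth method" does not mention; extend it (for example "also appends $sgcn_ group tags to $auto_tags") so callers know the global is changed on the way to the boolean return value.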
@@ -271,9 +275,25 @@
 	$attributes = $as->getAttributes();
 	$saml_username = saml_getAttributeValue ($attributes, $SAML_options['usernameAttribute']);
 	$saml_displayname = saml_getAttributeValue ($attributes, $SAML_options['fullnameAttribute']);
+	if (array_key_exists ('groupListAttribute', $SAML_options))
+	{
+		foreach (saml_getAttributeValues ($attributes, $SAML_options['groupListAttribute']) as $autotag)
+			$auto_tags[] = array ('tag' => '$sgcn_' . $autotag);
+	}
 	return $as->isAuthenticated();
 }
 
+function saml_logout ()
+{
+	global $SAML_options;
+	if (! file_exists ($SAML_options['simplesamlphp_basedir'] . '/lib/_autoload.php'))
+		throw new RackTablesError ('Configured for SAML authentication, but simplesaml is not found.', RackTablesError::MISCONFIGURED);
+	require_once ($SAML_options['simplesamlphp_basedir'] . '/lib/_autoload.php');
+	$as = new SimpleSAML_Auth_Simple ($SAML_options['sp_profile']);
+	header("Location: ".$as->getLogoutURL('/'));
+	exit;
+}
+
 function saml_getAttributeValue ($attributes, $name)
 {
 	if (! isset ($attributes[$name]))
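Review bot: in the groupListAttribute loop, every IdP-supplied value goes straight into a tag name ('$sgcn_' . $autotag) without any check, so whatever the IdP sends, including spaces or punctuation, becomes part of a RackTables tag; filter or normalize each value before appending it, and document the format expected for groupListAttribute values. Two smaller points in the same hunk: saml_logout () repeats the file_exists/require_once preamble of authenticated_via_saml, which could move into a shared helper, and getLogoutURL ('/') hardcodes the post-logout return path, which is wrong when RackTables is served from a sub-directory; derive it from the configured base URL instead.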
@@ -281,6 +301,13 @@
 	return is_array ($attributes[$name]) ? $attributes[$name][0] : $attributes[$name];
 }
 
+function saml_getAttributeValues ($attributes, $name)
+{
+	if (! isset ($attributes[$name]))
+		return array();
+	return is_array ($attributes[$name]) ? $attributes[$name] : array($attributes[$name]);
+}
+
 // a wrapper for two LDAP auth methods below
 function authenticated_via_ldap ($username, $password, &$ldap_displayname)
 {
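Review bot: saml_getAttributeValues duplicates the isset/is_array logic of saml_getAttributeValue; the single-value function could become a call to the new one (first element of saml_getAttributeValues, keeping whatever the existing not-set branch returns today) so there is one place to fix. Minor style point: the rest of the file writes `array ()` with a space before the parenthesis, while the new function uses `array()` and `array($attributes[$name])`.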
infrastation (administrator), 2013-05-29 12:06, note ~0001453

There is no problem accepting this change, except I have to credit someone on the ChangeLog. Patches are also accepted through GitHub pull requests, if that helps.
tpowers (reporter), 2013-05-30 03:15, note ~0001459

Credit the change to "Thomas Powers".
infrastation (administrator), 2013-05-30 07:54, note ~0001461

This change will be available in the next stable release, thank you for the contribution!

Issue History

Date Modified Username Field Change
2013-05-24 05:02 tpowers New Issue
2013-05-24 05:02 tpowers File Added: RackTables-SAML.patch
2013-05-26 20:58 infrastation Assigned To => infrastation
2013-05-26 20:58 infrastation Status new => assigned
2013-05-29 12:06 infrastation Note Added: 0001453
2013-05-29 12:06 infrastation Target Version => 0.20.5
2013-05-30 03:15 tpowers Note Added: 0001459
2013-05-30 07:54 infrastation Note Added: 0001461
2013-05-30 07:54 infrastation Status assigned => closed
2013-05-30 07:54 infrastation Resolution open => fixed
2013-05-30 07:54 infrastation Fixed in Version => 0.20.5