From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <dietmar@proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 22372747B9 for <pve-devel@lists.proxmox.com>; Wed, 2 Jun 2021 11:00:45 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 154E3942C for <pve-devel@lists.proxmox.com>; Wed, 2 Jun 2021 11:00:45 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 46D72941C for <pve-devel@lists.proxmox.com>; Wed, 2 Jun 2021 11:00:44 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 111EA466BE; Wed, 2 Jun 2021 11:00:44 +0200 (CEST) Date: Wed, 2 Jun 2021 10:59:59 +0200 (CEST) From: Dietmar Maurer <dietmar@proxmox.com> To: wb <webmaster@jbsky.fr>, Proxmox VE development discussion <pve-devel@lists.proxmox.com> Message-ID: <361453332.3258.1622624399545@webmail.proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Priority: 3 Importance: Normal X-Mailer: Open-Xchange Mailer v7.10.5-Rev11 X-Originating-Client: open-xchange-appsuite X-SPAM-LEVEL: Spam detection results: 0 AWL -0.045 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_NUMSUBJECT 0.5 Subject ends in numbers excluding current years SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] =?utf-8?b?UkXCoDogIFtQQVRDSF0gW1BBVENIIHB2ZS1hY2Nl?= =?utf-8?q?ss-control=5D_SSO_feature=3Alogin_with_SAMLv2?= X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/> List-Post: <mailto:pve-devel@lists.proxmox.com> List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe> X-List-Received-Date: Wed, 02 Jun 2021 09:00:45 -0000 > > I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough > > to store that on the local file system? > On the one hand, I enjoyed reusing your work. > On the other hand, I think it is more secure to put this kind of data in /etc/pve/tmp/saml than in /tmp/saml/ No, I consider this less secure. Especially if the write is triggered by unauthenticated request... > Then, yes, it is possible to store it on /tmp/saml for example, it is variable data. Nothing is fixed, you are free to do what you want. > > > Unfortunately, your code depends on code not packaged for Debian. Any idea > > how to replace that (cpanm Net::SAML2)? > > Since I'm not a perl specialist, I took what seemed to me the most standard in this language. Have you considered cloning this repos available on GitHub(https://github.com/perl-net-saml2/perl-Net-SAML2)? This module has way to much dependencies (Moose). I do not want to use that. > > Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings > > for that and reuse the code with Proxmox Backup Server. > > Do you have a specific project or library in mind? > > Unfortunately, I don't have any knowledge about rust and I'll have a hard time accompanying you on this topic. However, it seems that there are projects on github in opensource, for example https://github.com/njaremko/samael. All those SAML libs are basically unmaintained, without any large user base. > I'll tell you again,nothing is fixed, you are free to do what you want. I also wonder why SAML? Would it be an option to use OpenId connect instead?