From: Victor Hooi <victorhooi@yahoo.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: wb <webmaster@jbsky.fr>
Subject: Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2
Date: Thu, 3 Jun 2021 18:24:04 +1000 [thread overview]
Message-ID: <CAMnnoUKKmqFri0D5J8Xan9PXosQ0mBm0wp=3ygoBEA8=wJjxZQ@mail.gmail.com> (raw)
In-Reply-To: <966663888.3483.1622630895184@webmail.proxmox.com>
Hi,
I'm super excited to see this SSO support come to Proxmox. This is really
awesome stuff!
One question - I wonder if it would be possible to use Google
Workspace/Google Auth as the SAMLv2 IDP?
I'm definitely not an auth expert, but from casual reading, I think it
might be possible via setting up a custom SAML application, per this guide:
https://support.google.com/a/answer/6087519
What do you think?
I went into one of my Google Workspace domains, and tried adding a new
custom SAML app. It then gives you a confirmation page, where you can
download an IdP metadata file (.xml) - excerpted below:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://accounts.google.com/o/saml2?idpid=C02hq58w2" validUntil=
"2026-01-18T05:49:17.000Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDdDCCAlygAwIBAgIGAXcZMLKUMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjEwMTE5
MDU0OTE3WhcNMjYwMTE4MDU0OTE3WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAqXFeh4hdnVNM0NbmrU7DhyZr5fb9l/2s2kohFJgfT2b6nI+3uqLf6eKoQSMfO9Fc
WZaWVIXDD9bFncaGMxeqcNjcSo5TS4jc3x3k5es0Phjf/nJZxCLXWsFFpvLY5LT37aX88sJoAYc6
vPZCOo7t+DO/c/H2Kmx26selDVKHMhQWP3k2UJiPAIF4xT3hglkSgiCkvZBjDNqfTVAkuwt1hNIy
DH7vqriwn+XHgA/kwlTb78IxU55hVC31V6LlnqPGoilsze4ueGFw3MF00RMSZd+sQpXZQ6751OVH
hazyHXS0Rscd4/GTfkKXEHh3/uJlTxlzIkq+76E4m0J6X1U1yQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQAkp4W796dK5r7cYan0MeEYaa9qEquxleiviB4J9s5iM45WUChJNF7pYaML+gdWfLasYb9B
mJqnG1ZsuH7DsDyr2hkVgGZPav23ZX9S4jAW5w+OsMmVm92MOsNocl4P9uM86WcMJy7eiGe2KIre
cSxVfIAsO0hGM7ZZHkH+knjYc6Sq5BnHVtxSGX4a6OlxI56XBpAA22H3egBNGknrglmrVUD2VOCT
z9ePxsPnW+CCzD4gPJJHBdliB2GhN/gYUKwyvXesvd8/TlsntzEpdBctnc83rnfCUF6Rx67Kn54c
FCaLUeQtqtUjHUK5eRCFU9XNc74oR8AvCHqB9owP3Zvs</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</
md:NameIDFormat>
<md:SingleSignOnService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="
https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2"/>
<md:SingleSignOnService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
SSO URL - https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2
Entity ID - https://accounts.google.com/o/saml2?idpid=C02hq58w2
Certificate - <ETC>
What do you think - would this work with your integration?
I'm willing to set up a Google Workspace domain for testing, and grant
access to anybody for testing?
Thanks,
Victor
On Wed, Jun 2, 2021 at 8:48 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
>
> > On 06/02/2021 12:16 PM wb <webmaster@jbsky.fr> wrote:
> >
> >
> > > I also wonder why SAML? Would it be an option to use OpenId connect
> instead?
> > As I was able to use SAML, I know the functional part and therefore, if
> I used SAML, it is only by ease.
> >
> > Switch to OpenID, why not. The time I set up a functional POC.
> >
> > On the other hand, I would like to know your constraints.
>
> Sorry, what do you want to know exactly?
>
> > Do you still want to use Rust?
>
> Yes. But I am still searching for usable crates:
>
> openidconnect: https://github.com/ramosbugs/openidconnect-rs
>
> Seems promising, but I have not done any testing so far...
>
> > If yes, I am curious to know how to bind perl to Rust? Do you have an
> example?
>
> https://git.proxmox.com/?p=perlmod.git;a=summary
>
> Hope the inline docs and examples are good enough to start...
>
> > I noticed from our exchange :
> > During an API call, if the user is not authenticated, do not pass in
> private and privileged the writing on /tmp/.
>
> yes, unprivileged users should not be able to write anything.
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
next prev parent reply other threads:[~2021-06-03 8:34 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-02 10:48 [pve-devel] RE : RE : " Dietmar Maurer
2021-06-03 8:24 ` Victor Hooi [this message]
-- strict thread matches above, loose matches on Subject: below --
2021-06-01 9:04 [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login " Dietmar Maurer
2021-06-01 8:12 Dietmar Maurer
2021-05-27 21:55 Julien BLAIS
2021-05-28 7:38 ` Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMnnoUKKmqFri0D5J8Xan9PXosQ0mBm0wp=3ygoBEA8=wJjxZQ@mail.gmail.com' \
--to=victorhooi@yahoo.com \
--cc=pve-devel@lists.proxmox.com \
--cc=webmaster@jbsky.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal