Re: [pve-devel] RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

Re: [pve-devel] RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

[Dietmar Maurer]

> > I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough
> > to store that on the local file system?
> On the one hand, I enjoyed reusing your work.
> On the other hand, I think it is more secure to put this kind of data in /etc/pve/tmp/saml than in /tmp/saml/

No, I consider this less secure. Especially if the write is triggered by unauthenticated request...

> Then, yes, it is possible to store it on /tmp/saml for example, it is variable data. Nothing is fixed, you are free to do what you want.
> 
> > Unfortunately, your code depends on code not packaged for Debian. Any idea
> > how to replace that (cpanm Net::SAML2)?
> 
> Since I'm not a perl specialist, I took what seemed to me the most standard in this language. Have you considered cloning this repos available on GitHub(https://github.com/perl-net-saml2/perl-Net-SAML2)?

This module has way to much dependencies (Moose). I do not want to use that.

> > Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
> > for that and reuse the code with Proxmox Backup Server.
> 
> Do you have a specific project or library in mind?
> 
> Unfortunately, I don't have any knowledge about rust and I'll have a hard time accompanying you on this topic. However, it seems that there are projects on github in opensource, for example https://github.com/njaremko/samael.

All those SAML libs are basically unmaintained, without any large user base.

> I'll tell you again,nothing is fixed, you are free to do what you want.

I also wonder why SAML? Would it be an option to use OpenId connect instead?

[pve-devel] RE : RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

[wb]

> I also wonder why SAML? Would it be an option to use OpenId connect instead?
As I was able to use SAML, I know the functional part and therefore, if I used SAML, it is only by ease.

Switch to OpenID, why not. The time I set up a functional POC. 

On the other hand, I would like to know your constraints.

Do you still want to use Rust? If yes, I am curious to know how to bind perl to Rust? Do you have an example?
I noticed from our exchange :
During an API call, if the user is not authenticated, do not pass in private and privileged the writing on /tmp/.

Waiting for your feedback,

Sincerely,

Julien Blais


De : Dietmar Maurer
Envoyé le :mercredi 2 juin 2021 11:00
À : wb; Proxmox VE development discussion
Objet :Re: RE : [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

> > I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough
> > to store that on the local file system?
> On the one hand, I enjoyed reusing your work.
> On the other hand, I think it is more secure to put this kind of data in /etc/pve/tmp/saml than in /tmp/saml/

No, I consider this less secure. Especially if the write is triggered by unauthenticated request...

> Then, yes, it is possible to store it on /tmp/saml for example, it is variable data. Nothing is fixed, you are free to do what you want.
> 
> > Unfortunately, your code depends on code not packaged for Debian. Any idea
> > how to replace that (cpanm Net::SAML2)?
> 
> Since I'm not a perl specialist, I took what seemed to me the most standard in this language. Have you considered cloning this repos available on GitHub(https://github.com/perl-net-saml2/perl-Net-SAML2)?

This module has way to much dependencies (Moose). I do not want to use that.

> > Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
> > for that and reuse the code with Proxmox Backup Server.
> 
> Do you have a specific project or library in mind?
> 
> Unfortunately, I don't have any knowledge about rust and I'll have a hard time accompanying you on this topic. However, it seems that there are projects on github in opensource, for example https://github.com/njaremko/samael.

All those SAML libs are basically unmaintained, without any large user base.

> I'll tell you again,nothing is fixed, you are free to do what you want.

I also wonder why SAML? Would it be an option to use OpenId connect instead?

Re: [pve-devel] RE : RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

[Dietmar Maurer]

> On 06/02/2021 12:16 PM wb <webmaster@jbsky.fr> wrote:
> 
> 
> > I also wonder why SAML? Would it be an option to use OpenId connect instead?
> As I was able to use SAML, I know the functional part and therefore, if I used SAML, it is only by ease.
> 
> Switch to OpenID, why not. The time I set up a functional POC.
> 
> On the other hand, I would like to know your constraints.

Sorry, what do you want to know exactly?

> Do you still want to use Rust? 

Yes. But I am still searching for usable crates:

openidconnect: https://github.com/ramosbugs/openidconnect-rs

Seems promising, but I have not done any testing so far...

> If yes, I am curious to know how to bind perl to Rust? Do you have an example?

https://git.proxmox.com/?p=perlmod.git;a=summary

Hope the inline docs and examples are good enough to start...

> I noticed from our exchange :
> During an API call, if the user is not authenticated, do not pass in private and privileged the writing on /tmp/.

yes, unprivileged users should not be able to write anything.