Re: [pve-devel] RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

Re: [pve-devel] RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

[Dietmar Maurer]

> > I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough
> > to store that on the local file system?
> On the one hand, I enjoyed reusing your work.
> On the other hand, I think it is more secure to put this kind of data in /etc/pve/tmp/saml than in /tmp/saml/

No, I consider this less secure. Especially if the write is triggered by unauthenticated request...

> Then, yes, it is possible to store it on /tmp/saml for example, it is variable data. Nothing is fixed, you are free to do what you want.
> 
> > Unfortunately, your code depends on code not packaged for Debian. Any idea
> > how to replace that (cpanm Net::SAML2)?
> 
> Since I'm not a perl specialist, I took what seemed to me the most standard in this language. Have you considered cloning this repos available on GitHub(https://github.com/perl-net-saml2/perl-Net-SAML2)?

This module has way to much dependencies (Moose). I do not want to use that.

> > Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
> > for that and reuse the code with Proxmox Backup Server.
> 
> Do you have a specific project or library in mind?
> 
> Unfortunately, I don't have any knowledge about rust and I'll have a hard time accompanying you on this topic. However, it seems that there are projects on github in opensource, for example https://github.com/njaremko/samael.

All those SAML libs are basically unmaintained, without any large user base.

> I'll tell you again,nothing is fixed, you are free to do what you want.

I also wonder why SAML? Would it be an option to use OpenId connect instead?

[pve-devel] RE : RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

[wb]

> I also wonder why SAML? Would it be an option to use OpenId connect instead?
As I was able to use SAML, I know the functional part and therefore, if I used SAML, it is only by ease.

Switch to OpenID, why not. The time I set up a functional POC. 

On the other hand, I would like to know your constraints.

Do you still want to use Rust? If yes, I am curious to know how to bind perl to Rust? Do you have an example?
I noticed from our exchange :
During an API call, if the user is not authenticated, do not pass in private and privileged the writing on /tmp/.

Waiting for your feedback,

Sincerely,

Julien Blais


De : Dietmar Maurer
Envoyé le :mercredi 2 juin 2021 11:00
À : wb; Proxmox VE development discussion
Objet :Re: RE : [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

> > I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough
> > to store that on the local file system?
> On the one hand, I enjoyed reusing your work.
> On the other hand, I think it is more secure to put this kind of data in /etc/pve/tmp/saml than in /tmp/saml/

No, I consider this less secure. Especially if the write is triggered by unauthenticated request...

> Then, yes, it is possible to store it on /tmp/saml for example, it is variable data. Nothing is fixed, you are free to do what you want.
> 
> > Unfortunately, your code depends on code not packaged for Debian. Any idea
> > how to replace that (cpanm Net::SAML2)?
> 
> Since I'm not a perl specialist, I took what seemed to me the most standard in this language. Have you considered cloning this repos available on GitHub(https://github.com/perl-net-saml2/perl-Net-SAML2)?

This module has way to much dependencies (Moose). I do not want to use that.

> > Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
> > for that and reuse the code with Proxmox Backup Server.
> 
> Do you have a specific project or library in mind?
> 
> Unfortunately, I don't have any knowledge about rust and I'll have a hard time accompanying you on this topic. However, it seems that there are projects on github in opensource, for example https://github.com/njaremko/samael.

All those SAML libs are basically unmaintained, without any large user base.

> I'll tell you again,nothing is fixed, you are free to do what you want.

I also wonder why SAML? Would it be an option to use OpenId connect instead?

[pve-devel] RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

[wb]

> I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough
> to store that on the local file system?
On the one hand, I enjoyed reusing your work.
On the other hand, I think it is more secure to put this kind of data in /etc/pve/tmp/saml than in /tmp/saml/
Then, yes, it is possible to store it on /tmp/saml for example, it is variable data. Nothing is fixed, you are free to do what you want.

> Unfortunately, your code depends on code not packaged for Debian. Any idea 
> how to replace that (cpanm Net::SAML2)?

Since I'm not a perl specialist, I took what seemed to me the most standard in this language. Have you considered cloning this repos available on GitHub(https://github.com/perl-net-saml2/perl-Net-SAML2)?

> Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
> for that and reuse the code with Proxmox Backup Server.

Do you have a specific project or library in mind?

Unfortunately, I don't have any knowledge about rust and I'll have a hard time accompanying you on this topic. However, it seems that there are projects on github in opensource, for example https://github.com/njaremko/samael.

I'll tell you again,nothing is fixed, you are free to do what you want.

I test with lemonldapng which is less simple to install and to handle than keycloak.

I remain at your disposal if needed.

Yours sincerely,


De : Dietmar Maurer
Envoyé le :mardi 1 juin 2021 11:04
À : Proxmox VE development discussion; Julien BLAIS
Objet :Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

Unfortunately, your code depends on code not packaged for Debian. Any idea 
how to replace that (cpanm Net::SAML2)?

Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
for that and reuse the code with Proxmox Backup Server.

Other ideas?

> diff --git a/src/PVE/Auth/SAML.pm b/src/PVE/Auth/SAML.pm
> new file mode 100644
> index 0000000..4653cb7
> --- /dev/null
> +++ b/src/PVE/Auth/SAML.pm
> @@ -0,0 +1,248 @@
> +# Instructions for installation :
> +# apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus
> +# cpanm Net::SAML2
> +# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2
> +# ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2