* Re: [pve-devel] [PATCH] [PATCH pve-http-server] SSO feature: login with SAMLv2
@ 2021-05-31 8:03 Dietmar Maurer
2021-05-31 9:49 ` [pve-devel] RE : [PATCH] [PATCH pve-http-server] SSO feature: loginwith SAMLv2 wb
0 siblings, 1 reply; 3+ messages in thread
From: Dietmar Maurer @ 2021-05-31 8:03 UTC (permalink / raw)
To: Proxmox VE development discussion, Julien BLAIS
I am trying to test your code, so I need a SAML Identity provider. What is
the best OSS implementation for that?
I tried lemonldap-ng, but their example configuration is a nightmare and
I was unable to get that running. Is there anything else I can use to test?
- Dietmar
* [pve-devel] RE : [PATCH] [PATCH pve-http-server] SSO feature: loginwith SAMLv2
2021-05-31 8:03 [pve-devel] [PATCH] [PATCH pve-http-server] SSO feature: login with SAMLv2 Dietmar Maurer
@ 2021-05-31 9:49 ` wb
0 siblings, 0 replies; 3+ messages in thread
From: wb @ 2021-05-31 9:49 UTC (permalink / raw)
To: Dietmar Maurer, Proxmox VE development discussion
Hi,
You can find the instructions on your forum at this address with Keycloak as IdP.
⇨ https://forum.proxmox.com/threads/auth-module-openid-connect.79987/#post-390606
Keycloak is very easy to set up. You can even start from a docker container.
I will test later with lemonldap-ng to see if my code works with it.
Sincerely,
Julien Blais
From: Dietmar Maurer
Sent: Monday, 31 May 2021 10:04
To: Proxmox VE development discussion; Julien BLAIS
Subject: Re: [pve-devel] [PATCH] [PATCH pve-http-server] SSO feature: loginwith SAMLv2
I am trying to test your code, so I need a SAML Identity provider. What is
the best OSS implementation for that?
I tried lemonldap-ng, but their example configuration is a nightmare and
I was unable to get that running. Is there anything else I can use to test?
- Dietmar
* [pve-devel] [PATCH] [PATCH pve-http-server] SSO feature: login with SAMLv2
2021-05-27 21:55 [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login with SAMLv2 Julien BLAIS
@ 2021-05-27 21:55 ` Julien BLAIS
0 siblings, 0 replies; 3+ messages in thread
From: Julien BLAIS @ 2021-05-27 21:55 UTC (permalink / raw)
To: pve-devel; +Cc: Julien BLAIS
Add a formatted page that allows redirection.
For performance reasons, a raw format is used instead of a redirection initiated by the HTTP header.
/!\ Modification of the redirection URL for the /access/ticket endpoint.
Signed-off-by: Julien BLAIS <webmaster@jbsky.fr>
---
src/PVE/APIServer/Formatter/HTML.pm | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/PVE/APIServer/Formatter/HTML.pm b/src/PVE/APIServer/Formatter/HTML.pm
index 743d0ad..3a90aa8 100644
--- a/src/PVE/APIServer/Formatter/HTML.pm
+++ b/src/PVE/APIServer/Formatter/HTML.pm
@@ -277,7 +277,7 @@ PVE::APIServer::Formatter::register_page_formatter(
my $cookie = PVE::APIServer::Formatter::create_auth_cookie(
$data->{ticket}, $config->{cookie_name});
- my $headers = HTTP::Headers->new(Location => $get_portal_base_url->($config),
+ my $headers = HTTP::Headers->new(Location => '/',
'Set-Cookie' => $cookie);
return HTTP::Response->new(301, "Moved", $headers);
}
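Review bot: Replacing `$get_portal_base_url->($config)` with a literal '/' in the Location header changes the post-login redirect for every caller of the /access/ticket formatter, not only the SAML flow, and discards whatever base URL the config would have supplied. If the SAML path needs a different target, branch on that case and keep the helper for the existing one, or state in the commit message why '/' is always correct. The response also remains a 301 carrying Set-Cookie; a permanent redirect may be cached by clients, so 302 or 303 would be a safer status for a login response.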
@@ -293,4 +293,27 @@ PVE::APIServer::Formatter::register_page_formatter(
return ($raw, $portal_ct);
});
+PVE::APIServer::Formatter::register_page_formatter(
+ 'format' => $portal_format,
+ method => 'GET',
+ path => "/access/saml",
+ code => sub {
+ my ($res, $data, $param, $path, $auth, $config) = @_;
+
+ # Get realm from cookie, see TODO part in POST /access/ticket
+ my $cookie = PVE::APIServer::Formatter::create_auth_cookie(
+ $data->{realm}, 'realm');
+
+ my $page = qq[<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+ <html>
+ <body>
+ <script type="text/javascript">if ('$data->{url}' != '') window.location.href='$data->{url}';</script>
+ </body>
+ </html>
+ ];
+ my $headers = HTTP::Headers->new('Set-Cookie' => $cookie);
+ return HTTP::Response->new(200, "Moved", $headers, $page);
+
+ });
+
1;
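Review bot: `$data->{url}` is interpolated unescaped, twice, into a single-quoted JavaScript string in the inline `<script>` of the new /access/saml page, so a value containing a quote or `</script>` alters the script that runs in the portal's origin, and any value at all is followed as a redirect. Either send the redirect as a Location header, as the /access/ticket formatter does, or encode the value as a JavaScript string literal and check it against the expected IdP endpoint before emitting it. Smaller points in the same hunk: the comment says the realm is read from a cookie, but the code sets one through create_auth_cookie with the name 'realm', so confirm that helper's cookie attributes are what you want for a non-ticket value; and the response uses status 200 with the reason phrase "Moved", which should be made consistent.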
--
2.20.1