public inbox for pve-devel@lists.proxmox.com
From: Victor Hooi <victorhooi@yahoo.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: wb <webmaster@jbsky.fr>
Subject: Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2
Date: Thu, 3 Jun 2021 18:24:04 +1000	[thread overview]
Message-ID: <CAMnnoUKKmqFri0D5J8Xan9PXosQ0mBm0wp=3ygoBEA8=wJjxZQ@mail.gmail.com> (raw)
In-Reply-To: <966663888.3483.1622630895184@webmail.proxmox.com>

Hi,

I'm super excited to see this SSO support come to Proxmox. This is really
awesome stuff!

One question - I wonder if it would be possible to use Google
Workspace/Google Auth as the SAMLv2 IDP?

I'm definitely not an auth expert, but from casual reading, I think it
might be possible via setting up a custom SAML application, per this guide:

https://support.google.com/a/answer/6087519

What do you think?

I went into one of my Google Workspace domains, and tried adding a new
custom SAML app. It then gives you a confirmation page, where you can
download an IdP metadata file (.xml) - excerpted below:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C02hq58w2"
    validUntil="2026-01-18T05:49:17.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

SSO URL - https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2
Entity ID - https://accounts.google.com/o/saml2?idpid=C02hq58w2
Certificate - <ETC>

What do you think - would this work with your integration?

I'm willing to set up a Google Workspace domain for testing, and grant
access to anybody who wants to test.

Thanks,
Victor

On Wed, Jun 2, 2021 at 8:48 PM Dietmar Maurer <dietmar@proxmox.com> wrote:

>
> > On 06/02/2021 12:16 PM wb <webmaster@jbsky.fr> wrote:
> >
> >
> > > I also wonder why SAML? Would it be an option to use OpenId connect
> instead?
> > As I was able to use SAML, I know the functional part and therefore, if
> I used SAML, it is only by ease.
> >
> > Switch to OpenID, why not. The time I set up a functional POC.
> >
> > On the other hand, I would like to know your constraints.
>
> Sorry, what do you want to know exactly?
>
> > Do you still want to use Rust?
>
> Yes. But I am still searching for usable crates:
>
> openidconnect: https://github.com/ramosbugs/openidconnect-rs
>
> Seems promising, but I have not done any testing so far...
>
> > If yes, I am curious to know how to bind perl to Rust? Do you have an
> example?
>
> https://git.proxmox.com/?p=perlmod.git;a=summary
>
> Hope the inline docs and examples are good enough to start...
>
> > I noticed from our exchange :
> > During an API call, if the user is not authenticated, do not pass in
> private and privileged the writing on /tmp/.
>
> yes, unprivileged users should not be able to write anything.
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>


Thread overview: 6+ messages
2021-06-02 10:48 [pve-devel] RE : RE : " Dietmar Maurer
2021-06-03  8:24 ` Victor Hooi [this message]
  -- strict thread matches above, loose matches on Subject: below --
2021-06-01  9:04 [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature: login " Dietmar Maurer
2021-06-01  8:12 Dietmar Maurer
2021-05-27 21:55 Julien BLAIS
2021-05-28  7:38 ` Thomas Lamprecht
