From mboxrd@z Thu Jan 1 00:00:00 1970
From: Victor Hooi
Date: Thu, 3 Jun 2021 18:24:04 +1000
To: Proxmox VE development discussion
Cc: wb
References: <966663888.3483.1622630895184@webmail.proxmox.com>
In-Reply-To: <966663888.3483.1622630895184@webmail.proxmox.com>
Subject: Re: [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
List-Id: Proxmox VE development discussion

Hi,

I'm super excited to see this SSO support come to Proxmox. This is really awesome stuff!

One question - I wonder if it would be possible to use Google Workspace/Google Auth as the SAMLv2 IDP?

I'm definitely not an auth expert, but from casual reading, I think it might be possible via setting up a custom SAML application, per this guide:

https://support.google.com/a/answer/6087519

What do you think?

I went into one of my Google Workspace domains, and tried adding a new custom SAML app. It then gives you a confirmation page, where you can download an IdP metadata file (.xml) - excerpted below:

MIIDdDCCAlygAwIBAgIGAXcZMLKUMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjEwMTE5
MDU0OTE3WhcNMjYwMTE4MDU0OTE3WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAqXFeh4hdnVNM0NbmrU7DhyZr5fb9l/2s2kohFJgfT2b6nI+3uqLf6eKoQSMfO9Fc
WZaWVIXDD9bFncaGMxeqcNjcSo5TS4jc3x3k5es0Phjf/nJZxCLXWsFFpvLY5LT37aX88sJoAYc6
vPZCOo7t+DO/c/H2Kmx26selDVKHMhQWP3k2UJiPAIF4xT3hglkSgiCkvZBjDNqfTVAkuwt1hNIy
DH7vqriwn+XHgA/kwlTb78IxU55hVC31V6LlnqPGoilsze4ueGFw3MF00RMSZd+sQpXZQ6751OVH
hazyHXS0Rscd4/GTfkKXEHh3/uJlTxlzIkq+76E4m0J6X1U1yQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQAkp4W796dK5r7cYan0MeEYaa9qEquxleiviB4J9s5iM45WUChJNF7pYaML+gdWfLasYb9B
mJqnG1ZsuH7DsDyr2hkVgGZPav23ZX9S4jAW5w+OsMmVm92MOsNocl4P9uM86WcMJy7eiGe2KIre
cSxVfIAsO0hGM7ZZHkH+knjYc6Sq5BnHVtxSGX4a6OlxI56XBpAA22H3egBNGknrglmrVUD2VOCT
z9ePxsPnW+CCzD4gPJJHBdliB2GhN/gYUKwyvXesvd8/TlsntzEpdBctnc83rnfCUF6Rx67Kn54c
FCaLUeQtqtUjHUK5eRCFU9XNc74oR8AvCHqB9owP3Zvs
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

SSO URL - https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2
Entity ID - https://accounts.google.com/o/saml2?idpid=C02hq58w2
Certificate -

What do you think - would this work with your integration?

I'm willing to set up a Google Workspace domain for testing, and grant access to anybody for testing?

Thanks,
Victor

On Wed, Jun 2, 2021 at 8:48 PM Dietmar Maurer wrote:

>
> > On 06/02/2021 12:16 PM wb wrote:
> >
> >
> > > I also wonder why SAML? Would it be an option to use OpenId connect instead?
> >
> > As I was able to use SAML, I know the functional part and therefore, if I used SAML, it is only by ease.
> >
> > Switch to OpenID, why not. The time I set up a functional POC.
> >
> > On the other hand, I would like to know your constraints.
>
> Sorry, what do you want to know exactly?
>
> > Do you still want to use Rust?
>
> Yes. But I am still searching for usable crates:
>
> openidconnect: https://github.com/ramosbugs/openidconnect-rs
>
> Seems promising, but I have not done any testing so far...
>
> > If yes, I am curious to know how to bind perl to Rust? Do you have an example?
>
> https://git.proxmox.com/?p=perlmod.git;a=summary
>
> Hope the inline docs and examples are good enough to start...
>
> > I noticed from our exchange:
> > During an API call, if the user is not authenticated, do not pass in private and privileged the writing on /tmp/.
>
> yes, unprivileged users should not be able to write anything.
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
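Editor's worked example (added to this archive page; it is not code from the patch under discussion, from Proxmox, or from Google): what a service provider has to pull out of the IdP metadata Victor describes, and what it should check before configuring it. The list software stripped the XML framing from his metadata file, so the sample document below is constructed in the element layout the SAML 2.0 metadata specification defines for an IdP, filled with the entityID, SSO URL, NameID format and signing certificate from his message; the assumption is that Google's real file has that shape. Standard-library Python only, with a minimal DER walker so the certificate's validity window can be read without an X.509 library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
UTCTIME = "%y%m%d%H%M%SZ"  # ASN.1 UTCTime, as used in X.509 validity

# Signing certificate exactly as posted in the mail above (base64 DER).
CERT_B64 = """
MIIDdDCCAlygAwIBAgIGAXcZMLKUMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjEwMTE5
MDU0OTE3WhcNMjYwMTE4MDU0OTE3WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAqXFeh4hdnVNM0NbmrU7DhyZr5fb9l/2s2kohFJgfT2b6nI+3uqLf6eKoQSMfO9Fc
WZaWVIXDD9bFncaGMxeqcNjcSo5TS4jc3x3k5es0Phjf/nJZxCLXWsFFpvLY5LT37aX88sJoAYc6
vPZCOo7t+DO/c/H2Kmx26selDVKHMhQWP3k2UJiPAIF4xT3hglkSgiCkvZBjDNqfTVAkuwt1hNIy
DH7vqriwn+XHgA/kwlTb78IxU55hVC31V6LlnqPGoilsze4ueGFw3MF00RMSZd+sQpXZQ6751OVH
hazyHXS0Rscd4/GTfkKXEHh3/uJlTxlzIkq+76E4m0J6X1U1yQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQAkp4W796dK5r7cYan0MeEYaa9qEquxleiviB4J9s5iM45WUChJNF7pYaML+gdWfLasYb9B
mJqnG1ZsuH7DsDyr2hkVgGZPav23ZX9S4jAW5w+OsMmVm92MOsNocl4P9uM86WcMJy7eiGe2KIre
cSxVfIAsO0hGM7ZZHkH+knjYc6Sq5BnHVtxSGX4a6OlxI56XBpAA22H3egBNGknrglmrVUD2VOCT
z9ePxsPnW+CCzD4gPJJHBdliB2GhN/gYUKwyvXesvd8/TlsntzEpdBctnc83rnfCUF6Rx67Kn54c
FCaLUeQtqtUjHUK5eRCFU9XNc74oR8AvCHqB9owP3Zvs
"""

# Constructed sample: the element layout the SAML metadata spec defines for an
# IdP, filled with the entityID, SSO URL and NameID format from the mail.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://accounts.google.com/o/saml2?idpid=C02hq58w2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C02hq58w2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _tlv(buf, off):
    """One DER TLV at buf[off] -> (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low bits = number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, off, off + length

def cert_validity(der):
    """Certificate -> tbsCertificate -> validity: (notBefore, notAfter) as raw UTCTime."""
    tag, off, end = _tlv(der, 0)  # Certificate SEQUENCE must span the whole blob
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, off, _ = _tlv(der, off)  # tbsCertificate SEQUENCE
    if der[off] == 0xA0:  # optional [0] EXPLICIT version
        off = _tlv(der, off)[2]
    for _ in range(3):  # skip serialNumber, signature, issuer
        off = _tlv(der, off)[2]
    tag, off, _ = _tlv(der, off)  # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    _, a, b = _tlv(der, off)  # notBefore
    _, c, d = _tlv(der, b)  # notAfter
    return der[a:b].decode("ascii"), der[c:d].decode("ascii")

def parse_idp_metadata(xml_text):
    """What the SP pins: entityID, SSO endpoints, NameID formats, signing certs + SHA-256 pins."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML IdP metadata")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # absent 'use' = signing and encryption
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                certs.append(base64.b64decode("".join(c.text.split())))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    return {"entity_id": root.get("entityID"), "sso": sso,
            "name_id_formats": [n.text.strip() for n in idp.findall(f"{{{MD}}}NameIDFormat")],
            "signing_certs": certs,
            "pins": [hashlib.sha256(d).hexdigest() for d in certs]}

def check_idp_metadata(meta, now=None, binding=HTTP_REDIRECT):
    """Reasons this IdP must not be configured as-is (empty list = OK); `now` is UTCTime text."""
    now = (datetime.strptime(now, UTCTIME) if now
           else datetime.now(timezone.utc).replace(tzinfo=None))
    problems = []
    loc = meta["sso"].get(binding)
    if loc is None:
        problems.append(f"no SingleSignOnService for {binding}")
    elif not loc.startswith("https://"):
        problems.append(f"SSO endpoint is not https: {loc}")
    if not meta["signing_certs"]:
        problems.append("no signing certificate: assertions could never be verified")
    for der in meta["signing_certs"]:
        try:
            nb, na = cert_validity(der)
        except (IndexError, ValueError) as e:
            problems.append(f"bad signing certificate: {e}")
            continue
        if not datetime.strptime(nb, UTCTIME) <= now <= datetime.strptime(na, UTCTIME):
            problems.append(f"signing certificate expired or not yet valid ({nb}..{na})")
    return problems

if __name__ == "__main__":
    m = parse_idp_metadata(IDP_METADATA)
    print(m["entity_id"], m["sso"], m["pins"], cert_validity(m["signing_certs"][0]))
    print("problems:", check_idp_metadata(m) or "none")
```

The point of returning `pins` is that the SP should store the SHA-256 of the DER certificate taken from metadata fetched once, over HTTPS, from the admin console, and verify assertion signatures only against that pinned key; re-fetching whatever metadata an IdP URL serves at login time would let anyone who can answer that URL mint their own assertions. The expiry check is not academic either: the certificate in Victor's excerpt carries a notAfter of 18 January 2026, after which every assertion it signs would fail verification and the SP configuration has to be rotated.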