Posted to dev@allura.apache.org by Ingo Hornberger <in...@gmx.net> on 2018/01/07 14:33:10 UTC

Re: SAML

Hi Dave,

thanks for your reply. I waited a bit longer with mine, as I wanted to have
the chance to dig deeper into SAML and get some first hands-on experience.
Actually I did a proof of concept now, and am still not sure what the best
integration looks like.

Currently I see the SAML authentication as an "add-on" to your normal user
authentication providers, because actually I don't care whether the additional
user data is stored in LDAP, Mongo or wherever. I'm just creating an open
session for a user if my trusted IDP tells me to.

So my current proof of concept is an app controller, which takes care of
the communication with the IDP and logs the user in when he is authorized.

Doing this in an App is obviously not the ideal solution. Having its own
mount point for SAML would be far better (e.g. http://myside.com/saml or
http://myside.com/auth/saml). But I found no way to achieve that with
Allura other than patching the root controller.

What I would need is a mount point for a controller and a view which
doesn't depend on a project or Application.

What do you think would be the best practice for that?

BR,
Ingo


2018-01-04 2:34 GMT+01:00 <de...@allura.apache.org>:

> From: Dave Brondsema <da...@brondsema.net>
> To: dev@allura.apache.org
> Cc:
> Bcc:
> Date: Thu, 28 Dec 2017 12:53:12 -0500
> Subject: Re: SAML
> Hi Ingo,
>
> The short answer unfortunately is that Allura uses some of the basics of
> Turbogears but does its own thing for most stuff, including authentication.
> The authentication system is pluggable in Allura, so it should be possible
> to write a SAML plugin, but the turbogears extension wouldn't work.
>
> These docs explain the methods that would have to be implemented:
> https://forge-allura.apache.org/docs/api/lib/plugin.html#allura.lib.plugin.AuthenticationProvider
>
> And
> https://forge-allura.apache.org/p/allura/git/ci/master/tree/Allura/allura/lib/plugin.py
> has the base AuthenticationProvider and the LocalAuthenticationProvider and
> LdapAuthenticationProvider code, which could be useful references.
>
> -Dave
>
> On 12/25/17 1:26 PM, Ingo Hornberger wrote:
> > Hey guys!
> > I just did some research into how Allura could be extended with SSO
> > functionality. I found that OpenID was once supported but
> > discontinued.
> >
> > Then I found out that TurboGears itself supports SAML with a pluggable
> > extension:
> >
> > https://pypi.python.org/pypi/tgapp-samlauth/0.0.2
> >
> > This sounded promising from an outside point of view. But I am new to TG,
> > so I wanted to ask you guys for some hints to find the best and most
> > pragmatic approach to get SAML or a similar protocol to work. It should
> > just cooperate with Keycloak. So a few configurations are possible, while
> > SAML would be preferred.
> >
> > Could such an extension work in Allura, or did you change too much in the
> > authentication system?
> >
> > Thanks in advance!
> >
> > Ingo
> >
>
>
>
> --
> Dave Brondsema : dave@brondsema.net
> http://www.brondsema.net : personal
> http://www.splike.com : programming
>               <><
>
>
>
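
The proof of concept above logs a user in "if my trusted IDP tells me to"; the security of that design rests entirely on what the service provider checks before it creates the session. The following is an added example for this thread, not Allura code and not Ingo's proof of concept: the checks a SAML 2.0 Response still needs after an XML-DSig library (python3-saml, signxml) has verified the Assertion's signature, which is assumed to have happened already. The entity IDs, the ACS URL under /auth/saml, the Keycloak-style IdP URL and the sample response itself are constructed for the example.

```python
"""Checks a SAML 2.0 Response still needs after its XML signature has been verified.
Added example for this thread, not Allura code or Ingo's proof of concept; it assumes the
Assertion's signature was already verified with python3-saml or signxml. Stdlib only."""
import datetime as dt
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

class SamlValidationError(Exception):
    pass

def _time(value):
    # xsd:dateTime in UTC; Keycloak and others may emit fractional seconds.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except (TypeError, ValueError):
            pass
    raise SamlValidationError("bad UTC timestamp %r" % value)

def validate_saml_response(xml_bytes, *, sp_entity_id, acs_url, idp_entity_id,
                           outstanding_request_ids, seen_assertion_ids, now,
                           clock_skew=dt.timedelta(minutes=3)):
    """Return the NameID of an acceptable bearer assertion, else raise.
    outstanding_request_ids: AuthnRequest IDs we issued and have not consumed (blocks
    unsolicited responses). seen_assertion_ids: replay cache kept until NotOnOrAfter."""
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != "{%s}Response" % NS["samlp"] or code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("not a successful samlp:Response")
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination is not our ACS URL")
    # One Assertion only: an unsigned sibling beside the signed one is the XML Signature Wrapping pattern.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected one Assertion, got %d" % len(assertions))
    a = assertions[0]
    for node in (root, a):
        issuer = node.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            raise SamlValidationError("Issuer is not the trusted IdP")
    if not a.get("ID") or a.get("ID") in seen_assertion_ids:
        raise SamlValidationError("assertion ID missing or replayed")
    cond = a.find("saml:Conditions", NS)
    if cond is None or sp_entity_id not in [x.text.strip() for x in cond.findall(
            "saml:AudienceRestriction/saml:Audience", NS) if x.text]:
        raise SamlValidationError("no Conditions naming this SP as Audience")
    if cond.get("NotBefore") and now + clock_skew < _time(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - clock_skew >= _time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']"
                 "/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise SamlValidationError("no bearer confirmation addressed to our ACS URL")
    if scd.get("InResponseTo") not in outstanding_request_ids:
        raise SamlValidationError("InResponseTo matches no outstanding request")
    if now - clock_skew >= _time(scd.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation expired")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlValidationError("no NameID")
    # Consume the request ID and record the assertion only after every check passed.
    outstanding_request_ids.discard(scd.get("InResponseTo"))
    seen_assertion_ids.add(a.get("ID"))
    return name_id.text.strip()

# Constructed sample, not a real IdP capture; entity IDs and URLs are assumptions.
SP_ID, ACS = "https://myside.com/auth/saml/metadata", "https://myside.com/auth/saml/acs"
IDP_ID = "https://idp.example/realms/allura"
SAMPLE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="_req42"
 IssueInstant="2018-01-07T14:33:00Z" Destination="https://myside.com/auth/saml/acs">
 <saml:Issuer>https://idp.example/realms/allura</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-01-07T14:33:00Z">
  <saml:Issuer>https://idp.example/realms/allura</saml:Issuer>
  <saml:Subject><saml:NameID>ingo</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2018-01-07T14:38:00Z"
     Recipient="https://myside.com/auth/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2018-01-07T14:32:00Z" NotOnOrAfter="2018-01-07T14:38:00Z">
   <saml:AudienceRestriction><saml:Audience>https://myside.com/auth/saml/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

def attempt(minutes_after_issue=0, acs_url=ACS, outstanding=None, seen=None, xml_bytes=SAMPLE):
    """Validate xml_bytes at IssueInstant + N minutes; return the NameID or the rejection text."""
    now = dt.datetime(2018, 1, 7, 14, 33, tzinfo=dt.timezone.utc) + dt.timedelta(minutes=minutes_after_issue)
    try:
        return validate_saml_response(xml_bytes, sp_entity_id=SP_ID, acs_url=acs_url, idp_entity_id=IDP_ID,
                                      outstanding_request_ids={"_req42"} if outstanding is None else outstanding,
                                      seen_assertion_ids=set() if seen is None else seen, now=now)
    except SamlValidationError as e:
        return str(e)
```

attempt() runs the validator against the constructed response at a chosen offset from its IssueInstant and returns either the NameID or the rejection reason, so the expired, replayed, unsolicited and wrong-Destination cases can be exercised without an IdP. The stdlib parser is used only to keep the example offline; production code should parse untrusted XML with defusedxml, and it must run these checks on the same Assertion element whose signature was verified, never on a sibling.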

Re: SAML

Posted by Dave Brondsema <da...@brondsema.net>.
Hi Ingo,

I wanted to check and see how your SAML work was going.  Any other issues we can
help with?

If my suggestion for a new extension point sounds useful, I could work on adding
that for you, especially if you are interested in contributing back your SAML
work.  If not, that's fine, but it would be great.

-Dave

On 1/9/18 11:54 AM, Dave Brondsema wrote:
> Exciting to hear you have a proof of concept working!  If you get it to a point
> where you are able to share it, that would be a nice contribution to the project.
> 
> I am not very familiar with SAML, but I understand now what you are saying about
> how it supplements instead of replaces the normal authentication.  I think the
> App is the best option right now - you could install it at the neighborhood so
> it is at /p/saml or something like that.  And then set `max_instances = 0` in
> the App so no other project can install it too.  I've done that for a few things
> that just need to exist in one place.  Obviously not great though.
> 
> The only other extension option available right now
> (https://forge-allura.apache.org/docs/development/extending.html) is middleware,
> but I think that would make it too separate and not as nice an integration.
> 
> I think the ideal solution would be to add a new extension point for arbitrary
> controllers.  In allura.controllers.root.RootController it could have a _lookup
> function to handle any unknown URL paths and then check in the new extensions
> for a matching controller.  Something like that could be useful for many things.
> 
> -Dave
> 




Re: SAML

Posted by Dave Brondsema <da...@brondsema.net>.
Exciting to hear you have a proof of concept working!  If you get it to a point
where you are able to share it, that would be a nice contribution to the project.

I am not very familiar with SAML, but I understand now what you are saying about
how it supplements instead of replaces the normal authentication.  I think the
App is the best option right now - you could install it at the neighborhood so
it is at /p/saml or something like that.  And then set `max_instances = 0` in
the App so no other project can install it too.  I've done that for a few things
that just need to exist in one place.  Obviously not great though.

The only other extension option available right now
(https://forge-allura.apache.org/docs/development/extending.html) is middleware,
but I think that would make it too separate and not as nice an integration.

I think the ideal solution would be to add a new extension point for arbitrary
controllers.  In allura.controllers.root.RootController it could have a _lookup
function to handle any unknown URL paths and then check in the new extensions
for a matching controller.  Something like that could be useful for many things.

-Dave
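
Dave's proposed extension point, as an added example that is not Allura code or TurboGears' dispatcher: a registry of extension controllers consulted from RootController._lookup, plus a minimal stand-in for object dispatch so it runs without TurboGears. The controller classes, the registry and the resolve/handle/can_register helpers are assumptions made for the example; in TurboGears, _lookup is only invoked when no attribute matched the URL segment and returns the controller together with the remaining path, which is the contract the stand-in follows.

```python
"""Root-level _lookup extension point in the TurboGears object-dispatch style.
Added example for Dave's suggestion; a simplified stand-in, not Allura's
RootController or TurboGears' dispatcher, so it runs without either. Controller,
registry and helper names are assumptions."""
import re

SEGMENT = re.compile(r"[a-z][a-z0-9_-]{0,31}")  # what an extension may claim at the root


class NotFound(Exception):
    pass


class ExtensionRegistry:
    """Maps one root URL segment to the controller an extension mounts there."""

    def __init__(self):
        self._controllers = {}

    def register(self, name, controller, root_cls):
        # Well-formed lowercase segment only, and never an existing root attribute:
        # an extension must not shadow /auth, /p, /u or an internal name.
        if not SEGMENT.fullmatch(name) or hasattr(root_cls, name):
            raise ValueError("extension may not be mounted at %r" % name)
        if name in self._controllers:
            raise ValueError("%r is already taken" % name)
        self._controllers[name] = controller

    def get(self, name):
        return self._controllers.get(name)


registry = ExtensionRegistry()


class SamlController:  # stand-in for the extension's controller (/saml/acs)
    def acs(self):
        return "saml-acs"


class AuthController:  # stand-in for Allura's existing /auth controller
    def login(self):
        return "login-form"


class RootController:
    auth = AuthController()

    def index(self):
        return "home"

    def _lookup(self, name, *remainder):
        # Called only when no attribute matched the segment; return the
        # controller plus the remaining path, or raise to produce a 404.
        ctrl = registry.get(name)
        if ctrl is None:
            raise NotFound(name)
        return ctrl, remainder


registry.register("saml", SamlController(), RootController)


def resolve(root, path):
    """Minimal object dispatch: walk PATH from ROOT, returning (object, leftover segments).
    Underscore-prefixed names are never reachable from a URL."""
    obj, segments = root, [s for s in path.split("/") if s]
    while segments:
        name = segments[0]
        if not name.startswith("_") and hasattr(obj, name):
            obj, segments = getattr(obj, name), segments[1:]
        elif hasattr(obj, "_lookup"):
            obj, segments = obj._lookup(*segments)
            segments = list(segments)
        else:
            raise NotFound(name)
    return obj, segments


def handle(root, path):
    """Resolve and invoke the matched method; '404' stands in for the HTTP error."""
    try:
        obj, leftover = resolve(root, path)
    except NotFound:
        return "404"
    return obj() if callable(obj) and not leftover else "404"


def can_register(name):
    """True if a fresh registry accepts NAME for a new controller."""
    try:
        ExtensionRegistry().register(name, SamlController(), RootController)
        return True
    except ValueError:
        return False
```

The two checks in register() are the ones worth keeping whatever the final shape takes: an extension must not be able to claim a segment that an existing root attribute already serves, and the dispatcher must never resolve underscore-prefixed names from a URL, since _lookup itself and Python internals live there. handle(RootController(), "/saml/acs") returns the extension's result; "/saml/_lookup", "/_lookup/saml" and an unregistered name all end in the 404 branch.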
