Merge pull request neuvector#1090 from holyspectral/saml-slo

NVSHAS-7616 SAML Single Logout (SLO) support

controller/api/apis.go

@@ -239,8 +239,15 @@ type RESTFedAuthData struct {
 	MasterToken    string `json:"master_token"`
 }
 
+// Used to generate redirect request for integration like SAML or OIDC.
 type RESTTokenRedirect struct {
+	// The NeuVector URL to redirect after authentication/logout.
 	Redirect string `json:"redirect_endpoint"`
+	// (Optional)
+	// When absent, the redirect url will be used as issuer in SAML request.
+	// When it is specified, the value here will be used as the issuer.
+	// This is for Single Logout where redirect url and issue can be different.
+	Issuer string `json:"issuer"`
 }
 
 type RESTToken struct {
@@ -346,6 +353,12 @@ type RESTServerSAML struct {
 	DefaultRole      string                    `json:"default_role"`
 	RoleGroups       map[string][]string       `json:"role_groups,omitempty"`        // role -> groups
 	GroupMappedRoles []*share.GroupRoleMapping `json:"group_mapped_roles,omitempty"` // group -> (role -> domains)
+
+	AuthnSigningEnabled bool   `json:"authn_signing_enabled,omitempty"` // Optional. Enable signing AuthnRequest.  Default off.
+	SigningCert         string `json:"signing_cert,omitempty"`          // Optional.
+	//SigningKey          string `json:"signing_key,omitempty"`           // Optional.
+	SLOEnabled bool   `json:"slo_enabled,omitempty"` // Optional.
+	SLOURL     string `json:"slo_url,omitempty"`     // Optional.
 }
 
 type RESTServerOIDC struct {
@@ -420,6 +433,12 @@ type RESTServerSAMLConfig struct {
 	RoleGroups       *map[string][]string       `json:"role_groups,omitempty"`        // role -> groups. deprecated since 4.2
 	GroupMappedRoles *[]*share.GroupRoleMapping `json:"group_mapped_roles,omitempty"` // group -> (role -> domains)
 	X509CertExtra    *[]string                  `json:"x509_cert_extra,omitempty"`
+
+	AuthnSigningEnabled *bool   `json:"authn_signing_enabled,omitempty"` // Optional. Enable signing AuthnRequest.  Default off.
+	SigningCert         *string `json:"signing_cert,omitempty"`          // Optional.
+	SigningKey          *string `json:"signing_key,omitempty"`           // Optional.
+	SLOEnabled          *bool   `json:"slo_enabled,omitempty"`           // Optional.
+	SLOURL              *string `json:"slo_url,omitempty"`               // Optional.
 }
 
 type RESTServerSAMLConfigCfgMap struct {
@@ -1043,14 +1062,14 @@ type RESTConversationEndpointConfigData struct {
 }
 
 type RESTConversationReportEntry struct {
-	Bytes        uint64   `json:"bytes"`
-	Sessions     uint32   `json:"sessions"`
-	Port         string   `json:"port,omitempty"`
-	Application  string   `json:"application,omitempty"`
-	PolicyAction string   `json:"policy_action"`
-	CIP          string   `json:"client_ip,omitempty"`
-	SIP          string   `json:"server_ip,omitempty"`
-	FQDN         string   `json:"fqdn,omitempty"`
+	Bytes        uint64 `json:"bytes"`
+	Sessions     uint32 `json:"sessions"`
+	Port         string `json:"port,omitempty"`
+	Application  string `json:"application,omitempty"`
+	PolicyAction string `json:"policy_action"`
+	CIP          string `json:"client_ip,omitempty"`
+	SIP          string `json:"server_ip,omitempty"`
+	FQDN         string `json:"fqdn,omitempty"`
 }
 
 type RESTConversationReport struct {

controller/api/apis.yaml

@@ -9704,6 +9704,15 @@ definitions:
         type: array
         items:
           $ref: '#/definitions/RESTX509CertInfo'
+      slo_enabled:
+        type: boolean
+        example: true
+      slo_url:
+        type: string
+        example: https://dev.oktapreview.com/app/examplesamlapp_1/exjlpo0/slo/saml
+      signing_cert:
+        type: string
+        example: E7B0OS/N3KMVCL6KNMZ2+LOV90S7854NSD84P0BF
   RESTServer:
     type: object
     required:
@@ -9837,6 +9846,18 @@ definitions:
         items:
           type: string
         example: ["E7B0OS/N3KMVCL6KNMZ2+LOV90S7854NSD84P0BF", "E7B0OS/N3KMVCL6KNMZ2+LOV90S7854NSD84P0BF"]
+      slo_enabled:
+        type: boolean
+        example: true
+      slo_url:
+        type: string
+        example: https://dev.oktapreview.com/app/examplesamlapp_1/exjlpo0/slo/saml
+      signing_cert:
+        type: string
+        example: E7B0OS/N3KMVCL6KNMZ2+LOV90S7854NSD84P0BF
+      signing_key:
+        type: string
+        example: E7B0OS/N3KMVCL6KNMZ2+LOV90S7854NSD84P0BF
   RESTServerConfig:
     type: object
     required:

controller/api/internal_apis.yaml

@@ -0,0 +1,155 @@
+swagger: '2.0'
+
+################################################################################
+#                     Internal API Information                                 #
+################################################################################
+info:
+  description: Secure Docker and Kubernetes based container deployments with the NeuVector run-time security solution.
+  title: NeuVector Internal API
+  version: '1.0'
+schemes:
+  - https
+
+################################################################################
+#                                   Tags                                       #
+################################################################################
+tags:
+  - name: Authentication
+    description: Authenticates login or logout
+
+################################################################################
+#                                  Paths                                       #
+################################################################################
+paths:
+  /v1/token_auth_server/{server}:
+    get:
+      summary: Generate login request for integration, e.g., OIDC or SAML.
+      tags:
+        - Authentication
+      parameters:
+        - in: body
+          name: body
+          description: OIDC/SAML login data
+          required: true
+          schema:
+            $ref: '#/definitions/RESTGenerateServerLoginRequest'
+      produces:
+        - application/json
+      responses:
+        '200':
+          description: Success
+          schema:
+            $ref: '#/definitions/RESTGenerateServerLoginResponse'
+        '400':
+          description: Bad request
+          schema:
+            $ref: '#/definitions/RESTError'
+    post:
+      summary: Create login token via integration, e.g., OIDC or SAML.
+      tags:
+        - Authentication
+      parameters:
+        - in: body
+          name: body
+          description: OIDC/SAML login data
+          required: true
+          schema:
+            $ref: '#/definitions/RESTGenerateServerLoginRequest'
+      produces:
+        - application/json
+      responses:
+        '200':
+          description: Success
+          schema:
+            $ref: '#/definitions/RESTGenerateServerLoginResponse'
+        '400':
+          description: Bad request
+          schema:
+            $ref: '#/definitions/RESTError'
+  /v1/token_auth_server/{server}/slo:
+    get:
+      summary: Create redirect url for Single Signout request.  Currently only SAML is supported.
+      tags:
+        - Authentication
+      security:
+        - TokenAuth: []
+      parameters:
+        - in: body
+          name: body
+          description: OIDC/SAML logout data
+          required: true
+          schema:
+            $ref: '#/definitions/RESTGenerateServerLogoutRequest'
+      produces:
+        - application/json
+      responses:
+        '200':
+          description: Success
+          schema:
+            $ref: '#/definitions/RESTGenerateServerLogoutResponse'
+        '400':
+          description: Bad request
+          schema:
+            $ref: '#/definitions/RESTError'
+        '401':
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/RESTError'
+################################################################################
+#                                 Definitions                                  #
+################################################################################
+definitions:
+  RESTGenerateServerLoginRequest:
+    required:
+      - 'redirect_endpoint'
+    type: object
+    properties:
+      redirect_endpoint:
+        description: 'The URL used in redirect request, e.g., SAML Authn request.'
+        type: string
+        example: 'https://<server>/token_auth_server'
+      issuer:
+        description: 'The issuer of the login request.  When absent, redirect_endpoint will be used.'
+        type: string
+        example: 'https://<server>/token_auth_server'
+  RESTGenerateServerLoginResponse:
+    required:
+      - 'redirect_endpoint'
+    type: object
+    properties:
+      redirect:
+        type: object
+        properties:
+          redirect_url:
+            description: 'The URL to be used by browser to make redirect request.'
+            type: string
+            example: 'https://login.microsoftonline.com/xxx/saml2?SAMLRequest=lFLLbt...'
+          server_name:
+            description: 'The server resource name used to generate this redirect request'
+            type: string
+            example: 'saml1'
+          server_type:
+            description: 'Type of this redirect request.'
+            type: string
+            enum: [oidc, saml]
+            example: 'saml'
+  RESTGenerateServerLogoutRequest:
+    $ref: '#/definitions/RESTGenerateServerLoginRequest'
+  RESTGenerateServerLogoutResponse:
+    $ref: '#/definitions/RESTGenerateServerLoginResponse'
+  RESTError:
+    type: object
+    required:
+      - code
+      - error
+      - message
+    properties:
+      code:
+        type: integer
+        example: 6
+      error:
+        type: string
+        example: 'Request in wrong format'
+      message:
+        type: string
+        example: 'Get redirect URL request error'