Fix new saml provider form, add fields for specifying assertion keys #1962

Merged
merged 4 commits into from
Sep 26, 2023
13 changes: 8 additions & 5 deletions options/locale/locale_en-US.ini
Expand Up @@ -2967,12 +2967,15 @@ auths.sspi_separator_replacement_helper = The character to use to replace the se
auths.sspi_default_language = Default user language
auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method. Leave empty if you prefer language to be automatically detected.
auths.saml_nameidformat = SAML NameID Format
auths.saml_IdentityProviderMetadataURL = Identity Provider Metadata URL
auths.saml_IdentityProviderMetadata = Identity Provider Metadata XML
auths.saml_identity_provider_metadata_url = Identity Provider Metadata URL
auths.saml_identity_provider_metadata = Identity Provider Metadata XML
auths.saml_insecure_skip_assertion_signature_validation = [Insecure] Skip Assertion Signature Validation
auths.saml_ServiceProviderCertificate = Service Provider Certificate
auths.saml_ServiceProviderPrivateKey = Service Provider Private Key
auths.saml_SignRequests = Sign SAML Requests
auths.saml_service_provider_certificate = Service Provider Certificate
auths.saml_service_provider_private_key = Service Provider Private Key
auths.saml_sign_requests = Sign SAML Requests
auths.saml_identity_provider_email_assertion_key = Email Assertion Key
auths.saml_identity_provider_name_assertion_key = Name Assertion Key
auths.saml_identity_provider_username_assertion_key = Username Assertion Key
auths.tips = Tips
auths.tips.oauth2.general = OAuth2 Authentication
auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be:
3 changes: 3 additions & 0 deletions routers/web/admin/auths.go
Expand Up @@ -287,6 +287,9 @@ func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml
ServiceProviderCertificate: form.ServiceProviderCertificate,
ServiceProviderPrivateKey: form.ServiceProviderPrivateKey,
SignRequests: form.SignRequests,
EmailAssertionKey: form.EmailAssertionKey,
NameAssertionKey: form.NameAssertionKey,
UsernameAssertionKey: form.UsernameAssertionKey,
}, nil
}

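Review bot: The three new assignments starting at `EmailAssertionKey: form.EmailAssertionKey,` copy the submitted values verbatim, so an admin who clears one of the fields persists an empty attribute name and the callback later indexes `samlMap[""]`. The defaults exist only as `value=` attributes in the new/edit templates, which the server never sees once a field is blanked. Either validate the three form fields as required or fall back to the template defaults here before building the Source; the fallback version is sketched below. parseSAMLConfig begins outside the hunk, so where the existing validation runs is not visible here.
```go
	// … unchanged: earlier parsing of the SAML form fields …
	emailKey := form.EmailAssertionKey
	if emailKey == "" {
		emailKey = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
	}
	nameKey := form.NameAssertionKey
	if nameKey == "" {
		nameKey = "http://schemas.xmlsoap.org/claims/CommonName"
	}
	usernameKey := form.UsernameAssertionKey
	if usernameKey == "" {
		usernameKey = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
	}
	// … unchanged: the rest of the Source literal …
		EmailAssertionKey:    emailKey,
		NameAssertionKey:     nameKey,
		UsernameAssertionKey: usernameKey,
```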
7 changes: 7 additions & 0 deletions services/auth/source/saml/source.go
Expand Up @@ -38,6 +38,13 @@ type Source struct {

CallbackURL string

// EmailAssertionKey description: Assertion key for user.Email
EmailAssertionKey string
// NameAssertionKey description: Assertion key for user.NickName
NameAssertionKey string
// UsernameAssertionKey description: Assertion key for user.Name
UsernameAssertionKey string

// reference to the authSource
authSource *auth.Source

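Review bot: The field comments `// EmailAssertionKey description: Assertion key for user.Email` and the two below read like generated schema text rather than Go doc comments, and they do not say what the value is (a SAML attribute name) or whether it may be empty, which matters because the callback indexes samlMap with it directly. Suggest `// EmailAssertionKey is the name of the SAML assertion attribute whose value becomes user.Email.` and the same shape for NameAssertionKey (user.NickName) and UsernameAssertionKey (user.Name), plus one sentence stating the behaviour for an empty value. The Source struct begins outside the hunk.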
14 changes: 6 additions & 8 deletions services/auth/source/saml/source_callout.go
Expand Up @@ -60,19 +60,17 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
return user, fmt.Errorf("no nameID found in SAML response")
}

// TODO: rather than hardcoding assertion keys, we should allow setting them in the UI

// email
if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]; !ok {
user.Email = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]
if _, ok := samlMap[source.EmailAssertionKey]; !ok {
user.Email = samlMap[source.EmailAssertionKey]
}
// name
if _, ok := samlMap["http://schemas.xmlsoap.org/claims/CommonName"]; !ok {
user.NickName = samlMap["http://schemas.xmlsoap.org/claims/CommonName"]
if _, ok := samlMap[source.NameAssertionKey]; !ok {
user.NickName = samlMap[source.NameAssertionKey]
}
// username
if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]; !ok {
user.Name = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
if _, ok := samlMap[source.UsernameAssertionKey]; !ok {
user.Name = samlMap[source.UsernameAssertionKey]
}

// TODO: utilize groups later on
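Review bot: The condition in `if _, ok := samlMap[source.EmailAssertionKey]; !ok {` is inverted: the assignment runs only when the attribute is absent, so user.Email is set to the empty string when the IdP omits it and left untouched when the IdP supplies it, and the name and username checks below carry the same inversion. Rewrite each as `if v, ok := samlMap[source.EmailAssertionKey]; ok { user.Email = v }`, with the matching change for NameAssertionKey/user.NickName and UsernameAssertionKey/user.Name. If user.Name is what account creation keys on further down, a missing or empty username should be rejected explicitly rather than silently yielding a blank name; whether a later check covers that is not visible in the hunk. Callback begins and ends outside the hunk.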
3 changes: 3 additions & 0 deletions services/forms/auth_form.go
Expand Up @@ -92,6 +92,9 @@ type AuthenticationForm struct {
ServiceProviderCertificate string
ServiceProviderPrivateKey string
SignRequests bool
EmailAssertionKey string
NameAssertionKey string
UsernameAssertionKey string
}

// Validate validates fields
25 changes: 20 additions & 5 deletions templates/admin/auth/edit.tmpl
Expand Up @@ -385,11 +385,11 @@
</div>

<div class="field">
<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_IdentityProviderMetadataURL"}}</label>
<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{$cfg.IdentityProviderMetadataURL}}">
</div>
<div class="field">
<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_IdentityProviderMetadata"}}</label>
<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_identity_provider_metadata"}}</label>
<textarea rows=2 id="identity_provider_metadata" name="identity_provider_metadata">{{$cfg.IdentityProviderMetadata}}</textarea>
</div>

Expand All @@ -401,20 +401,35 @@
</div>

<div class=" field">
<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_ServiceProviderCertificate"}}</label>
<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate">{{$cfg.ServiceProviderCertificate}}</textarea>
</div>
<div class=" field">
<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_ServiceProviderPrivateKey"}}</label>
<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key">{{$cfg.ServiceProviderPrivateKey}}</textarea>
</div>

<div class="inline field">
<div class="ui checkbox">
<label><strong>{{.locale.Tr "admin.auths.saml_SignRequests"}}</strong></label>
<label><strong>{{.locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
<input name="sign_requests" type="checkbox" {{if $cfg.SignRequests}}checked{{end}}>
</div>
</div>

<div class="field">
<label for="email_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
<input id="email_assertion_key" name="email_assertion_key" value="{{if not $cfg.EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{$cfg.EmailAssertionKey}}{{end}}">
</div>

<div class="field">
<label for="name_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
<input id="name_assertion_key" name="name_assertion_key" value="{{if not $cfg.NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{$cfg.NameAssertionKey}}{{end}}">
</div>

<div class="field">
<label for="username_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
<input id="username_assertion_key" name="username_assertion_key" value="{{if not $cfg.UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{$cfg.UsernameAssertionKey}}{{end}}">
</div>
{{end}}

<!-- SSPI -->
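Review bot: The default attribute names in `value="{{if not $cfg.EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{$cfg.EmailAssertionKey}}{{end}}"` and the two inputs below are literals embedded in the template, and the same three literals are repeated in templates/admin/auth/source/saml.tmpl. Two copies of a default drift; a single Go-side default applied by the handler, with the template rendering just `{{$cfg.EmailAssertionKey}}`, would keep the new form, the edit form and the callback in agreement. Note also that the email default here ends in `emailaddress` while the key the callback previously hard-coded ended in `emailaddres`; if existing sources have no stored value for the new fields they will carry an empty key until an admin re-saves the form, which argues for a server-side fallback or a migration.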
2 changes: 1 addition & 1 deletion templates/admin/auth/new.tmpl
Expand Up @@ -54,7 +54,7 @@
{{template "admin/auth/source/sspi" .}}

<!-- SAML -->
+ {{template "admin/auth/source/saml" .}}
{{template "admin/auth/source/saml" .}}

<div class="ldap field">
<div class="ui checkbox">
19 changes: 17 additions & 2 deletions templates/admin/auth/source/saml.tmpl
@@ -1,4 +1,4 @@
<div class="saml field {{if not (eq .type 99)}}gt-hidden{{end}}">
<div class="saml field {{if not (eq .type 8)}}gt-hidden{{end}}">

<div class="inline required field">
<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>
Expand Down Expand Up @@ -41,9 +41,24 @@

<div class="inline field">
<div class="ui checkbox">
<label><strong>{{.locale.Tr "admin.auths.sign_requests"}}</strong></label>
<label><strong>{{.locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
<input name="sign_requests" type="checkbox" {{if .SignRequests}}checked{{end}}>
</div>
</div>

<div class="field">
<label for="email_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
<input id="email_assertion_key" name="email_assertion_key" value="{{if not .EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{.EmailAssertionKey}}{{end}}">
</div>

<div class="field">
<label for="name_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
<input id="name_assertion_key" name="name_assertion_key" value="{{if not .NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{.NameAssertionKey}}{{end}}">
</div>

<div class="field">
<label for="username_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
<input id="username_assertion_key" name="username_assertion_key" value="{{if not .UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{.UsernameAssertionKey}}{{end}}">
</div>

</div>
4 changes: 4 additions & 0 deletions web_src/js/features/admin/common.js
Expand Up @@ -137,6 +137,10 @@ export function initAdminCommon() {
showElem($('.sspi'));
$('.sspi div.required input').attr('required', 'required');
break;
case '8': // SAML
showElem($('.saml'));
$('.saml div.required input').attr('required', 'required');
break;
}
if (authType === '2' || authType === '5') {
onSecurityProtocolChange();
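Review bot: The literal in `case '8': // SAML` must stay in step with `{{if not (eq .type 8)}}` in templates/admin/auth/source/saml.tmpl and with the Go auth-type value, and nothing ties the three together beyond the number itself. The existing comment helps; extending it to name the template and the Go constant, e.g. `case '8': // SAML — must match the Go auth type and the type check in admin/auth/source/saml.tmpl`, makes the coupling findable when the next type is added. initAdminCommon begins and ends outside the hunk.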