Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FR] SAMl/OIDC(-supported) Authentication #973

Open
patschi opened this issue Aug 9, 2021 · 4 comments
Open

[FR] SAMl/OIDC(-supported) Authentication #973

patschi opened this issue Aug 9, 2021 · 4 comments

Comments

@patschi
Copy link
Contributor

patschi commented Aug 9, 2021

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
I'd appreciate a "SAML/OIDC-supported authentication" when e.g. a Load Balancer/reverse proxy is doing the SAML challenge in front of the Froxlor instance.

In this case it works like:

  1. You visit froxlor.domain.tld
  2. LB/RP redirects to the SAML IDP, does its magic
  3. On success auth, it redirects through to Froxlor

With a bit support of Froxlor it would continue with:
4. A specific HTTP header is added from the LB/RP facing towards Froxlor (e.g. X-User-Authed: user1)
5. Froxlor checks for existence of header X-User-Authed: user1
6. If so, parsing the username and initiating logon without password authentication

This would allow an integration with https://github.com/authelia/authelia or other LBs doing such authentication (proprietary Avi Load Balancer in my case)

(In a perfect world, a standalone authentication to Froxlor via SAML/OIDC would be great)

Describe alternatives you've considered
None.

Additional context
None.

@patschi
Copy link
Contributor Author

patschi commented Aug 21, 2021

A very, very rudimentary hack in index.php I experimented with was:

index.php:

105a106,112
>
>       $samlAuth = false;
>       if (isset($_SERVER['HTTP_X_SAML_USER']) && !empty($_SERVER['HTTP_X_SAML_USER'])) {
>               $samlAuth = true;
>               $_POST['send'] = 'send';
>       }
>
109a117,121
>               if ($samlAuth) {
>                       $loginname = $_SERVER['HTTP_X_SAML_USER'];
>                       $password = '';
>               }
>
214c226
<               } elseif (\Froxlor\System\Crypt::validatePasswordLogin($userinfo, $password, $table, $uid)) {
---
>               } elseif ($samlAuth === true || \Froxlor\System\Crypt::validatePasswordLogin($userinfo, $password, $table, $uid)) {

However not perfect, as this results in errors when the SAML user wasn't previously created in the Froxlor database...

@d00p
Copy link
Member

d00p commented Aug 22, 2021

so, I can fake the HTTP_X_SAML_USER, set it to admin and I'm logged in without any further check? I don't really think this is how this should work....there must be some challenge-hash or similar which is validated from the other side...Never worked woth SAML or similar though, maybe i'm totally misunderstanding

@d00p
Copy link
Member

d00p commented Aug 22, 2021

From what I read/see here, this is way more complex: https://github.com/onelogin/php-saml

@patschi
Copy link
Contributor Author

patschi commented Aug 22, 2021

Depends on the implementation. Of course you can either

  1. integrate SAML completely using onelogin's SAML library and do the SAML authentication directly,
  2. or, what I've decided to, go the easier route which requires less changes to Froxlor itself by letting the authentication up to the reverse proxy.

As described in my first post, there are reverse proxies (authelia)/load balancer (e.g. Avi Load Balancer) which can do the SAML authentication independently before access to the real application is granted. When the authentication succeeds, you can add a HTTP header (with any name, example with Authelia & Jira) with the username, which the real application (in this case Froxlor) can read and work with.

My cheap implementation just has one issue: When the username doesn't exist in the Froxlor account, a PHP error is thrown. So it's really just quick'n'dirty.

I hope this makes sense!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants