-
-
Notifications
You must be signed in to change notification settings - Fork 963
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SAML authentication #275
Comments
Triaged - setting priority to "later" because we have many more things to solve before SAML support :) Contributions are however - as always - welcomed! |
Hey @aeneasr, possible for an annual-ish update on this one? |
Only this 😅 |
Hello contributors! I am marking this issue as stale as it has not received any engagement from the community or maintainers a year. That does not imply that the issue has no merit! If you feel strongly about this issue
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic. Unfortunately, burnout has become a topic of concern amongst open-source projects. It can lead to severe personal and health issues as well as opening catastrophic attack vectors. The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone. If this issue was marked as stale erroneous you can exempt it by adding the Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you! Thank you 🙏✌️ |
Just some more additional context: allowing Kratos to be a service provider in front of a SAML IdP would be extremely useful :) |
Being a SAML Service Provider is out of scope for Ory Kratos, it will most likely be an additional service like Ory Hydra! |
Hopefully my terminology is correct. Just to double check: what I mean is being able to point Kratos at a SAML IdP in the way we can point Kratos at an OIDC provider. |
SAML Service Provider is what you point Kratos at in the above example. So Kratos would be more a "client" than a "provider/server". I think the feature you are looking for (and for this issue) is being worked on in this PR: #2653 |
Am I correct in thinking SAML is the only way to continue using an all-Ory-based auth system in front of Zulip? |
Feel free to open a discussion (on Zulip X Ory) if you want to discuss this further.
Sounds to me as you have the options of email/password and some "Plug-and-play SSO (Google, GitHub, GitLab)". SAML also seems to work with some extra steps - and can be used with Ory using e.g. jackson. |
I'm closing this issue as we have no plans to support SAML natively in Kratos. We recommend using a bridge like https://boxyhq.com/docs/jackson/overview to connect SAML IdPs as needed. |
Bummer, so closing this affects the open PR here as well? Or is there still interest to provide it if there is some movement on this PR? |
Would it be possible to have an Ory engineer show how they implemented SAML Jackson in Ory Network? I thought I'd give Jackson a shot since it was recommended as the alternative, and have been having many fundamental problems (specifically regarding the flowIds and how they work with callbacks in the jackson ecosystem). I'm stuck on a few areas honestly and confused how Ory Network managed to use this. Is it possible to get a small peek in to how Ory Network handles jackson with a browser login OIDC flow? I've typed out steps that I think need to happen (with many gaps) but for the sake of saving people time reading everything, I just wanted to see if there is willingness to share implementation. I know I and the 44 others interested in SAML auth w/ Ory would really appreciate an "olive branch" for help here 🙏 Thank you!! EDIT: I guess the one thing I'll add to foster some conversation about one part im stuck on is the following... To redirect to the correct IdP, you must call the following endpoint with jackson:
This From what it looks like (and I am a total novice in golang) is that this state parameter isn't something the user creates but occurs when the login flow is submitted. It seems like it is generated from the flowId and then some extra data, base64 encoded (split by a So my question is, how can I create this "custom" state that embeds this |
@uncvrd were you able to get the Jackson integration working? |
@tdipadova3rd i talked to the founder of Jackson, there will need to be a dev investment on their end to provide some sort of bespoke proxy between the Kratos oauth request and their platform to extract the tenants. I have not made any progress unfortunately |
Describe the solution you'd like
It would be awesome to have a SAML authentication flow. Meaning kratos acts as a SAML service provider and be able to setup a trust to an external IdP (or multiple IdPs).
Note it may also be possible that kratos acts as an IdP but that would be another feature and I am not really sure if this fits for kratos.
Describe alternatives you've considered
Additional context
There is already a pretty good saml library: https://github.com/crewjam/saml
The text was updated successfully, but these errors were encountered: