Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SAML authentication #275

Closed
raffis opened this issue Mar 5, 2020 · 15 comments
Closed

SAML authentication #275

raffis opened this issue Mar 5, 2020 · 15 comments
Labels
feat New feature or request.
Milestone

Comments

@raffis
Copy link

raffis commented Mar 5, 2020

Describe the solution you'd like
It would be awesome to have a SAML authentication flow. Meaning kratos acts as a SAML service provider and be able to setup a trust to an external IdP (or multiple IdPs).

  • Map SAML attributes to kratos identity
  • Possibility to configure the IdP metadata
  • Attach SSL certificates for the SP or even the ability to generate them and store it in kratos backing storage
  • kratos needs to expose an endpoint which serves the SPs metadata

Note it may also be possible that kratos acts as an IdP but that would be another feature and I am not really sure if this fits for kratos.

Describe alternatives you've considered

Additional context
There is already a pretty good saml library: https://github.com/crewjam/saml

@aeneasr aeneasr added the feat New feature or request. label Mar 13, 2020
@aeneasr aeneasr added this to the unplanned milestone Mar 13, 2020
@aeneasr
Copy link
Member

aeneasr commented Mar 13, 2020

Triaged - setting priority to "later" because we have many more things to solve before SAML support :)

Contributions are however - as always - welcomed!

@tiny-dancer
Copy link

Hey @aeneasr, possible for an annual-ish update on this one?

@aeneasr
Copy link
Member

aeneasr commented Jul 16, 2021

Contributions are however - as always - welcomed!

Only this 😅

@github-actions
Copy link

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers a year. That does not imply that the issue has no merit! If you feel strongly about this issue

  • open a PR referencing and resolving the issue;
  • leave a comment on it and discuss ideas how you could contribute towards resolving it;
  • leave a comment and describe in detail why this issue is critical for your use case;
  • open a new issue with updated details and a plan on resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneous you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

@github-actions github-actions bot added the stale Feedback from one or more authors is required to proceed. label Jul 17, 2022
@aeneasr aeneasr removed the stale Feedback from one or more authors is required to proceed. label Jul 17, 2022
@robertlagrant
Copy link

Just some more additional context: allowing Kratos to be a service provider in front of a SAML IdP would be extremely useful :)

@aeneasr
Copy link
Member

aeneasr commented Sep 11, 2022

Being a SAML Service Provider is out of scope for Ory Kratos, it will most likely be an additional service like Ory Hydra!

@robertlagrant
Copy link

Hopefully my terminology is correct. Just to double check: what I mean is being able to point Kratos at a SAML IdP in the way we can point Kratos at an OIDC provider.

@vinckr
Copy link
Member

vinckr commented Sep 12, 2022

Hopefully my terminology is correct. Just to double check: what I mean is being able to point Kratos at a SAML IdP in the way we can point Kratos at an OIDC provider.

SAML Service Provider is what you point Kratos at in the above example. So Kratos would be more a "client" than a "provider/server". I think the feature you are looking for (and for this issue) is being worked on in this PR: #2653

@github-actions github-actions bot added the stale Feedback from one or more authors is required to proceed. label Sep 13, 2023
@aeneasr aeneasr removed the stale Feedback from one or more authors is required to proceed. label Sep 13, 2023
@dm17
Copy link

dm17 commented Oct 26, 2023

Am I correct in thinking SAML is the only way to continue using an all-Ory-based auth system in front of Zulip?
zulip/zulip#19245

@ory ory deleted a comment from github-actions bot Oct 26, 2023
@vinckr
Copy link
Member

vinckr commented Oct 26, 2023

Am I correct in thinking SAML is the only way to continue using an all-Ory-based auth system in front of Zulip? zulip/zulip#19245

Feel free to open a discussion (on Zulip X Ory) if you want to discuss this further.

By default, Zulip allows logging in via email/password as well as various social authentication providers like Google, GitHub, GitLab, and Apple.
LDAP and various custom SSO login methods are currently restricted to self-hosted Zulip organizations only. SAML authentication is supported by Zulip Cloud but requires contacting [email protected] to configure it.

Sounds to me as you have the options of email/password and some "Plug-and-play SSO (Google, GitHub, GitLab)".

SAML also seems to work with some extra steps - and can be used with Ory using e.g. jackson.
This is also available in Ory Network there we integrate and manage the SAML connections for you (using jackson). I think its also on the roadmap, but nothing concrete as of right now.

@kmherrmann
Copy link
Contributor

I'm closing this issue as we have no plans to support SAML natively in Kratos.

We recommend using a bridge like https://boxyhq.com/docs/jackson/overview to connect SAML IdPs as needed.

@uncvrd
Copy link

uncvrd commented Nov 28, 2023

I'm closing this issue as we have no plans to support SAML natively in Kratos.

We recommend using a bridge like https://boxyhq.com/docs/jackson/overview to connect SAML IdPs as needed.

Bummer, so closing this affects the open PR here as well?

#2653

Or is there still interest to provide it if there is some movement on this PR?

@uncvrd
Copy link

uncvrd commented Dec 11, 2023

Would it be possible to have an Ory engineer show how they implemented SAML Jackson in Ory Network? I thought I'd give Jackson a shot since it was recommended as the alternative, and have been having many fundamental problems (specifically regarding the flowIds and how they work with callbacks in the jackson ecosystem). I'm stuck on a few areas honestly and confused how Ory Network managed to use this. Is it possible to get a small peek in to how Ory Network handles jackson with a browser login OIDC flow?

I've typed out steps that I think need to happen (with many gaps) but for the sake of saving people time reading everything, I just wanted to see if there is willingness to share implementation. I know I and the 44 others interested in SAML auth w/ Ory would really appreciate an "olive branch" for help here 🙏

Thank you!!


EDIT:

I guess the one thing I'll add to foster some conversation about one part im stuck on is the following...

To redirect to the correct IdP, you must call the following endpoint with jackson:

https://localhost:5225/api/oauth/authorize
  ?response_type=code&provider=saml
  &client_id=<clientID or tenant and product query params>
  &redirect_uri=<redirect URL>
  &state=<randomly generated state id>

This state parameter is passed to the ory self sign in callback, which in our case would be to one of the oidc callback paths like http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<jackson?>

From what it looks like (and I am a total novice in golang) is that this state parameter isn't something the user creates but occurs when the login flow is submitted. It seems like it is generated from the flowId and then some extra data, base64 encoded (split by a :), and stored in the continuity_containers database table...which happens here

So my question is, how can I create this "custom" state that embeds this flowId and data before calling this authorize endpoint since it seems like it's important to have a reference to this when running through the callback flow?

@tdipadova3rd
Copy link

@uncvrd were you able to get the Jackson integration working?

@uncvrd
Copy link

uncvrd commented Mar 1, 2024

@tdipadova3rd i talked to the founder of Jackson, there will need to be a dev investment on their end to provide some sort of bespoke proxy between the Kratos oauth request and their platform to extract the tenants. I have not made any progress unfortunately

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feat New feature or request.
Projects
None yet
Development

No branches or pull requests

9 participants