feat: implementing SAML in Kratos #2148
Took a quick peek :)
From what I can say, this looks pretty good in terms of what files and directories are being touched :) Keep going! :)
Hello @aeneasr! Thank you very much for the feedback on my code, it helps me a lot. I will take into consideration all the remarks and improve my code.
I'm making another comment to describe my progress a little bit. The session creation is working well. I still have a problem with the passing of attributes from the IDP for the session creation. I also have a problem with the database migration scripts. I need to add values at database startup but my scripts are not used, I don't know why. And finally, a last problem with the redirection after authentication where the session cookies are not transmitted and therefore the session is not detected by the /whoami.
@aeneasr Hello, I'm proud to announce that our implementation of SAML in Kratos is ready for review. The PR for the documentation will come soon. Do not hesitate to give us feedback about our work. I will not be very available next month so take your time to review it (I will still take a look from time to time 😃)
Codecov Report
@@ Coverage Diff @@
## master #2148 +/- ##
==========================================
- Coverage 76.30% 75.42% -0.88%
==========================================
Files 316 327 +11
Lines 17463 18026 +563
==========================================
+ Hits 13326 13597 +271
- Misses 3195 3445 +250
- Partials 942 984 +42
Hey,
Really great feature, thanks so much for working on this!
Hey, following a mistake that accidentally caused this PR to automatically change to "Merged" status, we've reopened it here: #2653. To answer your question @kmherrmann, we've made good progress since our last update, we're about to ask for a review :)
Fantastic, thanks for the update!
Completion Progress
We thought about 5 main tasks:
First Part
Concerning the first part, the goal is to develop the two main endpoints:
/metadata (GET): Generate the metadata of the SP (Kratos)
/acs (POST): Handle SAML request
Second Part
The second part will deal with the way endpoints work. The library already implements what we want to make these endpoints work. The library allows you to create a metadata file very easily so we will need to incorporate it into Kratos to allow the endpoint /metadata to create them easily. Concerning the endpoint /acs, the Crewjam library allows us to receive the SAML requests, to understand them and to treat them accordingly.
Third Part
The goal here is to allow the SDK to call our SAML function. Currently, the SDK allows protecting a route via a redirection to the login page. We should copy this system a little and allow protecting a route via SAML by a redirection to the IDP. After authentication, the IDP will redirect the user to the desired page. There is also the very important problem of converting the session created by the Crewjam/saml library into a Kratos session to remain homogeneous.
Fourth Part
Now that the endpoints are created, the SAML requests must be processed by Kratos. This means that the endpoint /acs must receive the SAML requests, understand them and translate them into a language that Kratos can understand. More clearly, this endpoint must allow Kratos to support SAML requests and to perform the actions associated with these requests.
It is also in this part that you must check if the session has not expired (according to the duration indicated in option). If it is the case, you have to send a SAML Request to the IDP.
Fifth Part
Finally, the last part will concern the configuration. Not everyone wants to use SAML so we will have to use the YAML and Kratos configuration system to adapt it to SAML by adding new options to indicate if we want to use SAML and fill in the endpoints. The objective here is to make the final link between Kratos and SAML and thus be able to create instances of Kratos implementing SAML.
Concerning the options, here are the variables we can modify:
Related issue(s)
Design Document
Disclaimer
At the moment, this is only a first version which is not intended to be merged. All the documentation and tests are still to be done.
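Added example (not part of this PR, of Kratos, or of the crewjam/saml library): the SP metadata document that a /metadata endpoint serves, built with Go's standard library, plus a check that it requires signed assertions and advertises the /acs URL over the HTTP-POST binding. The host name, the choice of entity ID and the function names are assumptions made for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

const httpPost = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" // OASIS binding URI
type ACS struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
	Index    int    `xml:"index,attr"`
}
type EntityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	SP       struct {
		WantAssertionsSigned bool   `xml:"WantAssertionsSigned,attr"`
		Protocol             string `xml:"protocolSupportEnumeration,attr"`
		ACS                  []ACS  `xml:"AssertionConsumerService"`
	} `xml:"SPSSODescriptor"`
}

// BuildSPMetadata renders what a /metadata endpoint would serve for baseURL.
func BuildSPMetadata(baseURL string) ([]byte, error) {
	var ed EntityDescriptor
	ed.EntityID = baseURL + "/metadata" // assumption: entity ID is the metadata URL
	ed.SP.WantAssertionsSigned = true   // ask the IdP to sign every assertion
	ed.SP.Protocol = "urn:oasis:names:tc:SAML:2.0:protocol"
	ed.SP.ACS = []ACS{{Binding: httpPost, Location: baseURL + "/acs", Index: 1}}
	return xml.MarshalIndent(ed, "", "  ")
}

// CheckSPMetadata accepts only metadata that demands signed assertions and
// lists an HTTP-POST consumer service at exactly the expected /acs URL.
func CheckSPMetadata(doc []byte, wantACS string) error {
	var ed EntityDescriptor
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return err
	}
	for _, a := range ed.SP.ACS {
		if ed.SP.WantAssertionsSigned && a.Binding == httpPost && a.Location == wantACS {
			return nil
		}
	}
	return fmt.Errorf("need signed assertions and an HTTP-POST ACS at %s", wantACS)
}
func main() {
	doc, _ := BuildSPMetadata("https://sp.example.test") // constructed host
	fmt.Printf("%s\ncheck error: %v\n", doc, CheckSPMetadata(doc, "https://sp.example.test/acs"))
}
```

The check covers the metadata document only; validating the signed response that arrives at /acs is a separate step that needs an XML signature implementation.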