Hi Ingo,

I wanted to check and see how your SAML work was going.  Any other issues we can
help with?

If my suggestion for a new extension point sounds useful, I could work on adding
that for you.  Especially if you are interested in contributing back your SAML
work.  If not that's fine, but it would be great.

-Dave

On 1/9/18 11:54 AM, Dave Brondsema wrote:
> Exciting to hear you have a proof of concept working!  If you get it to a point
> where you are able to share it, that would be a nice contribution to the project.
> 
> I am not very familiar with SAML, but I understand now what you are saying about
> how it supplements instead of replaces the normal authentication.  I think the
> App is the best option right now - you could install it at the neighborhood so
> it is at /p/saml or something like that.  And then set `max_instances = 0` in
> the App so no other project can install it too.  I've done that for a few things
> that just need to exist in one place.  Obviously not great though.
> 
> The only other extension option available right now
> (https://forge-allura.apache.org/docs/development/extending.html) is middleware,
> but I think that would make it too separate and not as nice of an integration.
> 
> I think the ideal solution would be to add a new extension point for arbitrary
> controllers.  In allura.controllers.root.RootController it could have a _lookup
> function to handle any unknown URL paths and then check in the new extensions
> for a matching controller.  Something like that could be useful for many things.
> 
> -Dave
> 
> On 1/7/18 9:33 AM, Ingo Hornberger wrote:
>> Hi Dave,
>>
>> thanks for your reply. I waited a bit longer with mine, as I wanted to have
>> the chance to dig deeper into SAML and have some first hands-on.
>> Actually I did a proof of concept now, and am still not sure what the best
>> integration looks like.
>>
>> Currently I see the SAML authentication as an "add on" to your normal user
>> authentication providers. Because, actually I don't care if the additional
>> user data is stored in LDAP, Mongo or wherever. I'm just creating an open
>> session for a user, if my trusted IDP tells me to.
>>
>> So my current proof of concept is an app controller, which takes care of
>> the communication with the IDP and logs the user in when he is authorized.
>>
>> Doing this in an App is obviously not the ideal solution. Having its own
>> mount point for SAML would be by far better (e.g. http://myside.com/saml or
>> http://myside.com/auth/saml). But I found no way to achieve that with
>> Allura other than patching the root controller.
>>
>> What I would need is a mount point for a controller and a view, which
>> doesn't depend on a project or Application.
>>
>> What do you think would be the best practice for that?
>>
>> BR,
>> Ingo
>>
>>
>> 2018-01-04 2:34 GMT+01:00 <dev-digest-h...@allura.apache.org>:
>>
>>> From: Dave Brondsema <d...@brondsema.net>
>>> To: dev@allura.apache.org
>>> Cc:
>>> Bcc:
>>> Date: Thu, 28 Dec 2017 12:53:12 -0500
>>> Subject: Re: SAML
>>> Hi Ingo,
>>>
>>> The short answer unfortunately is that Allura uses some of the basics of
>>> Turbogears but does its own thing for most stuff, including authentication.  The
>>> authentication system is pluggable in Allura, so it should be possible to write
>>> a SAML plugin, but the turbogears extension wouldn't work.
>>>
>>> These docs explain the methods that would have to be implemented:
>>> https://forge-allura.apache.org/docs/api/lib/plugin.html#allura.lib.plugin.AuthenticationProvider
>>>
>>> And
>>> https://forge-allura.apache.org/p/allura/git/ci/master/tree/Allura/allura/lib/plugin.py
>>> has the base AuthenticationProvider and the LocalAuthenticationProvider and
>>> LdapAuthenticationProvider code, which could be useful references.
>>>
>>> -Dave
>>>
>>> On 12/25/17 1:26 PM, Ingo Hornberger wrote:
>>>> Hey guys!
>>>> I just did some research how allura could be extended with SSO
>>>> functionality. I encountered that OpenID was once supported but
>>>> discontinued.
>>>>
>>>> Then I found out that turbogears itself supports SAML with a pluggable
>>>> extension:
>>>>
>>>> https://pypi.python.org/pypi/tgapp-samlauth/0.0.2
>>>>
>>>> This sounded promising from an outside point of view. But I am new to TG,
>>>> so I wanted to ask you guys for some hints to find the best and most
>>>> pragmatic approach to get SAML or a similar protocol to work. It should
>>>> just cooperate with Keycloak. So a few configurations are possible, while
>>>> SAML would be preferred.
>>>>
>>>> Could such an extension work in allura, or did you change too much in the
>>>> authentication system?
>>>>
>>>> Thanks in advance!
>>>>
>>>> Ingo
>>>>
>>>
>>>
>>>
>>> --
>>> Dave Brondsema : d...@brondsema.net
>>> http://www.brondsema.net : personal
>>> http://www.splike.com : programming
>>>               <><
>>>
>>>
>>>
>>
> 
> 
> 



-- 
Dave Brondsema : d...@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
              <><
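As an added illustration of the extension point Dave sketches above (a RootController._lookup that hands unknown first-level URL segments to registered extension controllers, with a SAML controller mounted at /saml the way Ingo wants), the following is example code written for this page, not Allura's or TurboGears' own code. The EXTENSION_CONTROLLERS registry, the expose decorator, the SamlController and its already-parsed assertion fields are all assumptions constructed here; the dispatcher only mimics object-dispatch closely enough to show where the lookup hook sits and what it should refuse.

```python
"""Toy object dispatch with a _lookup extension point; added example, not Allura code."""
import time


class NotFound(Exception):
    """Raised when no exposed method or registered controller matches."""


def expose(fn):
    """Mark a controller method as URL-reachable (stands in for tg.expose)."""
    fn.exposed = True
    return fn


# Hypothetical registry; an entry point or config loader would fill it.
EXTENSION_CONTROLLERS = {}


def register_controller(name, controller):
    # Refuse names that could shadow internals or span several path segments.
    if not name or name.startswith('_') or '/' in name:
        raise ValueError('bad mount name %r' % (name,))
    EXTENSION_CONTROLLERS[name] = controller


class RootController:
    @expose
    def index(self):
        return 'root index'

    def _lookup(self, name, *remainder):
        # Only explicitly registered names are dispatched; anything else is 404.
        ctrl = EXTENSION_CONTROLLERS.get(name)
        if ctrl is None:
            raise NotFound(name)
        return ctrl, remainder


class SamlController:
    """Mounted at /saml; opens a session only for a subject the trusted IdP vouches for."""

    def __init__(self, trusted_issuer, sessions, clock=time.time):
        self.trusted_issuer = trusted_issuer
        self.sessions = sessions  # constructed stand-in for the real session store
        self.clock = clock

    @expose
    def login(self):
        return {'redirect_to_idp': self.trusted_issuer}

    @expose
    def acs(self, saml_response):
        # saml_response is a constructed dict of already-parsed assertion fields.
        # Real code must verify the XML signature first; these checks come after that.
        if saml_response.get('issuer') != self.trusted_issuer:
            raise PermissionError('untrusted issuer')
        if saml_response.get('not_on_or_after', 0) <= self.clock():
            raise PermissionError('assertion expired')
        name_id = saml_response['name_id']
        self.sessions[name_id] = {'issuer': saml_response['issuer']}
        return name_id


def dispatch(root, path, **kwargs):
    """Walk the path: an exposed attribute wins, otherwise ask _lookup."""
    segments = [s for s in path.split('/') if s]
    ctrl = root
    while segments:
        name = segments[0]
        attr = None if name.startswith('_') else getattr(ctrl, name, None)
        if callable(attr) and getattr(attr, 'exposed', False):
            return attr(*segments[1:], **kwargs)
        lookup = getattr(ctrl, '_lookup', None)
        if lookup is None:
            raise NotFound(path)
        ctrl, remainder = lookup(*segments)
        segments = list(remainder)
    index = getattr(ctrl, 'index', None)
    if callable(index) and getattr(index, 'exposed', False):
        return index(**kwargs)
    raise NotFound(path)


def demo():
    """Mount a SamlController under /saml and exercise the dispatcher."""
    sessions, now = {}, 1515000000  # fixed clock so expiry checks are deterministic
    saml = SamlController('https://idp.example/realms/demo', sessions, clock=lambda: now)
    EXTENSION_CONTROLLERS.clear()
    register_controller('saml', saml)
    root = RootController()
    good = {'issuer': 'https://idp.example/realms/demo', 'name_id': 'ingo',
            'not_on_or_after': now + 300}
    user = dispatch(root, '/saml/acs', saml_response=good)
    results = {'root': dispatch(root, '/'), 'user': user, 'session_open': user in sessions}
    for bad in ('/nope', '/saml/_lookup', '/saml/trusted_issuer'):
        try:
            dispatch(root, bad)
            results[bad] = 'dispatched'
        except NotFound:
            results[bad] = 'not found'
    try:
        dispatch(root, '/saml/acs', saml_response=dict(good, not_on_or_after=now - 1))
        results['stale'] = 'accepted'
    except PermissionError:
        results['stale'] = 'rejected'
    return results


if __name__ == '__main__':
    print(demo())
```

The points worth carrying over to a real implementation: the root lookup consults an explicit registry rather than importing arbitrary modules by URL segment, underscore-prefixed segments and non-exposed attributes are never reachable, and the ACS handler trusts nothing about the subject until issuer and validity window have been checked on a signature-verified assertion.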
