Exciting to hear you have a proof of concept working!  If you get it to a point
where you are able to share it, that would be a nice contribution to the 
project.

I am not very familiar with SAML, but I understand now what you are saying about
how it supplements instead of replaces the normal authentication.  I think the
App is the best option right now - you could install it at the neighborhood so
it is at /p/saml or something like that.  And then set `max_instances = 0` in
the App so no other project can install it too.  I've done that for a few things
that just need to exist in one place.  Obviously not great though.

The only other extension option available right now
(https://forge-allura.apache.org/docs/development/extending.html) is middleware,
but I think that would make it too separate and not as nice of an
integration.

I think the ideal solution would be to add a new extension point for arbitrary
controllers.  In allura.controllers.root.RootController it could have a _lookup
function to handle any unknown URL paths and then check in the new extensions
for a matching controller.  Something like that could be useful for many things.

-Dave

On 1/7/18 9:33 AM, Ingo Hornberger wrote:
> Hi Dave,
> 
> thanks for your reply. I waited a bit longer with mine, as I wanted to have
> the chance to dig deeper into SAML and have some first hands-on.
> Actually I did a proof of concept now, and am still not sure what the best
> integration looks like.
> 
> Currently I see the SAML authentication as an "add on" to your normal user
> authentication providers. Because, actually I don't care if the additional
> user data is stored in LDAP, Mongo or wherever. I'm just creating an open
> session for a user, if my trusted IDP tells me to.
> 
> So my current proof of concept is an app controller, which is taking care
> of the communication with the IDP and logs the user in, when he is
> authorized.
> 
> Doing this in an App is not the ideal solution obviously. Having its own
> mount point for SAML would be by far better (e.g. http://myside.com/saml or
> http://myside.com/auth/saml). But I found no way to achieve that with
> Allura other than patching the root controller.
> 
> What I would need is a mount point for a controller and a view, which
> doesn't depend on a project or Application.
> 
> What do you think would be the best practice for that?
> 
> BR,
> Ingo
> 
> 
> 2018-01-04 2:34 GMT+01:00 <dev-digest-h...@allura.apache.org>:
> 
>> From: Dave Brondsema <d...@brondsema.net>
>> To: dev@allura.apache.org
>> Cc:
>> Bcc:
>> Date: Thu, 28 Dec 2017 12:53:12 -0500
>> Subject: Re: SAML
>> Hi Ingo,
>>
>> The short answer unfortunately is that Allura uses some of the basics of
>> Turbogears but does its own thing for most stuff, including
>> authentication.  The
>> authentication system is pluggable in Allura, so it should be possible to
>> write
>> a SAML plugin, but the turbogears extension wouldn't work.
>>
>> These docs explain the methods that would have to be implemented:
>> https://forge-allura.apache.org/docs/api/lib/plugin.html#allura.lib.plugin.AuthenticationProvider
>>
>> And
>> https://forge-allura.apache.org/p/allura/git/ci/master/tree/Allura/allura/lib/plugin.py
>> has the base AuthenticationProvider and the LocalAuthenticationProvider and
>> LdapAuthenticationProvider code, which could be useful references.
>>
>> -Dave
>>
>> On 12/25/17 1:26 PM, Ingo Hornberger wrote:
>>> Hey guys!
>>> I just did some research into how Allura could be extended with SSO
>>> functionality. I found that OpenID was once supported but
>>> discontinued.
>>>
>>> Then I found out that turbogears itself supports SAML with a pluggable
>>> extension:
>>>
>>> https://pypi.python.org/pypi/tgapp-samlauth/0.0.2
>>>
>>> This sounded promising from an outside point of view. But I am new to TG,
>>> so I wanted to ask you guys for some hints to find the best and most
>>> pragmatic approach to get SAML or a similar protocol to work. It should
>>> just cooperate with Keycloak. So a few configurations are possible,
>>> while SAML would be preferred.
>>>
>>> Could such an extension work in allura, or did you change too much in the
>>> authentication system?
>>>
>>> Thanks in advance!
>>>
>>> Ingo
>>>
>>
>>
>>
>> --
>> Dave Brondsema : d...@brondsema.net
>> http://www.brondsema.net : personal
>> http://www.splike.com : programming
>>               <><
>>
>>
>>
> 



-- 
Dave Brondsema : d...@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
              <><
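The extension point Dave sketches above, worked out as an added illustration. This is not Allura's code and not Ingo's proof of concept: it is a constructed, self-contained model of the TurboGears object-dispatch convention, where a controller's `_lookup(name, *remainder)` is consulted when no attribute matches the next URL segment and returns `(sub_controller, remaining_segments)`. The `SITE_CONTROLLERS` dict and `register_site_controller` are hypothetical names standing in for whatever entry-point group such an extension point would actually read, and `SamlController` is a placeholder whose methods return strings instead of talking to an IdP. Two checks a practitioner would want in such a dispatcher are included: registration refuses to shadow any path the root controller already owns (so an extension cannot take over `/auth` or `/p`), and dispatch refuses underscore-prefixed segments so internal attributes are never reachable from a URL.

```python
"""Hypothetical site-level controller extension point (constructed example).

Not Allura's code. Models TurboGears-style object dispatch with a ``_lookup``
fallback on the root controller, so a plugin can own a top-level mount point
like /saml without belonging to any project or App.
"""
import inspect
from typing import Dict, Tuple, Type


class RootController:
    """Stands in for allura.controllers.root.RootController."""

    def index(self) -> str:
        return "root index"

    def auth(self) -> str:
        # Placeholder for the existing /auth controller; an extension must not shadow it.
        return "built-in auth"

    def _lookup(self, name: str, *remainder: str) -> Tuple[object, Tuple[str, ...]]:
        """Called for any URL segment that is not an attribute of the root.

        Returns (controller_instance, remaining_segments) per the TurboGears contract.
        """
        cls = SITE_CONTROLLERS.get(name)
        if cls is None:
            # In a real app this would raise a 404; LookupError stands in for that.
            raise LookupError(f"no site controller mounted at /{name}")
        return cls(), remainder


# Hypothetical registry; in a real extension point this would be filled from
# setuptools entry points rather than from a module-level dict.
SITE_CONTROLLERS: Dict[str, Type] = {}


def register_site_controller(mount_point: str, cls: Type) -> Type:
    """Register ``cls`` at /<mount_point>, refusing unsafe or conflicting names."""
    if not mount_point or "/" in mount_point or mount_point.startswith("_"):
        raise ValueError(f"invalid mount point {mount_point!r}")
    if hasattr(RootController, mount_point):
        # Never let a plugin shadow a path the root already serves (e.g. /auth).
        raise ValueError(f"/{mount_point} is already owned by the root controller")
    if mount_point in SITE_CONTROLLERS:
        raise ValueError(f"/{mount_point} is already registered")
    SITE_CONTROLLERS[mount_point] = cls
    return cls


class SamlController:
    """Placeholder for a SAML SP controller; returns strings instead of doing SAML."""

    def index(self) -> str:
        return "redirect to IdP"

    def acs(self) -> str:
        return "assertion consumer service"


register_site_controller("saml", SamlController)


def dispatch(root: object, path: str) -> str:
    """Minimal object dispatch: walk URL segments, falling back to ``_lookup``."""
    segments = [s for s in path.strip("/").split("/") if s]
    controller = root
    while segments:
        name = segments[0]
        if name.startswith("_"):
            # Never expose private attributes (including _lookup itself) as URLs.
            raise LookupError(f"refusing to dispatch to private name {name!r}")
        attr = getattr(controller, name, None)
        if attr is not None:
            if inspect.ismethod(attr):
                return attr()  # an action method is terminal for this toy dispatcher
            controller = attr  # a sub-controller object: descend into it
            segments = segments[1:]
            continue
        lookup = getattr(controller, "_lookup", None)
        if lookup is None:
            raise LookupError(f"no route for /{'/'.join(segments)}")
        controller, remainder = lookup(*segments)
        segments = list(remainder)
    return controller.index()


if __name__ == "__main__":
    root = RootController()
    print(dispatch(root, "/saml"))       # handled by the registered extension
    print(dispatch(root, "/saml/acs"))   # remainder passed on to the sub-controller
```

Because `_lookup` only fires for segments the root does not already define, the ordering is the important security property: built-in routes win, and a plugin can only claim names the root has never used, which `register_site_controller` also enforces up front so a conflict fails at load time rather than silently at request time.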
