Add support for SAML authentication. #9470
Open
References
Description
This adds support for SAML authentication.
Instructions for Reviewers
List of changes in this PR:
- `/server/saml2`
- `/server/api/authn/saml`

See #9438 for details about the SAML relying party service and authentication endpoint.
This needs to be tested in conjunction with the UI changes in DSpace/dspace-angular#2937.
To test this, you'll need a SAML IdP. I've been developing against a personal auth0 instance, which you're welcome to use.
This is the minimal configuration that you'll need to add to your local.cfg to use my auth0 instance as the IdP:
Also enable SAML authentication, and set it to use the above relying party:
Important
If you use this auth0 IdP, and your DSpace is running locally at http://localhost:8080: Following a successful login at the IdP, the IdP will return HTML containing a form that will automatically be posted by the user's browser back to DSpace. This is how DSpace receives the identity assertion from the IdP. Since the auth0 IdP is at an https URL, and the form is being posted to an http URL, the browser will set the Origin header to `null` in order to avoid leaking information from a secure URL to an insecure one. To deal with this, you'll need to add `null` to the DSpace CORS allowed origins, for this testing scenario only:

(In production use, this effectively means that in order to use SAML authentication, DSpace must be installed at an https URL, and the URL of the IdP would need to be added to `rest.cors.allowed-origins`.)

To use a different IdP, see the configuration example for details about the available configuration options for a relying party. Consult with the administrator of your IdP to determine how to make the connection. Typically, the process is something like:
- `asserting-party.metadata-uri` to the IdP's metadata URL.
- `attributes` property, to map those attribute names to `org.dspace.saml.EMAIL`, `org.dspace.saml.GIVEN_NAME`, and `org.dspace.saml.SURNAME`, as in the above example.
- `/server/saml2/service-provider-metadata/{id}`) to the administrator of the IdP, so they can use it to configure their side. Alternatively, retrieve the metadata, and provide it to the administrator of the IdP through another channel.

Testing
To test SAML login as an existing DSpace user:
To test SAML login as a new, auto-registered DSpace user:

1. If using the auth0 service: You can't self-register a new auth0 user for this test, because they don't let you set a first and last name when registering, and a first and last name are required to auto-register a DSpace user. Contact me for the login information for an auth0 user that has the first and last name set.
   If using your own IdP, identify a user on the IdP that does not have an existing DSpace account, and that does have the email, first name, and last name set.
2. Log in to DSpace using SAML. When the login screen from the IdP appears, use the credentials of the user from step 1.
3. You should be redirected back to DSpace, and the End User Agreement should appear.
4. Accept the End User Agreement.
5. You should be logged in as a newly created DSpace user, with the email address, first name, and last name from the IdP.
Checklist
This checklist provides a reminder of what we are going to look for when reviewing your PR. You need not complete this checklist prior to creating your PR (draft PRs are always welcome). If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!
Sorry, this is about as small as I can make it, and have it be functional.
pom.xml), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.
I'm not sure if this is necessary for these changes.
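The `Origin: null` behaviour from the Important note above, worked through as an added example. This is not DSpace code or the PR author's: the browser rule is a simplified reading of the Fetch standard's Origin-header algorithm, the IdP host `idp.example.org` is a placeholder, the exact assertion-consumer path on DSpace is not shown on this page (it does not affect the origin computation), and the comma-separated form of `rest.cors.allowed-origins` is an assumption.

```python
"""Added example (not DSpace code): why an https IdP posting its SAML
response back to an http DSpace arrives with ``Origin: null``, and what
that does to an exact-match CORS allowlist such as
``rest.cors.allowed-origins``.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialize a URL's origin as scheme://host[:port], default port omitted."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_header_for_form_post(
    from_url: str,
    to_url: str,
    referrer_policy: str = "strict-origin-when-cross-origin",
) -> str:
    """Origin header a browser sends when a page at from_url auto-submits a
    form (POST) to to_url.

    Simplified from the Fetch standard's "append a request Origin header":
    a non-GET request carries the serialized origin, except that
    no-referrer always yields "null", the default policy
    (strict-origin-when-cross-origin) and its siblings yield "null" on an
    https -> http downgrade, and same-origin yields "null" cross-origin.
    """
    if referrer_policy == "no-referrer":
        return "null"
    if referrer_policy in ("no-referrer-when-downgrade", "strict-origin",
                           "strict-origin-when-cross-origin"):
        if urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme != "https":
            return "null"
    if referrer_policy == "same-origin" and origin_of(from_url) != origin_of(to_url):
        return "null"
    return origin_of(from_url)


def parse_allowed_origins(cfg_value: str) -> set[str]:
    """Assumed format of rest.cors.allowed-origins: comma-separated origins."""
    return {o.strip() for o in cfg_value.split(",") if o.strip()}


def origin_allowed(origin_header: str, allowed: set[str]) -> bool:
    """Exact string match, as a CORS allowlist does.

    The literal "null" also matches every opaque origin: a sandboxed iframe,
    a file:// page or a data: URL sends the same header, so allowing it in
    production widens the allowlist far beyond the IdP.
    """
    return origin_header in allowed


def cors_verdict(idp_url: str, dspace_url: str, cfg_value: str) -> tuple[str, bool]:
    """Origin the IdP's POST arrives with, and whether the allowlist admits it."""
    origin = origin_header_for_form_post(idp_url, dspace_url)
    return origin, origin_allowed(origin, parse_allowed_origins(cfg_value))


if __name__ == "__main__":
    # Local test scenario from the PR: https IdP, http DSpace on localhost.
    print(cors_verdict("https://idp.example.org/sso", "http://localhost:8080/server/",
                       "http://localhost:4000"))          # ('null', False)
    print(cors_verdict("https://idp.example.org/sso", "http://localhost:8080/server/",
                       "http://localhost:4000, null"))    # ('null', True)
    # Production: https DSpace, IdP origin listed explicitly.
    print(cors_verdict("https://idp.example.org/sso", "https://dspace.example.org/server/",
                       "https://dspace.example.org, https://idp.example.org"))
```

The last scenario is the production shape the description calls for: once DSpace itself is served over https, the browser sends the IdP's real origin, which can be allowlisted exactly, and the `null` entry is no longer needed and should not be carried over.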
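The attribute mapping onto `org.dspace.saml.EMAIL`, `org.dspace.saml.GIVEN_NAME` and `org.dspace.saml.SURNAME`, together with the auto-registration rule the test plan relies on (a new user needs all three), as an added example that is not part of the PR or of DSpace. The IdP attribute names, the mapping dict and the assertion are constructed for this example; the real syntax of the PR's `attributes` property is not shown on this page.

```python
"""Added example (not DSpace code): pull attributes out of a SAML assertion,
map them onto the DSpace keys the PR names, and decide between logging in an
existing user, auto-registering a new one, or rejecting the login.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

EMAIL = "org.dspace.saml.EMAIL"
GIVEN_NAME = "org.dspace.saml.GIVEN_NAME"
SURNAME = "org.dspace.saml.SURNAME"
REQUIRED_FOR_AUTO_REGISTRATION = (EMAIL, GIVEN_NAME, SURNAME)

# Assumed mapping, IdP attribute Name -> DSpace key. The PR's "attributes"
# property serves this purpose; its exact syntax is not shown on the page.
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": EMAIL,
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": GIVEN_NAME,
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": SURNAME,
}

# Constructed, unsigned assertion fragment used only as sample input.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_c0ffee" Version="2.0">
  <saml2:Issuer>https://idp.example.org/</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml2:AttributeValue>Alice@example.org</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml2:AttributeValue>Alice</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml2:AttributeValue>Liddell</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:example:nickname">
      <saml2:AttributeValue>alice</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect Attribute Name -> [values] from the AttributeStatement(s).

    Only run this after the SP has verified the Response/Assertion signature,
    Issuer, Audience, Destination and validity window; attributes from an
    unverified assertion must never reach this point. For XML that came off
    the network, parse with defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        attrs.setdefault(name, []).extend(v for v in values if v)
    return attrs


def map_attributes(attrs: dict[str, list[str]],
                   attribute_map: dict[str, str] = ATTRIBUTE_MAP) -> dict[str, str]:
    """Translate IdP names to DSpace keys. First value wins; attributes with
    no mapping are dropped instead of being passed through to the user record."""
    mapped: dict[str, str] = {}
    for idp_name, dspace_key in attribute_map.items():
        values = attrs.get(idp_name) or []
        if values and dspace_key not in mapped:
            mapped[dspace_key] = values[0]
    return mapped


def resolve_user(mapped: dict[str, str], existing_emails: set[str]) -> tuple[str, dict]:
    """("existing", ...) when the asserted email matches a known account,
    ("auto_register", ...) when every required field was released, and
    ("rejected", {"missing": [...]}) otherwise. No email means nothing to
    match on, so that case is rejected as well."""
    email = mapped.get(EMAIL)
    if email and email.lower() in {e.lower() for e in existing_emails}:
        return "existing", {EMAIL: email}
    missing = [k for k in REQUIRED_FOR_AUTO_REGISTRATION if not mapped.get(k)]
    if missing:
        return "rejected", {"missing": missing}
    return "auto_register", {k: mapped[k] for k in REQUIRED_FOR_AUTO_REGISTRATION}


if __name__ == "__main__":
    mapped = map_attributes(extract_attributes(SAMPLE_ASSERTION))
    print(mapped)
    print(resolve_user(mapped, existing_emails=set()))
    # The auth0 caveat from the test plan: a user without name attributes.
    print(resolve_user({EMAIL: "new@example.org"}, existing_emails=set()))
```

The third call is the case the test plan warns about for auth0: an account with an email but no first or last name is matched to an existing DSpace user if one exists, but cannot be auto-registered, so the outcome is a rejection naming the missing keys rather than a half-populated account.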