SAML: Allow manually uploading the metadata as XML #9254

Closed
Dschoordsch opened this issue Nov 30, 2023 · 3 comments · Fixed by #9750
Closed

Labels
bug p2 Needs to be addressed on a reasonable timescale

Comments

@Dschoordsch
Contributor

Some IDPs (e.g. Google) don't provide a URL to the SAML metadata, but instead the user can only download it. We should allow uploading the XML file manually.

Acceptance criteria

  • allow uploading the metadata XML as alternative to the metadata URL
  • upload and verify the file, validate that it's not too big and is valid XML, and store it on S3
  • do the login verification check with a link to S3
@mattkrick
Member

Constraints:

  • We need to include the metadata or a reference to metadata in the SSO Relay State. This allows us to attempt to use the new metadata when logging in
  • The SSO URL, including the relay state, must be < 2048 chars because that's the limit for Microsoft Entra. That means we cannot include the entire metadata because it's possible the metadata + rest of URL is > 2048 chars
  • metadata can expire (fetch SAML metadata from URL if expiring #9237), so a URL that permalinks to an updated metadata XML is advantageous
  • Google doesn't provide a URL so we'll have to ask users to host, accept a metadata XML & host it ourselves (via URL or in a DB table)

@mwermuth mwermuth added bug p2 Needs to be addressed on a reasonable timescale Squad - Excite & Expand and removed Squad - Self Raising labels Dec 5, 2023
@mattkrick
Member

ran into this again, it's annoying having to special case both google & microsoft.

here's how i'd like to build it:

  • the UI prompts for metadata URL
  • there's a hint that says "No URL? Click here to paste metadata"
  • the metadata URL form field changes to a metadata field
  • they paste the metadata which takes in the metadata, uploads it to the storage & returns a URL. similar to how you paste images in github issues
  • this could be a separate call, or combined into parseSAMLMetadata. I opt for the former since it's cleaner, albeit it results in 2 round trips
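The checks from the acceptance criteria above (size cap, well-formed XML, store on S3), the RelayState constraint from the earlier comment (the SSO URL must stay under 2048 characters, so only a reference to the metadata can travel in it), and the paste-then-upload flow in this comment, worked through as an added example in Python. This is not Parabol's code and nothing here is from the linked PR: `MAX_METADATA_BYTES` (100 KiB), `MetadataStore` (an in-memory stand-in for the S3 bucket, keyed by content hash), the sample metadata and its placeholder certificate are all constructed for the example. The DOCTYPE rejection is a caveat the issue does not mention: SAML metadata never needs one, and refusing it before parsing keeps entity-expansion and external-entity payloads away from the XML parser.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MAX_METADATA_BYTES = 100 * 1024   # assumed cap on a pasted/uploaded file; not from the issue
MAX_SSO_URL_LEN = 2048            # Microsoft Entra limit quoted in the issue


class MetadataError(ValueError):
    """Raised when pasted metadata fails a check and must not be stored."""


def validate_metadata(raw: bytes) -> ET.Element:
    """The checks the acceptance criteria ask for before storing: size,
    well-formed XML, and that it really is SAML metadata. Returns the root."""
    if len(raw) > MAX_METADATA_BYTES:
        raise MetadataError(f"{len(raw)} bytes exceeds the {MAX_METADATA_BYTES}-byte limit")
    # SAML metadata never needs a DOCTYPE; refusing it up front blocks entity
    # expansion and external-entity tricks before the parser sees the document.
    if re.search(rb"<!DOCTYPE", raw, re.IGNORECASE):
        raise MetadataError("DOCTYPE declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise MetadataError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise MetadataError(f"root element {root.tag} is not md:EntityDescriptor")
    if not root.get("entityID"):
        raise MetadataError("EntityDescriptor has no entityID")
    # validUntil is optional; if present and already past, the metadata is stale
    # (the expiry problem from #9237 applies to uploaded files too).
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= datetime.now(timezone.utc):
            raise MetadataError(f"metadata expired at {valid_until}")
    return root


def is_rejected(raw: bytes) -> bool:
    """True when validate_metadata refuses the blob."""
    try:
        validate_metadata(raw)
    except MetadataError:
        return True
    return False


class MetadataStore:
    """In-memory stand-in for the S3 bucket proposed in the issue. Keys are the
    SHA-256 of the content, so the returned URL is short, stable and unguessable."""

    def __init__(self, base_url: str) -> None:
        self.base_url = base_url.rstrip("/")
        self._blobs: dict[str, bytes] = {}

    def put(self, raw: bytes) -> str:
        validate_metadata(raw)          # never store what did not pass the checks
        key = hashlib.sha256(raw).hexdigest()
        self._blobs[key] = raw
        return f"{self.base_url}/{key}.xml"

    def get(self, url: str) -> bytes:
        key = url.rsplit("/", 1)[1][: -len(".xml")]
        return self._blobs[key]


def build_sso_url(sso_endpoint: str, saml_request_b64: str, relay_state: str) -> str:
    """HTTP-Redirect binding URL; enforces the 2048-character ceiling from the issue."""
    url = sso_endpoint + "?" + urlencode({"SAMLRequest": saml_request_b64, "RelayState": relay_state})
    if len(url) > MAX_SSO_URL_LEN:
        raise ValueError(f"SSO URL is {len(url)} chars, over {MAX_SSO_URL_LEN}")
    return url


# Constructed sample metadata. The KeyDescriptor holds a placeholder instead of a
# real certificate; real ones are about this size, which is what makes embedding
# the whole document in RelayState impossible.
FAKE_CERT = "A" * 1800
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{SAML_MD_NS}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".encode()


def relay_state_fits(raw: bytes) -> tuple[bool, bool]:
    """(fits_by_reference, fits_inline): does the SSO URL stay under the limit when
    RelayState carries the stored metadata's URL vs. the metadata itself?"""
    store = MetadataStore("https://storage.example.test/saml-metadata")
    endpoint = "https://idp.example.test/sso"
    saml_request = "Q" * 400    # placeholder for a base64 AuthnRequest

    def fits(relay_state: str) -> bool:
        try:
            build_sso_url(endpoint, saml_request, relay_state)
            return True
        except ValueError:
            return False

    return fits(store.put(raw)), fits(raw.decode())
```

`relay_state_fits(SAMPLE_METADATA)` returns `(True, False)`: the stored-metadata URL rides comfortably inside the 2048-character budget, while the same document inline overflows it, which is the reason the design stores the paste and passes back a URL instead of the blob.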

@jordanh
Contributor

jordanh commented Mar 15, 2024

Prioritized
