We still have many customers who require SAML2 as the preferred, or even required, authentication method. There were some options for older Plone versions, but nothing really usable for Plone 6.
Further, I always had issues configuring Plone as SP together with customers, since there was no automation and people (including me at that time) had issues debugging configuration problems on either side (SP and IDP).
Thus I wrote a new package, which implements most of the python3-saml module as a PAS plugin. Important: it only implements Plone as SP (Service Provider).
The plugin is based on a similar architecture/concept as pas.plugins.oidc. It basically means that all endpoints are directly on the plugin and regular plone users are created upon first successful login (or not).
This also enables you to have multiple SAML plugins at the same time. You just need to implement your own login/logout views.
By default, the plugin does not interfere with Plone login/logout endpoints. You need to change those URLs on your own and/or enable the Challenge plugin.
I tested the plugin within a couple of customer projects and will install it next week on the first production environment.
How it works
If you already have an IDP, it should be pretty easy to configure your Plone site as SP.
There is a view which fetches the necessary configuration from federation metadata XML.
And the plugin also exposes the SP configuration as metadata.xml
I would really appreciate some feedback on how the package works for you and what needs to be improved. So if you have a test env with an IDP, give it a shot.
@pigeonflight thanks! So far with Azure and Keycloak. But IMHO it should support everything that python3-saml supports. I can try to help connecting other IDP providers. Or try others if they are available to me.
@maethu great work. If you see no problems with it, it would be helpful to move your project to Collective · GitHub, to increase its visibility and get more contributions from the community.
I think your addon has the potential to improve our SSO story especially since pure LDAP/AD is becoming less common as either ADFS, Shibboleth, or whatever plugin can connect to the wider universe of credential stores (Apple, Micro$ft, Amazon, etc).
IMHO, we should maybe sprint on AD and SSO as Volto further matures?
==
OK, here's my issue at the moment, I am testing this addon in our environment
and I've managed to successfully install and configure. We're authenticating to an Oracle OAM IdP maintained by our CIS. I've successfully imported the metadata and configured the attributes needed to redirect Plone's login to a session with the OAM portal. At the OAM login form, providing valid SSO credentials initiates successful authentication, and once the subsequent MFA is passed, the proper payload is returned (I've checked the SAML data) with the attributes we want.
However, I'm getting a "BadRequest" error in Plone. I've obfuscated the URLs.
The response was received at https://blah.blah.edu/VirtualHostBase/https/blah.blah.edu:443/saml2test/VirtualHostRoot//acl_users/saml/acs instead of https://blah.blah.edu/acl_users/saml/acs
2024-02-16 19:14:11,622 ERROR [wcs.samlauth.views:87][waitress-1] ['invalid_response']
2024-02-16 19:14:11,622 ERROR [wcs.samlauth.views:88][waitress-1] The response was received at https://blah.blah.edu/VirtualHostBase/https/blah.blah.edu:443/saml2test/VirtualHostRoot//acl_users/saml/acs instead of https://blah.blah.edu/acl_users/saml/acs
2024-02-16 19:14:11,652 ERROR [Zope.SiteErrorLog:35][waitress-1] BadRequest: https://blah.blah.edu/acl_users/saml/acs
The error message befuddles me because VirtualHostBase should be OK and handled by Nginx, no? I do know that the attributes returned don't match those in the addon. I think I read in your documentation that currently the attributes for authenticating with Plone are hard-coded, correct? With pas.plugins.ldap we map the attributes in Plone to those in LDAP. Can I do something like that in the code? I think I spotted what needs to be changed in plugin.py beginning at line 75?
Hopefully this missive makes sense. I need to map two attributes I'm getting from the IdP to Plone for a successful login. Any ideas, pointers, suggestions, etc. are greatly appreciated, and thanks for listening.
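The Destination mismatch in the log above comes from comparing the response's Destination against a URL built from the un-rewritten Zope path. As an added illustration (not wcs.samlauth's or python3-saml's code), the helper below undoes a VirtualHostBase/VirtualHostRoot rewrite following Zope's documented path convention and builds the request dict in the shape python3-saml's `OneLogin_Saml2_Auth` consumes; the `_vh_` prefix handling and the sample URLs are assumptions taken from Zope's VirtualHostMonster conventions.

```python
from urllib.parse import urlsplit, parse_qs

def external_url_from_vhm(url: str) -> str:
    """Undo a VirtualHostMonster rewrite and return the public URL.

    Zope's convention: .../VirtualHostBase/<scheme>/<host:port>/<site path>/VirtualHostRoot/<rest>
    where <site path> is the internal object path (e.g. saml2test) and <rest> is the
    path the browser actually requested. Segments named _vh_<x> in <rest> become a
    public path prefix /<x>. URLs without the marker are returned unchanged.
    """
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]  # drops the '//' seen in the log
    if "VirtualHostBase" not in segs or "VirtualHostRoot" not in segs:
        return url
    i = segs.index("VirtualHostBase")
    scheme, hostport = segs[i + 1], segs[i + 2]
    rest = segs[segs.index("VirtualHostRoot") + 1:]
    rest = [s[4:] if s.startswith("_vh_") else s for s in rest]
    host, _, port = hostport.partition(":")
    default_port = {"https": "443", "http": "80"}.get(scheme, "")
    netloc = host if port in ("", default_port) else f"{host}:{port}"
    path = "/" + "/".join(rest)
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{path}{query}"

def saml_request_dict(external_url: str, post_data: dict) -> dict:
    """Build the request_data dict python3-saml expects. It derives the URL it
    compares with the SAML Destination from these keys, so they must describe the
    externally visible URL, never the internal VirtualHostBase path."""
    p = urlsplit(external_url)
    return {
        "https": "on" if p.scheme == "https" else "off",
        "http_host": p.netloc,
        "script_name": p.path,
        "get_data": {k: v[0] for k, v in parse_qs(p.query).items()},
        "post_data": post_data,
    }
```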
I'm happy to take a look at both: the issue with the VirtualHostMonster and the attribute mapping feature. It might take a week or two, since I'm currently super busy with other projects. I'll keep you posted!
I was able to reproduce the issue with nginx. On my K8s cluster with nginx as ingress, the problem is not there. I changed how I put together the request for the saml processing. Now, it will work with nginx (Assuming a config like here)
Are you able to change the attributes on your end? With Keycloak and Azure it's no problem to define/transform the attributes on the IDP end to match what wcs.samlauth needs. I can implement a mapper, but it will take some time.
Again thanks for your quick assistance, I'm sorry I've been too busy to reply sooner.
It would be great to have a mapper to match attributes that aren't standard. I'm looking to use the University ID and login email which are different from what is hard coded.
As is, upon successful login, my user is being created from the ID generated from the SAML2 Assertion which looks like
# id-vrBpcyPwqvBRo5Kk60A3TQUksifwnttsmeXdJgPa
SAML 2.0 Assertion
ID id-CB36x8kO48GQpQZx2LG37Ttkd1--JFbUcaUPHxze
Version 2.0
IssueInstant 2024-02-29T18:24:15Z
Subject id-vrBpcyPwqvBRo5Kk60A3TQUksifwnttsmeXdJgPa
SAML 2.0 AttributeStatement
What I need to figure out is how to get the data from the SAML2 AttributeStatement, which contains the attributes we want to use. Do you think I could monkey-patch the addon to just get things working as a POC?
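As an added example (not wcs.samlauth's code, and not a monkey-patch of it), this shows the two pieces the question asks about: pulling attributes out of a SAML 2.0 AttributeStatement into the name-to-values dict shape that python3-saml's `get_attributes()` returns, and mapping IdP attribute names onto Plone user properties with a required-field check. The assertion, the attribute names and the `ATTRIBUTE_MAP` are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; urn:oid:0.9.2342.19200300.100.1.3 is the standard OID for 'mail'.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="id-example" Version="2.0" IssueInstant="2024-02-29T18:24:15Z">
  <saml:Subject><saml:NameID>id-constructed-subject</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>jdoe@blah.blah.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="universityID"><saml:AttributeValue>U1234567</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attributes_from_assertion(xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(xml)
    attrs: dict = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

# Hypothetical mapping (IdP attribute name -> Plone property); the real plugin's
# configuration schema is not part of this example.
ATTRIBUTE_MAP = {
    "universityID": "id",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "eduPersonAffiliation": "groups",
}
REQUIRED = ("id", "email")

def map_to_plone_user(attrs: dict, mapping: dict = ATTRIBUTE_MAP) -> dict:
    """Apply the mapping. Single-valued properties take the first value; 'groups'
    keeps the whole list. Refuse to build a user when a required property is
    absent, so an incomplete assertion never results in a half-populated account."""
    user = {}
    for saml_name, plone_name in mapping.items():
        values = attrs.get(saml_name, [])
        if values:
            user[plone_name] = values if plone_name == "groups" else values[0]
    missing = [r for r in REQUIRED if r not in user]
    if missing:
        raise ValueError(f"assertion lacks required attributes: {missing}")
    return user
```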