New saml2 Plugin for Plone 6 based on python3-saml

Classic as of right now.

1 Like

Mathias,

Thanks again for the help. We're able to authenticate with our central admin's SSO which uses Oracle Access Manager (OAM).

We patched _updateUserProperties:

    userProps = {}
    if "email" in userinfo:
        userProps["email"] = make_string(userinfo["email"])

    if "givenName" in userinfo and "sn" in userinfo:
        userProps["fullname"] = "{} {}".format(
            make_string(userinfo["givenName"]), make_string(userinfo["sn"])
        )
    elif "name" in userinfo and "sn" in userinfo:
        userProps["fullname"] = "{} {}".format(
            make_string(userinfo["name"]), make_string(userinfo["sn"])
        )

    if "givenName" in userinfo:
        userProps["givenname"] = make_string(userinfo["givenName"])

    if "sn" in userinfo:
        userProps["sn"] = make_string(userinfo["sn"])

    if "EMPLID" in userinfo:
        userProps["emplid"] = make_string(userinfo["EMPLID"])

We also added a line at remember_identity to pick up the userID from basic attributes:

    user_id = make_string(userinfo["email"]).lower().split('@')[0]

Works well and is performant.

I know that you said you're using Classic at the moment; we've moved our front end to Volto. I think I read/saw/see that your code roughly follows pas.plugins.oidc. Does that mean we could potentially use volto.authomatic? Do you think this would be a heavy lift to get auth to work with Volto?

I am getting my POC/Dev Volto part together to test. Any comments/suggestions greatly appreciated.

In health,

Eric
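The attribute mapping and user-id derivation described in the post above, as an added example that is not part of the original post or of the plugin's code. It assumes attribute values arrive as lists (as python3-saml returns them); `first_value`, `derive_user_id`, `map_user_properties`, `ALLOWED_DOMAINS` and the sample data are hypothetical names and constructed values. It adds the two checks the one-line version lacks: a missing `email` attribute, and two addresses in different domains collapsing to the same local part.

```python
# Added example, not the plugin's code. SAMPLE is a constructed assertion payload.
ALLOWED_DOMAINS = {"example.edu"}  # assumption: the one domain this IdP vouches for

SAMPLE = {
    "email": ["Alice.Smith@Example.edu"],
    "givenName": ["Alice"],
    "sn": ["Smith"],
    "EMPLID": ["0012345"],
}


def first_value(value):
    """Hypothetical stand-in for make_string: accepts str, bytes or a list."""
    if isinstance(value, (list, tuple)):
        value = value[0] if value else ""
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    return str(value).strip()


def derive_user_id(userinfo, allowed_domains=ALLOWED_DOMAINS):
    """Return the e-mail local part as user id, or raise ValueError."""
    email = first_value(userinfo.get("email", "")).lower()
    if email.count("@") != 1:
        raise ValueError("no usable email attribute in assertion")
    local, domain = email.split("@")
    if not local or domain not in allowed_domains:
        # Without this check alice@example.edu and alice@other.example
        # would both become the user id "alice".
        raise ValueError("email not accepted: %r" % email)
    return local


def map_user_properties(userinfo):
    """Follow the property mapping from the post, as a pure function."""
    props = {}
    for source, target in (("email", "email"), ("givenName", "givenname"),
                           ("sn", "sn"), ("EMPLID", "emplid")):
        if source in userinfo:
            props[target] = first_value(userinfo[source])
    first = userinfo.get("givenName") or userinfo.get("name")
    if first and "sn" in userinfo:
        props["fullname"] = "{} {}".format(
            first_value(first), first_value(userinfo["sn"]))
    return props


if __name__ == "__main__":
    print(derive_user_id(SAMPLE), map_user_properties(SAMPLE))
```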

@riker11451 I have no experience with Volto and will not work with it anytime soon. I mostly work on the backend side.

I will have a look at what's possible with saml2 and restapi.

@maethu we've been able to confirm that your add-on works with Volto! I checked the box for Create API Session and things seemed to work. We will have to update our Volto views & templates to reflect, for example, the different login URLs, etc. But on the face of it, things work well in Volto. We're grateful for your work, and hopefully, we're able to contribute back.

:beers: Eric

1 Like

Awesome, I'm happy it worked out well.
Regarding Volto: it would be great if you could provide a brief explanation of what you did to make it work. I can then add it to the documentation. :blush:

2 Likes

@riker11451 Any hint about how it worked on the frontend to get the session to work?