
[WIP] Add SAML authentication

Open ksuderman opened this issue 4 years ago • 4 comments

This is a WIP to add SAML authentication to Galaxy as suggested in galaxyproject/galaxy#3146

This PR enables users to authenticate via a SAML Identity Provider (IdP) and the login process has been tested with the IdPs at samltest.id and onelogin.com.

Discussion

Social-Auth vs python3-saml

The python3-saml library is used directly but it may be desirable to use the Social Auth SAML Backend to be consistent with the OIDC authentication classes. However, the Social Auth backend is just a wrapper around the python3-saml library and doesn't provide any obvious benefits other than consistency with the other authentication classes. I would even say the Social Auth backend is more complicated to use than using the python3-saml library directly.

URLs

The saml.py controller uses URLs in the /authnz/saml url-space. This should not be a problem unless someone plans to implement an OIDC provider named saml. Is there another base URL that should be used for SAML authentication?

TODO

  • [ ] Add tests
  • [x] Changes to support enable_saml and saml_config_dir fields in the galaxy.yml config.
  • [ ] Test and validate the above assertion is correct
  • [ ] Documentation:
    • [ ] Configuration: settings.json, generating certificates, etc.
    • [ ] Update doc/source/admin/authentication.md et al.
  • [ ] Logout process
    • [ ] Maintain state information
    • [ ] User initiated logout
    • [ ] IdP initiated logout

ksuderman avatar Mar 15 '20 23:03 ksuderman
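As an added example (not code from this PR, from Galaxy, or from python3-saml), here is the SP side of the login flow the PR describes, in stand-alone Python: issue an AuthnRequest, remember its ID as per-login state, and validate the IdP's POST-binding Response before trusting its NameID. python3-saml performs the equivalent checks internally; spelling them out shows what the "maintain state information" TODO protects (InResponseTo binding, one-shot consumption against replay) and why an SP must reject extra assertions, foreign audiences and expired conditions. The entity IDs, the `/authnz/saml/acs` route and the IdP response are all constructed for the demo, and XML signature verification is left as a `signature_ok` hook because it needs xmlsec; the demo stubs it to true.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(seconds=60)  # clock drift tolerated between SP and IdP
TS = "%Y-%m-%dT%H:%M:%SZ"


def _require(ok, msg):
    if not ok:
        raise ValueError(msg)


def _ts(s):  # SAML timestamps are UTC; keep them timezone-aware for comparisons
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, now, pending):
    """Return (request_id, AuthnRequest XML) and record the ID in `pending`,
    the per-login state the IdP's response must later be matched against."""
    rid = "_" + secrets.token_hex(16)
    pending[rid] = now
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" Version="2.0" '
           f'IssueInstant="{now.strftime(TS)}" Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    return rid, xml


def validate_response(b64, *, sp_entity_id, acs_url, idp_entity_id, pending, now, signature_ok):
    """Validate a POST-binding SAMLResponse; return the NameID or raise ValueError.
    signature_ok(root) is the XML-DSig hook (xmlsec / python3-saml in practice), not implemented here."""
    root = ET.fromstring(base64.b64decode(b64))
    _require(root.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")
    _require(signature_ok(root), "signature verification failed")  # verify before trusting any field
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == SUCCESS, "IdP did not report Success")
    _require(root.get("Destination") == acs_url, "Destination is not our ACS URL")
    rid = root.get("InResponseTo")
    _require(rid in pending, "InResponseTo unknown or already consumed")  # unsolicited or replayed
    del pending[rid]  # one-shot: consume the login state so the same response cannot be replayed
    assertions = root.findall("saml:Assertion", NS)
    _require(len(assertions) == 1, f"expected one Assertion, got {len(assertions)}")  # no smuggled extras
    a = assertions[0]
    _require(a.findtext("saml:Issuer", default="", namespaces=NS) == idp_entity_id, "Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    _require(cond is not None and cond.get("NotOnOrAfter"), "Conditions/NotOnOrAfter missing")
    _require(not cond.get("NotBefore") or _ts(cond.get("NotBefore")) - SKEW <= now, "assertion not yet valid")
    _require(_ts(cond.get("NotOnOrAfter")) + SKEW > now, "assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(sp_entity_id in audiences, "we are not in the AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    _require(scd is not None and scd.get("Recipient") == acs_url and scd.get("InResponseTo") == rid,
             "SubjectConfirmationData not bound to this request and ACS")
    _require(scd.get("NotOnOrAfter") and _ts(scd.get("NotOnOrAfter")) + SKEW > now, "subject confirmation expired")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    _require(name_id, "no NameID")
    return name_id


def constructed_response(rid, *, sp_entity_id, acs_url, idp_entity_id, now, audience=None, extra_assertion=False):
    """Constructed, unsigned IdP response for the demo; not real IdP output."""
    nb, noa = (now - timedelta(minutes=1)).strftime(TS), (now + timedelta(minutes=5)).strftime(TS)

    def assertion(name_id):
        return (f'<saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{now.strftime(TS)}">'
                f'<saml:Issuer>{idp_entity_id}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
                '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
                f'<saml:SubjectConfirmationData Recipient="{acs_url}" InResponseTo="{rid}" NotOnOrAfter="{noa}"/>'
                f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
                f'<saml:AudienceRestriction><saml:Audience>{audience or sp_entity_id}</saml:Audience>'
                '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

    body = assertion("alice@example.org") + (assertion("mallory@example.org") if extra_assertion else "")
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(8)}" Version="2.0" '
           f'IssueInstant="{now.strftime(TS)}" Destination="{acs_url}" InResponseTo="{rid}">'
           f'<saml:Issuer>{idp_entity_id}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'{body}</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def demo():
    """One accepted login, then three rejected responses (replay, smuggled second
    assertion, wrong audience). Returns (accepted NameID, [rejection reasons])."""
    now = datetime(2021, 1, 25, 18, 0, tzinfo=timezone.utc)
    cfg = dict(sp_entity_id="https://galaxy.example.org", idp_entity_id="https://idp.example.org",
               acs_url="https://galaxy.example.org/authnz/saml/acs")  # hypothetical ACS route under /authnz/saml
    pending = {}

    def new_rid():
        return build_authn_request(cfg["sp_entity_id"], cfg["acs_url"], "https://idp.example.org/sso", now, pending)[0]

    check = dict(cfg, pending=pending, now=now, signature_ok=lambda root: True)  # DSig hook stubbed for the demo
    good = constructed_response(new_rid(), now=now, **cfg)
    user = validate_response(good, **check)
    rejected = []
    for bad in (good,  # replayed after its request state was consumed
                constructed_response(new_rid(), now=now, extra_assertion=True, **cfg),
                constructed_response(new_rid(), now=now, audience="https://other-sp.example.org", **cfg)):
        try:
            validate_response(bad, **check)
        except ValueError as e:
            rejected.append(str(e))
    return user, rejected
```

Running `demo()` accepts alice once and then reports the three rejection reasons. In a real deployment the `pending` dict would live in the server-side session store (with expiry) so that an IdP-initiated or replayed response cannot be matched to a request the SP never issued, and `signature_ok` would be python3-saml's or xmlsec's verification against the IdP certificate from its metadata; never accept a response on Status alone.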

It would be ideal to use Python Social Auth (PSA) for authentication (and authorization) when possible. It seems they have implemented a SAML backend.

VJalili avatar Mar 19 '20 16:03 VJalili

Hi Keith, I'm interested in SAML authentication with Galaxy. I see that your PR wasn't merged. Is it because you didn't have time to move from the python3-saml library to Python Social Auth? Or did you find another way to achieve your goal? Thanks

eancelet avatar Jan 25 '21 10:01 eancelet

Amazing timing. I am just starting to update this PR again to bring it in line with the latest Galaxy code base and to fix the conflicts and failing tests.

The current Python Social Auth code in Galaxy assumes an OIDC backend so adding SAML to the mix would require at least changes to the galaxy.authnz module and AuthnzManager and PSAAuthnz classes. The changes aren't difficult, but are much more invasive than this simple PR. I will coordinate with the Galaxy team to determine the best way forward.

ksuderman avatar Jan 25 '21 18:01 ksuderman

Good news :)
I'll follow your work then. Thanks

eancelet avatar Jan 26 '21 14:01 eancelet