
Dev Added optional Azure SSO, reCaptcha login auth

Open joshuasir opened this issue 1 year ago • 3 comments

Description

This pull request adds Azure SSO (Single Sign-On) login functionality and implements reCAPTCHA v2 hidden to enhance security in the Snipe-IT asset management system. These additions provide easier authentication for organizations using Azure Active Directory and add an extra layer of protection against automated attacks.

Azure SSO Login

The Azure SSO implementation allows users to log in to Snipe-IT using their Azure AD credentials. This feature streamlines the authentication process and improves security by leveraging Azure's identity management.

reCAPTCHA v2 Hidden

The addition of reCAPTCHA v2 hidden provides protection against bots and automated attacks without requiring user interaction. This invisible CAPTCHA is attached to the regular log-in button and only prompts users for verification if suspicious activity is detected.


Added #15628 (Please replace with the actual issue number if applicable)

Type of change

  • [x] New feature (non-breaking change which adds functionality)
  • [x] This change requires a documentation update

How Has This Been Tested?

  • [x] Test A: Azure SSO login flow tested with multiple Azure AD accounts
  • [x] Test B: reCAPTCHA v2 hidden tested on login and registration forms
  • [x] Test C: Integration tests for Azure SSO authentication
  • [x] Test D: Security tests to ensure reCAPTCHA v2 hidden is functioning correctly

Test Configuration:

  • PHP version: 8.1.6
  • MySQL version: 8.1.6
  • Webserver version: Apache 2.4.53
  • OS version: Windows 11

Checklist:

  • [x] I have read the Contributing documentation available here: https://snipe-it.readme.io/docs/contributing-overview
  • [x] I have formatted this PR according to the project guidelines: https://snipe-it.readme.io/docs/contributing-overview#pull-request-guidelines
  • [x] My code follows the style guidelines of this project
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] My changes generate no new warnings
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] New and existing unit tests pass locally with my changes

joshuasir avatar Oct 07 '24 15:10 joshuasir
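Added example, not code from this PR or from Snipe-IT: the server-side half of the reCAPTCHA v2 check the description mentions, with the two checks a reviewer would ask for beyond the `success` flag, namely that the token was solved on this deployment's hostname and that it is fresh. Plain PHP; the class, the method names and the sample siteverify payloads are constructed, while `success`, `challenge_ts`, `hostname` and `error-codes` are the documented siteverify fields.

```php
<?php
// Added example, not Snipe-IT code: server-side evaluation of Google's
// reCAPTCHA v2 siteverify JSON (success, challenge_ts, hostname,
// error-codes are the documented fields). Sample payloads are constructed.
declare(strict_types=1);

final class RecaptchaVerifier
{
    public function __construct(
        private string $expectedHostname,   // host the login form is served from
        private int $maxAgeSeconds = 120    // reject stale challenge tokens
    ) {}

    /** Returns rejection reasons; an empty array means the login may proceed. */
    public function evaluate(string $siteverifyJson, int $now): array
    {
        $data = json_decode($siteverifyJson, true);
        if (!is_array($data)) {
            return ['siteverify response is not valid JSON'];
        }
        $reasons = [];
        if (($data['success'] ?? false) !== true) {
            $reasons[] = 'success flag not true: ' . implode(',', $data['error-codes'] ?? ['none']);
        }
        // A token is bound to the site key, not to this deployment: checking the
        // hostname rejects a token solved on another site that uses the same key.
        if (($data['hostname'] ?? '') !== $this->expectedHostname) {
            $reasons[] = 'hostname mismatch: ' . ($data['hostname'] ?? '(missing)');
        }
        $ts = isset($data['challenge_ts']) ? strtotime($data['challenge_ts']) : false;
        if ($ts === false || $now - $ts > $this->maxAgeSeconds) {
            $reasons[] = 'challenge timestamp missing or older than ' . $this->maxAgeSeconds . 's';
        }
        return $reasons;
    }
}

// Constructed responses: one good, one from another hostname, one failed.
$verifier = new RecaptchaVerifier('assets.example.org');
$now = strtotime('2024-10-07T15:10:00Z');
$good    = '{"success": true, "challenge_ts": "2024-10-07T15:09:30Z", "hostname": "assets.example.org"}';
$foreign = '{"success": true, "challenge_ts": "2024-10-07T15:09:30Z", "hostname": "other.example.net"}';
$failed  = '{"success": false, "error-codes": ["timeout-or-duplicate"]}';
foreach (['good' => $good, 'foreign' => $foreign, 'failed' => $failed] as $label => $json) {
    $reasons = $verifier->evaluate($json, $now);
    echo $label, ': ', $reasons ? implode('; ', $reasons) : 'accepted', PHP_EOL;
}
```

In the real controller the JSON would come from a server-to-server POST to the siteverify endpoint with the secret key; only the decision logic is shown here.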

PR Summary

  • Introduction of Azure Login System We've added a new feature that allows users to log into the application using their Azure account. This process is managed through methods that handle redirection to Azure for sign-in and its subsequent follow-up.

  • Updated Security Details To facilitate the new login feature, we've included Azure credentials in the application's configuration settings. We've also introduced storage for reCAPTCHA settings in a new separate configuration file.

  • Improvement on Security Measures We've adjusted our CSRF (Cross-Site Request Forgery) protection system to account for the new Azure sign-in process. Specifically, we've added an exception for the Azure follow-up route.

  • Improved Login Interface The login page now has an additional Azure login button for users who prefer this option. On top of that, we've integrated a Google reCAPTCHA validation mechanism, facilitating a double layer of security.

  • Language Localization Update To accommodate the Azure login feature, we've included a translated label for it in our language file.

  • Implementation of reCAPTCHA Validation As part of our efforts to enhance security, we've included a verification process for Google reCAPTCHA in our already established login process.

  • Assignment of Additional Routes Finally, we've set up routes required for the Azure login process and its follow-up within our application routing file.

what-the-diff[bot] avatar Oct 07 '24 16:10 what-the-diff[bot]
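Added example, not code from this PR: once the Azure follow-up (callback) route is exempted from the CSRF middleware, the OAuth `state` value is what ties the callback back to the browser that started the login, so the redirect and callback steps have to generate and verify it. Plain PHP with an array standing in for Laravel's session; the function names, tenant, redirect URI and client id are placeholders, while the authorize endpoint is Microsoft's documented v2.0 one.

```php
<?php
// Added example, not Snipe-IT code: OAuth `state` handling for the Azure
// sign-in redirect and its callback. A plain array models the session;
// the client id, tenant and redirect URI are placeholders.
declare(strict_types=1);

const AZURE_AUTHORIZE = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize';

/** Build the Azure redirect URL and remember the fresh state in the session. */
function buildAzureRedirect(array &$session, string $tenant, string $clientId, string $redirectUri): string
{
    $state = bin2hex(random_bytes(16));          // 128 random bits, unguessable
    $session['azure_oauth_state'] = $state;
    $query = http_build_query([
        'client_id'     => $clientId,
        'response_type' => 'code',
        'redirect_uri'  => $redirectUri,
        'response_mode' => 'query',
        'scope'         => 'openid profile email',
        'state'         => $state,
    ]);
    return str_replace('{tenant}', rawurlencode($tenant), AZURE_AUTHORIZE) . '?' . $query;
}

/** Validate the callback before exchanging the code; null means reject. */
function acceptAzureCallback(array &$session, array $query): ?string
{
    $expected = $session['azure_oauth_state'] ?? null;
    unset($session['azure_oauth_state']);        // single use, even on failure
    $got = (string) ($query['state'] ?? '');
    if ($expected === null || !hash_equals($expected, $got)) {
        return null;                             // state missing, stale or not ours
    }
    if (isset($query['error'])) {
        return null;                             // Azure reported a failure
    }
    $code = (string) ($query['code'] ?? '');
    return $code !== '' ? $code : null;
}

// Constructed walk-through: a legitimate round trip, then a replay of the same state.
$session = [];
$url = buildAzureRedirect($session, 'contoso.onmicrosoft.com', 'CLIENT-ID-PLACEHOLDER',
    'https://assets.example.org/azure/callback');
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);
var_dump(acceptAzureCallback($session, ['code' => 'AUTHCODE', 'state' => $sent['state']]));
var_dump(acceptAzureCallback($session, ['code' => 'AUTHCODE', 'state' => $sent['state']]));
```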

This is really nice work, truly. I'm going to show a bit of my ass here and ask whether this is actually needed. We have users that already have SSO with Office 365/Entra. Does Azure specifically require something different? Apologies for not already knowing this. We have tons of customers in the Azure/Entra ecosystem, so I'm just unclear as to what makes these extra steps necessary.

snipe avatar Oct 09 '24 14:10 snipe

You are right. I guess the difference is just that mine uses OAuth and, if I'm not mistaken, the currently existing Azure SSO uses SAML. User-experience-wise I don't think there is any difference between OAuth and SAML; both just authenticate. If you think it's not necessary I'm willing to drop the pull request; it's kinda my fault for not reading the documentation thoroughly and jumping into development 🙂.

joshuasir avatar Oct 10 '24 04:10 joshuasir