omniauth-saml as provider in gitlab - omniauth

I'm trying to get omniauth-saml configured, but I'm not entirely sure what I need to put in app_id and app_secret for this configuration.
I'm using this gem: https://github.com/PracticallyGreen/omniauth-saml
If I leave those fields blank, of course I get:
Received wrong number of arguments. [nil, nil]
The documentation within the gitlab.yml file links to more documentation about gitlab and omniauth, but that document no longer exists (redirects to old README).
Any assistance would be appreciated, thanks!

https://github.com/gitlabhq/gitlab-public-wiki/wiki/Working-Custom-Omniauth-Provider-Configurations#working-cas-configuration
The working CAS configuration shows you how you skip using the standard configuration and just pass the options directly to the provider using devise.rb. That's how I would configure omniauth-saml as well.

I was able to get SAML working with Gitlab 6.2.4, but it is not the most elegant solution. I am using Okta as the IdP, but I believe the configuration is sufficiently generic and could be applied to any SAML IdP.
Added omniauth-saml to the Gemfile and ran bundle
bundle install --without development test postgres --path vendor/bundle --no-deployment
Created GITLAB/config/initializers/omniauth.rb
Devise.setup do |config|
  # Register omniauth-saml as a Devise OmniAuth provider; the strategy
  # verifies the IdP's signing certificate against this fingerprint.
  config.omniauth :saml,
    idp_cert_fingerprint: "your IdP certificate fingerprint",
    idp_sso_target_url: "your IdP SAML end point"
end
Modified GITLAB/app/controllers/omniauth_callbacks_controller.rb (added this following the definition for ldap)
# Callback action for the :saml provider; reuses the same handler as the ldap action.
def saml
  handle_omniauth
end
I had to manually add the callback for SAML as I was getting the same error as the original poster when I tried to properly define SAML as a provider in gitlab.yml. This is the only way I could get Gitlab to start and authenticate via SAML. This feels very hacky, so there is probably a more elegant way to implement this; however, I could not find an example anywhere.
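As an added example (not the poster's code and not omniauth-saml's own implementation), this Ruby script shows how the idp_cert_fingerprint value used in omniauth.rb is derived from an IdP certificate and how a certificate presented in a SAML response should be checked against the pinned value; the self-signed certificate is constructed inline as a stand-in for a real IdP's.

```ruby
require 'openssl'

# Fingerprint of a certificate as SAML tooling displays it: the digest of
# the DER encoding, as upper-case hex pairs separated by colons.
def cert_fingerprint(cert, algorithm = 'SHA1')
  OpenSSL::Digest.new(algorithm).hexdigest(cert.to_der).scan(/../).join(':').upcase
end

# Accept the configured value in any common spelling (colons, spaces, case).
def normalize_fingerprint(fingerprint)
  fingerprint.to_s.gsub(/[^0-9a-fA-F]/, '').upcase
end

# Constant-time comparison so a mismatch does not leak where it differs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Does the certificate presented in a SAML response match the pinned
# idp_cert_fingerprint? Only then should its signature be trusted.
def fingerprint_matches?(cert, configured_fingerprint, algorithm = 'SHA1')
  secure_equal?(normalize_fingerprint(cert_fingerprint(cert, algorithm)),
                normalize_fingerprint(configured_fingerprint))
end

# Constructed stand-in for an IdP certificate (self-signed, for this example only).
def build_example_idp_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=idp.example.test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  idp_cert = build_example_idp_cert
  pinned = cert_fingerprint(idp_cert)   # the value to put in idp_cert_fingerprint
  puts "idp_cert_fingerprint: #{pinned}"
  puts "pinned cert matches:  #{fingerprint_matches?(idp_cert, pinned)}"
  puts "other cert matches:   #{fingerprint_matches?(build_example_idp_cert, pinned)}"
end
```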

https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations#working-saml-configuration
I managed to get it to work, so I documented the procedure on the GitLab wiki.
EDIT: It seems like SAML is now supported officially. No Single Logout yet, though… This seems to be an omniauth limitation.

Related

Using CKAN with the Cosign SSO system and LDAP

I'm using CKAN with Apache and an SSO system called Cosign. Cosign works as an authenticator in Apache and ends up setting REMOTE_USER before the python code fires up. What I'm trying to do is use LDAP user lookup based on that preset REMOTE_USER. Can I do that with the CKAN ldap plugin (http://extensions.ckan.org/extension/ldap/)? Any advice greatly appreciated - I'm a Python and CKAN novice.
The short answer is that ckanext-ldap doesn't do that. What it does is provide a custom login form (username and password) that authenticates the credentials via LDAP. It then creates a session for the corresponding CKAN user, creating a user account first if required. Having it do anything else would require customisation of the extension although there are a number of options documented in its readme that alter the behaviour in small ways.
Whether ckanext-ldap would be a suitable extension to build upon to achieve what you want depends on what you want to do, which isn't clear from your question.

Symfony 3.1: configuration of ldap component as service

I'm writing my first Symfony app and I need to authenticate users over LDAP/AD, but I ran out of documentation...
I found many solutions that use LdapClient, but it is tagged as deprecated. So I checked how to use the new Ldap class as recommended, but I did not find documentation for using it. The documentation of the Ldap component for the current version (3.1) still suggests using LdapClient! Isn't it updated yet?
I don't know what to do: must we create an adapter to add an Ldap service? If so, how should I proceed?
Any help will be appreciated, thanks!
Check out this cookbook article for configuring LDAP authentication using the built-in Symfony component:
http://symfony.com/doc/current/cookbook/security/ldap.html
I also have a bundle I maintain that includes LDAP authentication that works well with AD called LdapToolsBundle. It has documentation on the main page for the app/config/config.yml entries needed to configure your domain for use in the bundle, and also some details on configuring authentication in app/config/security.yml here.
The bundle above provides an LDAP service called ldap_tools.ldap_manager that can be used to query/create/modify different types of AD objects.
Take a look at my blog:
https://alvinbunk.wordpress.com/2016/03/25/symfony-ad-integration/
This requires FOSUserBundle and FR3DLdapBundle, but I think if you go through all that documentation you should be able to get LDAP/AD integration with Symfony3 working.
EDIT #2
Below is a second, easier solution:
https://alvinbunk.wordpress.com/2017/09/07/symfony-ldap-component-ad-authentication/

How to integrate Devise and SAML?

What is the best way to get SAML working with the widely used https://github.com/plataformatec/devise?
https://github.com/apokalipto/devise_saml_authenticatable doesn't do signed/encrypted auth requests and that's a deal breaker for us, and the usual sources haven't helped.
Devise's Omniauth integration, for example, requires an app ID and secret that Onelogin's SAML connector doesn't provide.
So, the answer that worked for me is to use the Gemfile and omniauth.rb settings as outlined in https://github.com/PracticallyGreen/omniauth-saml#usage and then to follow Devise's OmniAuth tutorial at https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview, replacing Facebook with SAML. Note that you mightn't need the UID field mentioned in the tutorial, depending on how your IdP stores their users (and you wouldn't get a permanent UID if you use the transient nameid format). Use whatever uniquely identifies your user at the IdP, which is quite possibly an email address.
The devise.rb stuff added by ioblomov doesn't seem to add anything and in fact causes an issue if you do it as well as doing an omniauth.rb file. This creates a situation where the IdP does two callbacks, one using the omniauth.rb settings and another using the devise.rb settings. Given that the devise.rb settings are not complete (they don't have a consumer url for example), I can't see how even having it on its own could ever work. It is not clear to me what "devise integration" even means in the context of omniauth-saml. Once you get an auth response back (which you will just from using the omniauth.rb settings), then all you have to do is use the devise method sign_in_and_redirect in your callback controller and then you have all the usual devise stuff available to you for that user. I will submit a PR to omniauth-saml but I wouldn't be holding my breath as the project appears to be sporadically maintained at the moment.
I had to deal with this recently to hook a Rails app up to a university network using Shibboleth for SSO. I ended up using Devise, OmniAuth and running on Apache with mod-shib2. I am not sure if you are using Shibboleth specifically but it is built on top of SAML. The lightweight rack-saml implementation did not work for me.
Turns out the Devise config's parameters were wrong. I documented the correct settings in a fork/PR:
https://github.com/omniauth/omniauth-saml#devise-integration

How to integrate CAS authentication in SonarQube

We want to integrate CAS authentication into Sonar 3.7 LTS. We want to start working with the deprecated CAS plugin, which of course doesn't work. We already compared it with the LDAP plugin from here, whose Authenticator interestingly implements the deprecated interface LoginPasswordAuthenticator. One of the main differences is that the CAS Authenticator plugin implements Authenticator. So we altered the CAS plugin so that it implements LoginPasswordAuthenticator instead.
Now comes the clue:
In both cases, the authenticator implementing Authenticator or LoginPasswordAuthenticator, the username passed to it is null. The authentication against the CAS server works like a charm, the plugin knows the username, but Sonar asks the plugin if it knows the user with the name null. The effect is that when we click on login we get redirected to CAS, fill in the login form and get redirected back to Sonar, still not authenticated to Sonar itself.
We also considered using container authentication but are not sure if that works with Sonar.
Now the question(s):
Has someone got the CAS plugin working with Sonar 3.7? If yes, how and can you provide the sources/solution/plugin?
Is there another way besides the suggested ones above?
One additional note: We want to use Sonar in our existing Tomcat 7, so using Sonar 4 is a way we do not really want to go because the Sonar team decided to stop war support. If anything else fails though, using it is a pain-in-the-ass-but-acceptable solution.
Thanks for your help.
Try this fork: https://github.com/jerzykrlk/sonar-cas.
I restored the behaviour of the original plugin - it should work with Sonar 3.7. It is unofficial at the moment, and will require a manual build. But maybe it will become an official plugin at some point, again.
Thanks to #psqita we got the CAS plugin for Sonar up and running with SAML 1.1. Business requirements said that no anonymous access shall be allowed. Sadly, setting forceAuthentication to true sent us into an endless loop of painful redirecting between CAS and Sonar. So we figured out that Sonar alters its behavior drastically in a way that it ignores all authentication plugins.
Our solution: As of business requirement we could not allow anonymous access. So we implemented another Filter that redirects conditionally to CAS. Authentication and stuff is still done by the plugin. Sadly, we still do not know why there was this endless loop in the first place but now it doesn't happen anymore. Well that's IT I think...
Thank you for your support and happy holidays.

Redmine REST API - users

I am writing an application using data from Redmine. I use its REST API to get data.
It works fine with projects or issues, but when I try to access users' data I just can't because it asks for credentials in the browser, and it responds with HTTP error code 401 to my HTTP request from my program.
How do I find a solution to this problem?
Environment:
Redmine version 2.1.2.stable
Ruby version 1.8.7 (i386-mingw32)
Ruby on Rails version 3.2.8
Environment production
Database adapter MySQL
I've figured it out. It is described in great detail on the Redmine wiki.
There are a couple of options to authenticate yourself.
The easiest is to include an extra field in your query, named key. You must include your user's REST API key there in each query.
Like:
localhost/redmine/users.xml?key=eaksdnynkdnasdfnaskdsar
It is very interesting because in earlier versions (2.1.0) it asks for authentication for each XML file. But in my version, 2.1.3, it doesn't ask; it only does if I request users' data.