Description
At the moment the following (here relevant) SAML related fields are defined:

```yaml
# Saml settings
# [...]
saml_metadata_idp:
  type: text
  restriction_mode: A
saml_metadata_sp:
  type: text
  restriction_mode: A
saml_private_key:
  type: text
  restriction_mode: A
```

As far as I know these are set with a simple organization.update action issued by the client.
This is very error-prone and should instead be mostly automated.
It requires the end user to manually generate and input a key pair and metadata for the SP (OpenSlides), see OpenSlides/openslides-client#2944.
I think the backend should just provide an action to automatically generate the needed information, like organization.generate_saml_metadata.
This should then generate an X.509 key pair and use its public key and other relevant information from the database (such as the URL) to construct saml_metadata_sp.
The organization.update action should then forbid changing saml_metadata_sp and saml_private_key manually.
For implementing this the backend probably should utilize the python3-saml module, for which inspiration may be found at https://github.com/OpenSlides/OpenSlides/tree/stable/3.4.x/server/openslides/saml
However, OpenSlides 3 did not generate the key pair within the code, so this has to be researched.
I am pretty confident, though, that a good stable library for this exists.
The generated key pair should be equivalent to the output of

```
openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key
```

Also, IdPs usually provide their metadata XML via an HTTP route. So I think it would also be more user-friendly and intuitive to change saml_metadata_idp to saml_metadata_idp_url, although this is not as important and may also be debatable.
This of course would also imply that the URL must be queried at some point, and I am not sure if the backend should be the one doing that. So maybe - if at all - this should be in the client, which would then keep sending the XML to the backend.
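As an added illustration (not OpenSlides code), here is what such an organization.generate_saml_metadata action could do in Python with the `cryptography` package: produce a self-signed X.509 key pair with the same 3652-day validity as the openssl command and embed the certificate in a minimal saml_metadata_sp. The RSA-2048 key size and the /saml/metadata and /saml/acs routes are assumptions, not OpenSlides paths.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

def generate_sp_keypair(common_name, days=3652):
    """RSA key plus self-signed X.509 cert: the in-code equivalent of the openssl command."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # size assumed
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)  # self-signed: issuer == subject
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption()).decode()
    return key_pem, cert.public_bytes(serialization.Encoding.PEM).decode()

def build_sp_metadata(base_url, cert_pem):
    """saml_metadata_sp: EntityDescriptor carrying the cert as signing key (routes assumed)."""
    cert = x509.load_pem_x509_certificate(cert_pem.encode())
    der_b64 = base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=f"{base_url}/saml/metadata")
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509data = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509data, f"{{{DS}}}X509Certificate").text = der_b64  # base64 DER, no PEM armour
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=f"{base_url}/saml/acs", index="1")
    return ET.tostring(root, encoding="unicode")

def generate_saml_settings(base_url):
    """Values the proposed organization.generate_saml_metadata action would store."""
    key_pem, cert_pem = generate_sp_keypair(base_url.split("://", 1)[-1])
    return {"saml_private_key": key_pem,
            "saml_metadata_sp": build_sp_metadata(base_url, cert_pem)}
```

With the private key generated and stored server-side only, organization.update can reject manual writes to saml_metadata_sp and saml_private_key, as proposed above.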