
Cornell SSO login integration #607

Merged
Atikpui007 merged 8 commits into dka34/changes from dka34/sso
Nov 2, 2025

Conversation

@Atikpui007

Collaborator

Summary

This pull request implements Cornell SSO (Single Sign-On) authentication using SAML 2.0 protocol, allowing users to authenticate with their Cornell NetID. The implementation works side-by-side with the existing Google OAuth authentication method.

  • Implemented SAML 2.0 authentication with Cornell Shibboleth IdP
  • Added SSO login buttons for Students, Admins, and Drivers on landing page
  • Implemented server-side session management for SSO authentication flow
  • Added SSO callback handling in AuthManager component
  • Created backend SSO routes (/api/sso/login, /api/sso/callback, /api/sso/profile, /api/sso/logout)
  • Removed deprecated GoogleAuth.tsx component
  • Added SSO-specific styling with Cornell red theme
  • Created test script for SSO backend validation (server/test-sso.sh)

Test Plan

Manual Testing:

  1. Start the backend server with SSO configuration in .env
  2. Navigate to the landing page
  3. Click one of the three SSO buttons (Students/Admins/Drivers)
  4. Should redirect to Cornell Shibboleth IdP test environment
  5. Enter valid Cornell NetID credentials
  6. Should redirect back to application and complete authentication
  7. Should navigate to appropriate dashboard based on user type
  8. Verify that Google OAuth still works independently

Backend Testing:

  • Run ./server/test-sso.sh to validate SSO endpoints
  • Tests health check, metadata endpoint, login redirect, session protection, and session storage

Key Files Changed:

  • frontend/src/components/AuthManager/AuthManager.tsx - Added SSO login handlers and callback processing
  • frontend/src/App.tsx - Minor cleanup
  • frontend/src/components/AuthManager/authmanager.module.css - Added SSO button styling
  • frontend/src/components/AuthManager/GoogleAuth.tsx - Removed (no longer needed)
  • server/test-sso.sh - New test script for SSO validation

Notes

  • Zero Breaking Changes: Google OAuth continues to work unchanged. Users can choose between Google OAuth and Cornell SSO.
  • Session Management: SSO uses server-side sessions (file-based storage) with encrypted cookies, while Google OAuth remains stateless (JWT only).
  • User Lookup: SSO authentication looks up users by email (NetID + @cornell.edu) in the same database tables as Google OAuth.
  • RelayState: Uses SAML RelayState to preserve user type (Rider/Admin/Driver) through the IdP redirect flow.
  • Security: Implements SAML signature validation, encrypted session cookies, JWT token generation, and role-based authorization.
  • Environment Configuration: Requires SSO-related environment variables to be set (see CORNELL_SSO_IMPLEMENTATION.md for details).
  • Production Considerations: Currently configured for Cornell test IdP. Production deployment will require:
    • Registering Service Provider metadata with Cornell IT
    • Updating IdP URLs to production endpoints
    • Enabling SAML assertion signing validation

Breaking Changes

None. This implementation is fully backward compatible:

  • Google OAuth authentication remains unchanged
  • Database schema is unchanged
  • Existing API endpoints remain unchanged
  • JWT format is identical for both authentication methods

mjaydenkim and others added 5 commits November 2, 2025 11:41
Implements frontend SSO authentication matching existing Google OAuth pattern.
Adds Cornell NetID login buttons for Riders, Admins, and Drivers with role-based
authentication using SAML RelayState to preserve userType through IdP redirect.

Frontend Changes:
- Add SSO callback handler to detect auth=sso_success URL parameter
- Fetch profile + JWT from /api/sso/profile with session cookies
- Store JWT in encrypted cookies matching Google OAuth pattern
- Add authMethod tracking (sso vs google) for proper logout flow
- Add SSO login buttons with Cornell branding
- Add error display for SSO authentication failures

Backend Changes:
- Implement RelayState in /api/sso/login to encode userType + redirectUri
- Extract RelayState in /api/sso/callback to preserve role through SAML
- Store validated userType in session for /profile endpoint
- Update findUserByNetID to match Google OAuth table-based lookup pattern
- Remove defaulting logic - fail explicitly if userType missing
- Add CORS configuration with credentials support
- Configure absolute frontend redirects

Session Management:
- Add userType to SessionData interface for persistence
- Use session-based auth bridged to JWT tokens
- Support both SSO and Google OAuth logout flows
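As an added example (not code from this PR or from the project), here is one way to implement the RelayState handling that the Notes section and the commit message above describe: `/api/sso/login` encodes `userType` plus an absolute `redirectUri`, and `/api/sso/callback` decodes it, failing explicitly when `userType` is missing rather than defaulting. It also shows the NetID to `@cornell.edu` mapping used for the user lookup. The frontend origin `https://app.example.edu`, the parameter names `t` and `r`, and the NetID character pattern are assumptions chosen for illustration; the three user types come from the PR description.

```typescript
// Added example, not code from the project: building and validating the SAML
// RelayState that carries userType + redirectUri through the IdP round trip,
// plus the NetID -> email mapping used for the user lookup.
// Assumptions (not taken from the project): the placeholder frontend origin,
// the parameter names "t" and "r", and the NetID character pattern.

export type UserType = "Rider" | "Admin" | "Driver";

const ALLOWED_USER_TYPES: ReadonlySet<string> = new Set<string>(["Rider", "Admin", "Driver"]);

// Hypothetical allowlist of frontend origins the callback may redirect to.
const ALLOWED_REDIRECT_ORIGINS: ReadonlySet<string> = new Set<string>(["https://app.example.edu"]);

// SAML 2.0 Bindings spec, section 3.1.1: RelayState MUST NOT exceed 80 bytes.
const RELAY_STATE_MAX_BYTES = 80;

export interface RelayState {
  userType: UserType;
  redirectUri: string;
}

function assertUserType(value: string): asserts value is UserType {
  if (!ALLOWED_USER_TYPES.has(value)) throw new Error(`unknown userType: ${value}`);
}

// Returns null for anything that is not an absolute URL (relative paths included).
function parseAbsoluteUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

function assertRedirectUri(value: string): void {
  const url = parseAbsoluteUrl(value);
  if (url === null) throw new Error("redirectUri is not an absolute URL");
  if (!ALLOWED_REDIRECT_ORIGINS.has(url.origin)) {
    throw new Error(`redirectUri origin not allowed: ${url.origin}`);
  }
}

// Build the RelayState sent with the AuthnRequest. Values are validated here
// too, so a misconfigured caller fails before the user is sent to the IdP.
export function encodeRelayState(state: RelayState): string {
  assertUserType(state.userType);
  assertRedirectUri(state.redirectUri);
  const encoded = new URLSearchParams({ t: state.userType, r: state.redirectUri }).toString();
  const bytes = new TextEncoder().encode(encoded).length;
  if (bytes > RELAY_STATE_MAX_BYTES) {
    throw new Error(`RelayState is ${bytes} bytes; the SAML limit is ${RELAY_STATE_MAX_BYTES}`);
  }
  return encoded;
}

// Parse the RelayState echoed back by the IdP. Anyone can craft the
// /api/sso/login URL, so it is untrusted input: every field is checked against
// an allowlist and nothing is defaulted. A missing userType is an error.
export function decodeRelayState(raw: string | null | undefined): RelayState {
  if (!raw) throw new Error("RelayState missing");
  const params = new URLSearchParams(raw);
  const userType = params.get("t");
  const redirectUri = params.get("r");
  if (userType === null) throw new Error("userType missing from RelayState");
  if (redirectUri === null) throw new Error("redirectUri missing from RelayState");
  assertUserType(userType);
  assertRedirectUri(redirectUri);
  return { userType, redirectUri };
}

export function isRelayStateValid(raw: string | null | undefined): boolean {
  try {
    decodeRelayState(raw);
    return true;
  } catch {
    return false;
  }
}

// Assumed NetID shape: short, lowercase alphanumeric. Checking the shape before
// concatenating keeps "@", "." and whitespace out of the email used as lookup key.
const NETID_PATTERN = /^[a-z0-9]{2,16}$/;

export function netIdToEmail(netId: string): string {
  const normalized = netId.trim().toLowerCase();
  if (!NETID_PATTERN.test(normalized)) throw new Error("NetID has unexpected form");
  return `${normalized}@cornell.edu`;
}
```

Two points worth keeping in mind when wiring this into the callback: the 80-byte RelayState limit comes from the SAML 2.0 Bindings specification, so a long absolute redirect URL can silently overflow what an IdP will echo back, and the `userType` carried in RelayState only selects which table the callback consults; the role itself is established by the lookup in the same database tables Google OAuth uses, never by the RelayState value.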
@Atikpui007 Atikpui007 requested a review from a team as a code owner November 2, 2025 20:31
@dti-github-bot

dti-github-bot commented Nov 2, 2025

Member

[diff-counting] Significant lines: 887.

@Atikpui007 Atikpui007 merged commit 4113636 into dka34/changes Nov 2, 2025
6 checks passed
@Atikpui007 Atikpui007 deleted the dka34/sso branch November 2, 2025 21:12