This document describes how to set up SSO with SAML signature validation for production environments.
The SSO implementation in this project has two modes:
-
Development Mode (Windows): Pure Rust implementation without cryptographic signature validation. This allows development on Windows without complex native library setup.
-
Production Mode (Docker/Linux): Full SAML implementation with signature validation using native libraries.
The current implementation does NOT validate SAML signatures in development mode.
This means:
- SAML responses are parsed but signatures are not cryptographically verified
- An attacker could potentially forge SAML responses
- DO NOT use this in production without signature validation
For production environments, deploy using Docker with the following native libraries installed:
# Add to your Dockerfile
RUN apt-get update && apt-get install -y \
libxml2-dev \
libxslt1-dev \
libclang-dev \
libssl-dev \
pkg-config \
xmlsec1 \
&& rm -rf /var/lib/apt/lists/*FROM rust:1.75 as builder
WORKDIR /app
# Install native dependencies
RUN apt-get update && apt-get install -y \
libxml2-dev \
libxslt1-dev \
libclang-dev \
libssl-dev \
pkg-config \
xmlsec1 \
&& rm -rf /var/lib/apt/lists/*
# Copy manifests
COPY Cargo.toml Cargo.lock ./
# Copy source
COPY src ./src
# Build with SSO feature
RUN cargo build --release --features sso
# Runtime stage
FROM debian:bookworm-slim
# Install runtime dependencies
RUN apt-get update && apt-get install -y \
libxml2 \
libxslt1.1 \
libssl3 \
xmlsec1 \
ca-certificates \
&& rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/target/release/rust-true /usr/local/bin/
CMD ["rust-true"]To enable full signature validation, the following changes would be needed:
-
Add
samaelwith default features inCargo.toml:[dependencies] samael = { version = "0.0.19", optional = true } [features] sso = ["samael", "quick-xml"]
-
Update
src/services/sso.rsto use samael's verification functions:// Instead of just parsing, verify the signature let response = samael::verify_saml_response(&response_xml, &idp_cert)?;
-
Store IdP certificates in the database or configuration
- No signature validation in the current implementation
- No certificate verification
- No replay attack prevention (should check timestamps and track assertion IDs)
- No audience restriction validation
For production use:
- Deploy in Docker/Linux with native libraries installed
- Configure HTTPS for all SSO endpoints
- Use a trusted IdP (Okta, Azure AD, Google Workspace, etc.)
- Implement additional security layers:
- Network segmentation
- IP whitelisting for IdP callbacks
- Rate limiting on SSO endpoints
- Monitor SSO attempts for suspicious activity
- Regular security audits
To test SSO in production configuration:
- Build the Docker image with native libraries
- Configure an SSO provider (e.g., using SAML test tools)
- Test the full flow:
- Initiate login
- IdP authentication
- Assertion Consumer Service (ACS) callback
- User provisioning
- Token generation
For issues or questions about SSO setup, please open a GitHub issue.