Skip to content

Latest commit

 

History

History
140 lines (101 loc) · 3.58 KB

File metadata and controls

140 lines (101 loc) · 3.58 KB

SSO Production Setup

This document describes how to set up SSO with SAML signature validation for production environments.

Overview

The SSO implementation in this project has two modes:

  1. Development Mode (Windows): Pure Rust implementation without cryptographic signature validation. This allows development on Windows without complex native library setup.

  2. Production Mode (Docker/Linux): Full SAML implementation with signature validation using native libraries.

⚠️ Security Warning

The current implementation does NOT validate SAML signatures in development mode.

This means:

  • SAML responses are parsed but signatures are not cryptographically verified
  • An attacker could potentially forge SAML responses
  • DO NOT use this in production without signature validation

Production Deployment with Docker

For production environments, deploy using Docker with the following native libraries installed:

Required Libraries

# Add to your Dockerfile
RUN apt-get update && apt-get install -y \
    libxml2-dev \
    libxslt1-dev \
    libclang-dev \
    libssl-dev \
    pkg-config \
    xmlsec1 \
    && rm -rf /var/lib/apt/lists/*

Complete Dockerfile Example

FROM rust:1.75 as builder

WORKDIR /app

# Install native dependencies
RUN apt-get update && apt-get install -y \
    libxml2-dev \
    libxslt1-dev \
    libclang-dev \
    libssl-dev \
    pkg-config \
    xmlsec1 \
    && rm -rf /var/lib/apt/lists/*

# Copy manifests
COPY Cargo.toml Cargo.lock ./

# Copy source
COPY src ./src

# Build with SSO feature
RUN cargo build --release --features sso

# Runtime stage
FROM debian:bookworm-slim

# Install runtime dependencies
RUN apt-get update && apt-get install -y \
    libxml2 \
    libxslt1.1 \
    libssl3 \
    xmlsec1 \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /app/target/release/rust-true /usr/local/bin/

CMD ["rust-true"]

Enabling Signature Validation (Future)

To enable full signature validation, the following changes would be needed:

  1. Add samael with default features in Cargo.toml:

    [dependencies]
    samael = { version = "0.0.19", optional = true }
    
    [features]
    sso = ["samael", "quick-xml"]
  2. Update src/services/sso.rs to use samael's verification functions:

    // Instead of just parsing, verify the signature
    let response = samael::verify_saml_response(&response_xml, &idp_cert)?;
  3. Store IdP certificates in the database or configuration

Current Limitations

  • No signature validation in the current implementation
  • No certificate verification
  • No replay attack prevention (should check timestamps and track assertion IDs)
  • No audience restriction validation

Recommendations

For production use:

  1. Deploy in Docker/Linux with native libraries installed
  2. Configure HTTPS for all SSO endpoints
  3. Use a trusted IdP (Okta, Azure AD, Google Workspace, etc.)
  4. Implement additional security layers:
    • Network segmentation
    • IP whitelisting for IdP callbacks
    • Rate limiting on SSO endpoints
  5. Monitor SSO attempts for suspicious activity
  6. Regular security audits

Testing

To test SSO in production configuration:

  1. Build the Docker image with native libraries
  2. Configure an SSO provider (e.g., using SAML test tools)
  3. Test the full flow:
    • Initiate login
    • IdP authentication
    • Assertion Consumer Service (ACS) callback
    • User provisioning
    • Token generation

Support

For issues or questions about SSO setup, please open a GitHub issue.