Commit 8df81ae

Added SAML as auth provider for SSO authentication (#569)
1 parent 2b98eb8 commit 8df81ae

21 files changed

+932
-26
lines changed

.env-cmdrc-template

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,16 @@
2121
"GOOGLE_RECAPTCHA_SECRET": "[GOOGLE_RECAPTCHA_SECRET]",
2222
"GOOGLE_SKIP_AUTH": true,
2323

24+
"SAML_ENTRY_POINT": "https://<your-idp>/sso/saml",
25+
"SAML_ISSUER": "switcher-api",
26+
"SAML_CALLBACK_ENDPOINT_URL": "http://localhost:3000",
27+
"SAML_REDIRECT_ENDPOINT_URL": "http://localhost:4200",
28+
"SAML_CERT": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K",
29+
"SAML_PRIVATE_KEY": "",
30+
"SAML_IDENTIFIER_FORMAT": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
31+
"SAML_ACCEPTED_CLOCK_SKEW_MS": 10000,
32+
"SESSION_SECRET": "SESSION_SECRET",
33+
2434
"SWITCHER_API_LOGGER": true,
2535
"SWITCHER_API_LOGGER_LEVEL": "debug",
2636
"SWITCHER_API_ENABLE": false,
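Review bot: SESSION_SECRET is given the literal value "SESSION_SECRET" while the other secret in this block follows the bracketed placeholder convention ("[GOOGLE_RECAPTCHA_SECRET]"); a literal that also works as a value is easy to ship unchanged, and this variable presumably backs the server-side session used during the SAML flow, so use "[SESSION_SECRET]" here so a forgotten value is noticed rather than run with. SAML_ACCEPTED_CLOCK_SKEW_MS is 10000 here but 5000 in config/.env.dev and in the README; pick one value or document the default. The SAML_CERT value decodes to an empty PEM skeleton ("-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----"), which is fine as a placeholder but deserves a comment since it looks like real key material.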
@@ -50,6 +60,12 @@
5060
"GOOGLE_RECAPTCHA_SECRET": "[GOOGLE_RECAPTCHA_SECRET]",
5161
"GOOGLE_SKIP_AUTH": false,
5262

63+
"SAML_ENTRY_POINT": "http://localhost:3000/sso/saml",
64+
"SAML_CALLBACK_ENDPOINT_URL": "http://localhost:3000",
65+
"SAML_REDIRECT_ENDPOINT_URL": "http://localhost:4200",
66+
"SAML_CERT": "SAML_CERT",
67+
"SESSION_SECRET": "SESSION_SECRET",
68+
5369
"SWITCHER_API_LOGGER": false,
5470
"SWITCHER_API_LOGGER_LEVEL": "debug",
5571
"SWITCHER_API_ENABLE": false,
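Review bot: In this second profile SAML_ENTRY_POINT is http://localhost:3000/sso/saml, the Switcher API's own address rather than an IdP, and SAML_CERT / SESSION_SECRET are the literal strings "SAML_CERT" / "SESSION_SECRET". If this profile exists only for local test runs a comment saying so would help, and the placeholders should follow the "[NAME]" convention used for GOOGLE_RECAPTCHA_SECRET two lines above so they cannot be mistaken for working values. SAML_ISSUER, SAML_IDENTIFIER_FORMAT, SAML_PRIVATE_KEY and SAML_ACCEPTED_CLOCK_SKEW_MS are set in the first profile but omitted here; either add them or document the defaults the code falls back to.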

.github/workflows/master.yml

Lines changed: 5 additions & 0 deletions
@@ -51,6 +51,11 @@ jobs:
5151
RELAY_BYPASS_VERIFICATION: true
5252
PERMISSION_CACHE_ACTIVATED: true
5353
METRICS_MAX_PAGE: 50
54+
SAML_ENTRY_POINT: http://localhost:3000/sso/saml
55+
SAML_CALLBACK_ENDPOINT_URL: http://localhost:3000
56+
SAML_REDIRECT_ENDPOINT_URL: http://localhost:4200
57+
SAML_CERT: SAML_CERT
58+
SESSION_SECRET: SESSION_SECRET
5459
SWITCHER_API_ENABLE: false
5560
SWITCHER_API_LOGGER: false
5661
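Review bot: With SAML_CERT set to the literal "SAML_CERT", no valid X.509 certificate reaches the test run, so this job cannot exercise signature verification of SAML responses, which is the security-critical part of the new provider. Consider checking in a throwaway self-signed test certificate (and, if the tests sign assertions with it, its key) as a fixture so the response-validation path is covered and not only the configuration plumbing.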

.github/workflows/re-release.yml

Lines changed: 5 additions & 0 deletions
@@ -53,6 +53,11 @@ jobs:
5353
RELAY_BYPASS_VERIFICATION: true
5454
PERMISSION_CACHE_ACTIVATED: true
5555
METRICS_MAX_PAGE: 50
56+
SAML_ENTRY_POINT: http://localhost:3000/sso/saml
57+
SAML_CALLBACK_ENDPOINT_URL: http://localhost:3000
58+
SAML_REDIRECT_ENDPOINT_URL: http://localhost:4200
59+
SAML_CERT: SAML_CERT
60+
SESSION_SECRET: SESSION_SECRET
5661
SWITCHER_API_ENABLE: false
5762
SWITCHER_API_LOGGER: false
5863

.github/workflows/release.yml

Lines changed: 5 additions & 0 deletions
@@ -48,6 +48,11 @@ jobs:
4848
RELAY_BYPASS_VERIFICATION: true
4949
PERMISSION_CACHE_ACTIVATED: true
5050
METRICS_MAX_PAGE: 50
51+
SAML_ENTRY_POINT: http://localhost:3000/sso/saml
52+
SAML_CALLBACK_ENDPOINT_URL: http://localhost:3000
53+
SAML_REDIRECT_ENDPOINT_URL: http://localhost:4200
54+
SAML_CERT: SAML_CERT
55+
SESSION_SECRET: SESSION_SECRET
5156
SWITCHER_API_ENABLE: false
5257
SWITCHER_API_LOGGER: false
5358

.github/workflows/sonar.yml

Lines changed: 5 additions & 0 deletions
@@ -66,6 +66,11 @@ jobs:
6666
RELAY_BYPASS_VERIFICATION: true
6767
PERMISSION_CACHE_ACTIVATED: true
6868
METRICS_MAX_PAGE: 50
69+
SAML_ENTRY_POINT: http://localhost:3000/sso/saml
70+
SAML_CALLBACK_ENDPOINT_URL: http://localhost:3000
71+
SAML_REDIRECT_ENDPOINT_URL: http://localhost:4200
72+
SAML_CERT: SAML_CERT
73+
SESSION_SECRET: SESSION_SECRET
6974
SWITCHER_API_ENABLE: false
7075
SWITCHER_API_LOGGER: false
7176
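Review bot: These same five SAML/SESSION_SECRET lines are now duplicated verbatim across master.yml, re-release.yml, release.yml and sonar.yml. Any future change to the required variables (for example the SAML_ISSUER and SAML_ACCEPTED_CLOCK_SKEW_MS keys that .env-cmdrc-template sets but these workflows do not) has to be applied four times; sourcing the test environment from a single shared file, such as the existing config/.env.dev, would keep CI and local runs in step.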

README.md

Lines changed: 24 additions & 3 deletions
@@ -44,9 +44,7 @@ Main features:
4444

4545
### Auth Providers
4646

47-
Switcher API supports multiple auth providers such as email/password-based authentication or GitHub, Bitbucket OAuth.
48-
49-
Follow the steps below to set up your OAuth App in GitHub and Bitbucket.
47+
Switcher API supports multiple auth providers such as email/password-based authentication, SAML 2.0 for Single Sign-On (SSO), or GitHub/Bitbucket OAuth.
5048

5149
#### GitHub OAuth App setup
5250

@@ -79,6 +77,29 @@ Follow the steps below to set up your OAuth App in GitHub and Bitbucket.
7977
- BIT_OAUTH_CLIENT_SECRET=your_client_secret
8078
8. Update Switcher Management BITBUCKET_CLIENTID environment variable with your_client_id
8179

80+
#### SSO with SAML 2.0 setup
81+
82+
1. Obtain the following information from your Identity Provider (IdP):
83+
- Entry Point URL
84+
- X.509 Certificate
85+
- (Optional) Private Key
86+
87+
2. Update your .env-cmdrc file or ConfigMap/Secret in Kubernetes with the following variables:
88+
- SAML_ENTRY_POINT=your_idp_entry_point_url
89+
- SAML_ISSUER=your_issuer
90+
- SAML_CALLBACK_ENDPOINT_URL=service_provider_callback_endpoint_url
91+
- SAML_REDIRECT_ENDPOINT_URL=web_app_redirect_endpoint_url
92+
- SAML_CERT=your_x509_certificate_base64_encoded
93+
- SAML_PRIVATE_KEY=your_private_key_base64_encoded (if applicable)
94+
- SAML_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
95+
- SAML_ACCEPTED_CLOCK_SKEW_MS=5000
96+
- SESSION_SECRET=SESSION_SECRET
97+
98+
3. Enable SAML authentication in Switcher Management by setting the environment variable SAML_ENABLE=true
99+
100+
* `service_provider` refers to Switcher API
101+
* `web_app` refers to Switcher Management
102+
82103
### Running Switcher API from Docker Composer manifest file
83104

84105
This option leverages Switcher API and Switcher Management with minimum settings required.
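Review bot: Step 2 documents SAML_CERT as "your_x509_certificate_base64_encoded", which is ambiguous: a PEM certificate is already base64 between its BEGIN/END markers, while the placeholder in .env-cmdrc-template (LS0tLS1CRUdJTi...) is the base64 encoding of the whole PEM block including the markers. State explicitly which form is expected, otherwise operators will paste the wrong one and end up with a provider that cannot verify responses. Two more gaps: the IdP administrator needs the full Assertion Consumer Service URL to register the SP, and "SAML_CALLBACK_ENDPOINT_URL=service_provider_callback_endpoint_url" gives only the host, so document the path the API receives the response on; and "SESSION_SECRET=SESSION_SECRET" reads like a value to copy, so replace it with wording such as "a long random string". SAML_ACCEPTED_CLOCK_SKEW_MS is also listed as 5000 here but 10000 in .env-cmdrc-template.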

config/.env.dev

Lines changed: 11 additions & 0 deletions
@@ -17,6 +17,17 @@ METRICS_MAX_PAGE=50
1717
GOOGLE_SKIP_AUTH=true
1818
SWITCHER_API_LOGGER=true
1919

20+
### SAML Configuration
21+
SAML_ENTRY_POINT=
22+
SAML_ISSUER=switcher-api
23+
SAML_CALLBACK_ENDPOINT_URL=http://localhost:3000
24+
SAML_REDIRECT_ENDPOINT_URL=http://localhost:4200
25+
SAML_CERT=
26+
SAML_PRIVATE_KEY=
27+
SAML_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
28+
SAML_ACCEPTED_CLOCK_SKEW_MS=5000
29+
SESSION_SECRET=SESSION_SECRET
30+
2031
### Switcher Management
2132
SSL_ENABLED=false
2233
SWITCHERAPI_URL=http://localhost:3000
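Review bot: SAML_ENTRY_POINT and SAML_CERT are left empty here while SESSION_SECRET is the literal "SESSION_SECRET". Since this is the dev environment file, the behaviour with an empty entry point and certificate should be stated (is the SAML provider disabled, or does the app start and fail only on the first SSO request?); failing fast at startup when SAML_ENTRY_POINT is set but SAML_CERT is empty would avoid a running service that cannot validate responses. The clock skew of 5000 also differs from the 10000 in .env-cmdrc-template.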

docker-compose.yml

Lines changed: 10 additions & 0 deletions
@@ -59,6 +59,16 @@ services:
5959
- BITBUCKET_OAUTH_SECRET=${BITBUCKET_OAUTH_SECRET}
6060
- GOOGLE_RECAPTCHA_SECRET=${GOOGLE_RECAPTCHA_SECRET}
6161
- GOOGLE_SKIP_AUTH=${GOOGLE_SKIP_AUTH}
62+
63+
- SAML_ENTRY_POINT=${SAML_ENTRY_POINT}
64+
- SAML_ISSUER=${SAML_ISSUER}
65+
- SAML_CALLBACK_ENDPOINT_URL=${SAML_CALLBACK_ENDPOINT_URL}
66+
- SAML_REDIRECT_ENDPOINT_URL=${SAML_REDIRECT_ENDPOINT_URL}
67+
- SAML_CERT=${SAML_CERT}
68+
- SAML_PRIVATE_KEY=${SAML_PRIVATE_KEY}
69+
- SAML_IDENTIFIER_FORMAT=${SAML_IDENTIFIER_FORMAT}
70+
- SAML_ACCEPTED_CLOCK_SKEW_MS=${SAML_ACCEPTED_CLOCK_SKEW_MS}
71+
- SESSION_SECRET=${SESSION_SECRET}
6272

6373
- SWITCHER_API_LOGGER=${SWITCHER_API_LOGGER}
6474
- SWITCHER_API_LOGGER_LEVEL=${SWITCHER_API_LOGGER_LEVEL}
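Review bot: The new variables are interpolated with plain ${VAR}, so when SESSION_SECRET or SAML_CERT is missing from the host environment Compose substitutes an empty string and the container starts with an empty session secret. Compose supports the required-variable form ${SESSION_SECRET:?SESSION_SECRET must be set}, which aborts the start instead; apply it at least to SESSION_SECRET, and to SAML_CERT if SAML is meant to be mandatory in this manifest.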
