Feature Proposal: SAML Authentication Login

Motivation

Many enterprises use SAML for authentication to avoid the complexity (and issues) of LDAP authentication and to extend their single sign-on for user convenience.

I have developed a SAML Login Contrib for Foswiki based on the OpenIDLoginContrib and it has currently been tested with both Google's G-Suite SAML authentication and SAML from Microsoft's Office365 implementation. It is available at: https://github.com/timlegge/SamlLoginContrib

SAML authentication using SAMLLoginContrib is being used in a production Foswiki based on a Docker build from https://github.com/timlegge/docker-foswiki and https://cloud.docker.com/u/timlegge/repository/docker/timlegge/docker-foswiki

Description and Documentation

Foswiki login manager via SAML

The code provides a replacement for Foswiki::LoginManager::TemplateLogin that authenticates users via SAML.

Requires Net::SAML2. This is an implementation based on foswiki/OpenIDLoginContrib, which made this work a lot easier. Any bugs in the code are mine and not those of the author of OpenIDLoginContrib (Pascal Schupplili).

Currently it works with:

  1. Google's GSuite
  2. Microsoft's Azure
  3. OneLogin
  4. JumpCloud
  5. PingIdentity
  6. Auth0
  7. KeyCloak
  8. Okta

Done
  1. Verify that it works with alternate SAML providers
  2. Review the code for bugs and obvious issues
  3. Investigate whether the Net::SAML2 code is vulnerable to the XML comment authentication bypass. Fix Net::SAML2 and mitigate in this Contrib
  1. Look at adding support to NewUserPlugin to create WikiUser pages for new users
  2. Review the Config.spec and ensure that the correct configurations are included
  3. Add ability to specify nameid in the FoswikiConfig

Examples

Impact


Implementation

-- Contributors: TimothyLegge - 24 Feb 2019

Discussion

 
Topic revision: r5 - 13 Nov 2021, TimothyLegge