Feature Proposal: SAML Authentication Login
Motivation
Many enterprises use SAML for authentication, to avoid the complexity (and issues) of LDAP authentication and to extend their single sign-on for user convenience.
I have developed a SAML Login Contrib for Foswiki based on the OpenIDLoginContrib, and it has currently been tested with both Google's G-Suite SAML authentication and SAML from Microsoft's Office365 implementation. It is available at:
https://github.com/timlegge/SamlLoginContrib
SAML authentication using SamlLoginContrib is being used in a production Foswiki based on a Docker build from
https://github.com/timlegge/docker-foswiki and
https://cloud.docker.com/u/timlegge/repository/docker/timlegge/docker-foswiki
Description and Documentation
Foswiki login manager via SAML
The code provides a replacement for Foswiki::LoginManager::TemplateLogin that authenticates users via SAML.
Requires Net::SAML2.
This is an implementation based on foswiki/OpenIDLoginContrib, which made this work a lot easier. Any bugs in the code are mine and not the fault of the author of OpenIDLoginContrib (Pascal Schupplili).
Currently it works with:
- Google's GSuite
- Microsoft's Azure
- OneLogin
- JumpCloud
- PingIdentity
- Auth0
- KeyCloak
- Okta
Done
- Verify that it works with alternate SAML providers
- Review the code for bugs and obvious issues
- Investigate whether the Net::SAML2 code is vulnerable to the XML-comment authentication bypass. Fix Net::SAML2 and mitigate in this Contrib
- Look at adding support to NewUserPlugin to create WikiUser pages for new users
- Review the Config.spec and ensure that the correct configurations are included
- Add ability to specify nameid in the FoswikiConfig
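As an added example, not code from SamlLoginContrib or Net::SAML2 (both are Perl; this is stand-alone Python using only the standard library's minidom), the following shows what the XML-comment item in the list above is about from the consumer's side: the same saml:NameID element yields a truncated value when a library reads only the first text node, and the full value when it takes the XPath string-value (all text children). A strict variant simply refuses a NameID that has any non-text child, which is the easiest mitigation to reason about. The two assertion fragments are constructed (unsigned, trimmed to the Subject); the point is that the common exclusive canonicalisation omits comments, so a signature over the assertion does not by itself tell the two documents apart and the extraction logic has to be right.

```python
# Added example, not code from SamlLoginContrib or Net::SAML2. Standard
# library only, so it runs offline.
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragments (not real IdP output). In the second one an
# XML comment splits the NameID text into two text nodes.
ASSERTION_PLAIN = """<saml:Assertion xmlns:saml="%s">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
</saml:Assertion>""" % SAML_NS

ASSERTION_WITH_COMMENT = """<saml:Assertion xmlns:saml="%s">
  <saml:Subject><saml:NameID>alice<!-- split -->@example.org</saml:NameID></saml:Subject>
</saml:Assertion>""" % SAML_NS


def _nameid_node(xml_text):
    """Return the first saml:NameID element of the parsed document."""
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if not nodes:
        raise ValueError("no saml:NameID element in assertion")
    return nodes[0]


def nameid_first_text_node(xml_text):
    """The fragile pattern: read only the first child text node, so anything
    after a comment is silently dropped from the identity that gets logged in."""
    return _nameid_node(xml_text).firstChild.data


def nameid_string_value(xml_text):
    """XPath string-value semantics: concatenate every text/CDATA child. This is
    the value a correct NameID extraction compares against the user database."""
    node = _nameid_node(xml_text)
    return "".join(c.data for c in node.childNodes
                   if c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE))


def nameid_strict(xml_text):
    """Defensive variant: a NameID is a simple string, so refuse one whose
    children are anything other than text (comment, element, PI)."""
    node = _nameid_node(xml_text)
    for child in node.childNodes:
        if child.nodeType not in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            raise ValueError("NameID contains a non-text child node: %s" % child.nodeName)
    return "".join(c.data for c in node.childNodes)


if __name__ == "__main__":
    for label, xml_text in (("plain", ASSERTION_PLAIN),
                            ("with comment", ASSERTION_WITH_COMMENT)):
        print(label, "first text node ->", repr(nameid_first_text_node(xml_text)))
        print(label, "string value    ->", repr(nameid_string_value(xml_text)))
        try:
            print(label, "strict          ->", repr(nameid_strict(xml_text)))
        except ValueError as err:
            print(label, "strict          -> rejected:", err)
```

Running the block prints `'alice'` for the comment-bearing assertion under the first-text-node pattern and `'alice@example.org'` under string-value semantics; the strict variant accepts the plain assertion and rejects the other. Whichever approach a library takes, the value it authenticates must be the one the signature covered, which is the whole element content.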
Examples
Impact
Implementation
--
Contributors: TimothyLegge - 24 Feb 2019
Discussion