mirror of
https://github.com/fleetdm/fleet
synced 2026-05-06 06:48:54 +00:00
c69d56ed64
For https://github.com/fleetdm/confidential/issues/9931.
[Here](ec3e8edbdc/docs/Contributing/Testing-and-local-development.md (L339))'s
how to test SAML locally with SimpleSAML.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Improved SSO and SAML integration with enhanced session management
using secure cookies.
* Added support for IdP-initiated login flows.
* Introduced new tests covering SSO login flows, metadata handling, and
error scenarios.
* **Bug Fixes**
* Enhanced validation and error handling for invalid or tampered SAML
responses.
* Fixed session cookie handling during SSO and Apple MDM SSO flows.
* **Refactor**
* Replaced custom SAML implementation with the crewjam/saml library for
improved reliability.
* Simplified SAML metadata parsing and session store management.
* Streamlined SSO authorization request and response processing.
* Removed deprecated fields and redundant code related to SSO.
* **Documentation**
* Updated testing and local development docs with clearer instructions
for SSO and IdP-initiated login.
* **Chores**
* Upgraded dependencies including crewjam/saml and related packages.
* Cleaned up tests and configuration by removing deprecated fields and
unused imports.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
39 lines
1.4 KiB
PHP
39 lines
1.4 KiB
PHP
<?php
|
|
|
|
$metadata['https://localhost:8080'] = array(
|
|
'AssertionConsumerService' => [
|
|
'https://localhost:8080/api/v1/fleet/sso/callback',
|
|
],
|
|
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',
|
|
'simplesaml.nameidattribute' => 'email',
|
|
);
|
|
|
|
# Used in integration tests and to validate SSO flows that use a
|
|
# separate application for MDM SSO (with a single
|
|
# AssertionConsumerService)
|
|
$metadata['mdm.test.com'] = array(
|
|
'AssertionConsumerService' => [
|
|
'https://localhost:8080/api/v1/fleet/mdm/sso/callback',
|
|
],
|
|
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',
|
|
'simplesaml.nameidattribute' => 'email',
|
|
);
|
|
|
|
# Used for testing when sso_settings.entity_id ("sso.test.com") is different than
|
|
# server_settings.server_url (usually "https://localhost:8080").
|
|
$metadata['sso.test.com'] = array(
|
|
'AssertionConsumerService' => [
|
|
'https://localhost:8080/api/v1/fleet/sso/callback',
|
|
],
|
|
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',
|
|
'simplesaml.nameidattribute' => 'email',
|
|
);
|
|
|
|
# Used for testing when entity_id is not set, so that it matches the hostname (localhost).
|
|
$metadata['localhost'] = array(
|
|
'AssertionConsumerService' => [
|
|
'https://localhost:8080/api/v1/fleet/sso/callback',
|
|
],
|
|
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',
|
|
'simplesaml.nameidattribute' => 'email',
|
|
);
|