mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 17:08:53 +00:00
c69d56ed64
For https://github.com/fleetdm/confidential/issues/9931.
[Here](ec3e8edbdc/docs/Contributing/Testing-and-local-development.md (L339))'s
how to test SAML locally with SimpleSAML.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Improved SSO and SAML integration with enhanced session management
using secure cookies.
* Added support for IdP-initiated login flows.
* Introduced new tests covering SSO login flows, metadata handling, and
error scenarios.
* **Bug Fixes**
* Enhanced validation and error handling for invalid or tampered SAML
responses.
* Fixed session cookie handling during SSO and Apple MDM SSO flows.
* **Refactor**
* Replaced custom SAML implementation with the crewjam/saml library for
improved reliability.
* Simplified SAML metadata parsing and session store management.
* Streamlined SSO authorization request and response processing.
* Removed deprecated fields and redundant code related to SSO.
* **Documentation**
* Updated testing and local development docs with clearer instructions
for SSO and IdP-initiated login.
* **Chores**
* Upgraded dependencies including crewjam/saml and related packages.
* Cleaned up tests and configuration by removing deprecated fields and
unused imports.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
99 lines
3 KiB
Go
99 lines
3 KiB
Go
package sso
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/xml"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/crewjam/saml"
|
|
"github.com/fleetdm/fleet/v4/server"
|
|
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
|
|
)
|
|
|
|
const cacheLifetimeSeconds = uint(300) // in seconds (5 minutes)
|
|
|
|
func getDestinationURL(idpMetadata *saml.EntityDescriptor) (string, error) {
|
|
for _, ssoDescriptor := range idpMetadata.IDPSSODescriptors {
|
|
for _, ssos := range ssoDescriptor.SingleSignOnServices {
|
|
if ssos.Binding == saml.HTTPRedirectBinding {
|
|
return ssos.Location, nil
|
|
}
|
|
}
|
|
}
|
|
return "", errors.New("IDP does not support redirect binding")
|
|
}
|
|
|
|
// CreateAuthorizationRequest creates a new SAML AuthnRequest and creates a new session in sessionStore.
|
|
// It will generate and return the session identifier.
|
|
// (the IdP will send it again to Fleet in the callback, and that's how Fleet will authenticate the session).
|
|
// If sessionTTLSeconds is 0 then a default of 5 minutes of TTL is used.
|
|
func CreateAuthorizationRequest(
|
|
ctx context.Context,
|
|
samlProvider *saml.ServiceProvider,
|
|
sessionStore SessionStore,
|
|
originalURL string,
|
|
sessionTTLSeconds uint,
|
|
) (sessionID string, idpURL string, err error) {
|
|
idpURL, err = getDestinationURL(samlProvider.IDPMetadata)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("get idp url: %w", err)
|
|
}
|
|
samlAuthRequest, err := samlProvider.MakeAuthenticationRequest(
|
|
idpURL,
|
|
"HTTPRedirectBinding",
|
|
"HTTPPostBinding",
|
|
)
|
|
if err != nil {
|
|
return "", "", ctxerr.Wrap(ctx, err, "make auth request")
|
|
}
|
|
// We can modify the samlAuthRequest because it's not signed
|
|
// (not a requirement when using "HTTPRedirectBinding" binding for the request)
|
|
samlAuthRequest.ProviderName = "Fleet"
|
|
|
|
var metadataWriter bytes.Buffer
|
|
err = xml.NewEncoder(&metadataWriter).Encode(samlProvider.IDPMetadata)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("encoding metadata creating auth request: %w", err)
|
|
}
|
|
|
|
sessionID, err = generateSessionID()
|
|
if err != nil {
|
|
return "", "", ctxerr.Wrap(ctx, err, "generate session ID")
|
|
}
|
|
|
|
sessionLifetimeSeconds := cacheLifetimeSeconds
|
|
if sessionTTLSeconds > 0 {
|
|
sessionLifetimeSeconds = sessionTTLSeconds
|
|
}
|
|
|
|
// Store the session with the generated ID.
|
|
// We cache the metadata so we can check the signatures on the response we get from the IdP.
|
|
err = sessionStore.create(
|
|
sessionID,
|
|
samlAuthRequest.ID,
|
|
originalURL,
|
|
metadataWriter.String(),
|
|
sessionLifetimeSeconds,
|
|
)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("caching SSO session while creating auth request: %w", err)
|
|
}
|
|
|
|
relayState := "" // Fleet currently doesn't use/set RelayState
|
|
idpRedirectURL, err := samlAuthRequest.Redirect(relayState, samlProvider)
|
|
if err != nil {
|
|
return "", "", ctxerr.Wrap(ctx, err, "generating redirect")
|
|
}
|
|
return sessionID, idpRedirectURL.String(), nil
|
|
}
|
|
|
|
func generateSessionID() (string, error) {
|
|
const sessionIDLength = 24
|
|
sessionID, err := server.GenerateRandomText(sessionIDLength)
|
|
if err != nil {
|
|
return "", fmt.Errorf("create random session ID: %w", err)
|
|
}
|
|
return sessionID, nil
|
|
}
|