Hello,
I am looking at setting up a proxy server in front of Allura's gunicorn to enable single sign-on. Could you please help me with a few things:
1. To support the 'https' protocol, how do I install an SSL certificate for gunicorn?
2. Is there any other configuration I need to do in the application to support https?
3. How can I configure Allura to accept requests only from the proxy server?
I have chosen a different approach. I have written three things:
My IDP is keycloak.
There will be several issues which you will face with the Allura architecture, as I remember:
1) Gunicorn has SSL settings but I am not familiar with them myself: https://docs.gunicorn.org/en/latest/settings.html#ssl It is very common and recommended to run a local proxy in front of gunicorn and have that handle https: http://docs.gunicorn.org/en/latest/deploy.html
2) Make sure to set base_url in your config to include https, so that when full links are generated, they include https.
3) Allura itself doesn't have mechanisms for network access control, but you could do it at the OS level. Run allura/gunicorn on some port number that is internal only (e.g. firewalled by the OS or network configuration) and then your https proxy runs on port 443 publicly and routes back to the private port.
Regarding Ingo's suggestions and other ideas, another idea is to implement a custom AuthenticationProvider, see https://forge-allura.apache.org/docs/development/extending.html There are a lot of hooks to use there, including login/logout/etc. and probably could read & write the main session cookie to make someone become logged in. Probably more work, but could be a more integrated option.
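The deployment Dave describes (TLS terminated by a local proxy on 443, gunicorn reachable only on a private port), as an added nginx example that is not from this thread or from the Allura project. It assumes gunicorn was started bound to loopback only (e.g. gunicorn --bind 127.0.0.1:8080 ...); the hostname and certificate paths are placeholders.

```nginx
# Added example: nginx as the TLS-terminating reverse proxy in front of Allura's gunicorn.
# Assumption (not from the thread): gunicorn is bound to 127.0.0.1:8080, so it is
# not reachable from the network at all; the proxy is the only path in.

# Redirect plain http to https so users, links and cookies stay on https.
server {
    listen 80;
    server_name forge.example.org;   # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name forge.example.org;   # placeholder hostname

    ssl_certificate     /etc/ssl/certs/forge.example.org.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/forge.example.org.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # gunicorn listens on loopback only, so requests can arrive solely through
        # this proxy; an OS firewall rule dropping inbound traffic to 8080 from any
        # non-local source completes that isolation.
        proxy_pass http://127.0.0.1:8080;

        # Tell the application who the client is and that the original request
        # was https, since gunicorn itself only ever sees plain http from the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

As Dave says, base_url in the Allura .ini must also be set to the https origin (here base_url = https://forge.example.org), because the proxy terminates TLS and the application would otherwise generate http links.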
Hi Dave,
you gave me the same hint with the AuthenticationProvider when I was discovering possible SSO solutions. But to be honest I have no idea how this interface can be used to implement SAML (or similar protocols), because the interface always seems to work on passwords. When I do a SAML authentication, I need to do a few redirects to get a valid session. From my point of view, this was best done in its own controller.
But obviously I'd love to see a better SAML integration in the future. So if there is more demand, and if I can help, let me know.