#8275 Proxy server configuration for Single Sign-On

unreleased
open
nobody
None
General
nobody
2019-04-06
2019-04-04
Vrinda A
No

Hello,

I am looking at setting up a proxy server in front of Allura's gunicorn to enable single sign-on. Could you please help me with a few things:
1. To support the 'https' protocol, how do I install an SSL certificate for gunicorn?
2. Is there any other configuration I need to do in the application to support https?
3. How can I configure Allura to accept requests only from the proxy server?

Discussion

  • Ingo

    Ingo - 2019-04-05

    I have chosen a different approach. I have written three things:

    • an app, which is doing the authentication and logs the user in.
    • an apache access handler, which is using my app

    My IDP is keycloak.

    There will be several issues, which you will face with the allura architecture, which I remember:

    • Password still needs to be checked for some operations
    • For example, when claiming an E-Mail address, you need to enter the password
    • The usernames coming through the apache access handler need to be mapped. In my case, the username on the IDP is an E-Mail address, and you don't want to see those in your SVN commits. ;)
    • On new registrations, you will need to add a page to let the user choose a free username. But in this state, you have a validated E-Mail address from the IDP, but you have no valid session in Allura, as the user is not logged in, yet.
     
  • Dave Brondsema

    Dave Brondsema - 2019-04-05

    1) Gunicorn has SSL settings but I am not familiar with them myself: https://docs.gunicorn.org/en/latest/settings.html#ssl. It is very common and recommended to run a local proxy in front of gunicorn and have that handle https: http://docs.gunicorn.org/en/latest/deploy.html.

    2) Make sure to set base_url in your config to include https, so that when full links are generated, they include https.

    3) Allura itself doesn't have mechanisms for network access control, but you could do it at the OS level. Run allura/gunicorn on some port number that is internal only (e.g firewalled by the OS or network configuration) and then your https proxy runs on port 443 publicly and routes back to the private port.

    Regarding Ingo's suggestions and other ideas, another idea is to implement a custom AuthenticationProvider, see https://forge-allura.apache.org/docs/development/extending.html. There are a lot of hooks to use there, including login/logout/etc and probably could read & write the main session cookie to make someone become logged in. Probably more work, but could be a more integrated option.

     
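Dave's three points (TLS terminated at a local proxy, base_url with https, gunicorn reachable only from the proxy) as one deployment sketch. This is an added illustration, not configuration from the ticket or from Allura's or gunicorn's documentation; the hostname forge.example.org, the port 8080 and the certificate paths are placeholders to adapt.

```nginx
# Added example: TLS-terminating reverse proxy in front of Allura's gunicorn.
# Assumption: gunicorn is started with  --bind 127.0.0.1:8080  so it listens on
# loopback only and nothing outside the host can reach it directly (point 3).
# If the proxy runs on another host, bind to a private interface and firewall
# that port to the proxy's address instead.

server {
    listen 80;
    server_name forge.example.org;                 # placeholder hostname
    return 301 https://$host$request_uri;          # plain http only redirects
}

server {
    listen 443 ssl;
    server_name forge.example.org;                 # placeholder hostname

    ssl_certificate     /etc/ssl/certs/forge.example.org.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/forge.example.org.key; # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass         http://127.0.0.1:8080;  # gunicorn on the private port
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;   # tells the app it was https
    }
}

# Point 2, in Allura's .ini (the key Dave names above), so generated links use https:
#   base_url = https://forge.example.org
```

Because only the proxy talks to gunicorn, the X-Forwarded-* headers it sets are the ones the application should trust; a gunicorn port that is also reachable directly would let a client supply those headers itself.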
  • Ingo

    Ingo - 2019-04-06

    Hi Dave,

    You gave me the same hint with the AuthenticationProvider when I was discovering possible SSO solutions. But to be honest I have no idea how this interface can be used to implement SAML (or similar protocols), because the interface seems to work on passwords always. When I do a SAML authentication, I need to do a few redirects to get a valid session. From my point of view, this was best done in a controller of its own.

    But obviously I'd love to see a better SAML integration in the future. So if there is more demand, and if I can help, let me know.

     
