[FR] SAMl/OIDC(-supported) Authentication

[patschi]

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
I'd appreciate a "SAML/OIDC-supported authentication" when e.g. a Load Balancer/reverse proxy is doing the SAML challenge in front of the Froxlor instance.

In this case it works like:

1. You visit froxlor.domain.tld
2. LB/RP redirects to the SAML IDP, does its magic
3. On success auth, it redirects through to Froxlor

With a bit support of Froxlor it would continue with:
4. A specific HTTP header is added from the LB/RP facing towards Froxlor (e.g. X-User-Authed: user1)
5. Froxlor checks for existence of header X-User-Authed: user1
6. If so, parsing the username and initiating logon without password authentication

This would allow an integration with https://github.com/authelia/authelia or other LBs doing such authentication (proprietary Avi Load Balancer in my case)

(In a perfect world, a standalone authentication to Froxlor via SAML/OIDC would be great)

Describe alternatives you've considered
None.

Additional context
None.

[patschi]

A very, very rudimentary hack in index.php I experimented with was:

index.php:

105a106,112
>
>       $samlAuth = false;
>       if (isset($_SERVER['HTTP_X_SAML_USER']) && !empty($_SERVER['HTTP_X_SAML_USER'])) {
>               $samlAuth = true;
>               $_POST['send'] = 'send';
>       }
>
109a117,121
>               if ($samlAuth) {
>                       $loginname = $_SERVER['HTTP_X_SAML_USER'];
>                       $password = '';
>               }
>
214c226
<               } elseif (\Froxlor\System\Crypt::validatePasswordLogin($userinfo, $password, $table, $uid)) {
---
>               } elseif ($samlAuth === true || \Froxlor\System\Crypt::validatePasswordLogin($userinfo, $password, $table, $uid)) {

However not perfect, as this results in errors when the SAML user wasn't previously created in the Froxlor database...

[d00p]

so, I can fake the HTTP_X_SAML_USER, set it to admin and I'm logged in without any further check? I don't really think this is how this should work....there must be some challenge-hash or similar which is validated from the other side...Never worked woth SAML or similar though, maybe i'm totally misunderstanding

[d00p]

From what I read/see here, this is way more complex: https://github.com/onelogin/php-saml

[patschi]

Depends on the implementation. Of course you can either

1. integrate SAML completely using onelogin's SAML library and do the SAML authentication directly,
2. or, what I've decided to, go the easier route which requires less changes to Froxlor itself by letting the authentication up to the reverse proxy.

As described in my first post, there are reverse proxies (authelia)/load balancer (e.g. Avi Load Balancer) which can do the SAML authentication independently before access to the real application is granted. When the authentication succeeds, you can add a HTTP header (with any name, example with Authelia & Jira) with the username, which the real application (in this case Froxlor) can read and work with.

My cheap implementation just has one issue: When the username doesn't exist in the Froxlor account, a PHP error is thrown. So it's really just quick'n'dirty.

I hope this makes sense!