SAML authentication backend #1017
Conversation
Totally a partial review - got pulled off on other things, I'll try to get back to this.
Name: FlagSAMLMetadata, | ||
Value: "", | ||
Usage: "The location of the SAML metadata XML (e.g. https://app.onelogin.com/saml/metadata/1234)", | ||
EnvVar: "EMPIRE_SAML_METADATA", |
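Review bot: The Usage string for FlagSAMLMetadata describes only a URL, but the reply further down says the flag accepts raw XML content, a URL, or a file path; the Usage should name all three forms, e.g. `Usage: "The SAML IdP metadata: raw XML content, a file path, or an https:// URL"`. Because this document is where the service provider obtains the IdP signing certificate it will trust, the text should also make clear that a URL source is fetched over HTTPS only.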
Maybe add _URL to the end of this, the env var would be a lot more clear at first glance that way.
Oh, it looks like this might not be a URL sometime?
Right. This can take the raw content, a URL, or a file path to the content. I'll update the flag usage to reflect that.
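The three input forms described in the reply above (raw XML, URL, file path), as an added example that is not Empire's code: the hypothetical `metadataSource` and `loadMetadata` helpers classify the flag value and refuse to fetch metadata over plain http://, since the metadata document is where the SP learns the IdP's signing certificate.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// metadataSource classifies the flag value the way the reply describes it:
// raw XML content, a URL, or a file path. Hypothetical helper, not Empire's code.
func metadataSource(v string) string {
	switch v = strings.TrimSpace(v); {
	case strings.HasPrefix(v, "<"):
		return "raw"
	case strings.Contains(v, "://"):
		return "url"
	}
	return "file"
}

// loadMetadata returns the metadata XML bytes. The metadata is where the SP
// learns the IdP's signing certificate, so a URL source must be https://;
// a plain http:// URL is refused before any request is made.
func loadMetadata(v string) ([]byte, error) {
	switch metadataSource(v) {
	case "raw":
		return []byte(v), nil
	case "file":
		return os.ReadFile(v)
	}
	u, err := url.Parse(strings.TrimSpace(v))
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, errors.New("saml metadata URL must use https")
	}
	client := &http.Client{Timeout: 10 * time.Second} // never block startup forever
	resp, err := client.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound the response size
}
```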
7b2ffc1 to 3b241a2
Added a commit to this to address some of the TODOs in the PR description:
e5c9b62 to b157776
Added another commit to improve the UX around logging in. If SAML authentication is enabled, then the error returned includes a link to start an SP initiated login:

    $ emp apps
    error: Request not authenticated, API token is missing, invalid or expired. Login at https://example.org/saml/login

And the instructions include

I still think following up with a OneLogin extension that uses the Generate SAML assertion API would be good, but running into various issues with their API and their support is slow...

I think this just needs some integration tests exercising SAML login, and docs on how to configure the SAML backend, then it should be good to go. I'll probably put this up in staging under a separate domain so we can test it.
Added a commit with docs on configuring the SAML authentication backend.
This adds support for expiring auth tokens, and improves security around `emp login`:

1. You can only obtain an access token from `emp login` if you're providing username/password. This prevents the possibility of creating a long-lived access token from a token that would expire.
2. `emp login` is disabled when SAML authentication is used.
I just re-wrote the commits, so the first 3 are only changes to vendor/ and pkg/ and the rest are the changes to Empire to support SAML. This diff might be the easiest way to review: 3871b12...saml
f786ca2 to 0e378cd
And, just added one more commit that integration tests a full SAML service provider initiated login flow.
While this may seem like a good idea in theory, in practice I can't carry my phone around with me everywhere because lady pockets suck. Please refactor. 💁🏻
Not a whole lot for me to add - there's a lot of new functionality here. Seems useful to give a go in staging at least and see how it works out.
@@ -82,6 +88,12 @@ var Commands = []cli.Command{ | |||
Usage: "Run the empire HTTP api", | |||
Flags: append([]cli.Flag{ | |||
cli.StringFlag{ | |||
Name: FlagURL, | |||
Value: "", | |||
Usage: "That base URL where this Empire instance runs", |
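Review bot: `Usage: "That base URL where this Empire instance runs"` should read `The base URL`, and the string does not say when the flag is required. Per the reply below it is only needed when the saml authentication backend is selected, so the Usage should say so, and startup should fail with a clear error when the saml backend is chosen and this value is empty rather than continuing with an unset base URL.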
Is this required? If not always, when is it? Might be worth adding to the Usage.
It's only required if the saml authentication backend is used. I'll update this to error out if the saml backend is used, but this isn't provided.
@@ -98,6 +110,30 @@ var Commands = []cli.Command{ | |||
EnvVar: "EMPIRE_SCHEDULER", | |||
}, | |||
cli.StringFlag{ | |||
Name: FlagServerAuth, | |||
Value: "", | |||
Usage: "The authentication backend to use to authenticate requests to the API. Can be `fake`, `github`, or `saml`.", |
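Review bot: The Usage for FlagServerAuth lists the accepted values but not the default. Per the discussion below, an empty value falls back to the legacy detection (github when EMPIRE_GITHUB_CLIENT_ID is set, otherwise fake); state that in the Usage, and reject any value outside `fake`, `github`, `saml` at startup so a misspelled backend name cannot fall through to the legacy path and silently end up on the fake backend.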
Is there a default?
Previously, we've defaulted to fake, which was determined by the absence of EMPIRE_GITHUB_CLIENT_ID.

For backwards compatibility, I went with leaving this blank by default. If it's blank, then it'll use the existing behavior and look at EMPIRE_GITHUB_CLIENT_ID. We could break backwards compatibility here and error out if it's not explicitly provided, which I'd be ok with.
I'll go ahead and merge this into master, and will follow up with any bug fixes and/or UX improvements separately.
This adds support for SAML authentication. Empire is Enterprise ready.

I highly recommend that you go through this commit by commit (and probably ignore the first commit):

- pkg/saml, which provides a library for implementing a SAML provider. It's essentially a fork of crewjam/saml with the code for implementing an IdP removed.

Consider this mostly a POC at this point. There's still a lot of polish needed, but wanted to open this up now to get some eyes on it. I'd love to have someone that's had more experience implementing a SAML service provider to take a look and see if there's anything obviously wrong with the implementation.

Caveats

- emp login. We can follow up with a OneLogin extension that uses the Generate SAML Assertion endpoint to support emp login. To log in, you start with an IdP initiated login (e.g. clicking the app button in OneLogin) and you get presented with some copy/paste instructions to set up ~/.netrc with an API token.
- brew install some dependencies for tests to pass. I don't see any realistic way around this with Go.

Overall, I'm pretty excited about this, since it opens up Empire to a lot of existing authentication providers, makes it easier to control access to Empire, solves the canonical employee problem, and it'll make implementing the Duo integration very simple for us.

Closes #1016

TODO

- brew install stuff.
- emp login doesn't work).