
itzg / saml-auth-proxy

Licence: MIT license
Provides a SAML SP authentication proxy for backend web services

Usage

  -allow-idp-initiated
        If set, allows for IdP initiated authentication flow (env SAML_PROXY_ALLOW_IDP_INITIATED)
  -attribute-header-mappings attribute=header
        Comma separated list of attribute=header pairs mapping SAML IdP response attributes to forwarded request header (env SAML_PROXY_ATTRIBUTE_HEADER_MAPPINGS)
  -attribute-header-wildcard string
         (env SAML_PROXY_ATTRIBUTE_HEADER_WILDCARD)
  -auth-verify-path string
        Path under BaseUrl that will respond with a 200 when authenticated (env SAML_PROXY_AUTH_VERIFY_PATH) (default "/_verify")
  -authorize-attribute attribute
        Enables authorization and specifies the attribute to check for authorized values (env SAML_PROXY_AUTHORIZE_ATTRIBUTE)
  -authorize-values values
        If enabled, comma separated list of values that must be present in the authorize attribute (env SAML_PROXY_AUTHORIZE_VALUES)
  -backend-url URL
        URL of the backend being proxied (env SAML_PROXY_BACKEND_URL)
  -base-url URL
        External URL of this proxy (env SAML_PROXY_BASE_URL)
  -bind host:port
        host:port to bind for serving HTTP (env SAML_PROXY_BIND) (default ":8080")
  -cookie-domain string
        Overrides the domain set on the session cookie. By default the BaseUrl host is used. (env SAML_PROXY_COOKIE_DOMAIN)
  -cookie-max-age duration
        Specifies the amount of time the authentication token will remain valid (env SAML_PROXY_COOKIE_MAX_AGE) (default 2h0m0s) 
  -cookie-name string
        Name of the cookie that tracks session token (env SAML_PROXY_COOKIE_NAME) (default "token")
  -idp-ca-path path
        Optional path to a CA certificate PEM file for the IdP (env SAML_PROXY_IDP_CA_PATH)
  -idp-metadata-url URL
        URL of the IdP's metadata XML, can be a local file by specifying the file:// scheme (env SAML_PROXY_IDP_METADATA_URL)
  -name-id-format string
        One of unspecified, transient, email, or persistent to use a standard format or give a full URN of the name ID format (env SAML_PROXY_NAME_ID_FORMAT) (default "transient")
  -name-id-mapping header
        Name of the request header to convey the SAML nameID/subject (env SAML_PROXY_NAME_ID_MAPPING)
  -new-auth-webhook-url URL
        URL of webhook that will get POST'ed when a new authentication is processed (env SAML_PROXY_NEW_AUTH_WEBHOOK_URL)
  -sp-cert-path path
        The path to the X509 public certificate PEM file for this SP (env SAML_PROXY_SP_CERT_PATH) (default "saml-auth-proxy.cert")
  -sp-key-path path
        The path to the X509 private key PEM file for this SP (env SAML_PROXY_SP_KEY_PATH) (default "saml-auth-proxy.key")
  -version
        show version and exit

The snake-case values, such as SAML_PROXY_BACKEND_URL, are the equivalent environment variables that can be set instead of passing configuration via the command-line.

The command-line argument usage renders with only a single leading dash, but GNU-style double-dashes can be used also, such as --sp-key-path.

Authorization

The proxy has support for not only authenticating users via a SAML IdP, but can also further authorize access by evaluating the attributes included in the SAML response assertion.

The authorization is configured with the combination of --authorize-attribute and --authorize-values.

NOTE the attribute is case sensitive, so be sure to specify that parameter exactly as it appears in the Name attribute of the <saml:Attribute> element.

The values are a comma separated list of authorized values. Since the assertion attributes can also contain more than one value, the authorization performs an "intersection", matching any one of the expected values against any one of the assertion attribute values. That allows for matching user IDs, where the assertion has a single value but you want to authorize one or more users. It also allows for matching group names, where each user may belong to more than one group and you may want to authorize any number of groups.
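The intersection rule just described, together with the X-Authorized-Using header and the --attribute-header-mappings forwarding, as an added Go example that is not the project's own code: the Attributes type, the Authorize and ForwardHeaders functions and the sample assertion are constructed here for illustration, and the real proxy's header handling may differ in detail.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Attributes holds the assertion attributes as the IdP delivered them; one name may carry several values.
type Attributes map[string][]string

// Authorize applies the intersection rule described above: access is granted when any value of
// the (case-sensitively named) attribute equals any of the comma separated authorized values.
// On success it returns the "attribute=value" pair that the X-Authorized-Using header carries.
func Authorize(attrs Attributes, attribute, authorizedValues string) (string, bool) {
	allowed := map[string]bool{}
	for _, v := range strings.Split(authorizedValues, ",") {
		allowed[strings.TrimSpace(v)] = true
	}
	for _, v := range attrs[attribute] {
		if v != "" && allowed[v] {
			return attribute + "=" + v, true
		}
	}
	return "", false
}

// ForwardHeaders builds the headers added to the proxied request from "attribute=header" pairs
// (the --attribute-header-mappings syntax) plus the authorization result; a multi-valued
// attribute becomes a repeated header. Pairs without "=" are skipped.
func ForwardHeaders(attrs Attributes, mappings, authorizedUsing string) http.Header {
	h := http.Header{}
	for _, pair := range strings.Split(mappings, ",") {
		if attr, header, ok := strings.Cut(strings.TrimSpace(pair), "="); ok {
			for _, v := range attrs[attr] {
				h.Add(header, v)
			}
		}
	}
	if authorizedUsing != "" {
		h.Set("X-Authorized-Using", authorizedUsing)
	}
	return h
}

func main() {
	// Constructed sample assertion; attribute names follow the SAMLTest walkthrough on this page.
	attrs := Attributes{"UserID": {"user1"}, "Groups": {"staff", "admins"}}
	matched, ok := Authorize(attrs, "Groups", "admins,auditors")
	fmt.Println(ok, matched, ForwardHeaders(attrs, "UserID=x-webauth-user", matched))
}
```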

When the user is authorized, the proxied request header X-Authorized-Using will be populated with the attribute=value that was matched, such as

X-Authorized-Using: UserID=user1

Note for AJAX/Fetch Operations

If the web application being protected behind this proxy makes AJAX/Fetch calls, then be sure to enable "same-origin" access for the credentials of those calls, as described here.

With that configuration in place, the AJAX/Fetch calls will leverage the same token cookie provided in response to the first authenticated page retrieval via the proxy.

Health Endpoint

The proxy itself provides a health endpoint at /_health that can be used to confirm the proxy is healthy/ready independent of the SAML processing. It returns a status code of 200 and a text/plain body with "OK".

Building

With Go 1.11 or newer:

go build

Trying it out

The following procedure will enable you to try out the proxy running locally and using Grafana as a backend to proxy with authentication. It will use SSOCircle as a SAML IdP.

Start the supplied Grafana and Web Debug Server using Docker Compose:

docker-compose up -d

Create a domain name that resolves to 127.0.0.1 and use that as the BASE_FQDN in the following operations.

Generate the SP certificate and key material by running:

# IMPORTANT: set this
BASE_FQDN=...
openssl req -x509 -newkey rsa:2048 -keyout saml-auth-proxy.key -out saml-auth-proxy.cert -days 365 -nodes -subj "/CN=${BASE_FQDN}"

Start saml-auth-proxy using:

./saml-auth-proxy \
  --base-url http://${BASE_FQDN}:8080 \
  --backend-url http://localhost:3000 \
  --idp-metadata-url=https://samltest.id/saml/idp \
  --attribute-header-mappings UserID=x-webauth-user

Generate your SP's SAML metadata by accessing the built-in metadata endpoint:

curl localhost:8080/saml/metadata > saml-sp-metadata.xml

or with PowerShell

Invoke-RestMethod -Uri http://localhost:8080/saml/metadata -OutFile .\saml-sp-metadata.xml

You can upload the saml-sp-metadata.xml file at samltest.id.

Note you will also be selecting the attributes that will be included in the assertion in the SAML authentication response, such as:

  • FirstName
  • LastName
  • EmailAddress
  • UserID

To try out authorization, add the following arguments referencing an attribute such as UserID and one or more expected SAMLTest users' values:

  --authorize-attribute UserID \
  --authorize-values user1,user2

Now you can open your browser and navigate to http://${BASE_FQDN}:8080. You will be redirected via SAMLTest's login page and then be returned with access to Grafana.

Force a logout from the IdP by going to https://samltest.id/idp/profile/Logout

Troubleshooting

ERROR: failed to decrypt response

If the SAML redirect results in a "Forbidden" white-page and the saml-auth-proxy outputs a log like the following, then be sure to double check that the subject/CN of the generated certificate matches the FQDN of the deployed endpoint.

ERROR: failed to decrypt response: crypto/rsa: decryption error

After correcting the certificate and key, be sure to regenerate the metadata and provide that to the ADFS/SAML IdP owner.
