empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,164 Commits 3 Branches 0 Tags 561 MiB
3b02640334
Commit Graph

5 Commits

Author SHA1 Message Date
Lars Lehtonen
0a87bbf496 Fix dropped errors in SSO tests (#2141) 2019-11-11 09:42:31 -08:00
Zachary Wasserman
caae22593f
Add 'id' prefix to generated SAML IDs (#2046) 
Though the SAML spec does not specify what the contents of the ID must
be, the Azure IdP implementation prohibits it beginning with a number.
We follow their suggestion to prefix with 'id'.

See https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol.

Fixes #2044.
 2019-05-16 13:51:42 -07:00
John Murphy
d1b37616a0 Fix SSO for ADFS (#1535) 
Closes #1533

Since the SAML 2.0 spec doesn't say what characters are valid in an Entity ID and Active Directory doesn't like '=' signs in base64 encoded ID's I added code that generates ID's with a character set that we know works.  Also, removed ProtocolBinding attribute from AuthRequest as is was forcing ADFS to use redirect binding when it should use post binding.
 2017-07-31 21:48:42 -05:00
John Murphy
e67157345a Added ability to handle nested signed assertions in SAML response 
Closes #1532

Fixes error that was caused because there was a bug in processing nested assertions in a successful SAML response. This was not caught in the initial push of this code because the IDP's we tested against all sign the entire response document as opposed to parts of it.  Thus the existing test cases didn't cover the code that dealt with nested assertions.
 2017-07-18 15:28:35 -05:00
John Murphy
368b9d774c Server Side SSO Support (#1498) 
This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows.

A Kolide user attempts to access a protected resource and is directed to log in.
If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in.
The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end.
The IDP calls the server, invoking CallbackSSO with the auth response.
We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL.
I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test
 2017-05-08 19:43:48 -05:00