FTP service for galaxy with external authentication via SAML using shibboleth


FTP service for galaxy with external authentication via SAML using shibboleth

Martin Demko
Hi,
I'm currently solving a problem with authentication to FTP service for users of
our Galaxy server. We've successfully established an authentication via
Shibboleth behind Nginx (not very easy, but doable :) but that also means that
ProFTPD is not working anymore, as it doesn't support SAML authentication.

So my question is obvious, I'm looking for an easy and free FTP server with
SAML support, can anybody help me with some advice? I've already found
CompleteFTP and CrushFTP but both are paid and one is Windows-only allegedly.
So how do you - people using external authentication via SAML - do
this?

Thanks in advance for any kind of useful advice.

Best wishes,
Martin Demko
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/

Re: FTP service for galaxy with external authentication via SAML using shibboleth

Youssef  GHORBAL

On 16 Apr 2018, at 11:53, Martin Demko <[hidden email]> wrote:

> Hi,
> I'm currently solving a problem with authentication to FTP service for users of
> our Galaxy server. We've successfully established an authentication via
> Shibboleth behind Nginx (not very easy, but doable :) but that also means that
> ProFTPD is not working anymore, as it doesn't support SAML authentication.
>
> So my question is obvious, I'm looking for an easy and free FTP server with
> SAML support, can anybody help me with some advice? I've already found
> CompleteFTP and CrushFTP but both are paid and one is Windows-only allegedly.
> So how do you - people using external authentication via SAML - do
> this?

CrushFTP will support SAML auth only on HTTP transfers, not FTP (the actual protocol) transfers.
SAML is an HTTP-centric spec; hooking it up to other non-HTTP protocols is difficult. More info here:
https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP
http://www.cilogon.org/ws/saml-outside-the-browser

You will not find any single FTP (the actual protocol) server with SAML support. However, you can use HTTP uploader tools that you can hook up more or less easily with SAML (bear in mind that Galaxy needs to have access to files once uploaded, which can add more complexity to the integration with third-party upload tools). And since you're down the HTTP uploading path, you may just stick with Galaxy's own HTTP upload feature.

If you need FTP, your best option is to connect ProFTPD to the LDAP/AD server used by the SAML IdP itself. This setup can only work in a single organization (no SAML federation in action).

If you have time, there are many JS libs that you can use to build a custom file uploader (with SAML auth, HTML5 and resuming support):
http://www.resumablejs.com
https://tus.io

(and even in this situation, it will be difficult to handle CLI-based upload workflows)

Youssef Ghorbal
Institut Pasteur
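
The per-request session check and offset handshake behind a resumable HTTP uploader of the kind suggested above, as an added Node.js sketch that is not code from this thread, Galaxy, Resumable.js or tus. The HEAD/PATCH/`Upload-Offset` exchange follows the tus protocol in simplified form; the in-memory `SESSIONS` table (standing in for the SAML service provider's session store), the `/files` paths, the `handle` and `sendFrom` names and the sample users are assumptions.

```javascript
// Constructed stand-ins (Node.js, no network): SESSIONS plays the session store
// of the SAML service provider, handle() a tus-style upload endpoint behind it.
const SESSIONS = new Map([["sess-alice", "alice@example.org"],
                          ["sess-bob", "bob@example.org"]]);
const uploads = new Map(); // id -> { owner, length, data }
let nextId = 1;

function handle({ method, path, headers = {}, body = Buffer.alloc(0) }) {
  // Every request, including each chunk, must carry a valid session cookie.
  const user = SESSIONS.get(headers.cookie);
  if (!user) return { status: 401, headers: {} };
  if (method === "POST" && path === "/files") {
    const id = String(nextId++);
    uploads.set(id, { owner: user, length: Number(headers["upload-length"]),
                      data: Buffer.alloc(0) });
    return { status: 201, headers: { location: `/files/${id}` } };
  }
  const up = uploads.get(path.replace("/files/", ""));
  if (!up) return { status: 404, headers: {} };
  // Bind the upload to its creator: another valid session cannot touch it.
  if (up.owner !== user) return { status: 403, headers: {} };
  if (method === "HEAD")
    return { status: 200, headers: { "upload-offset": up.data.length } };
  if (method !== "PATCH") return { status: 405, headers: {} };
  // tus rule: the offset the client claims must equal what the server holds.
  if (Number(headers["upload-offset"]) !== up.data.length)
    return { status: 409, headers: {} };
  // Refusing bytes past the declared length with 413 is this sketch's choice.
  if (up.data.length + body.length > up.length) return { status: 413, headers: {} };
  up.data = Buffer.concat([up.data, body]);
  return { status: 204, headers: { "upload-offset": up.data.length } };
}

// Client: ask the server where it stopped (HEAD), then PATCH chunks from there.
// maxChunks simulates a connection that drops after that many chunks.
function sendFrom(cookie, path, data, chunkSize, maxChunks = Infinity) {
  const head = handle({ method: "HEAD", path, headers: { cookie } });
  if (head.status !== 200) return { ok: false, status: head.status };
  let offset = head.headers["upload-offset"];
  for (let sent = 0; offset < data.length && sent < maxChunks; sent++) {
    const body = data.subarray(offset, offset + chunkSize);
    const res = handle({ method: "PATCH", path, body,
                         headers: { cookie, "upload-offset": offset } });
    if (res.status !== 204) return { ok: false, status: res.status };
    offset = res.headers["upload-offset"];
  }
  return { ok: true, offset }; // bytes the server has stored so far
}
```

Because the session is checked on every chunk, an expired session surfaces as a 401 in the middle of a transfer, and the client can re-authenticate and continue from the offset the server reports.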


Re: FTP service for galaxy with external authentication via SAML using shibboleth

Martin Demko
Dear Youssef,
thank you a lot for your extensive answer. I need to digest this first but I
believe it will help a lot. So far, I've just changed the quota for Galaxy
upload tool and according to your answer, it looks like the best and easiest
option anyway.

Best wishes,
Martin


"Youssef  GHORBAL" <[hidden email]> wrote on Tue, 17 Apr 2018
09:33:16 +0000:

> On 16 Apr 2018, at 11:53, Martin Demko <[hidden email]> wrote:
>
> > Hi,
> > I'm currently solving a problem with authentication to FTP service for users
> > of our Galaxy server. We've successfully established an authentication via
> > Shibboleth behind Nginx (not very easy, but doable :) but that also means
> > that ProFTPD is not working anymore, as it doesn't support SAML
> > authentication.
> >
> > So my question is obvious, I'm looking for an easy and free FTP server with
> > SAML support, can anybody help me with some advice? I've already found
> > CompleteFTP and CrushFTP but both are paid and one is Windows-only
> > allegedly.
> > So how do you - people using external authentication via SAML - do
> > this?
>
> CrushFTP will support SAML auth only on HTTP transfers, not FTP (the actual
> protocol) transfers.
> SAML is an HTTP-centric spec; hooking it up to other non-HTTP protocols is
> difficult. More info here:
> https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP
> http://www.cilogon.org/ws/saml-outside-the-browser
>
> You will not find any single FTP (the actual protocol) server with SAML
> support. However, you can use HTTP uploader tools that you can hook up more
> or less easily with SAML (bear in mind that Galaxy needs to have access to
> files once uploaded, which can add more complexity to the integration with
> third-party upload tools). And since you're down the HTTP uploading path, you
> may just stick with Galaxy's own HTTP upload feature.
>
> If you need FTP, your best option is to connect ProFTPD to the
> LDAP/AD server used by the SAML IdP itself. This setup can only work in a
> single organization (no SAML federation in action).
>
> If you have time, there are many JS libs that you can use to build a custom
> file uploader (with SAML auth, HTML5 and resuming support):
> http://www.resumablejs.com
> https://tus.io
>
> (and even in this situation, it will be difficult to handle CLI-based
> upload workflows)
>
> Youssef Ghorbal
> Institut Pasteur

Re: FTP service for galaxy with external authentication via SAML using shibboleth

Martin Čech
Hi all,

with the 'chunked and resumable uploads' PR in place (https://github.com/galaxyproject/galaxy/pull/5516) the resiliency of the built-in uploader should be pretty high, especially on browsers like Chrome. This feature will make it into the 18.05 release.

M.

On Tue, Apr 17, 2018 at 2:20 PM Martin Demko <[hidden email]> wrote:
Dear Youssef,
thank you a lot for your extensive answer. I need to digest this first but I
believe it will help a lot. So far, I've just changed the quota for Galaxy
upload tool and according to your answer, it looks like the best and easiest
option anyway.

Best wishes,
Martin