SAML Authentication

Keith Suderman
Is anyone using SAML for authentication?  There is a feature request for SAML support on GitHub ( https://github.com/galaxyproject/galaxy/issues/3146), but it doesn't look like any work has been done.

We need to add the ability for our users to authenticate with a SAML identity provider (IdP), in particular with InCommon/EduRoam/EduCause et al.  Looking at the documentation there appears to be "the old way" (configuring Apache/Nginx to do the authentication) and "the new way" where Galaxy handles the authentication.  Is it correct to assume that to use the new way I should implement an external authenticator, something like galaxy/auth/providers/saml.py and then some sort of magic to get a config/auth_conf.xml working?  

I just want to make sure I am heading down the correct path before investing too much time.

- Keith

Keith Suderman
Research Associate
Department of Computer Science
Vassar College, Poughkeepsie NY




___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Re: SAML Authentication

Björn Grüning-3
This all seems correct and I owe you so many beers if you get this
implemented! :)

On 27.02.2017 at 18:34, Keith Suderman wrote:

> Is anyone using SAML for authentication?  There is a feature request for
> SAML support on GitHub (
> https://github.com/galaxyproject/galaxy/issues/3146), but it doesn't
> look like any work has been done.
>
> We need to add the ability for our users to authenticate with a SAML
> identity provider (IdP), in particular with InCommon/EduRoam/EduCause et
> al.  Looking at the documentation there appears to be "the old way"
> (configuring Apache/Nginx to do the authentication) and "the new way"
> where Galaxy handles the authentication.  Is it correct to assume that
> to use the new way I should implement an external authenticator,
> something like galaxy/auth/providers/saml.py and then some sort of magic
> to get a config/auth_conf.xml working?  
>
> I just want to make sure I am heading down the correct path before
> investing too much time.
>
> - Keith
>
> Keith Suderman
> Research Associate
> Department of Computer Science
> Vassar College, Poughkeepsie NY

Re: SAML Authentication

Curtis Hendrickeduson
In reply to this post by Keith Suderman

Keith,

We use Shib/SAML here at UAB.  (https://galaxy.uabgrid.uab.edu – no, you can’t get in :( )

We currently do it the “old way” in Apache with mod_shib.

We are planning an upgrade soon, sounds like the “old way” should still work until the new feature is implemented?

In our case, we also have to manipulate the user string to strip off the @uab.edu as part of this processing. It would be great if that were a configurable part of an external authenticator, so we need to twiddle code locally for that.

 

Regards,

Curtis

From: galaxy-dev [mailto:[hidden email]] On Behalf Of Keith Suderman
Sent: Monday, February 27, 2017 11:34 AM
To: Galaxy Dev List <[hidden email]>
Subject: [galaxy-dev] SAML Authentication

Is anyone using SAML for authentication?  There is a feature request for SAML support on GitHub ( https://github.com/galaxyproject/galaxy/issues/3146), but it doesn't look like any work has been done.

We need to add the ability for our users to authenticate with a SAML identity provider (IdP), in particular with InCommon/EduRoam/EduCause et al.  Looking at the documentation there appears to be "the old way" (configuring Apache/Nginx to do the authentication) and "the new way" where Galaxy handles the authentication.  Is it correct to assume that to use the new way I should implement an external authenticator, something like galaxy/auth/providers/saml.py and then some sort of magic to get a config/auth_conf.xml working?

I just want to make sure I am heading down the correct path before investing too much time.

- Keith

Keith Suderman
Research Associate
Department of Computer Science
Vassar College, Poughkeepsie NY
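
The username handling described in the message above (stripping @uab.edu from the identifier handed over by mod_shib) can be made a configurable, fail-closed step. The following is an added example, not code from the thread or from Galaxy; the names `normalize_remote_user`, `TRUSTED_SCOPE` and the local-name rule are hypothetical, and it assumes the IdP always releases a scoped identifier. Only the one trusted scope is stripped, so that in a multi-IdP federation an identifier from another scope can never map onto the same local account.

```python
import re

# Hypothetical policy value: the only scope whose suffix may be stripped.
TRUSTED_SCOPE = "uab.edu"
# Assumed local-name rule: lowercase ASCII letters, digits, '.', '_' and '-'.
_LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


class RejectedIdentity(ValueError):
    """The proxy-supplied identifier must not be mapped to a local account."""


def normalize_remote_user(value, trusted_scope=TRUSTED_SCOPE):
    """Map 'jdoe@uab.edu' to 'jdoe'; refuse anything outside the trusted scope."""
    if not value or value != value.strip():
        raise RejectedIdentity("empty or whitespace-padded identifier")
    # Case-folding is an assumption: scopes and local names are compared in lowercase.
    local, sep, scope = value.lower().partition("@")
    if not sep:
        raise RejectedIdentity("identifier carries no scope")
    if scope != trusted_scope.lower():
        # Also catches 'a@b@uab.edu' and 'jdoe@uab.edu.other.example'.
        raise RejectedIdentity("untrusted scope")
    if not _LOCAL_PART.fullmatch(local):
        raise RejectedIdentity("invalid local part")
    return local


def classify(samples, trusted_scope=TRUSTED_SCOPE):
    """Return {identifier: local name or 'REJECTED: reason'} for each sample."""
    results = {}
    for s in samples:
        try:
            results[s] = normalize_remote_user(s, trusted_scope)
        except RejectedIdentity as exc:
            results[s] = "REJECTED: %s" % exc
    return results


# Constructed sample identifiers (not taken from any real deployment).
SAMPLES = ["jdoe@uab.edu", "JDoe@UAB.EDU", "jdoe@other.example",
           "jdoe@uab.edu.other.example", "a@b@uab.edu", "jdoe", "@uab.edu"]

if __name__ == "__main__":
    for ident, outcome in classify(SAMPLES).items():
        print("%-28s -> %s" % (ident, outcome))
```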

 

 

 



Re: SAML Authentication ala OpenID

Keith Suderman
In reply to this post by Björn Grüning-3
Sadly, providing an authenticator in galaxy/auth/providers does not look like it will work for SAML authentication since the authenticator is invoked after the user has already been prompted for a username and password.  Rather it looks like I will need to use the approach used for OpenID authentication and described at https://wiki.galaxyproject.org/Develop/Authentication

Does the Galaxy team have any plans to modularize third-party authenticators such as OpenID, SAML, OAuth2 etc?  If we do implement this it would be nice to do it in such a way that would help Galaxy move towards that goal.

- Keith

On Feb 27, 2017, at 12:55 PM, Björn Grüning <[hidden email]> wrote:

> This all seems correct and I owe you so many beers if you get this
> implemented! :)
>
> On 27.02.2017 at 18:34, Keith Suderman wrote:
> > Is anyone using SAML for authentication?  There is a feature request for
> > SAML support on GitHub (
> > https://github.com/galaxyproject/galaxy/issues/3146), but it doesn't
> > look like any work has been done.
> >
> > We need to add the ability for our users to authenticate with a SAML
> > identity provider (IdP), in particular with InCommon/EduRoam/EduCause et
> > al.  Looking at the documentation there appears to be "the old way"
> > (configuring Apache/Nginx to do the authentication) and "the new way"
> > where Galaxy handles the authentication.  Is it correct to assume that
> > to use the new way I should implement an external authenticator,
> > something like galaxy/auth/providers/saml.py and then some sort of magic
> > to get a config/auth_conf.xml working?
> >
> > I just want to make sure I am heading down the correct path before
> > investing too much time.
> >
> > - Keith
> >
> > Keith Suderman
> > Research Associate
> > Department of Computer Science
> > Vassar College, Poughkeepsie NY


----------------------
Keith Suderman
Research Associate
Department of Computer Science
Vassar College, Poughkeepsie NY




