SAML Authentication

classic Classic list List threaded Threaded
4 messages Options
| Threaded
Open this post in threaded view
|

SAML Authentication

Keith Suderman
We are (finally) adding SAML authentication to our Galaxy instance so users can authenticate with EduGain (EU) or InCommon (US).  While doing some searching I found an article that says, "Galaxy supports LDAP, SAML and now OIDC (see https://galaxyproject.org/authnz/ <https://galaxyproject.org/authnz/>)." [1]  Looking at the release_20.01 code I see lots has changed in respect to authorization (we are still using 19.01 so I am glad I looked), but I don't see anything related to SAML.  I am not finding anything in the documentation either.  I am missing something or am I looking in the wrong place(s)? I was expecting (hoping) to see a saml.py in /lib/galaxy/auth/providers/ or something similar.  

I do have Shibboleth authentication working using Apache and mod_shib in front of Galaxy, but that requires everyone to be able to authenticate and we would still like to allow anonymous access. Ideally users that don't have InCommon/EduGain access would still be able to create local accounts as well.  

Before I start hacking around trying to create an authentication plugin for Galaxy I wanted to check to see if there was any other ongoing work in the same area.  There is an old issue on GitHub [2], but I can't find anything else related. I see the OIDC stuff uses social-auth, which does include a SAML backend. Social-auth just uses the python3-saml package and I already have a simple client that uses python3-saml for authentication so I am hoping a saml plugin will be "Relatively Easy" (TM).

Thanks,
Keith

1. https://academic.oup.com/bioinformatics/article/36/1/1/5514039
2. https://github.com/galaxyproject/galaxy/issues/3146

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  %(web_page_url)s

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/
| Threaded
Open this post in threaded view
|

Re: SAML Authentication

Youssef  GHORBAL
Hi Keith,

        Last time I checked (before OIDC support in Galaxy) it was not possible to easly hack around the user/auth flow in Galaxy to introduce SAML semantics.
        As you said, since OIDC integration I hope that addding SAML would be more doable ("easy" and "SAML" in the same sentence are not permitted)
        At Pasteur we reverted back to Galaxy builtin auth even for internal users.

        In any case, if you got something working I'd be more than happy to test it.

Youssef Ghorbal
Institut Pasteur
-----------------------

> On 7 Mar 2020, at 21:40, Keith Suderman <[hidden email]> wrote:
>
> We are (finally) adding SAML authentication to our Galaxy instance so users can authenticate with EduGain (EU) or InCommon (US).  While doing some searching I found an article that says, "Galaxy supports LDAP, SAML and now OIDC (see https://galaxyproject.org/authnz/ <https://galaxyproject.org/authnz/>)." [1]  Looking at the release_20.01 code I see lots has changed in respect to authorization (we are still using 19.01 so I am glad I looked), but I don't see anything related to SAML.  I am not finding anything in the documentation either.  I am missing something or am I looking in the wrong place(s)? I was expecting (hoping) to see a saml.py in /lib/galaxy/auth/providers/ or something similar.  
>
> I do have Shibboleth authentication working using Apache and mod_shib in front of Galaxy, but that requires everyone to be able to authenticate and we would still like to allow anonymous access. Ideally users that don't have InCommon/EduGain access would still be able to create local accounts as well.  
>
> Before I start hacking around trying to create an authentication plugin for Galaxy I wanted to check to see if there was any other ongoing work in the same area.  There is an old issue on GitHub [2], but I can't find anything else related. I see the OIDC stuff uses social-auth, which does include a SAML backend. Social-auth just uses the python3-saml package and I already have a simple client that uses python3-saml for authentication so I am hoping a saml plugin will be "Relatively Easy" (TM).
>
> Thanks,
> Keith
>
> 1. https://academic.oup.com/bioinformatics/article/36/1/1/5514039
> 2. https://github.com/galaxyproject/galaxy/issues/3146
>
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>  %(web_page_url)s
>
> To search Galaxy mailing lists use the unified search at:
>  http://galaxyproject.org/search/
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  %(web_page_url)s

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/
| Threaded
Open this post in threaded view
|

Re: SAML Authentication

Keith Suderman
I have the SAML login implementation 99% complete.  However, after authenticating with an IdP and being redirected back to Galaxy the user is still not "logged in"...  The relevant code is on GitHub [1], but basically in the callback handler I do:

user = trans.get_or_create_remote_user(user_email)
trans.handle_user_login(user)

Everything "works" in that there are no stack traces or errors in the logs and the user is redirected correctly; they are just not logged in after going through the login process.  If I do this on a new Galaxy install the user is created so that part is working. What else do I have to do to get Galaxy to recognize the user is logged in?  I have been pouring over the code for the other authenticators and I don't see what I am missing.

Once I get the login sorted I can start preparing a proper PR.  

Cheers,
Keith

1.  https://github.com/lappsgrid-incubator/Galaxy/blob/bd220d6aefaf74316f1f859837aea9afeb536fba/lib/galaxy/webapps/galaxy/controllers/saml.py#L146

> On Mar 7, 2020, at 5:54 PM, Youssef GHORBAL <[hidden email]> wrote:
>
> Hi Keith,
>
> Last time I checked (before OIDC support in Galaxy) it was not possible to easly hack around the user/auth flow in Galaxy to introduce SAML semantics.
> As you said, since OIDC integration I hope that addding SAML would be more doable ("easy" and "SAML" in the same sentence are not permitted)
> At Pasteur we reverted back to Galaxy builtin auth even for internal users.
>
> In any case, if you got something working I'd be more than happy to test it.
>
> Youssef Ghorbal
> Institut Pasteur
> -----------------------
>> On 7 Mar 2020, at 21:40, Keith Suderman <[hidden email]> wrote:
>>
>> We are (finally) adding SAML authentication to our Galaxy instance so users can authenticate with EduGain (EU) or InCommon (US).  While doing some searching I found an article that says, "Galaxy supports LDAP, SAML and now OIDC (see https://galaxyproject.org/authnz/ <https://galaxyproject.org/authnz/>)." [1]  Looking at the release_20.01 code I see lots has changed in respect to authorization (we are still using 19.01 so I am glad I looked), but I don't see anything related to SAML.  I am not finding anything in the documentation either.  I am missing something or am I looking in the wrong place(s)? I was expecting (hoping) to see a saml.py in /lib/galaxy/auth/providers/ or something similar.  
>>
>> I do have Shibboleth authentication working using Apache and mod_shib in front of Galaxy, but that requires everyone to be able to authenticate and we would still like to allow anonymous access. Ideally users that don't have InCommon/EduGain access would still be able to create local accounts as well.  
>>
>> Before I start hacking around trying to create an authentication plugin for Galaxy I wanted to check to see if there was any other ongoing work in the same area.  There is an old issue on GitHub [2], but I can't find anything else related. I see the OIDC stuff uses social-auth, which does include a SAML backend. Social-auth just uses the python3-saml package and I already have a simple client that uses python3-saml for authentication so I am hoping a saml plugin will be "Relatively Easy" (TM).
>>
>> Thanks,
>> Keith
>>
>> 1. https://academic.oup.com/bioinformatics/article/36/1/1/5514039
>> 2. https://github.com/galaxyproject/galaxy/issues/3146
>>
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client.  To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>> %(web_page_url)s
>>
>> To search Galaxy mailing lists use the unified search at:
>> http://galaxyproject.org/search/
>

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  %(web_page_url)s

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/
| Threaded
Open this post in threaded view
|

Re: SAML Authentication

Keith Suderman
I now have the login portion of the SAML authentication working. I still have to implement the logout flow, but I wanted to get some feedback from the developers before proceeding too much further.  I have opened a [WIP] pull-request on GitHub [1] and I have an example running at https://idp.lappsgrid.org that uses https://samltest.id as the IdP.  It is only a two core VM with limited memory and will likely go away soon, so don't try to use it to do real work ;)

My original intent was to use the Social-Auth SAML backend and try to integrate with the OIDC classes, but that would require more changes to Galaxy than I am comfortable making right now.  So for now I use python3-saml library (what Social-Auth uses under the hood) and a single controller class to handle the login flow.  

The questions I have right now are:

1. The current controller piggy backs on (hijacks?) the /authnz url-space and adds several /authnz/saml urls (login, logout, metadata, acs).  Should I use something else or are these ok?

2. I think I have mostly figured out how to add fields to the galaxy.yml file. The python3-saml library requires a configuration directory that contains two JSON files and a 'certs" directory with certificates and keys used to sign/authenticate SAML requests.  Should this go into the config directory?  That seem like the logical place to me.  However, I have tried to copy the code used to make the oidc_config_* relative to the config directory,  but when I access my saml_config_dir field at runtime the path is relative to the Galaxy directory and not the config directory.

3. I will need to maintain some information in a "session" of some sort to implement the logout correctly.  Should I just stick this in a cookie?  I don't think this is appropriate to go into the GalaxySession and I don't see any other "session-like" storage.

I'm sure to have more questions soon.

Cheers,
Keith

1. https://github.com/galaxyproject/galaxy/pull/9524

P.S. I will remember to squash my commits for the next PR ;)


> On Mar 12, 2020, at 8:39 PM, Keith Suderman <[hidden email]> wrote:
>
> I have the SAML login implementation 99% complete.  However, after authenticating with an IdP and being redirected back to Galaxy the user is still not "logged in"...  The relevant code is on GitHub [1], but basically in the callback handler I do:
>
> user = trans.get_or_create_remote_user(user_email)
> trans.handle_user_login(user)
>
> Everything "works" in that there are no stack traces or errors in the logs and the user is redirected correctly; they are just not logged in after going through the login process.  If I do this on a new Galaxy install the user is created so that part is working. What else do I have to do to get Galaxy to recognize the user is logged in?  I have been pouring over the code for the other authenticators and I don't see what I am missing.
>
> Once I get the login sorted I can start preparing a proper PR.  
>
> Cheers,
> Keith
>
> 1.  https://github.com/lappsgrid-incubator/Galaxy/blob/bd220d6aefaf74316f1f859837aea9afeb536fba/lib/galaxy/webapps/galaxy/controllers/saml.py#L146 <https://github.com/lappsgrid-incubator/Galaxy/blob/bd220d6aefaf74316f1f859837aea9afeb536fba/lib/galaxy/webapps/galaxy/controllers/saml.py#L146>
>
>> On Mar 7, 2020, at 5:54 PM, Youssef GHORBAL <[hidden email] <mailto:[hidden email]>> wrote:
>>
>> Hi Keith,
>>
>> Last time I checked (before OIDC support in Galaxy) it was not possible to easly hack around the user/auth flow in Galaxy to introduce SAML semantics.
>> As you said, since OIDC integration I hope that addding SAML would be more doable ("easy" and "SAML" in the same sentence are not permitted)
>> At Pasteur we reverted back to Galaxy builtin auth even for internal users.
>>
>> In any case, if you got something working I'd be more than happy to test it.
>>
>> Youssef Ghorbal
>> Institut Pasteur
>> -----------------------
>>> On 7 Mar 2020, at 21:40, Keith Suderman <[hidden email] <mailto:[hidden email]>> wrote:
>>>
>>> We are (finally) adding SAML authentication to our Galaxy instance so users can authenticate with EduGain (EU) or InCommon (US).  While doing some searching I found an article that says, "Galaxy supports LDAP, SAML and now OIDC (see https://galaxyproject.org/authnz/ <https://galaxyproject.org/authnz/> <https://galaxyproject.org/authnz/ <https://galaxyproject.org/authnz/>>)." [1]  Looking at the release_20.01 code I see lots has changed in respect to authorization (we are still using 19.01 so I am glad I looked), but I don't see anything related to SAML.  I am not finding anything in the documentation either.  I am missing something or am I looking in the wrong place(s)? I was expecting (hoping) to see a saml.py in /lib/galaxy/auth/providers/ or something similar.  
>>>
>>> I do have Shibboleth authentication working using Apache and mod_shib in front of Galaxy, but that requires everyone to be able to authenticate and we would still like to allow anonymous access. Ideally users that don't have InCommon/EduGain access would still be able to create local accounts as well.  
>>>
>>> Before I start hacking around trying to create an authentication plugin for Galaxy I wanted to check to see if there was any other ongoing work in the same area.  There is an old issue on GitHub [2], but I can't find anything else related. I see the OIDC stuff uses social-auth, which does include a SAML backend. Social-auth just uses the python3-saml package and I already have a simple client that uses python3-saml for authentication so I am hoping a saml plugin will be "Relatively Easy" (TM).
>>>
>>> Thanks,
>>> Keith
>>>
>>> 1. https://academic.oup.com/bioinformatics/article/36/1/1/5514039 <https://academic.oup.com/bioinformatics/article/36/1/1/5514039>
>>> 2. https://github.com/galaxyproject/galaxy/issues/3146 <https://github.com/galaxyproject/galaxy/issues/3146>
>>>
>>> ___________________________________________________________
>>> Please keep all replies on the list by using "reply all"
>>> in your mail client.  To manage your subscriptions to this
>>> and other Galaxy lists, please use the interface at:
>>> %(web_page_url)s
>>>
>>> To search Galaxy mailing lists use the unified search at:
>>> http://galaxyproject.org/search/ <http://galaxyproject.org/search/>
>>
>

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  %(web_page_url)s

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/