CiscoDevNet / iPSK-Manager

Identity PSK (IPSK) Manager for Cisco ISE provides an example of how to manage the full Life Cycle of Wi-Fi Pre Shared Keys for supported Hardware/Software through Cisco ISE.
Apache License 2.0

Add SAML / Shibboleth Support #5

Closed slivesay30 closed 6 months ago

slivesay30 commented 4 years ago

It would be nice to have SAML / Shibboleth support for IPSK Manager. We have a company policy that requires Apache and IIS servers to use SSO authentication for users. This can be done via basic Apache auth and using the Shibboleth plugin. Once authenticated, user info can be looked up in AD via SLDAP or via the Shibboleth headers.

We are trying to utilize a common SSO page and authentication process for corporate users to help decrease confusion for untrusted sites.

Please see shibboleth site: https://www.shibboleth.net/community/

dresken commented 1 year ago

+1 for SSO.

ciesinsn commented 7 months ago

So I am starting to work on SAML support and I think the easiest way to do that is to rely on the application not being the SP: either a module, such as the Apache Shibboleth module, acts as the SP and sets environment variable(s) the app will use, or something outside of a module is the SP and headers are set for the app to use. Obviously, headers add risk if your SP isn't set to strip incoming headers that it sets, but I'm thinking it provides flexibility to offer both as options.

My thought is that for at least the first pass at this it would still require users to be defined in either the internal user DB or a connected LDAP server for group mapping. This I feel would require fewer modifications to the existing base code and be quicker to implement to get SAML support in at least some form in the app. I already have some base modifications in the admin portal complete and working in a crude way.
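The two trust models described in the comment above (SP-exported environment variables versus SP-forwarded HTTP headers, plus the local user/group lookup that still gates access) can be illustrated with a small resolver. This is an added example written for this page, not iPSK-Manager code and not the project's implementation; the attribute names (`REMOTE_USER`, `mail`, `memberOf`, `X-Remote-User`), the CGI-style `HTTP_<NAME>` mapping of headers, the `;` separator for multi-valued attributes, and the `LOCAL_USERS` table are all constructed assumptions for the demonstration.

```python
"""Resolve an SSO principal from a CGI/WSGI-style environment mapping.

Added illustration, not iPSK-Manager code. Two modes mirror the deployment
options discussed in the issue:

  "env"    - the SP (e.g. a Shibboleth module in the web server) exports the
             attributes as process environment variables. A remote client
             cannot inject these, so they are trusted as-is.
  "header" - an external SP/reverse proxy forwards attributes as HTTP request
             headers, which appear in a CGI environment as HTTP_<NAME>. A
             client can send the same header names, so this mode is refused
             unless the operator asserts that the SP strips inbound copies.

Attribute names, the ';' multi-value separator and the local user table are
constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    username: str
    email: Optional[str]
    groups: Tuple[str, ...]


def _header_key(name: str) -> str:
    # CGI convention: header "X-Remote-User" is exposed as HTTP_X_REMOTE_USER.
    return "HTTP_" + name.upper().replace("-", "_")


def resolve_principal(environ: Mapping[str, str], mode: str,
                      user_attr: str = "REMOTE_USER",
                      mail_attr: str = "mail",
                      groups_attr: str = "memberOf",
                      sp_strips_inbound_headers: bool = False) -> Optional[Principal]:
    """Return the authenticated principal, or None if the SP set no user."""
    if mode == "env":
        # Never read HTTP_* keys here: those are client-controlled headers.
        for attr in (user_attr, mail_attr, groups_attr):
            if attr.upper().startswith("HTTP_"):
                raise ValueError("env mode must not read HTTP_* keys: %s" % attr)
        lookup = environ.get
    elif mode == "header":
        if not sp_strips_inbound_headers:
            raise ValueError("header mode requires an SP that strips inbound headers")
        lookup = lambda name: environ.get(_header_key(name))
    else:
        raise ValueError("unknown mode %r" % mode)

    user = lookup(user_attr)
    if not user:
        return None
    # Assumed separator: multi-valued SAML attributes joined with ';'.
    groups = tuple(g for g in (lookup(groups_attr) or "").split(";") if g)
    return Principal(username=user, email=lookup(mail_attr), groups=groups)


# Constructed local user table standing in for the internal DB / LDAP lookup
# that still gates access in the first-pass design described above.
LOCAL_USERS = {"alice": "admin", "bob": "sponsor"}


def local_role(principal: Optional[Principal],
               local_users: Mapping[str, str] = LOCAL_USERS) -> Optional[str]:
    """Map an SSO principal to a locally defined role; unknown users get none."""
    if principal is None:
        return None
    return local_users.get(principal.username)


if __name__ == "__main__":
    # Constructed sample: SP exported env vars, and a client also sent a forged
    # HTTP header. In env mode the forged header is ignored.
    env_request = {"REMOTE_USER": "alice", "mail": "alice@example.test",
                   "memberOf": "cn=wifi-admins;cn=staff",
                   "HTTP_REMOTE_USER": "mallory"}
    p = resolve_principal(env_request, "env")
    print(p, local_role(p))
```

In env mode a forged `HTTP_REMOTE_USER` never reaches the lookup, which is the property the comment relies on; in header mode the resolver refuses to run at all unless the deployment explicitly asserts that the SP strips inbound headers, so the riskier option cannot be enabled by accident.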

slivesay30 commented 7 months ago

I would think you can just use the saml attributes to map "AD" users in the request. This is normally how we use saml in other apps.


ciesinsn commented 7 months ago

@dresken @slivesay30 You can try a preview for SAML support for admin portal only (at this time) by pulling from the dev-saml-support branch. Would help if you can try it out and provide feedback.

There is a section in the appendix of README.md that has some notes about SAML support and what is needed, etc.

ciesinsn commented 7 months ago

You can actually test sponsor and captive portal SAML support as well. It was quicker to add support for those portals than I thought. Barring any issues you find, I believe it's ready for pushing to the main branch other than improving the README on how to configure Apache for mod_shib.