GSA / datagov-ckan-multi

[Spike: 1d] Test new saml2auth extension #541

Closed adborden closed 3 years ago

adborden commented 3 years ago

User Story

In order to avoid potentially unnecessary work to revamp the existing SAML2 auth extensions, the team wants to spend up to 1 day trying out an alternative extension to see if it works better.

Acceptance Criteria

Details / tasks

This is the alternative extension we're considering: https://github.com/keitaroinc/ckanext-saml2auth

The work is to configure the extension to point to login.gov and see if we can get it working within a day.

avdata99 commented 3 years ago

This extension is only python3 / CKAN 2.9

Is the plan to start a fresh new CKAN 2.9 with python3 to test, @adborden?

avdata99 commented 3 years ago

Started a PR for CKAN 2.9 and saml2auth: https://github.com/GSA/catalog.data.gov/pull/195

avdata99 commented 3 years ago

Now it's ~working. I'm able to show the login.gov login screen and log in with my user, and I get the error 405 when back at CKAN.

PR to upstream to allow defining the issuer: https://github.com/keitaroinc/ckanext-saml2auth/pull/4

ckan_1        | 2020-12-29 15:50:11,134 INFO  [ckan.config.middleware.flask_app]  /user/saml2login render time 0.018 seconds
ckan_1        | 2020-12-29 15:50:11,136 INFO  [werkzeug] 172.25.0.7 - - [29/Dec/2020 15:50:11] "GET /user/saml2login HTTP/1.0" 302 -

nginx_1       | 172.25.0.1 - - [29/Dec/2020:15:50:11 +0000] "GET /user/saml2login HTTP/1.1" 302 1439 "https://localhost:8443/dataset" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" "-"

ckan_1        | 2020-12-29 15:50:14,665 ERROR [ckan.config.middleware.flask_app] 405 Method Not Allowed: The method is not allowed for the requested URL.
ckan_1        | Traceback (most recent call last):
ckan_1        |   File "/usr/lib/python3.8/site-packages/flask/app.py", line 1949, in full_dispatch_request
ckan_1        |     rv = self.dispatch_request()
ckan_1        |   File "/usr/lib/python3.8/site-packages/flask_debugtoolbar/__init__.py", line 111, in dispatch_request
ckan_1        |     app.raise_routing_exception(req)
ckan_1        |   File "/usr/lib/python3.8/site-packages/flask/app.py", line 1907, in raise_routing_exception
ckan_1        |     raise request.routing_exception
ckan_1        |   File "/usr/lib/python3.8/site-packages/flask/ctx.py", line 350, in match_request
ckan_1        |     result = self.url_adapter.match(return_rule=True)
ckan_1        |   File "/usr/lib/python3.8/site-packages/werkzeug/routing.py", line 1940, in match
ckan_1        |     raise MethodNotAllowed(valid_methods=list(have_match_for))
ckan_1        | werkzeug.exceptions.MethodNotAllowed: 405 Method Not Allowed: The method is not allowed for the requested URL.
ckan_1        | 2020-12-29 15:50:14,702 INFO  [ckan.config.middleware.flask_app]  / render time 0.038 seconds

ckan_1        | 2020-12-29 15:50:14,704 INFO  [werkzeug] 172.25.0.7 - - [29/Dec/2020 15:50:14] "POST / HTTP/1.0" 405 -
nginx_1       | 172.25.0.1 - - [29/Dec/2020:15:50:14 +0000] "POST / HTTP/1.1" 405 14646 "https://idp.int.identitysandbox.gov/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" "-"
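
Added example, not part of the original thread or of ckanext-saml2auth: a small triage script for the nginx lines above that picks out POSTs referred by the identity provider and reports whether they reached the expected callback path. The callback path `/acs`, the function name `idp_posts` and the third sample line are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# nginx "combined" access-log line, optionally prefixed by docker-compose ("nginx_1 | ").
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def idp_posts(lines, idp_host, acs_path):
    """Return (time, path, status, verdict) for every POST referred by idp_host.

    Referer is client-supplied, so this is a triage aid for debugging the
    login round trip, not an authentication signal.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the parsed hostname exactly; a substring test would also
        # match look-alike hosts such as idp.example.gov.attacker.test.
        if urlsplit(m["referer"]).hostname != idp_host:
            continue
        path = urlsplit(m["target"]).path
        status = int(m["status"])
        if path != acs_path:
            verdict = "misrouted"   # IdP posted somewhere other than the callback
        elif status >= 400:
            verdict = "rejected"    # reached the callback but the app refused it
        else:
            verdict = "ok"
        findings.append((m["time"], path, status, verdict))
    return findings

SAMPLE = [
    # First two lines come from the log in the comment above (user agent shortened).
    'nginx_1       | 172.25.0.1 - - [29/Dec/2020:15:50:11 +0000] "GET /user/saml2login HTTP/1.1" 302 1439 "https://localhost:8443/dataset" "Mozilla/5.0" "-"',
    'nginx_1       | 172.25.0.1 - - [29/Dec/2020:15:50:14 +0000] "POST / HTTP/1.1" 405 14646 "https://idp.int.identitysandbox.gov/" "Mozilla/5.0" "-"',
    # Constructed line: a callback that lands on the assumed /acs path.
    'nginx_1       | 172.25.0.1 - - [29/Dec/2020:15:55:02 +0000] "POST /acs HTTP/1.1" 302 0 "https://idp.int.identitysandbox.gov/" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for row in idp_posts(SAMPLE, "idp.int.identitysandbox.gov", "/acs"):
        print(row)
```

On the lines from the thread, the only IdP-referred POST is the one to `/` that returned 405, which is reported as `misrouted`.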

adborden commented 3 years ago

Follow-up issues have been created.