HewlettPackard / jupyterhub-samlauthenticator

jupyterhub-samlauthenticator
MIT License

SAMLRequest empty on SP-initiated request #66

Open Matteo- opened 2 years ago

Matteo- commented 2 years ago

Hi @distortedsignal, I'm going to implement an SP-initiated SAML workflow. The error I get is: empty SAMLRequest in the URL. Can you confirm that this feature is not yet implemented in this version? Is there any other way to implement this SAML SP-initiated modality?

Thank you

distortedsignal commented 2 years ago

I'm not totally clear on a) what you're doing or b) where you're seeing the error that you mentioned.

Could you give me a set of steps so that I can understand your use case better?

tomcatling commented 2 years ago

Hi @Matteo-, see my fork for a minimal example of getting an SP-initiated auth flow working with the AWS SSO Portal. It seems fairly simple if you don't need to sign the request (which you don't with AWS SSO).

I've tested this with a local deployment of JupyterHub with the following config:

```python
# A simple example configuration.
## Class for authenticating users.
c.JupyterHub.authenticator_class = 'samlauthenticator.SAMLAuthenticator'

# Where the SAML IdP's metadata is stored.
c.SAMLAuthenticator.metadata_filepath = '/etc/jupyterhub/metadata.xml'
c.SAMLAuthenticator.time_format_string = '%Y-%m-%dT%H:%M:%S.%fZ'
c.SAMLAuthenticator.audience = 'http://localhost:8000/hub'  # must exactly match the value in AWS
c.SAMLAuthenticator.acs_endpoint_url = 'http://localhost:8000/hub/login'
```

and a live deployment of AWS SSO, and it works as it should. Grateful for any advice on making it a bit more elegant.
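
Added example (not code from the fork or from the project): how an unsigned SP-initiated `SAMLRequest` is encoded for the SAML 2.0 HTTP-Redirect binding, plus a decoder that reports the empty-parameter case this issue describes. The function names and the IdP URL `https://idp.example.test/sso` are hypothetical, and using the `audience` value as the Issuer is an assumption.

```python
import base64
import datetime
import secrets
import urllib.parse
import zlib
from xml.sax.saxutils import escape, quoteattr


def build_authn_request(issuer, acs_url, destination):
    """Return an unsigned <samlp:AuthnRequest> as an XML string."""
    request_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{instant}" '
        f"Destination={quoteattr(destination)} "
        f"AssertionConsumerServiceURL={quoteattr(acs_url)} "
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml, sso_url, relay_state=None):
    """Build the redirect URL: raw DEFLATE, then base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header/trailer
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if "?" in sso_url else "?"
    return sso_url + sep + urllib.parse.urlencode(params)


def decode_redirect(url):
    """Recover the AuthnRequest XML from a redirect URL, for troubleshooting."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    value = query.get("SAMLRequest", [""])[0]
    if not value:
        raise ValueError("SAMLRequest parameter is missing or empty")
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


if __name__ == "__main__":
    idp = "https://idp.example.test/sso"  # constructed placeholder IdP endpoint
    xml = build_authn_request("http://localhost:8000/hub",
                              "http://localhost:8000/hub/login", idp)
    print(encode_redirect(xml, idp, relay_state="/hub/home"))
```
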

erik-kkr commented 1 year ago

I also ran into this, needing support for the SP-initiated flow. I was able to make it work with @tomcatling's fork, so it'd be really nice to see this upstreamed.

@distortedsignal is there anything holding up his PR?

distortedsignal commented 1 year ago

> I also ran into this, needing support for the SP-initiated flow. I was able to make it work with @tomcatling's fork, so it'd be really nice to see this upstreamed.
>
> @distortedsignal is there anything holding up his PR?

Well, it's a draft. To me, that says that the PR isn't ready for review. When it moves from draft into ready for review, I'll review it.

tomcatling commented 1 year ago

Sorry, I put that together when I was using the library for work and I've moved jobs since then, so it's pretty unlikely I'll get through the 'To do' list in the PR.

erik-kkr commented 1 year ago

Fair enough. Thanks both of you for the response. Maybe I can find the time to take over.