OpenSlides / openslides-backend

Backend service for OpenSlides 4+
MIT License

Automate SAML setup via a new action #1933

Open peb-adr opened 11 months ago

peb-adr commented 11 months ago

At the moment, the following (relevant here) SAML-related fields are defined:

```yaml
# Saml settings
# [...]
saml_metadata_idp:
  type: text
  restriction_mode: A
saml_metadata_sp:
  type: text
  restriction_mode: A
saml_private_key:
  type: text
  restriction_mode: A
```

As far as I know, these are set with a simple organization.update action issued by the client. This is very error-prone and should instead be mostly automated. It requires the end user to manually generate and input a key pair and metadata for the SP (OpenSlides), see https://github.com/OpenSlides/openslides-client/issues/2944. I think the backend should just provide an action to automatically generate the needed information, like organization.generate_saml_metadata. This should then generate an x509 key pair and use its public key and other relevant information from the database (such as the URL) to construct saml_metadata_sp. The organization.update action should then forbid changing saml_metadata_sp and saml_private_key manually.

For implementing this, the backend should probably use the python3-saml module, for which inspiration may be found at https://github.com/OpenSlides/OpenSlides/tree/stable/3.4.x/server/openslides/saml. However, OpenSlides 3 did not generate the key pair within the code, so this has to be researched. I am pretty confident, though, that a good stable library for this exists. The generated key pair should be equivalent to the output of

```sh
openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key
```

Also, IdPs usually provide their metadata XML via an HTTP route. So I think it would also be more user-friendly and intuitive to change saml_metadata_idp to saml_metadata_idp_url, although this is not as important and may also be debatable. This of course would also imply that the URL must be queried at some point, and I am not sure if the backend should be the one doing that. So maybe - if at all - this should be in the client, which would then keep sending the XML to the backend.
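The following is an added example of what the proposed generate action could do; it is not code from the issue author or from the OpenSlides repository. Since python3-saml does not generate keys, it uses the `cryptography` package to produce a key pair and self-signed certificate equivalent to the openssl one-liner above, builds the SP metadata with the standard library, and shows the parse step a backend (or client) would need for IdP metadata fetched from an IdP's metadata URL. All function names, the example URLs and the sample IdP metadata are assumptions made for this illustration.

```python
# Added example (not OpenSlides code): what organization.generate_saml_metadata could do.
# Function names, URLs and the sample IdP metadata are assumptions for illustration.
import datetime
import xml.etree.ElementTree as ET

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def generate_sp_keypair(common_name: str, days: int = 3652) -> tuple:
    """Mirror `openssl req -new -x509 -days 3652 -nodes`: 2048-bit RSA, self-signed,
    SHA-256, unencrypted PKCS#8 key (-nodes). Returns (key_pem, cert_pem)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption()).decode()
    return key_pem, cert.public_bytes(serialization.Encoding.PEM).decode()


def certificate_info(cert_pem: str) -> dict:
    """Checks the generate action should run before writing saml_metadata_sp."""
    cert = x509.load_pem_x509_certificate(cert_pem.encode())
    nvb = getattr(cert, "not_valid_before_utc", None)
    nva = getattr(cert, "not_valid_after_utc", None)
    if nvb is None:  # cryptography < 42 only has the naive-datetime properties
        nvb, nva = cert.not_valid_before, cert.not_valid_after
    return {"common_name": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
            "key_size": cert.public_key().key_size, "valid_days": (nva - nvb).days}


def pem_body(cert_pem: str) -> str:
    """Metadata carries only the base64 DER, without the PEM armor lines."""
    return "".join(line for line in cert_pem.splitlines() if not line.startswith("-----"))


def build_sp_metadata(entity_id: str, acs_url: str, cert_pem: str) -> str:
    """Construct saml_metadata_sp from the instance URL and the generated certificate."""
    ET.register_namespace("md", MD_NS)
    ET.register_namespace("ds", DS_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", protocolSupportEnumeration=SAML2_PROTOCOL,
                       AuthnRequestsSigned="true", WantAssertionsSigned="true")
    for use in ("signing", "encryption"):  # one cert published for both uses
        kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", use=use)
        x509data = ET.SubElement(ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo"), f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509data, f"{{{DS_NS}}}X509Certificate").text = pem_body(cert_pem)
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", Binding=HTTP_POST, Location=acs_url,
                  index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def parse_metadata(xml_text: str) -> dict:
    """Pull entityID, first endpoint and signing cert from SP or IdP metadata. Metadata fetched
    from an IdP URL is untrusted: fetch over TLS only and use defusedxml in a real backend."""
    root = ET.fromstring(xml_text)
    md, ds = f"{{{MD_NS}}}", f"{{{DS_NS}}}"
    role, endpoint_tag = root.find(f"{md}IDPSSODescriptor"), "SingleSignOnService"
    if role is None:
        role, endpoint_tag = root.find(f"{md}SPSSODescriptor"), "AssertionConsumerService"
    endpoint = role.find(f"{md}{endpoint_tag}")
    cert_path = f"{ds}KeyInfo/{ds}X509Data/{ds}X509Certificate"
    cert = role.find(f"{md}KeyDescriptor[@use='signing']/{cert_path}")
    if cert is None:  # a KeyDescriptor without 'use' is valid for signing and encryption
        cert = role.find(f"{md}KeyDescriptor/{cert_path}")
    return {"entity_id": root.get("entityID"), "endpoint": endpoint.get("Location"),
            "binding": endpoint.get("Binding"), "signing_cert": "".join(cert.text.split())}


# Constructed sample of what an IdP serves at its metadata URL (placeholder cert, not real data).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

In a backend action the `entity_id` and `acs_url` arguments would come from the organization's stored URL rather than from the caller, the private key would be written to `saml_private_key` without ever being returned to the client, and `certificate_info` is the kind of check that guards against storing a malformed or short-lived certificate. `parse_metadata` tolerates an IdP KeyDescriptor with no `use` attribute, which the SAML metadata spec allows and which several IdPs emit.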

peb-adr commented 11 months ago

Another thing I forgot to mention: currently, only the superadmin has the permission to change SAML-related fields. This should also be changed so that an organization admin can configure SAML on their own.