hashicorp / waypoint

A tool to build, deploy, and release any application on any platform.
https://waypointproject.io

SAML authentication support #3361

Open cweagans opened 2 years ago

cweagans commented 2 years ago

Is your feature request related to a problem? Please describe.
I'm looking at using Waypoint for deploying things on Kubernetes in AWS. Currently, I use AWS SSO for pretty much everything, but it doesn't support OIDC (only SAML).

Describe the solution you'd like
I'd like to be able to set up Waypoint to use SAML authentication instead of OIDC.

Describe alternatives you've considered
I've tried to find some kind of SAML -> OIDC bridge... thingy? But that doesn't seem to exist. I'm really not sure how that would work anyway, though.

Explain any additional use-cases

Additional context
I looked at the existing OIDC stuff to see how I might go about implementing this, and I think it would be valuable to do something like SAML to generalize the interface that Waypoint expects for authentication providers.

Also, I have experience with SAML authentication (https://drupal.org/project/samlauth). It's not particularly difficult -- if you can get me pointed in the right direction, I can probably build at least a rough version.

evanphx commented 2 years ago

Hi @cweagans,

Interesting that AWS only supports SAML right now. We don't currently have the bandwidth to look into implementing SAML support, but we'd be happy to look at a PR if you were so inclined.

We did find this: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html. Does that not work for you?

cweagans commented 2 years ago

> Interesting that AWS only supports SAML right now. We don't currently have the bandwidth to look into implementing SAML support, but we'd be happy to look at a PR if you were so inclined.

Noted, thanks! I'll give this some thought.

In the meantime, I found dexidp.io, which supports SAML 2.0 as an authentication connector. In theory, that should do what I need. There is some active discussion over there about removing SAML support (seeing as how signed XML messages are difficult to get right and are frequently vulnerable to all kinds of new, fun breakages), so TBD, I guess?

> We did find this: docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html. Does that not work for you?

I saw this, but I'm not sure how that would work beyond creating the client. There's nothing in the AWS UI that mentions OIDC at all, so I'm not sure how you'd go about, e.g., allowing some users but not others to access that particular application. It's possible that they're actively working on OIDC support, though, so maybe it's not necessary to implement SAML right away.

rastakajakwanna commented 2 years ago

I use AWS SSO in our company too, and while AWS SSO is SAMLv2 only, you may consider using AWS Cognito with a SAML IdP provider for your user pool pointing back to your AWS SSO directory. Then you can integrate Cognito with Waypoint OIDC and that's it: AWS SSO is the source of truth for users, while you authenticate Waypoint using OIDC with Cognito.

I considered it too, but in the end I abandoned the idea due to the complexity of that implementation and limitations on the AWS SSO side (if you use just bare SSO without your own AD domain or integration with Azure AD). For example, the biggest challenge of that integration is user group mapping and then group privilege associations.

It is not impossible, but it is more than challenging :) I will probably really try to implement it one day, and if so, I will comment here on how to do it.
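The AWS SSO (SAML) to Cognito to OIDC bridge described in the comment above, sketched as Terraform. This is an added example, not code from this thread, from HashiCorp or from the Waypoint project. It assumes the Cognito resources of the hashicorp/aws Terraform provider, a placeholder AWS SSO SAML metadata URL, a placeholder Waypoint OIDC callback URL, and a `custom:groups` attribute mapping as one way to approach the group-mapping problem the comment raises; that mapping only carries whatever group attribute the SAML assertion actually contains, which is the part the comment calls the biggest challenge.

```hcl
# Assumed AWS region and Waypoint callback URL; both are placeholders.
variable "region" {
  default = "us-east-1"
}

variable "waypoint_oidc_callback_url" {
  # Placeholder: the redirect URL Waypoint registers for its OIDC auth method.
  default = "https://waypoint.example.invalid/auth/oidc-callback"
}

# User pool that fronts AWS SSO. Cognito, not Waypoint, parses and verifies
# the signed SAML assertion, so Waypoint only ever sees a signed OIDC ID token.
resource "aws_cognito_user_pool" "waypoint" {
  name = "waypoint-users"

  # Custom attribute used to surface SAML group membership (assumption: the
  # SAML assertion from AWS SSO carries a "groups" attribute at all).
  schema {
    name                = "groups"
    attribute_data_type = "String"
    mutable             = true

    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }
}

# Hosted UI domain prefix (placeholder; must be globally unique).
resource "aws_cognito_user_pool_domain" "waypoint" {
  domain       = "waypoint-auth-placeholder"
  user_pool_id = aws_cognito_user_pool.waypoint.id
}

# AWS SSO registered as a SAML identity provider for the pool.
resource "aws_cognito_identity_provider" "aws_sso" {
  user_pool_id  = aws_cognito_user_pool.waypoint.id
  provider_name = "AWSSSO"
  provider_type = "SAML"

  provider_details = {
    # Placeholder: the SAML metadata URL shown for the application in AWS SSO.
    MetadataURL = "https://portal.sso.REGION.amazonaws.com/saml/metadata/PLACEHOLDER"
  }

  # Left side: Cognito attribute; right side: SAML attribute name in the assertion.
  attribute_mapping = {
    email           = "email"
    "custom:groups" = "groups"
  }
}

# App client that Waypoint uses as its OIDC client (authorization-code flow).
resource "aws_cognito_user_pool_client" "waypoint" {
  name            = "waypoint"
  user_pool_id    = aws_cognito_user_pool.waypoint.id
  generate_secret = true

  # Only the SAML federation path is allowed; no native Cognito accounts.
  supported_identity_providers = [aws_cognito_identity_provider.aws_sso.provider_name]

  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid", "email", "profile"]
  callback_urls                        = [var.waypoint_oidc_callback_url]
}

# OIDC issuer to hand to Waypoint's OIDC auth method, plus the client credentials.
output "oidc_issuer" {
  value = "https://cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool.waypoint.id}"
}

output "oidc_client_id" {
  value = aws_cognito_user_pool_client.waypoint.id
}

output "oidc_client_secret" {
  value     = aws_cognito_user_pool_client.waypoint.client_secret
  sensitive = true
}
```

The `oidc_issuer`, `oidc_client_id` and `oidc_client_secret` outputs are what Waypoint's existing OIDC auth method needs; Waypoint discovers the JWKS from the issuer and verifies the ID token itself. Restricting `supported_identity_providers` to the SAML provider keeps the pool from becoming a second user store, so AWS SSO stays the source of truth as the comment describes. The open problem the comment points at remains: whether a `groups` claim reaches Waypoint depends entirely on AWS SSO emitting that attribute in the assertion, and any group-to-privilege decision still has to be made on the Waypoint side.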