Closed kyori19 closed 1 year ago
Very interesting scenario.
Do you know if an anonymous user happens to directly access a non-anonymous dashboard, will Grafana enforce sending them through the login flow?
Yes, of course. It will be handled by regular Grafana authorization flow and correctly protected.
In that case, I definitely like the overall strategy you took in your changes. It would be great if you could PR a variation that will be minimally configuration driven. Perhaps via a new option called something like "initiate auth session paths" that would take "/login" for your scenario.
Sorry for the late response. Then I will write the PR after adding a configuration flag. Before doing the implementation, let me ask you about the naming of it.
How about naming that flag `-initiate-session-path string`?
When `-initiate-session-path` is not given (empty string), all paths will initiate the SAML auth flow (will keep backward compatibility).
If `-initiate-session-path /login` is given, all paths other than `/login` will be bypassed, and only when the user accesses `/login` will it initiate the SAML auth flow.
In this implementation, when we want to support multiple initiate paths, we can safely turn it into an array of strings.
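As an added example (not kyori19's commit or the project's own code), a minimal net/http sketch of the flag semantics described in this comment and in the proposal below; the `requireAccount` wrapper and the `token` cookie are constructed stand-ins for the SAML library's `RequireAccount`, and the paths are made up. Note that with the flag set, the proxy no longer decides what is public: anonymous requests to non-anonymous dashboards are only rejected by the backend's own authorization.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireAccount is a constructed stand-in for the SAML library's RequireAccount wrapper (not the real one):
// requests without a session cookie are redirected into the SAML login flow, the rest pass through.
func requireAccount(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("token"); err != nil || c.Value == "" {
			http.Redirect(w, r, "/saml/login", http.StatusFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// withInitiateSessionPath applies the flag semantics from the thread: an empty path keeps the
// old behaviour (every request must authenticate); otherwise only that path starts the SAML flow
// and all other paths reach the backend unauthenticated, so its own authorization decides what is public.
func withInitiateSessionPath(initiatePath string, backend http.Handler) http.Handler {
	guarded := requireAccount(backend)
	if initiatePath == "" {
		return guarded
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == initiatePath {
			guarded.ServeHTTP(w, r)
			return
		}
		backend.ServeHTTP(w, r)
	})
}

// statusFor sends one anonymous GET through a proxy configured with initiatePath and returns the status.
func statusFor(initiatePath, reqPath string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "backend saw %s", r.URL.Path)
	})
	rec := httptest.NewRecorder()
	withInitiateSessionPath(initiatePath, backend).ServeHTTP(rec, httptest.NewRequest("GET", reqPath, nil))
	return rec.Code
}

func main() {
	fmt.Println(statusFor("", "/d/public"), statusFor("/login", "/d/public"), statusFor("/login", "/login")) // 302 200 302
}
```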
That name sounds good. Thanks.
This is now included in https://github.com/itzg/saml-auth-proxy/releases/tag/1.12.0
Background
I want to log in to Grafana using SAML while allowing anonymous access to the public dashboard. Here is an example configuration of such a situation.
Current Situation
Currently, saml-auth-proxy always initiates SAML auth flow. It forces all users to sign in though Grafana allows anonymous access.
That behaviour is caused by the use of `RequireAccount` in the proxy server: https://github.com/itzg/saml-auth-proxy/blob/6745b242d2df11540dbe1b8e528f9f6d5caaf322/server/server.go#L106
Proposal
saml-auth-proxy should support anonymous access to the backend app.
I made some prototype which works for my usecase. Changes can be found on the commit: https://github.com/kyori19/saml-auth-proxy/commit/6642f8ad0f2b9f32761a35fcc922a49f09faa441.
In my implementation, almost all requests from users will be proxied to the backend without initiating/requiring SAML auth. However, when the user accesses the login path `/login`, saml-auth-proxy initiates the SAML auth flow and the user can log in to the service. The login path `/login` will be accessed when the user clicks the "Sign In" button on the Grafana dashboard.
Problem
As my implementation is just a prototype and heavily adapted to my use case, it has some problems.