morincer / teamcity-plugin-saml

The plug-in adds the ability to authenticate users via SAML-based SSO providers (like Okta, Onelogin, etc.)
MIT License
24 stars, 16 forks

metadata file to configure with Keycloak #43

Closed yehiamc closed 4 years ago

yehiamc commented 4 years ago

Hey and thanks for this amazing plugin,

We have an issue when we tried to configure the plugin with Keycloak. We set all the required configuration on the TeamCity side, but in order to make it work we need to provide a metadata file and set it up on the Keycloak side. Do you have any idea where I can find this metadata file?

Thanks!

morincer commented 4 years ago

IdP metadata generation implementation is still pending (see #14). But why do you need metadata for Keycloak? IdP metadata is just a quick way to configure things there - in my sandbox I was able to make the plugin work with Keycloak (check #19 - it contains some details).

If you outline the integration scenario you're trying to implement - I can try to replicate it and help you with issues.

yehiamc commented 4 years ago

Hey @morincer, and thanks for your quick reply,

I did follow this issue (#19) and was able to configure it, but then I'm getting this error: 403 Forbidden: Responding with 403 status code due to failed CSRF check: request's "Origin" header value "null" does not match Host/X-Forwarded-Host header values or server's CORS-trusted hosts, consider adding "Origin: http://jvm-tc.dev.wixpress.com" header.

I have found this solution, but from a security standpoint it's too risky for me to turn off TeamCity CSRF protection.

Any idea?

Thanks!

morincer commented 4 years ago

Which TeamCity version do you use? If it's 2020+ then it's probably the same issue as #39.

And you'll have to configure the CORS origin for TeamCity anyway (for example, check https://github.com/morincer/teamcity-plugin-saml/blob/master/docs/OktaSetup.md#step-5-test) - the IdP sends a POST request to the TeamCity server, so the origin host needs to be whitelisted.

yehiamc commented 4 years ago

TeamCity version is 2018.1.1 (build 58406). We configured the CORS origin already, but I found it too risky from a security perspective.

Thanks!

morincer commented 4 years ago

Sorry, but what kind of risk do you mean? Setting the CORS origin for SAML interaction is not a question of preference - it's a must-have. The SSO provider's login page sends a POST request to the TeamCity server, so the origin must be whitelisted.

yehiamc commented 4 years ago

You are right, my bad, I confused it with the CSRF :-)

I will try to follow this one and will let you know.

Thanks

morincer commented 4 years ago

Hi @yehiamc, please give the new version 1.2.1 a try - I added a (configurable) exception for the SAML callback endpoint to the TeamCity CORS filter, so it shouldn't trigger the error anymore.

P.S. You'll need to restart the server to make it work.
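The Origin check, the CORS allowlist and the scoped callback exception discussed in this thread, as an added example that is neither the plugin's code nor TeamCity's own filter: a small Python model of an Origin/Host CSRF check of the kind the quoted 403 message describes, run against a SAML HTTP-POST callback from the IdP, the same callback arriving with `Origin: null`, and a forged cross-site POST to an admin endpoint. The host names, the callback path `/app/saml/callback/`, the policy field names and the sample requests are assumptions constructed for the example.

```python
# Added example (not the plugin's code, not TeamCity's filter): a model of an
# Origin-based CSRF check and the three ways of dealing with a SAML POST callback
# that trips it. Host names, paths and setting names are assumptions.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    path: str
    headers: dict


@dataclass
class CsrfPolicy:
    # Origins treated as CORS-trusted (the allowlist the thread says is a must-have).
    trusted_origins: set = field(default_factory=set)
    # Paths exempt from the Origin check; the 1.2.1 fix scopes this to the SAML callback.
    exempt_paths: set = field(default_factory=set)
    # The "turn CSRF protection off" switch the reporter refused to flip.
    disabled: bool = False


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def check_csrf(req: Request, policy: CsrfPolicy, server_origin: str):
    """Return (allowed, reason) for a request under the given policy.

    A state-changing request passes only if its Origin (or Referer) matches
    the server's own host, the X-Forwarded-Host, or a CORS-trusted origin,
    unless its path is explicitly exempt or the check is disabled outright.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    if policy.disabled:
        return True, "CSRF protection disabled: every cross-site POST passes"
    if req.path in policy.exempt_paths:
        return True, f"{req.path} is exempt; the SAML Response is validated by its signature instead"

    origin = req.headers.get("Origin")
    if origin is None and "Referer" in req.headers:
        origin = origin_of(req.headers["Referer"])
    if origin is None:
        return False, "no Origin or Referer header"
    origin = origin.lower()
    if origin == "null":
        # Browsers send the literal "null" for an opaque origin, e.g. a POST that
        # went through a cross-origin redirect or came from a sandboxed document,
        # so no allowlist entry can ever match it.
        return False, 'Origin "null" cannot be matched against any host'

    own = {server_origin.lower()}
    fwd = req.headers.get("X-Forwarded-Host")
    if fwd:
        own.add(f"{urlsplit(server_origin).scheme}://{fwd}".lower())
    if origin in own:
        return True, "same origin"
    if origin in policy.trusted_origins:
        return True, f"{origin} is CORS-trusted"
    return False, f"Origin {origin} matches neither the host nor a trusted origin"


# Constructed sample traffic (not captured from a real server); names are assumed.
TEAMCITY = "http://teamcity.example.com"
KEYCLOAK = "https://sso.example.com"
ACS_PATH = "/app/saml/callback/"

SAML_POST = Request("POST", ACS_PATH, {"Origin": KEYCLOAK})       # IdP HTTP-POST binding
SAML_POST_NULL = Request("POST", ACS_PATH, {"Origin": "null"})    # the case from the thread
FORGED_POST = Request("POST", "/admin/action.html", {"Origin": "https://evil.example"})

POLICIES = {
    "default": CsrfPolicy(),
    "trusted": CsrfPolicy(trusted_origins={KEYCLOAK}),
    "exempt": CsrfPolicy(exempt_paths={ACS_PATH}),
    "disabled": CsrfPolicy(disabled=True),
}
REQUESTS = {"saml": SAML_POST, "saml-null": SAML_POST_NULL, "forged": FORGED_POST}


def run_scenarios():
    """Evaluate every request under every policy: {"policy:request": (allowed, reason)}."""
    return {
        f"{pname}:{rname}": check_csrf(req, pol, TEAMCITY)
        for pname, pol in POLICIES.items()
        for rname, req in REQUESTS.items()
    }


if __name__ == "__main__":
    for key, (ok, why) in run_scenarios().items():
        print(f"{key:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running it shows the shape of the thread: with the default policy the IdP's POST is refused; trusting the Keycloak origin admits it but still cannot help once the browser sends `Origin: null`, which is exactly the 403 quoted above; disabling the check admits the forged admin POST too; exempting only the callback path admits both callback variants while the forged POST stays denied, which is why a scoped exception for an endpoint that authenticates its input by SAML signature is the defensible fix.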