Skip to content

Service Provider creation without entity descriptor in config file#35454

Merged
flyinghermit merged 12 commits intomasterfrom
sshah/fetch-sp-metada
Dec 12, 2023
Merged

Service Provider creation without entity descriptor in config file#35454
flyinghermit merged 12 commits intomasterfrom
sshah/fetch-sp-metada

Conversation

@flyinghermit
Copy link
Copy Markdown
Contributor

@flyinghermit flyinghermit commented Dec 7, 2023
edited by camscale
Loading

  • Tries to fetch entity descriptor (aka SP metadata) from remote entity ID endpoint. Requires entity ID to be configured.
  • If entity descriptor is not available from remote entity ID endpoint, a default entity descriptor with entity ID, ACS URL and unspecified NameID format will be created. Requires entity ID and ACS URL to be configured.
  • New proto field ACSURL (acs_url) is added to accept Assertion Consumer Service URL.

see #34661, https://github.com/gravitational/teleport.e/issues/2692

Manually tested with service providers.

Works only with tctl, Web UI will be updated with another PR.

To test this PR, create a new service provider with the following spec:

kind: saml_idp_service_provider
version: v1
metadata:
  name: sp
spec:
  entity_id: https://example.com/saml/metadata
  acs_url: https://example.com/saml/acs

It should generate entity descriptor with the following XML format:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2023-12-10T03:30:20.578Z" entityID="https://example.com/saml/metadata">
      <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2023-12-10T03:30:20.577825Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/acs" index="1"></AssertionConsumerService>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://example.com/saml/acs" index="2"></AssertionConsumerService>
      </SPSSODescriptor>
</EntityDescriptor>

Changelog: Added guided SAML entity descriptor creation when entity descriptor XML is not yet available.

@flyinghermit
proto def
ea84d86
@flyinghermit
fetch or generate entity descriptor
ffaa6c9 
- fetch ed from remote entity ID endpoint
- if ed is not available, generate a default ed with entity ID and acs url
@flyinghermit
- move entity descriptor fetch and generate funcs to lib/services/local
f58807a 
- fetch and generate func tests
- add logger and http client to SAMLIdPServiceProviderService
@flyinghermit
Merge branch 'master' of github.com:gravitational/teleport into sshah…
377ca4b 
…/fetch-sp-metada
@flyinghermit
revert e ref
cee842d
@flyinghermit
run fix-imports, fixed typos
d8c8acf
@flyinghermit flyinghermit requested review from mdwn and r0mant December 8, 2023 05:24
@flyinghermit flyinghermit marked this pull request as ready for review December 8, 2023 05:24
bl-nero
bl-nero approved these changes Dec 8, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@bl-nero bl-nero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks good, but I was unable to properly test it (my local Teleport suddenly stopped receiving features from Sales Center and I can't force it to enable SAML).

Comment thread lib/services/local/saml_idp_service_provider.go Outdated
@flyinghermit
Copy link
Copy Markdown
Contributor Author

flyinghermit commented Dec 11, 2023

Friendly ping @r0mant @mdwn

mdwn
mdwn approved these changes Dec 11, 2023
View reviewed changes
Comment thread lib/services/local/saml_idp_service_provider.go Outdated
@flyinghermit
- return trace.ReadError for status not found
2a20721 
- move http client init to NewSAMLIdPServiceProviderService
- catch eof error in validateSAMLIdPServiceProvider for verbosity
r0mant
r0mant reviewed Dec 11, 2023
View reviewed changes
Comment thread lib/services/local/saml_idp_service_provider.go Outdated
r0mant
r0mant approved these changes Dec 12, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@r0mant r0mant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm with a couple of suggestions

Comment thread lib/services/local/saml_idp_service_provider.go
Comment thread lib/services/local/saml_idp_service_provider.go Outdated
Comment thread lib/services/local/saml_idp_service_provider.go
defer resp.Body.Close()

if resp.StatusCode != http.StatusOK {
return trace.Wrap(trace.ReadError(resp.StatusCode, nil))
Copy link
Copy Markdown
Collaborator

@r0mant r0mant Dec 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we read response body and include it in the error and/or log it for easier troubleshooting?

Copy link
Copy Markdown
Contributor Author

@flyinghermit flyinghermit Dec 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so. Unless the error is from reading invalid xml or metadata type, I doubt response body would add any meaningful information what is not already provided with StatusCode.

@flyinghermit flyinghermit added this pull request to the merge queue Dec 12, 2023
Merged via the queue into master with commit 502fa7a Dec 12, 2023
@flyinghermit flyinghermit deleted the sshah/fetch-sp-metada branch December 12, 2023 01:34
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Dec 12, 2023

@flyinghermit See the table below for backport results.

Branch Result
branch/v14 Failed

flyinghermit added a commit that referenced this pull request Dec 12, 2023
@flyinghermit
Backport #35454 to branch/v14
5508a1c
@flyinghermit flyinghermit mentioned this pull request Dec 12, 2023
Merged
github-merge-queue Bot pushed a commit that referenced this pull request Dec 13, 2023
@flyinghermit
[v14] Service Provider creation without entity descriptor in config f…
915a2ae 
…ile (#35657)

* Backport #35454 to branch/v14

* run make fix-imports

* use trace.Badparameter struct and wrap it for better stack strace
@flyinghermit flyinghermit mentioned this pull request Dec 14, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@bl-nero bl-nero bl-nero approved these changes

@espadolini espadolini Awaiting requested review from espadolini

+1 more reviewer

@mdwn mdwn mdwn approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@flyinghermit @r0mant @espadolini @mdwn @bl-nero