[pve-devel] RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2

Dietmar Maurer dietmar at proxmox.com
Wed Jun 2 10:59:59 CEST 2021

> > I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough
> > to store that on the local file system?
> On the one hand, I enjoyed reusing your work.
> On the other hand, I think it is more secure to put this kind of data in /etc/pve/tmp/saml than in /tmp/saml/

No, I consider this less secure. Especially if the write is triggered by unauthenticated request...

> Then, yes, it is possible to store it on /tmp/saml for example, it is variable data. Nothing is fixed, you are free to do what you want.
> > Unfortunately, your code depends on code not packaged for Debian. Any idea
> > how to replace that (cpanm Net::SAML2)?
> Since I'm not a perl specialist, I took what seemed to me the most standard in this language. Have you considered cloning this repos available on GitHub(https://github.com/perl-net-saml2/perl-Net-SAML2)?

This module has way to much dependencies (Moose). I do not want to use that.

> > Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
> > for that and reuse the code with Proxmox Backup Server.
> Do you have a specific project or library in mind?
> Unfortunately, I don't have any knowledge about rust and I'll have a hard time accompanying you on this topic. However, it seems that there are projects on github in opensource, for example https://github.com/njaremko/samael.

All those SAML libs are basically unmaintained, without any large user base.

> I'll tell you again,nothing is fixed, you are free to do what you want.

I also wonder why SAML? Would it be an option to use OpenId connect instead?

More information about the pve-devel mailing list