[pve-devel] RE : RE : [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2
wb
webmaster at jbsky.fr
Wed Jun 2 12:16:14 CEST 2021
> I also wonder why SAML? Would it be an option to use OpenId connect instead?
As I was able to use SAML, I know the functional part and therefore, if I used SAML, it is only by ease.
Switch to OpenID, why not. The time I set up a functional POC.
On the other hand, I would like to know your constraints.
Do you still want to use Rust? If yes, I am curious to know how to bind perl to Rust? Do you have an example?
I noticed from our exchange :
During an API call, if the user is not authenticated, do not pass in private and privileged the writing on /tmp/.
Waiting for your feedback,
Sincerely,
Julien Blais
De : Dietmar Maurer
Envoyé le :mercredi 2 juin 2021 11:00
À : wb; Proxmox VE development discussion
Objet :Re: RE : [pve-devel] [PATCH] [PATCH pve-access-control] SSO feature:login with SAMLv2
> > I wonder why you want to store temporary data in /etc/pve/tmp/saml. Wouldn't it we good enough
> > to store that on the local file system?
> On the one hand, I enjoyed reusing your work.
> On the other hand, I think it is more secure to put this kind of data in /etc/pve/tmp/saml than in /tmp/saml/
No, I consider this less secure. Especially if the write is triggered by unauthenticated request...
> Then, yes, it is possible to store it on /tmp/saml for example, it is variable data. Nothing is fixed, you are free to do what you want.
>
> > Unfortunately, your code depends on code not packaged for Debian. Any idea
> > how to replace that (cpanm Net::SAML2)?
>
> Since I'm not a perl specialist, I took what seemed to me the most standard in this language. Have you considered cloning this repos available on GitHub(https://github.com/perl-net-saml2/perl-Net-SAML2)?
This module has way to much dependencies (Moose). I do not want to use that.
> > Or better, is there a 'rust' implementaion for SAML2? If so, we could make perl bindings
> > for that and reuse the code with Proxmox Backup Server.
>
> Do you have a specific project or library in mind?
>
> Unfortunately, I don't have any knowledge about rust and I'll have a hard time accompanying you on this topic. However, it seems that there are projects on github in opensource, for example https://github.com/njaremko/samael.
All those SAML libs are basically unmaintained, without any large user base.
> I'll tell you again,nothing is fixed, you are free to do what you want.
I also wonder why SAML? Would it be an option to use OpenId connect instead?
More information about the pve-devel
mailing list