
SAML Improvements

Open wezell opened this issue 3 years ago • 1 comment

This is a list to capture a number of improvements that can be made to our dotSAML implementation

  • #22156 redirect is not working for front end login. Maybe we need to add a "redirect after login" field to our SAML secrets and use that if a redirect is not provided?

We figured this out - the issue was that we needed to hit the SAMLWebInterceptor in order to log in. What needs to happen is to add include.path.values=* where * is a regex for the path where you want to force/redirect your SAML logins, and add access.filter.values=/api to exclude /api calls from redirecting to SAML. You can see a working example on our intranet.

  • #21430 roles causing an NPE
  • Make sure that the "Service Provider Endpoint Hostname/Port" field is normalized - this can be done under the covers
    • The field should only expect hostname:port here, where port is optional.
    • The value should not have http:// or https:// in it, as we will automatically prepend https.
    • We should automatically add the whole dotSAML path (/api/v1/dotsaml/login) to whatever is provided here.
  • Fix the MessageBodyProviderNotFoundException: MessageBodyReader not found for media type=application/text errors that eat/obfuscate any original SAML error. My guess is we can add the jersey-media-json-jackson to the dotSAML plugin or make sure it is exported?
  • Try to map common fields without configuration. We should have a list of aliases for each field that we expect back from the IdP and try to use those before giving up.
  • #22124 this does not work if the user has logged in using SAML
  • We need to try to log the user in on the /api/v1/dotsaml/login/* endpoint. That way, when they redirect, they will already be logged in.

wezell avatar Jul 07 '22 13:07 wezell
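As an added illustration of how the two interceptor properties named in the comment above interact, here is a small decision function that is not dotCMS code. It takes the property names from the thread but assumes the matching rules: include.path.values entries are regexes matched against the whole request path, access.filter.values entries are path prefixes, and exclusions win over inclusions.

```python
import re
from typing import Dict, List

# Constructed sample config using the two property names from the issue.
# The comma-separated format and the matching semantics are assumptions.
SAMPLE_CONFIG = """
include.path.values=/intranet/.*,/dotAdmin/.*
access.filter.values=/api,/contentAsset
"""


def parse_props(text: str) -> Dict[str, List[str]]:
    """Parse 'key=value' lines into a dict of comma-separated value lists."""
    props: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props


def should_redirect_to_saml(path: str, props: Dict[str, List[str]]) -> bool:
    """Decide whether an unauthenticated request should be sent to the IdP.

    Exclusions (access.filter.values) are checked first, so an /api call is
    never bounced to the SAML login page even when an include regex matches.
    Without an exclusion list, a broad include such as /.* would redirect
    API calls too, which is the behaviour the comment above describes fixing.
    """
    for prefix in props.get("access.filter.values", []):
        if path.startswith(prefix):
            return False
    for pattern in props.get("include.path.values", []):
        if re.fullmatch(pattern, path):
            return True
    return False
```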

  • Report the errors to the browser when attempting login and receiving a 500, rather than just putting a generic '500' error screen
  • Add all of our config properties to a dropdown in the UI, rather than having users type them out
  • Add the ability to generate a server cert to the UI, so the users don't have to generate one separately and cut/paste
  • Make the Metadata URL not require authentication so users can point their IDP to it and consume changes automatically
  • Default the individual site forms to have 'Enabled' unchecked. Currently it shows as checked before configuring the site, which can lead to confusion
  • Provide a proper error message when logging in to the backend with a frontend account; currently this results in an infinite loop.

swicken-dotcms avatar Jul 07 '22 14:07 swicken-dotcms

Add the ability to include relay state

jdotcms avatar Aug 21 '23 21:08 jdotcms

Fixed, this was tested in some prod environments and this is working as expected

bryanboza avatar Oct 10 '23 00:10 bryanboza