
SAML implementation?

Hi all,
I noticed that SAML has been added as an option in the list of authentication providers in the current master branch (though not in the latest release tag). I’m wondering if anyone has implemented/tested this yet, and if they’d be willing to share any advice/issues that might have come up. We have a local development implementation and are working on getting a production server set up and our institution (UC Davis) uses SAML (Shibboleth) for single sign on authn so we’d like to integrate with that.

Thanks,
Scott

Hi @scottf2 , we are trying to do just what you were trying here more than a year ago… so did you make any progress on this? Your update is greatly appreciated!

Thanks,
liyang

Hi @anthonysena, hope I have found the right person… could you please shed some light on this one - is SAML supported now? If so, which release version should we be using? Could you please kindly point us to some example/documentation?

Thank you in advance!

We did some tests for SAML authentication with OKTA and Google Workspace and it worked well.
You can find the list of parameters in the pom.xml

It’s a good point to extend documentation with these options. And you can find examples for IdP/SP metafiles here: https://github.com/OHDSI/WebAPI/tree/master/src/main/resources/saml/dev

Thank you @Konstantin_Yaroshove very much for the response! We are looking at this document, and here is the main part,

The following parameters are used:

  • security.saml.idpMetadataLocation=classpath:saml/dev/idp-metadata.xml - path to metadata used by identity provider
  • security.saml.metadataLocation=saml/dev/sp-metadata.xml - service provider metadata path
  • security.saml.keyManager.keyStoreFile=classpath:saml/samlKeystore.jks - path to keystore
  • security.saml.keyManager.storePassword=nalle123 - keystore password
  • security.saml.keyManager.passwords.arachnenetwork=nalle123 - private key password
  • security.saml.keyManager.defaultKey=apollo - keystore alias
  • security.saml.sloUrl=https://localhost:8443/cas/logout - identity provider logout URL
  • security.saml.callbackUrl=http://localhost:8080/WebAPI/user/saml/callback - URL called from identity provider after login

Could you please show some example of the settings using the above lines? For example, what should we be using for the classpath?

Thanks!

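As an added example of how the quoted security.saml.* settings fit together (this is not code from WebAPI or from anyone in the thread): a small Python checker that resolves the `classpath:` locations and compares `callbackUrl` and `sloUrl` against the SP and IdP metadata documents, which is where SAML integrations most often break. The property values, host names and both metadata documents are constructed for illustration, and treating `classpath:` as a path under `src/main/resources` (the usual Spring layout when running from a WebAPI source checkout) is an assumption; anything under `saml/dev/` is flagged because the earlier reply points at that directory as the development sample set.

```python
"""Consistency checks for the security.saml.* settings quoted above.
Added example, not WebAPI code. Property values, host names and both metadata
documents are constructed; `classpath:` is assumed to resolve under
src/main/resources, the usual Spring layout for a source checkout."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed production-style version of the property lines from the thread.
PROPERTIES = """\
security.saml.idpMetadataLocation=classpath:saml/idp-metadata.xml
security.saml.metadataLocation=saml/sp-metadata.xml
security.saml.keyManager.keyStoreFile=classpath:saml/samlKeystore.jks
security.saml.keyManager.storePassword=changeit
security.saml.keyManager.passwords.webapi=changeit
security.saml.keyManager.defaultKey=webapi
security.saml.sloUrl=https://idp.example.edu/idp/profile/SAML2/Redirect/SLO
security.saml.callbackUrl=https://atlas.example.edu/WebAPI/user/saml/callback
"""

# Constructed SP metadata: what the IdP administrators register for WebAPI.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://atlas.example.edu/WebAPI">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://atlas.example.edu/WebAPI/user/saml/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata: what the institution's IdP publishes.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_properties(text):
    """Minimal key=value parser for a Java properties fragment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve_location(value, resources_dir="src/main/resources", work_dir="."):
    """Map a Spring resource location to a filesystem path (assumed layout)."""
    if value.startswith("classpath:"):
        return f"{resources_dir}/{value[len('classpath:'):]}"
    if value.startswith("file:"):
        return value[len("file:"):]
    return f"{work_dir}/{value}"


def service_locations(xml_text, role, service):
    """Location attributes of the md:<service> elements under md:<role>."""
    root = ET.fromstring(xml_text)
    return [e.get("Location") for e in root.findall(f"md:{role}/md:{service}", NS)]


def check_saml_config(props, sp_xml, idp_xml):
    """Return 'ERROR ...' / 'WARN ...' findings; an empty list means consistent."""
    findings = []
    callback = props["security.saml.callbackUrl"]
    acs = service_locations(sp_xml, "SPSSODescriptor", "AssertionConsumerService")
    if callback not in acs:  # the IdP only POSTs responses to a registered ACS
        findings.append(f"ERROR callbackUrl {callback} is not an AssertionConsumerService in SP metadata {acs}")
    slo = props["security.saml.sloUrl"]
    idp_slo = service_locations(idp_xml, "IDPSSODescriptor", "SingleLogoutService")
    if slo not in idp_slo:
        findings.append(f"ERROR sloUrl {slo} is not a SingleLogoutService in IdP metadata {idp_slo}")
    for key in ("security.saml.callbackUrl", "security.saml.sloUrl"):
        url = urlparse(props[key])
        if url.scheme != "https" and url.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"ERROR {key} must use https outside local development: {props[key]}")
    for key in ("security.saml.idpMetadataLocation", "security.saml.metadataLocation",
                "security.saml.keyManager.keyStoreFile"):
        path = resolve_location(props[key])
        if "/saml/dev/" in path:  # the development samples the earlier reply linked to
            findings.append(f"WARN {key} points at a development sample file: {path}")
    return findings


if __name__ == "__main__":
    good = parse_properties(PROPERTIES)
    print("production-style config:", check_saml_config(good, SP_METADATA, IDP_METADATA) or "OK")
    bad = dict(good, **{"security.saml.callbackUrl": "http://atlas.example.edu/WebAPI/user/saml/callback",
                        "security.saml.idpMetadataLocation": "classpath:saml/dev/idp-metadata.xml"})
    for finding in check_saml_config(bad, SP_METADATA, IDP_METADATA):
        print(finding)
```

Run it against your own properties and the metadata you exchange with the IdP team; the `callbackUrl` must be byte-for-byte one of the `AssertionConsumerService` locations in the SP metadata the IdP has on file, since a response POSTed to any other URL is rejected.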