Add an Identity Provider for SAML

[lonelycode]

TIB should be able to validate SAML authentication to provide access to things such as the Portal and the Dashboard

[nickReyn]

+1 from client - they really need this to be able to stop using Middleware

[asoorm]

+1 from client

[egathura]

looking forward to developments on this

[chchisholm]

+1 on this guys - SAML is very basic and most companies still use it. It seems to be a pretty big gap compared to other products like 3scale etc which all support SAML.

[buger]

Some useful feedback from one of our users

We have an existing, in-house identity provider (IdP) that we use for SAML SSO for multiple applications. Here are some thoughts about what we would like to see from Tyk for a SAML/SSO integration:

· SAML response from the IdP would include a few common attributes, like:
o Username/user ID.
o First and last name.
o List of groups user is a member of.
· Tyk would take a SAML response from our IdP and autocreate an SSO user if it does not exist, or update the user if it does. Manual user creation by an admin should not be required.
· An administrator should be able to configure mappings between groups in an SSO response and permissions in the application. For example, if a user is in group "web dev team" in SAML response, this would automatically map their Tyk user to have "api creator" user group in Tyk Dashboard.
· Audit detail for configuration changes in the application (e.g. creating a new API) would show the user that made the change.
· We should be able to allow/configure fallback login with a local (non-SSO) accounts, for administrators.
· We prefer POST based SAML (as opposed to REDIRECT).
· SAML based logout is a nice to have but not very important.
· SP-initiated login seems most practical here, though we do have apps with just IdP-initiated login or apps with both.

[devsergiy]

The most promising library to add SAML support:
https://github.com/crewjam/saml

• it is in the active state
• supports both redirect and post bindings
• have good documentation and samples

For testing purposes, we could use https://samltest.id/

There are not so many saml libs, most of them in abandoned state:
https://github.com/russellhaering/gosaml2 - last commit 1 year ago
https://github.com/edaniels/go-saml - fork of crewjam implementation, last commit 3 years ago
https://github.com/mattbaird/gosaml - last commit 4 years ago
https://github.com/RobotsAndPencils/go-saml - based on mattbaird implementation, last commit 3 years ago

[chchisholm]

Thank you Sergey! From: Sergey Petrunin <notifications@github.com> Sent: Monday, December 2, 2019 8:37 AM To: TykTechnologies/tyk-identity-broker <tyk-identity-broker@noreply.github.com> Cc: Chisholm, Charles Lee <chchisholm@deloitte.ca>; Comment <comment@noreply.github.com> Subject: [EXT] Re: [TykTechnologies/tyk-identity-broker] Add an Identity Provider for SAML (#7) The most promising library to add SAML support: https://github.com/crewjam/saml<https://secure-web.cisco.com/1LyZN7Ha6lyZkKdta-seepBBAaUOK-2A-SVe2oHLujOcgmMAWDnJtltt6cohwhFQyDu-phWMP9GxbOC6jxIpwXaK6XNIKZKfrYSP7OpAy0fQ7Uhhc28-gTGdS7CSocJsQMh2q6o1YuYYpx2r7DH5-YLHKJ6gfBLx9hA0DdbQxfSenc73FV_CqVxB6iUk2RI-GpKvETkb2uoM9IiEhbtr0xxrn1N0P8ZXOUyG7-gZBYOFYjnIK8ygHG7DxAK2r8Amy6OYfi6FXQuoAaDvAKbmAEnze-eUYplic2vCSX_IMN7SPVqLJ7T7z-s884P3XemBpfxPVPwVS8LTKTCsTfk-jog/https%3A%2F%2Fgithub.com%2Fcrewjam%2Fsaml> * it is in the active state * supports both redirect and post bindings * have good documentation and samples For testing purposes, we could use https://samltest.id/<https://secure-web.cisco.com/1aiQow7xXNeWp4a2auG7rA-Z8ZqN4y4VTC8d6nEIVL64Iq_MDxsGqnZdUIHRx9IP-n567Rq5zaZoGegfmdU2zXlpB3UZyJJgoDfoW7XJB00Ok7JjIO1yT7W4LhNuSKdLFYNbeqwf7ZjLtawjJ-XxhK0BwNSgIY_qd8sw48Sl9GTju43NpM8DgLpXSmAQJrDH40M7wrgHRlhGlmLt9Eyi2uId6zu_LWhh4uak8UrLLf7BwTTIqM5lgC490qWtIAMC7sTl-25RlnzDL7uH0FmurX3i0oPSbr1Jc7SPjIqrtpTRa0zCwwcyBzA8-NUru6G7DaIzlFBry0XVi7wKCrpIQRL1c2Ff0DPp1rxXu3tS1Iiw/https%3A%2F%2Fsamltest.id%2F> There are not so many saml libs, most of them in abandoned state: https://github.com/russellhaering/gosaml2<https://secure-web.cisco.com/1QbyOuWI65H0KSSolryIEe80NIYvVLMxi_j9Bll7juCQzAe6jLZ9oCQiCaXxhJCkSy3MDnu2jLT26MWU1Pik4lbuQjFKLFi7Ivx0ZD9OHybiOFrja_BxWYnPJ-dRYn3PK0f5Et51P2_ZcbQp7uegxAjeQY5PkUtim1fCOjDihlEC6yZMsZit8gnNqKVyUVUzjGVKIIZnuBltYyHYpMTRm4Y52Dyd4_FEm0X8drsfwKGXQyxXxdtwPU6shaR1X2kyCva6yoMPwwWNz549gcm0ff-9u-oDFdfXXx6_2udtJwLaYYBPkjyW6w_EAkGZeyCKRP-JlG8kFBGMax8oQJSV50A/https%3A%2F%2Fgithub.com%2Frussellhaering%2Fgosaml2> - last commit 1 year ago https://github.com/edaniels/go-saml<https://secure-web.cisco.com/1ZiERVxcHGH4Ox7F4xa7rkYcC_EkOOsqkwo7LbvViBUSgPrhhK5FZlm4hSZwJOqd6419FNcifOEhsyYkaUR5Xjee-dtrQV1Uw0ubDSmG_3jV4vIuSVLXcUGxUypogohdN6R09g6HRihzqWht3HX85BvbzE5FR3WQCouBxDKEUhM8C_u3AwEb1j38Ne5Sl8WF6r1jF4TTgiPvE90HEucUq33Td7JfVKwj1XrKoQ6xAXHTURd1h5zkTb0eGl3ZChbNKoRBGZJK9-ZOB2Kp8ZWq8MQi_tEDokVpPEbuxTDlkJl3t9cJK_N_RcRNcfRXzsADjgPhWnQQuYJSNO0Vyk5CYIA/https%3A%2F%2Fgithub.com%2Fedaniels%2Fgo-saml> - fork of crewjam implementation, last commit 3 years ago https://github.com/mattbaird/gosaml<https://secure-web.cisco.com/1TaHbnd7CSuenM1ZKglq5Yy5EaZGJ0Jgv2vaUHIgD8z0WE615lJN4qdtFOOl4PdRc0vTDrAtMTaPIrNlRKOw40JPPCdC74UEx-wq7TlWxsvbCrmlfjMpDKtoU26SdEKvr9Mq7wb88uFwjVUnVenGtI9zrriJiveWhC_IcbIf_NEq5xMJQ-EGKZq2a5iE_-NNCJL6QwjnBqO-vjirw6FMT8UjSO6uIPY-OqJhpgocAxkOWf-1a3djxVAIc81RM6KFuSoJVPJDPbbTZ6Gr5IJnulY9ZHbalp5vI19PQF9IrofzCzdDR9y1IY2DjHxgxj8CvHSjBQAsWwT0ZNAdRSH_VDg/https%3A%2F%2Fgithub.com%2Fmattbaird%2Fgosaml> - last commit 4 years ago https://github.com/RobotsAndPencils/go-saml<https://secure-web.cisco.com/14ZFozq0AFauRMqSVq54MqPXy0NHLHipRQ8G5NxOS6bCHiXaRWlbSD7aQ1uoesp1gfnLOPuczm3WBcUVXaZZ3wp6cmYdx0JJGxeOBj6eeYjRAi6fGOUzlesisEGRj5hTWbv5d_ODau21UEgPdkg0eM2-ibxd69YuHDRMmTLMiFjRC-MCYtGs-ETygXv7I2l0uuFuSJX8SohvRoLb-zfFvjSTAepLZoqMMnbeC7MfAu_Omh8Y0ATHWJhYEO6bqHpTF2OJOuK-665-Rh3U_ICyKu9IhXw1dSCUBxsWoleA-GdfZAfAPdL_dOaXRm49-UF5OcfxdZpmtkTcXBolrvKwG3A/https%3A%2F%2Fgithub.com%2FRobotsAndPencils%2Fgo-saml> - based on mattbaird implementation, last commit 3 years ago — You are receiving this because you commented. Reply to this email directly, view it on GitHub<https://secure-web.cisco.com/17VtBQhOQMrrSk0tsjoYWmcaCoxTAPxOWplPYfMaMTNB7MjZ7G5mYOHtILYsthSNz72iAPdNPQp-JezpR-idPNFbKY8kV7iRfjP9vL_ge--wm_xG8Y5uE7jaQOiaWI_hIGJyY_zYBcbYBGiZzfCsYNwDN_3_fjhActp61AVGOJHpcnRWAGhDDcLXFktY4eq_n2_AaXMOU-h6-WYMMTuyJdXohNJfVHCmghInYP2CszMVeXMxmf_ujWeNaEzzC1aPjTs2L8q0Bglkt6_CKkZ0_8-9eh4BdvZgf2yUvuU_0KB6PgctKvAfUrYu-XZsYYjRqWrU7DA75Xan9uhgYQjBhpw/https%3A%2F%2Fgithub.com%2FTykTechnologies%2Ftyk-identity-broker%2Fissues%2F7%3Femail_source%3Dnotifications%26email_token%3DAEML4M22OOSF5NWP676TNKLQWUFORA5CNFSM4DJWQFW2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEFTQJEA%23issuecomment-560399504>, or unsubscribe<https://secure-web.cisco.com/1zvaNQk272rpU9wTx_JATmcmZ2XIAUzBn4wlCYvX8XUdJ_Hsy6tR5Ijn68fgNc-FLKR09YIpnjGI7aJD2EJisR5mzJFVWDAJzHQ94Vyzbb1f8_Dgl5WkSU_Z-gSJ8MhdvUr7GD37jPaflsRxnM24GDyIIjhAbW3S8a8nK1xJeB7jjNuM4eB21y715uQYmIcE-BpatDhUkN8u8l2OCLj843g0l6Fq4OHxMRWyqIkED9KX3eyOhv_Hjt3gLgdPoFfRpuMiv8hbEj1uYDzBI7dR4JbkS_uxTmBYdNePjsXKyIhirSC593XK7vfJzYxBumnJ9k6i5zDMXh9xrbxBUQQNP7g/https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAEML4M2ZNVRP2IFIA5HOJU3QWUFORANCNFSM4DJWQFWQ>. Confidentiality Warning: Deloitte refers to a Deloitte member firm, one of its related entities, or Deloitte Touche Tohmatsu Limited (“DTTL”). Each Deloitte member firm is a separate legal entity and a member of DTTL. DTTL does not provide services to clients. Please see www.deloitte.com/about<http://www.deloitte.com/about> to learn more. This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system. Thank You. If you do not wish to receive future commercial electronic messages from Deloitte, forward this email to unsubscribe@deloitte.ca<mailto:unsubscribe@deloitte.ca> Avertissement de confidentialité: Deloitte désigne un cabinet membre de Deloitte, une de ses entités liées ou Deloitte Touche Tohmatsu Limited (DTTL). Chaque cabinet membre de Deloitte constitue une entité juridique distincte et est membre de DTTL. DTTL n’offre aucun service aux clients. Pour en apprendre davantage, voir www.deloitte.com/ca/apropos<http://www.deloitte.com/ca/apropos>. Ce message, ainsi que toutes ses pièces jointes, est destiné exclusivement au(x) destinataire(s) prévu(s), est confidentiel et peut contenir des renseignements privilégiés. Si vous n’êtes pas le destinataire prévu de ce message, nous vous avisons par la présente que la modification, la retransmission, la conversion en format papier, la reproduction, la diffusion ou toute autre utilisation de ce message et de ses pièces jointes sont strictement interdites. Si vous n’êtes pas le destinataire prévu, veuillez en aviser immédiatement l’expéditeur en répondant à ce courriel et supprimez ce message et toutes ses pièces jointes de votre système. Merci. Si vous ne voulez pas recevoir d’autres messages électroniques commerciaux de Deloitte à l’avenir, veuillez envoyer ce courriel à l’adresse unsubscribe@deloitte.ca<mailto:unsubscribe@deloitte.ca>

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs, please comment if you would like this issue to remain open. Thank you for your contributions.

[christtyk]

Definitely not stale

[bmonteiro]

I would say that saml2bearer would be good to have and the sso with the portal it is just nice to have.

https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23

Use case: user -> web app-> azure ad (or other) saml-> web app (auth flow code) -> saml2bearer -> Api call with bearer

@letzya