Add SAML authentication

[yol]

This is a basic reimplementation of #185 on current master. (related FR: #1253)

Now I know that it is not going to be merged probably, but I wanted to make this available to other interested parties so it can at least be pulled into individual installations.

[coveralls]

Coverage decreased (-0.04%) to 91.658% when pulling 49eefd8 on yol:saml-auth into 5aa1868 on bigbluebutton:master.

[foobarable]

Thanks alot, we will most likely patch this into out setup.

[coudot]

Hello, we tested this with LemonLDAP::NG as SAML IDP and it works well. It would be great to include this in the official BBB code.

[maxbes]

I'm very interested in seeing this feature land in Greenlight.

One minor hurdle I encountered is while opening the user profile after a successful login, I get a 500 error, possibly due to language options being uninitialized

FATAL: [6b762aac-3125-4833-a84c-85875584f282]    
FATAL: [6b762aac-3125-4833-a84c-85875584f282] ActionView::Template::Error (undefined method `[]' for nil:NilClass): 
FATAL: [6b762aac-3125-4833-a84c-85875584f282]     36:     <%= f.text_field :provider, class: "form-control", readonly: "" %>
[6b762aac-3125-4833-a84c-85875584f282]     37:     <br>
[6b762aac-3125-4833-a84c-85875584f282]     38:     <%= f.label t("settings.account.language"), class: "form-label" %>
[6b762aac-3125-4833-a84c-85875584f282]     39: 
[6b762aac-3125-4833-a84c-85875584f282]     40:     <% current_user_role = current_user.highest_priority_role %>
[6b762aac-3125-4833-a84c-85875584f282]     41:     <br>
[6b762aac-3125-4833-a84c-85875584f282]     42:     <br> 
FATAL: [6b762aac-3125-4833-a84c-85875584f282]    
FATAL: [6b762aac-3125-4833-a84c-85875584f282] app/helpers/users_helper.rb:50:in `block in language_options'
[6b762aac-3125-4833-a84c-85875584f282] app/helpers/users_helper.rb:48:in `each'
[6b762aac-3125-4833-a84c-85875584f282] app/helpers/users_helper.rb:48:in `language_options'
[6b762aac-3125-4833-a84c-85875584f282] app/views/users/components/_account.html.erb:39:in `block in _app_views_users_components__account_html_erb___3728485878160030678_47397693265980'
[6b762aac-3125-4833-a84c-85875584f282] app/views/users/components/_account.html.erb:39:in `block in _app_views_users_components__account_html_erb___3728485878160030678_47397693265980'
[6b762aac-3125-4833-a84c-85875584f282] app/views/users/components/_account.html.erb:16:in `_app_views_users_components__setting_view_html_erb__1963868551716016331_47397693241560'
[6b762aac-3125-4833-a84c-85875584f282] app/views/users/edit.html.erb:32:in `_app_views_users_edit_html_erb__1379829543445150010_47397693054660' 

Thanks a lot for sharing your branch

[slater0013]

Hi,
Interested as well :)
Hope we can see this feature soon !

[foobarable]

It won't be merged since they don't want to support it. We merged this and run it in production

[sbernhard]

This is a open source project and there were multiple attempts to add SAML2 / OpenID Connect authentications support.

Instead of adding SAML2 / OIDC, which are industry standards for doing a Single Sign On, greenlight supports Google? Twitter? Office365? authenticaton support?

SAML2 / OIDC is supportd by many different Single Sign On components like Keycloak and its downstream product Redhat SSO. A lot of awesome tools are supporting it, too. It would be gerat to add OIDC or SAML.

[thijskh]

We are running this in production with good results. Can you please consider to merge it? It's not very invasive and as argued above because it uses open standards it can be beneficial to many different use cases.

[n0emis]

We patched this into our production setup a few months ago and it works fine for us.

[lchanouha]

+1 :)

[farhatahmad]

Now that we've merged support for OpenID Connect, there are no plans to support SAML directly. We suggest using OIDC providers and using SAML through the provider

[sparse91]

Don't work with the latest version of Greenlight. Gems need to be updated.

[ichdasich]

@sparse91 what do you meant? The custom saml patches or the openID integration?

[sparse91]

@ichdasich This SAML patch.

[ichdasich]

You have to keep REXML at 3.2.4 (note: 3.2.5 was a security update! Assess whether it applies to your infra!) and then rebuild GL with that.

See:

omniauth/omniauth-saml#199
SAML-Toolkits/ruby-saml#577

I would recommend figuring out how to migrate to the buildin openid connector, though. ;-)