From 3d839c92d21ac4cf2e30ecb5391a97ea3251c5d4 Mon Sep 17 00:00:00 2001
From: vmarkop
Date: Wed, 15 Dec 2021 14:45:06 +0200
Subject: [PATCH] Improved SAML Settings Help
---
 powerdnsadmin/models/setting.py | 2 +-
 powerdnsadmin/routes/admin.py | 64 ++++---
 powerdnsadmin/routes/index.py | 1 +
 powerdnsadmin/services/saml.py | 2 +-
 .../admin_setting_authentication.html | 168 +++++++++++++-----
 5 files changed, 162 insertions(+), 75 deletions(-)
diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py
index f844e59..d1a1447 100644
--- a/powerdnsadmin/models/setting.py
+++ b/powerdnsadmin/models/setting.py
@@ -138,7 +138,7 @@ class Setting(db.Model):
 'saml_group_to_account_mapping': None,
 'saml_sp_entity_id': 'https://dns.uoa.gr',
 'saml_sp_contact_name': 'admin',
- 'saml_sp_contact_mail': 'pda@uoa.gr',
+ 'saml_sp_contact_mail': 'powerdnsadmin@organization.com',
 'saml_cert_file': '/etc/pki/powerdns-admin/cert.crt',
 'saml_cert_key': '/etc/pki/powerdns-admin/key.pem',
 'saml_sign_authn_request': False,
diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py
index a461671..ab5d3e2 100644
--- a/powerdnsadmin/routes/admin.py
+++ b/powerdnsadmin/routes/admin.py
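Review bot: The context line just above the change still ships `'saml_sp_entity_id': 'https://dns.uoa.gr'`, a specific institution's domain, while the hunk only neutralises the contact mail. The SP entity ID is the identifier the SP advertises in its generated metadata and the IdP matches against, so an installation that never overrides the default advertises an identifier belonging to someone else. Suggest giving it a neutral placeholder in the same spirit as the new contact mail, e.g. `'saml_sp_entity_id': 'https://powerdnsadmin.organization.com',` (constructed example), or a comment stating that it must be overridden per deployment. The enclosing `defaults` dict starts and ends outside the hunk.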
@@ -1640,50 +1640,52 @@ def setting_authentication():
 True if request.form.get('saml_enabled') else False)
 Setting().set('saml_metadata_url',
 request.form.get('saml_metadata_url'))
- Setting().set('saml_metadata_cache_lifetime',
- request.form.get('saml_metadata_cache_lifetime' \
- if request.form.get('saml_metadata_cache_lifetime') \
- else Setting().defaults['saml_metadata_cache_lifetime']))
+ if request.form.get('saml_metadata_cache_lifetime'):
+ Setting().set('saml_metadata_cache_lifetime',
+ request.form.get('saml_metadata_cache_lifetime'))
+ else:
+ Setting().set('saml_metadata_cache_lifetime',
+ Setting().defaults['saml_metadata_cache_lifetime'])
 Setting().set('saml_idp_sso_binding',
 request.form.get('saml_idp_sso_binding'))
+ Setting().set('saml_idp_slo_binding',
+ request.form.get('saml_idp_slo_binding'))
 Setting().set('saml_idp_entity_id',
 request.form.get('saml_idp_entity_id'))
 Setting().set('saml_nameid_format',
 request.form.get('saml_nameid_format'))
+ Setting().set('saml_sp_acs_binding',
+ request.form.get('saml_sp_acs_binding'))
+ Setting().set('saml_sp_sls_binding',
+ request.form.get('saml_sp_sls_binding'))
 Setting().set('saml_sp_requested_attributes',
 request.form.get('saml_sp_requested_attributes'))
 Setting().set('saml_attribute_email',
- request.form.get('saml_attribute_email' \
- if request.form.get('saml_attribute_email') \
- else Setting().defaults['saml_attribute_email']))
+ request.form.get('saml_attribute_email'))
 Setting().set('saml_attribute_givenname',
- request.form.get('saml_attribute_givenname' \
- if request.form.get('saml_attribute_givenname') \
- else Setting().defaults['saml_attribute_givenname']))
+ request.form.get('saml_attribute_givenname'))
 Setting().set('saml_attribute_surname',
- request.form.get('saml_attribute_surname' \
- if request.form.get('saml_attribute_surname') \
- else Setting().defaults['saml_attribute_surname']))
+ request.form.get('saml_attribute_surname'))
 Setting().set('saml_attribute_username',
request.form.get('saml_attribute_username'))
 Setting().set('saml_attribute_admin',
- request.form.get('saml_attribute_admin' \
- if request.form.get('saml_attribute_admin') \
- else Setting().defaults['saml_attribute_admin']))
+ request.form.get('saml_attribute_admin'))
 Setting().set('saml_attribute_account',
- request.form.get('saml_attribute_account' \
- if request.form.get('saml_attribute_account') \
- else Setting().defaults['saml_attribute_account']))
+ request.form.get('saml_attribute_account'))
 Setting().set('saml_sp_entity_id',
 request.form.get('saml_sp_entity_id'))
- Setting().set('saml_sp_contact_name',
- request.form.get('saml_sp_contact_name' \
- if request.form.get('saml_sp_contact_name') \
- else Setting().defaults['saml_sp_contact_name']))
- Setting().set('saml_sp_contact_mail',
- request.form.get('saml_sp_contact_mail' \
- if request.form.get('saml_sp_contact_mail') \
- else Setting().defaults['saml_sp_contact_mail']))
+ if request.form.get('saml_sp_contact_name'):
+ Setting().set('saml_sp_contact_name',
+ request.form.get('saml_sp_contact_name'))
+ else:
+ Setting().set('saml_sp_contact_name',
+ Setting().defaults['saml_sp_contact_name'])
+ if request.form.get('saml_sp_contact_mail'):
+ Setting().set('saml_sp_contact_mail',
+ request.form.get('saml_sp_contact_mail'))
+ else:
+ Setting().set('saml_sp_contact_mail',
+ Setting().defaults['saml_sp_contact_mail'])
 Setting().set('saml_cert_file',
 request.form.get('saml_cert_file'))
 Setting().set('saml_cert_key',
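Review bot: The added `Setting().set('saml_idp_slo_binding', ...)`, `'saml_sp_acs_binding'` and `'saml_sp_sls_binding'` lines persist whatever `request.form.get` returns, yet the saml.py hunk in this same commit says those keys are deliberately not exposed on the front end and the template help calls them disabled; a disabled or absent input is not submitted, so these writes would store `None` over the stored value on every save, and the SAML service presumably reads them back later (not visible here). The attribute mappings have a related inconsistency: the old fallback for `saml_attribute_email` … `saml_attribute_account` is dropped entirely, so a blank field now stores `''`, whereas `saml_metadata_cache_lifetime` and the two contact fields in this hunk keep a default fallback. The old fallback was itself broken (it passed the default value as the form key), so restoring it verbatim is not the fix; a single helper applied consistently to every key that has an entry in `Setting().defaults` would be, and the binding keys should stay out of the form writes until the template actually submits them. `setting_authentication` starts and ends outside the hunk.
```python
def _form_or_default(key):
    """Submitted value for *key*, or the Setting default when the field is blank or missing."""
    return request.form.get(key) or Setting().defaults[key]

# … unchanged: saml_enabled / saml_metadata_url / saml_idp_sso_binding / saml_idp_entity_id …
for key in ('saml_metadata_cache_lifetime',
            'saml_attribute_email', 'saml_attribute_givenname',
            'saml_attribute_surname', 'saml_attribute_admin',
            'saml_attribute_account',
            'saml_sp_contact_name', 'saml_sp_contact_mail'):
    Setting().set(key, _form_or_default(key))
# … unchanged: saml_sp_requested_attributes / saml_attribute_username / saml_sp_entity_id / cert paths …
```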
@@ -1722,11 +1724,9 @@ def setting_authentication():
 Setting().set(
 'saml_sign_metadata',
 True if request.form.get('saml_sign_metadata') else False)
- if request.form.get('saml_metadata_cache_duration'):
- Setting().set('saml_metadata_cache_duration',
+ Setting().set('saml_metadata_cache_duration',
 request.form.get('saml_metadata_cache_duration'))
- if request.form.get('saml_metadata_valid_until'):
- Setting().set('saml_metadata_valid_until',
+ Setting().set('saml_metadata_valid_until',
 request.form.get('saml_metadata_valid_until'))
 Setting().set(
@@ -1757,8 +1757,6 @@ def setting_authentication():
 'msg': 'Saved successfully. Please reload PDA to take effect.'
 }
- # # Attempt to reinitialize SAML. If attempt fails, setting will be automatically disabled.
- # SAML()
 else:
 return abort(400)
diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index 32534c8..1743a05 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -1157,6 +1157,7 @@ def uplift_to_admin(user):
 @index_bp.route('/saml/sls')
+@login_required
 def saml_logout():
 if not Setting().get('saml_enabled'):
 current_app.logger.error("SAML authentication is disabled.")
diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index 4ada154..9d3b615 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@@ -12,7 +12,7 @@ from ..models.setting import Setting
 # For SP, the Assertion Consumer Service endpoint supports HTTP-POST binding,
 # while the Single Logout Service endpoint uses HTTP-Redirect.
 # Therefore, to protect users from using unsupported features, settings
-# 'saml_idp_slo_binding', 'saml_sp_acs_binding' and 'saml_sp_sls_binding'
+# 'saml_idp_sso_binding', 'saml_idp_slo_binding', 'saml_sp_acs_binding' and 'saml_sp_sls_binding'
 # are not exposed on the front end SAML interface.
 class SAML(object):
 def __init__(self):
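Review bot: Removing the two `if request.form.get(...)` guards means a blank Metadata Cache Duration or Valid Until field now overwrites the stored value with `''` on every save, where the previous code left the existing value alone. If these two settings feed the cacheDuration/validUntil of the generated SP metadata (the consumer is not in this hunk), an empty string there is unlikely to be what the metadata builder expects, and the first hunk of this file keeps a default fallback for `saml_metadata_cache_lifetime`, so the behaviour is now inconsistent between the three cache settings. Suggest `Setting().set('saml_metadata_cache_duration', request.form.get('saml_metadata_cache_duration') or Setting().defaults['saml_metadata_cache_duration'])` and the same for `saml_metadata_valid_until`, assuming both keys exist in `defaults` — confirm. `setting_authentication` starts and ends outside the hunk.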
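Review bot: Adding `@login_required` to the `/saml/sls` route changes the SP's single-logout behaviour: the IdP delivers its LogoutRequest to this endpoint through the user's browser, so when the local PDA session has already ended (timed out, or the user logged out locally first) the request is bounced to the login page instead of being answered, and the IdP never receives the LogoutResponse it is waiting for. If the intent is to stop unauthenticated callers from driving the logout handler, the usual safeguard is to verify the signature of the incoming LogoutRequest/LogoutResponse inside `saml_logout`; its body continues past the hunk, so I cannot tell whether that verification already exists. In either case a one-line comment stating the trade-off would save the next reader a round trip, e.g. `# NOTE: a live local session is required here; IdP-initiated SLO for an already-expired PDA session is redirected to login`.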
diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index ea581ee..133dad9 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -710,7 +710,12 @@
- + + +
+
+ +
@@ -740,6 +745,16 @@ +
+ + + +
+
+ + + +
SP ATTRIBUTES @@ -906,9 +921,6 @@
  • IDP Metadata URL
  • -
  • - IDP SSO BINDING -
  • SP Entity ID
  • @@ -918,6 +930,9 @@
  • SP Requested Attributes
  • +
  • + SP Username Attribute +
  • Cert File
  • @@ -943,30 +958,32 @@

    • - IDP Entity ID - EntityID of the IDP to use. Only needed if more than one IDP is in the SAML_METADATA_URL + IDP Entity ID - Specify the EntityID of the IDP to use.
      + Only needed if more the XML provided in the SAML_METADATA_URL contains more than 1 IDP Entity.
    • - IDP Metadata URL - URL to fetch IDP metadata from + IDP Metadata URL - Url where the XML of the Identity Provider Metadata is published.
    • - IDP Metadata Cache Lifetime - Cache Lifetime in minutes before fresh metadata are requested from the IDP Metadata URL + IDP Metadata Cache Lifetime - Cache Lifetime in minutes before fresh metadata are fetched from the IDP Metadata URL
    • - IDP SSO Binding - SAML SSO binding format required for the IDP to use + IDP SSO Binding - SAML SSO binding format required for the IDP to use
    • - NameID Format - NameID format to request + IDP SLO Binding - SAML SLO binding format required for the IDP to use
    • + NOTE::The Binding settings are currently disabled, as the underlying saml library currently supports only the Redirect binding for IDP endpoints.
    SP

    • - SP Entity ID - The entity ID of your Service Provider (SP). + SP Entity ID - Specify the EntityID of your Service Provider (SP).
    • - SP NameID Format - NameID format to request + SP NameID Format - NameID format to request. This specifies the content of the NameID and any associated processing rules.
    • SP Metadata Cache Duration - Set the cache duration of generated metadata.
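Review bot: The rewritten IDP Entity ID help reads `Only needed if more the XML provided in the SAML_METADATA_URL contains more than 1 IDP Entity.` — the stray "more" after "if" makes the sentence ungrammatical on an added line; suggest `Only needed if the XML provided in the SAML_METADATA_URL contains more than one IDP Entity.` The new IDP binding NOTE in the same hunk doubles "currently" (`currently disabled, as the underlying saml library currently supports`); dropping the second one reads better. The SP binding NOTE in the following hunk has the same construction and could be tidied in the same pass.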
      @@ -979,15 +996,23 @@
    • Sign SP Metadata - Choose whether metadata produced is signed.
    • +
    • + SP ACS Binding - SAML Assertion Consumer Service Binding Format for the SP to use on login. +
    • +
    • + SP SLS Binding - SAML Single Logout Service Binding Format for the SP to use on logout. +
    • + NOTE::The Binding settings are currently disabled, as in the underlying saml library, the ACS endpoint currently supports + only the HTTP-POST binding, while the SLS endpoint supports only HTTP-Redirect.
    SP ATTRIBUTES

    • - Requested Attributes - Following parameter defines RequestedAttributes section in SAML metadata - since certain iDPs require explicit attribute request. If not provided section - will not be available in metadata. + Requested Attributes - The following parameter defines RequestedAttributes section in SAML metadata + since certain IDPs require explicitly requesting attributes.
      + If not provided, the Attribute Consuming Service Section will not be available in metadata.
      Possible attributes:
      name (mandatory), nameFormat, isRequired, friendlyName @@ -1009,6 +1034,9 @@ <md:RequestedAttribute Name="mail" FriendlyName="test-field"/>
      </md:AttributeConsumingService>
    • +
    + The following attribute values must be derived from Requested Attributes, and must be in the form of a valid URN (e.g. urn:oid:2.5.4.4): +
    • Email - Attribute to use for Email address.
    • @@ -1021,6 +1049,9 @@
    • Username - Attribute to use for username.
    • +
    + These may be generic strings containing your information: +
    • SP Entity Name - Contact information about your SP, to be included in the generated metadata.
    • @@ -1034,40 +1065,40 @@
      • The Cert File - Cert Key pair configures the path - to certificate file and it's respective private key file. + to certificate file and it's respective private key file.
        It is used for signing metadata, encrypting tokens and all other - signing/encryption tasks during communication between iDP and SP.
        - NOTE: If these two parameters aren't explicitly provided, a self-signed certificate-key pair - will be generated in "PowerDNS-Admin" root directory.
        - CAUTION: For production use, usage of self-signed certificates is highly discouraged. - Use certificates from trusted CA instead. + signing/encryption tasks during communication between IDP and SP.
        + NOTE: If these two parameters aren't explicitly provided, + a self-signed certificate-key pair will be generated.
        + CAUTION: For production use, usage of self-signed certificates + is highly discouraged. Use certificates from trusted CA instead.
      • - Sign Authentication Request - Configures if the SP should sign outgoing authentication requests. + Sign Authentication Request - Configures if the SP should sign outgoing authentication requests.
      • - Sign Logout Request & Response - Configures if the SP should sign outgoing Logout requests & Logout responses. + Sign Logout Request & Response - Configures if the SP should sign outgoing Logout requests & Logout responses.
      • - Want Assertions Encrypted - Choose whether the SP expects assertions received from the IDP to be encrypted. + Want Assertions Encrypted - Choose whether the SP expects incoming assertions received from the IDP to be encrypted.
      • - Want Assertions Signed - Choose whether the SP expects incoming assertions to be signed. + Want Assertions Signed - Choose whether the SP expects incoming assertions to be signed.
      • - NameID Encrypted - Indicates that the nameID of the logoutRequest sent by this SP will be encrypted. + NameID Encrypted - Indicates that the outgoing nameID of the logoutRequest sent by this SP will be encrypted.
      • - Want NameID Encrypted - Indicates a requirement for the NameID received by this SP to be encrypted. + Want NameID Encrypted - Indicates a requirement for the incoming NameID received by this SP to be encrypted.
      • - Want Message Signed - Choose whether the SP expects incoming messages to be signed. + Want Message Signed - Choose whether the SP expects incoming messages to be signed.
      • - Digest Algorithm - Encryption algorithm to encode outgoing and decode incoming metadata. + Digest Algorithm - Encryption algorithm for the DigestValue, which is part of the validation process to ensure the integrity of the XML message.
      • - Signature Algorithm - Encryption algorithm to encode/decode signatures. + Signature Algorithm - Encryption algorithm for the message Signature.
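Review bot: The rewritten Digest Algorithm and Signature Algorithm descriptions on the last two added lines still label both as an "Encryption algorithm", which is inaccurate and can mislead an administrator choosing between them: the digest algorithm is a hash function used to compute the DigestValue that protects the integrity of the signed XML, and the signature algorithm is the signing algorithm (key type plus hash) that produces and verifies the XML Signature; neither encrypts anything. Suggest `Digest Algorithm - Hash algorithm used to compute the DigestValue that protects the integrity of the signed XML message.` and `Signature Algorithm - Signing algorithm used to produce and verify the XML message Signature.` In the same hunk the Cert File text keeps `it's respective private key file`, which should be `its`.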
    @@ -1075,7 +1106,7 @@

    • - SAML Logout - Choose whether user is logged out of SAML session and possibly redirect them elsewhere. + SAML Logout - Choose whether user is logged out of the SAML session using SLO.
      • If enabled, use SAML standard logout mechanism retreived from IDP metadata. @@ -1092,7 +1123,8 @@
    AUTOPROVISION
    -
    Provision PDA user privileges based on SAML Attributes. +

    + Assert user Admin status and associated Accounts with SAML Attributes.
    • Admin - Attribute to get admin status from.
      @@ -1106,13 +1138,17 @@ what's in the login assertion.
      Accounts that don't exist will be created and the user added to them.
    • +
    + Provision PDA Role/Domains/Accounts based on urn SAML Attributes.
    +
    • Roles Autoprovisioning - If toggled on, the PDA Role and the associations of users found in the local db, will be instantly updated from the SAML SP db every time they log in.
      NOTE:This feature and the assertion of "Admin / Account" attributes are mutually exclusive.
      If used, the values for Admin/Account given above will be ignored.
    • - Roles provisioning field - The urn value of the attribute in the SAML Token where PDA will look for a new Role and/or new associations to domains/accounts. + Roles provisioning field - The urn value of the attribute in the SAML Token where PDA will look for a new Role and/or new associations to domains/accounts.
      + e.g. urn:oid:x.x.x.x.x
      The allowed syntax for records inside this attribute in your SAML Token is:
        if PDA-Role∈[Administrator, Operator]:
          @@ -1130,7 +1166,8 @@
      • - Urn prefix - The prefix used before the static keyword "powerdns-admin" for your entitlements in the SAML token. Must comply with RFC no.8141. + Urn prefix - The prefix used before the static keyword "powerdns-admin" for your entitlements in the SAML token. + Must comply with RFC no.8141.
        e.g.urn:mace:<your_organization>
      • Purge Roles If Empty - If toggled on, SAML logins that have no valid "powerdns-admin" records to their autoprovisioning field, @@ -1158,6 +1195,13 @@ {%- endassets %}