Skip to content

Feat/saml auth#8201

Open
seanlongcc wants to merge 31 commits into
masterfrom
feat/saml-auth
Open

Feat/saml auth#8201
seanlongcc wants to merge 31 commits into
masterfrom
feat/saml-auth

Conversation

@seanlongcc

Copy link
Copy Markdown
Contributor

No description provided.

@wdower wdower temporarily deployed to heimdall2-feat-saml-aut-wvgvo7 June 4, 2026 16:21 Inactive
@mergify

mergify Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

This pull request has a conflict. Could you fix it @seanlongcc?

@seanlongcc seanlongcc temporarily deployed to heimdall2-feat-saml-aut-wvgvo7 June 4, 2026 16:25 Inactive
@seanlongcc seanlongcc temporarily deployed to heimdall2-feat-saml-aut-wvgvo7 June 4, 2026 16:53 Inactive
Comment thread apps/frontend/src/assets/okta.svg

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should probably dig a little bit more to find out where the logo was originally created just to confirm it is actually the SAML format logo as opposed to anything else

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

based off of discussion it seems like this is an unofficial logo so we probably shouldn't use it. instead we should come up with some generic logo or not provide a logo at all.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

saml is not oauth so remove it from the list

return enabledOauth;
}

frontendStartupSettings(): StartupSettingsDto {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually maybe the thing that makes the most sense is to adjust this dto to reflect auth strategies more broadly

Dto({
  ...all the other stuff,
  authStrategies: {
    localLoginEnabled: this.isLocalLoginAllowed(),
    ldap: this.get('LDAP_ENABLED')..., // maybe we should change the name to be consistent with the 'Enabled' suffix
    ...(make an object from the supportedOauth array where the keys are the array items and the values are if it is enabled or not),
    samlEnabled: this.isSamlAllowed() // implement this func
  },
})

so that it looks like this when processed:

Dto({
  ...all the other stuff,
  authStrategies: {
    localLoginEnabled: true,
    ldapEnabled: false,
    githubEnabled: true,
    gitlabEnabled: false,
    ...
    samlEnabled: true
  },
})

@@ -37,11 +37,14 @@
enabledOauthStrategies() {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of returning an array of the valid functions, make it return a map where the key is the oath strategy name and the value is whether or not it's enabled

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're going to have to look for all the places that oauthstrategies was used and make sure that it can handle the new data format

Comment thread apps/backend/src/authn/saml.strategy.ts Outdated
}

@Injectable()
export class SAMLStrategy extends PassportStrategy(Strategy as any, 'saml') {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

try to remove 'as any' cause sometimes the strategy 'shape'/type matches the new passportstrategy type. other times, especially older / less maintained strategies need to use the 'as any' escape mechanism.

private readonly authnService: AuthnService,
private readonly configService: ConfigService,
) {
super({

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add support for all the other config options for SAML

especially make sure that any of the certs / proxies / etc options are defined

Comment thread apps/backend/src/authn/saml.strategy.ts Outdated
const email = samlClaimAttribute(profile, emailAttribute);
const firstName = samlClaimAttribute(profile, firstNameAttribute);
const lastName = samlClaimAttribute(profile, lastNameAttribute);
if (email && email.length > 0) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we also need to validate that first name and last name were provided properly, not just email

Comment thread apps/backend/src/authn/saml.strategy.ts Outdated
Comment on lines +75 to +77
const email = samlClaimAttribute(profile, emailAttribute);
const firstName = samlClaimAttribute(profile, firstNameAttribute);
const lastName = samlClaimAttribute(profile, lastNameAttribute);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if any of these are undefined we should throw an error at this point stating that the user did not configure the envvars properly

@gitguardian

gitguardian Bot commented Jul 6, 2026

Copy link
Copy Markdown

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
1 New Code Smells (required ≤ 0)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants