From 83d43d931cac98049c834b41053a7dd50a9b9e9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Sat, 25 Nov 2023 01:45:08 +0100
Subject: [PATCH] Added a SAML_BEHIND_PROXY env, which must be set if Part-DB is behind a reverse proxy when using SAML
The php-saml library use its own logic to determine the current path, and we need to set the use_proxy_vars so that it respects the proxy FORWARDED headers.
This should fix issue #436
---
 .docker/symfony.conf | 2 +-
 .env | 3 +++
 config/packages/nbgrp_onelogin_saml.yaml | 1 +
 docs/configuration.md | 2 ++
 docs/installation/saml_sso.md | 5 +++++
 5 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.docker/symfony.conf b/.docker/symfony.conf
index 33287e32..92e1edb5 100644
--- a/.docker/symfony.conf
+++ b/.docker/symfony.conf
@@ -34,7 +34,7 @@ PassEnv ERROR_PAGE_ADMIN_EMAIL ERROR_PAGE_SHOW_HELP
 PassEnv DEMO_MODE NO_URL_REWRITE_AVAILABLE FIXER_API_KEY BANNER
 # In old version the SAML sp private key env, was wrongly named SAMLP_SP_PRIVATE_KEY, keep it for backward compatibility
- PassEnv SAML_ENABLED SAML_ROLE_MAPPING SAML_UPDATE_GROUP_ON_LOGIN SAML_IDP_ENTITY_ID SAML_IDP_SINGLE_SIGN_ON_SERVICE SAML_IDP_SINGLE_LOGOUT_SERVICE SAML_IDP_X509_CERT SAML_SP_ENTITY_ID SAML_SP_X509_CERT SAML_SP_PRIVATE_KEY SAMLP_SP_PRIVATE_KEY
+ PassEnv SAML_ENABLED SAML_BEHIND_PROXY SAML_ROLE_MAPPING SAML_UPDATE_GROUP_ON_LOGIN SAML_IDP_ENTITY_ID SAML_IDP_SINGLE_SIGN_ON_SERVICE SAML_IDP_SINGLE_LOGOUT_SERVICE SAML_IDP_X509_CERT SAML_SP_ENTITY_ID SAML_SP_X509_CERT SAML_SP_PRIVATE_KEY SAMLP_SP_PRIVATE_KEY
 PassEnv TABLE_DEFAULT_PAGE_SIZE TABLE_PARTS_DEFAULT_COLUMNS
 PassEnv PROVIDER_DIGIKEY_CLIENT_ID PROVIDER_DIGIKEY_SECRET PROVIDER_DIGIKEY_CURRENCY PROVIDER_DIGIKEY_LANGUAGE PROVIDER_DIGIKEY_COUNTRY
diff --git a/.env b/.env
index 991640e4..115f5c5b 100644
--- a/.env
+++ b/.env
@@ -163,6 +163,9 @@ PROVIDER_MOUSER_SEARCH_WITH_SIGNUP_LANGUAGE='true'
 # Set this to 1 to enable SAML single sign on
 SAML_ENABLED=0
+# Set to 1, if your Part-DB installation is behind a reverse proxy and you want to use SAML
+SAML_BEHIND_PROXY=0
+
 # A JSON encoded array of role mappings in the form { "saml_role": PARTDB_GROUP_ID, "*": PARTDB_GROUP_ID }
 # The first match is used, so the order is important! Put the group mapping with the most privileges first.
 # Please not to only use single quotes to enclose the JSON string
diff --git a/config/packages/nbgrp_onelogin_saml.yaml b/config/packages/nbgrp_onelogin_saml.yaml
index 66b133a2..84a1b8bc 100644
--- a/config/packages/nbgrp_onelogin_saml.yaml
+++ b/config/packages/nbgrp_onelogin_saml.yaml
@@ -5,6 +5,7 @@ parameters:
 saml.sp.privateKey: '%env(string:SAML_SP_PRIVATE_KEY)%'
 nbgrp_onelogin_saml:
+ use_proxy_vars: '%env(bool:SAML_BEHIND_PROXY)%'
 onelogin_settings:
 default:
 # Basic settings
diff --git a/docs/configuration.md b/docs/configuration.md
index 4b48ce15..baf4cd37 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -137,6 +137,8 @@ want to edit it on docker, you have to map the file to a volume.
 * `SAML_ENABLED`: When this is set to 1, SAML SSO is enabled and the SSO Login button is shown in the login form. You have to configure the SAML settings below, before you can use this feature.
+* `SAML_BEHIND_PROXY`: Set this to 1, if Part-DB is behind a reverse proxy. See [here]({% link installation/reverse_proxy.md %})
+ for more information. Otherwise leave it to 0 (default.)
 * `SAML_ROLE_MAPPING`: A [JSON](https://en.wikipedia.org/wiki/JSON) encoded map which specifies how Part-DB should convert the user roles given by SAML attribute `group` should be converted to a Part-DB group (specified by ID). You can use a wildcard `*` to map all otherwise unmapped roles to a certain group.
diff --git a/docs/installation/saml_sso.md b/docs/installation/saml_sso.md
index 791639ce..435656b9 100644
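Review bot: The new `use_proxy_vars` line in the nbgrp_onelogin_saml.yaml hunk makes php-saml derive the SP's own scheme, host and port from the `X-Forwarded-Proto`/`X-Forwarded-Host`/`X-Forwarded-Port` request headers, and as far as I can tell it does this on its own, without consulting Symfony's `TRUSTED_PROXIES` allowlist; the commit should state that the option is only safe when the reverse proxy overwrites those headers and Part-DB is not reachable directly, since the derived URL feeds the Destination/ACS checks on incoming responses. The documentation hunks also disagree with each other: `.env` and `docs/configuration.md` say to set the variable to `1`, while `docs/installation/saml_sso.md` says `true` (Symfony's `bool` processor accepts both, but one wording should be used), and they link to `installation/reverse_proxy.md` and `installation/reverse-proxy.md` respectively, of which only one can exist. I would put a comment above the new key: `# Trusts X-Forwarded-* headers for the SP URL; enable only behind a proxy that overwrites them (see docs/installation/saml_sso.md)`.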
--- a/docs/installation/saml_sso.md
+++ b/docs/installation/saml_sso.md
@@ -230,3 +230,8 @@ Normally you don't have to change anything here.
 Please note that this file is not saved by the Part-DB backup tool, so you have to save it manually if you want to keep your changes. On docker containers you have to configure a volume mapping for it.
+## SAML behind a reverse proxy
+
+If you are running Part-DB behind a reverse proxy, configure the `TRUSTED_PROXIES` environment and other reverse proxy
+settings as described in the [reverse proxy guide]({% link installation/reverse-proxy.md %}).
+If you want to use SAML you also need to set `SAML_BEHIND_PROXY` to `true` to enable the SAML proxy mode.