Added a SAML_BEHIND_PROXY env, which must be set if Part-DB is behind a reverse proxy when using SAML

The php-saml library use its own logic to determine the current path, and we need to set the use_proxy_vars so that it respects the proxy FORWARDED headers. This should fix issue #436
2025-06-21 01:25:55 +02:00 · 2023-11-25 01:45:08 +01:00 · 2023-11-25 01:45:08 +01:00 · 83d43d931c
commit 83d43d931c
parent 07535c26a6
5 changed files with 12 additions and 1 deletions
--- a/.docker/symfony.conf
+++ b/.docker/symfony.conf
@ -34,7 +34,7 @@
        PassEnv ERROR_PAGE_ADMIN_EMAIL ERROR_PAGE_SHOW_HELP
        PassEnv DEMO_MODE NO_URL_REWRITE_AVAILABLE FIXER_API_KEY BANNER
        # In old version the SAML sp private key env, was wrongly named SAMLP_SP_PRIVATE_KEY, keep it for backward compatibility
-        PassEnv SAML_ENABLED SAML_ROLE_MAPPING SAML_UPDATE_GROUP_ON_LOGIN SAML_IDP_ENTITY_ID SAML_IDP_SINGLE_SIGN_ON_SERVICE SAML_IDP_SINGLE_LOGOUT_SERVICE SAML_IDP_X509_CERT SAML_SP_ENTITY_ID SAML_SP_X509_CERT SAML_SP_PRIVATE_KEY SAMLP_SP_PRIVATE_KEY
+        PassEnv SAML_ENABLED SAML_BEHIND_PROXY SAML_ROLE_MAPPING SAML_UPDATE_GROUP_ON_LOGIN SAML_IDP_ENTITY_ID SAML_IDP_SINGLE_SIGN_ON_SERVICE SAML_IDP_SINGLE_LOGOUT_SERVICE SAML_IDP_X509_CERT SAML_SP_ENTITY_ID SAML_SP_X509_CERT SAML_SP_PRIVATE_KEY SAMLP_SP_PRIVATE_KEY
        PassEnv TABLE_DEFAULT_PAGE_SIZE TABLE_PARTS_DEFAULT_COLUMNS
        PassEnv PROVIDER_DIGIKEY_CLIENT_ID PROVIDER_DIGIKEY_SECRET PROVIDER_DIGIKEY_CURRENCY PROVIDER_DIGIKEY_LANGUAGE PROVIDER_DIGIKEY_COUNTRY
--- a/.env
+++ b/.env
@ -163,6 +163,9 @@ PROVIDER_MOUSER_SEARCH_WITH_SIGNUP_LANGUAGE='true'
 # Set this to 1 to enable SAML single sign on
 SAML_ENABLED=0
 # Set to 1, if your Part-DB installation is behind a reverse proxy and you want to use SAML
 SAML_BEHIND_PROXY=0
 # A JSON encoded array of role mappings in the form { "saml_role": PARTDB_GROUP_ID, "*": PARTDB_GROUP_ID }
 # The first match is used, so the order is important! Put the group mapping with the most privileges first.
 # Please not to only use single quotes to enclose the JSON string
--- a/config/packages/nbgrp_onelogin_saml.yaml
+++ b/config/packages/nbgrp_onelogin_saml.yaml
@ -5,6 +5,7 @@ parameters:
  saml.sp.privateKey: '%env(string:SAML_SP_PRIVATE_KEY)%'
 nbgrp_onelogin_saml:
  use_proxy_vars: '%env(bool:SAML_BEHIND_PROXY)%'
  onelogin_settings:
    default:
      # Basic settings
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -137,6 +137,8 @@ want to edit it on docker, you have to map the file to a volume.
 * `SAML_ENABLED`: When this is set to 1, SAML SSO is enabled and the SSO Login button is shown in the login form. You
  have to configure the SAML settings below, before you can use this feature.
 * `SAML_BEHIND_PROXY`: Set this to 1, if Part-DB is behind a reverse proxy. See [here]({% link installation/reverse_proxy.md %})
  for more information. Otherwise leave it to 0 (default.)
 * `SAML_ROLE_MAPPING`: A [JSON](https://en.wikipedia.org/wiki/JSON) encoded map which specifies how Part-DB should
  convert the user roles given by SAML attribute `group` should be converted to a Part-DB group (specified by ID). You
  can use a wildcard `*` to map all otherwise unmapped roles to a certain group.
--- a/docs/installation/saml_sso.md
+++ b/docs/installation/saml_sso.md
@ -230,3 +230,8 @@ Normally you don't have to change anything here.
 Please note that this file is not saved by the Part-DB backup tool, so you have to save it manually if you want to keep
 your changes. On docker containers you have to configure a volume mapping for it.
 ## SAML behind a reverse proxy
 If you are running Part-DB behind a reverse proxy, configure the `TRUSTED_PROXIES` environment and other reverse proxy
 settings as described in the [reverse proxy guide]({% link installation/reverse-proxy.md %}).
 If you want to use SAML you also need to set `SAML_BEHIND_PROXY` to `true` to enable the SAML proxy mode.