Create documentation for SSO integration through SAML

docs/components.rst

@@ -12,3 +12,4 @@ Components
    mssautoplot
    conf_auth_client_sp_idp
    conf_sso_test_msscolab
+   sso_via_saml_mscolab

docs/samples/config/mscolab/mscolab_settings.py.sample

@@ -93,3 +93,6 @@ USE_SAML2 = False
 # all users in that Group are set to the operations of that category
 # having the roles in the TexGroup
 GROUP_POSTFIX = "Group"
+
+# dir where mscolab single sign process files are stored
+MSCOLAB_SSO_DIR = os.path.join(DATA_DIR, 'datasso')

docs/samples/config/mscolab/mss_saml2_backend.yaml.samlple

@@ -0,0 +1,116 @@
+name: Saml2
+config:
+  entityid_endpoint: true
+  mirror_force_authn: no
+  memorize_idp: no
+  use_memorized_idp_when_force_authn: no
+  send_requester_id: no
+  enable_metadata_reload: no
+
+  # SP Configuration for localhost_test_idp
+  localhost_test_idp:
+    name: "MSS Colab Server - Testing IDP(localhost)"
+    description: "MSS Collaboration Server with Testing IDP(localhost)"
+    key_file: path/to/key_sp.key # Will be set from the mscolab server
+    cert_file: path/to/crt_sp.crt # Will be set from the mscolab server
+    verify_ssl_cert: true # Specifies if the SSL certificates should be verified.
+    organization: {display_name: Open-MSS, name: Mission Support System, url: 'https://open-mss.github.io/about/'}
+    contact_person:
+    - {contact_type: technical, email_address: [email protected], given_name: Technical}
+    - {contact_type: support, email_address: [email protected], given_name: Support}
+
+    metadata:
+      local: [path/to/idp.xml] # Will be set from the mscolab server
+
+    entityid: http://localhost:5000/proxy_saml2_backend.xml
+    accepted_time_diff: 60
+    service:
+      sp:
+        ui_info:
+          display_name:
+            - lang: en
+              text: "Open MSS"
+          description:
+            - lang: en
+              text: "Mission Support System"
+          information_url:
+            - lang: en
+              text: "https://open-mss.github.io/about/"
+          privacy_statement_url:
+            - lang: en
+              text: "https://open-mss.github.io/about/"
+          keywords:
+            - lang: en
+              text: ["MSS"]
+            - lang: en
+              text: ["OpenMSS"]
+          logo:
+            text: "https://open-mss.github.io/assets/logo.png"
+            width: "100"
+            height: "100"
+        authn_requests_signed: true
+        want_response_signed: true
+        want_assertion_signed: true
+        allow_unknown_attributes: true
+        allow_unsolicited: true
+        endpoints:
+          assertion_consumer_service:
+            - [http://localhost:8083/localhost_test_idp/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+          discovery_response:
+          - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+        name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        name_id_format_allow_create: true
+
+
+  # # SP Configuration for IDP 2
+  # sp_config_idp_2:
+  #   name: "MSS Colab Server - Testing IDP(localhost)"
+  #   description: "MSS Collaboration Server with Testing IDP(localhost)"
+  #   key_file: mslib/mscolab/app/key_sp.key
+  #   cert_file: mslib/mscolab/app/crt_sp.crt
+  #   organization: {display_name: Open-MSS, name: Mission Support System, url: 'https://open-mss.github.io/about/'}
+  #   contact_person:
+  #   - {contact_type: technical, email_address: [email protected], given_name: Technical}
+  #   - {contact_type: support, email_address: [email protected], given_name: Support}
+
+  #   metadata:
+  #     local: [mslib/mscolab/app/idp.xml]
+
+  #   entityid: http://localhost:5000/proxy_saml2_backend.xml
+  #   accepted_time_diff: 60
+  #   service:
+  #     sp:
+  #       ui_info:
+  #         display_name:
+  #           - lang: en
+  #             text: "Open MSS"
+  #         description:
+  #           - lang: en
+  #             text: "Mission Support System"
+  #         information_url:
+  #           - lang: en
+  #             text: "https://open-mss.github.io/about/"
+  #         privacy_statement_url:
+  #           - lang: en
+  #             text: "https://open-mss.github.io/about/"
+  #         keywords:
+  #           - lang: en
+  #             text: ["MSS"]
+  #           - lang: en
+  #             text: ["OpenMSS"]
+  #         logo:
+  #           text: "https://open-mss.github.io/assets/logo.png"
+  #           width: "100"
+  #           height: "100"
+  #       authn_requests_signed: true
+  #       want_response_signed: true
+  #       want_assertion_signed: true
+  #       allow_unknown_attributes: true
+  #       allow_unsolicited: true
+  #       endpoints:
+  #         assertion_consumer_service:
+  #           - [http://localhost:8083/idp2/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+  #         discovery_response:
+  #         - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+  #       name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+  #       name_id_format_allow_create: true

docs/samples/config/mscolab/setup_saml2_backend.py.sample

@@ -0,0 +1,68 @@
+import os
+import sys
+import warnings
+import yaml
+from saml2 import SAMLError
+from saml2.client import Saml2Client
+from saml2.config import SPConfig
+from urllib.parse import urlparse
+
+
+class setup_saml2_backend:
+    from mslib.mscolab.conf import mscolab_settings
+
+    CONFIGURED_IDPS = [
+        # configure your idps here
+        {
+            'idp_identity_name': 'localhost_test_idp',  #  make sure to use underscore for the blanks
+            'idp_data': {
+                'idp_name': 'Testing Identity Provider',  # this name is used on the Login page to connect to the Provider.
+            }
+        },
+
+    ]
+
+    if os.path.exists(f"{mscolab_settings.MSCOLAB_SSO_DIR}/mss_saml2_backend.yaml"):
+        with open(f"{mscolab_settings.MSCOLAB_SSO_DIR}/mss_saml2_backend.yaml", encoding="utf-8") as fobj:
+            yaml_data = yaml.safe_load(fobj)
+        # go through configured IDPs and set conf file paths for particular files
+        for configured_idp in CONFIGURED_IDPS:
+            # set CRTs and metadata paths for the localhost_test_idp
+            if 'localhost_test_idp' == configured_idp['idp_identity_name']:
+                yaml_data["config"]["localhost_test_idp"]["key_file"] = \
+                    f'{mscolab_settings.MSCOLAB_SSO_DIR}/key_mscolab.key'  # set path to your mscolab key file
+                yaml_data["config"]["localhost_test_idp"]["cert_file"] = \
+                    f'{mscolab_settings.MSCOLAB_SSO_DIR}/crt_mscolab.crt'  # set path to your mscolab certiticate file
+                yaml_data["config"]["localhost_test_idp"]["metadata"]["local"][0] = \
+                    f'{mscolab_settings.MSCOLAB_SSO_DIR}/idp.xml'  # set path to your idp metadata xml file
+
+                # configuration localhost_test_idp Saml2Client
+                try:
+                    if not os.path.exists(yaml_data["config"]["localhost_test_idp"]["metadata"]["local"][0]):
+                        yaml_data["config"]["localhost_test_idp"]["metadata"]["local"] = []
+                        warnings.warn("idp.xml file does not exists !\
+                                        Ignore this warning when you initializeing metadata.")
+
+                    localhost_test_idp = SPConfig().load(yaml_data["config"]["localhost_test_idp"])
+                    sp_localhost_test_idp = Saml2Client(localhost_test_idp)
+
+                    configured_idp['idp_data']['saml2client'] = sp_localhost_test_idp
+                    for url_pair in (yaml_data["config"]["localhost_test_idp"]
+                                     ["service"]["sp"]["endpoints"]["assertion_consumer_service"]):
+                        saml_url, binding = url_pair
+                        path = urlparse(saml_url).path
+                        configured_idp['idp_data']['assertion_consumer_endpoints'] = \
+                            configured_idp['idp_data'].get('assertion_consumer_endpoints', []) + [path]
+
+                except SAMLError:
+                    warnings.warn("Invalid Saml2Client Config with localhost_test_idp ! Please configure with\
+                                    valid CRTs metadata and try again.")
+                    sys.exit()
+
+                # if multiple IdPs exists, development should need to implement accordingly below
+                """
+                    if 'idp_2'== configured_idp['idp_identity_name']:
+                        # rest of code
+                        # set CRTs and metadata paths for the idp_2
+                        # configuration idp_2 Saml2Client
+                """