Support external authentification of users through multiple SAML providers
What does this MR do and why?
This MR adds support for authenticating users through multiple SAML providers.
Currently, Omniauth supports multiple providers, including multiple SAML providers, in its configuration. Unfortunatly, the SAML flow does not support CSRF protection. In the code, CSRF protection in Omniauth is hence disabled for 'saml', 'kerberos' and 'cas3'. Having multiple SAML provider means that their names must be different and hence won't be 'saml'. So the SAML flow won't work, CSRF protection will kick-in during the SAML callback and an error will be raised.
This change addresses this issue by identifying all SAML providers in the configuration and disabling CSRF protection for all of them. The 'saml' endpoint still has CSRF protection disabled "by hand" since there is probably configuration in the wild where we have a single 'saml' provider for which the "strategy_class" is not set and hence this change won't work.
This MR addresses #14361 (closed) (at least).
Screenshots or screen recordings
Not much visual to share ...
How to set up and validate locally
Unfortunately to test this MR you need to have two SAML providers available.
In each case below, you have to modify the omniauth configuration (cf. documentation modified by this change) accordingly. In each case, you have to login with the regular email + password and with the various SAML providers. In each case, you have to add the SAML provider(s) to the list of identity allowed for your user.
The following tests have already been performed on my side:
- nominal case: two SAML providers in the configuration, both with the strategy class set
- non-regression test: no SAML provider
- non-regression test: one SAML provider, named 'saml' but no strategy class set
- non-regression test: one SAML provider, named 'saml' and with the strategy class set
MR acceptance checklist
-
I have evaluated the MR acceptance checklist for this MR.