[galaxy-dev] SAML Authentication

2020-03-07 Thread Keith Suderman
We are (finally) adding SAML authentication to our Galaxy instance so users can 
authenticate with EduGain (EU) or InCommon (US).  While doing some searching I 
found an article that says, "Galaxy supports LDAP, SAML and now OIDC (see 
https://galaxyproject.org/authnz/ )." [1]  
Looking at the release_20.01 code I see lots has changed in respect to 
authorization (we are still using 19.01 so I am glad I looked), but I don't see 
anything related to SAML.  I am not finding anything in the documentation 
either.  Am I missing something or am I looking in the wrong place(s)? I was 
expecting (hoping) to see a saml.py in /lib/galaxy/auth/providers/ or something 
similar.  

I do have Shibboleth authentication working using Apache and mod_shib in front 
of Galaxy, but that requires everyone to be able to authenticate and we would 
still like to allow anonymous access. Ideally users that don't have 
InCommon/EduGain access would still be able to create local accounts as well.  

Before I start hacking around trying to create an authentication plugin for 
Galaxy I wanted to check to see if there was any other ongoing work in the same 
area.  There is an old issue on GitHub [2], but I can't find anything else 
related. I see the OIDC stuff uses social-auth, which does include a SAML 
backend. Social-auth just uses the python3-saml package and I already have a 
simple client that uses python3-saml for authentication so I am hoping a saml 
plugin will be "Relatively Easy" (TM).

Thanks,
Keith

1. https://academic.oup.com/bioinformatics/article/36/1/1/5514039
2. https://github.com/galaxyproject/galaxy/issues/3146

___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  %(web_page_url)s

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/


Re: [galaxy-dev] SAML Authentication ala OpenID

2017-03-04 Thread Keith Suderman
Sadly, providing an authenticator in galaxy/auth/providers does not look like 
it will work for SAML authentication since the authenticator is invoked 
after the user has already been prompted for a username and password.  Rather 
it looks like I will need to use the approach used for OpenID authentication 
and described at https://wiki.galaxyproject.org/Develop/Authentication

Does the Galaxy team have any plans to modularize third-party authenticators 
such as OpenID, SAML, OAuth2 etc?  If we do implement this it would be nice to 
do it in such a way that would help Galaxy move towards that goal.

- Keith

> On Feb 27, 2017, at 12:55 PM, Björn Grüning wrote:
> 
> This all seems correct and I owe you so many beers if you get this
> implemented! :)
> 
> On 27.02.2017 at 18:34, Keith Suderman wrote:
>> Is anyone using SAML for authentication?  There is a feature request for
>> SAML support on GitHub (
>> https://github.com/galaxyproject/galaxy/issues/3146), but it doesn't
>> look like any work has been done.
>> 
>> We need to add the ability for our users to authenticate with a SAML
>> identity provider (IdP), in particular with InCommon/EduRoam/EduCause et
>> al.  Looking at the documentation there appears to be "the old way"
>> (configuring Apache/Nginx to do the authentication) and "the new way"
>> where Galaxy handles the authentication.  Is it correct to assume that
>> to use the new way I should implement an external authenticator,
>> something like galaxy/auth/providers/saml.py and then some sort of magic
>> to get a config/auth_conf.xml working?  
>> 
>> I just want to make sure I am heading down the correct path before
>> investing too much time.
>> 
>> - Keith
>> 
>> Keith Suderman
>> Research Associate
>> Department of Computer Science
>> Vassar College, Poughkeepsie NY
>> suder...@cs.vassar.edu 
>> 

--
Keith Suderman
Research Associate
Department of Computer Science
Vassar College, Poughkeepsie NY
suder...@cs.vassar.edu





Re: [galaxy-dev] SAML Authentication

2017-02-27 Thread Hendrickson, Curtis (Campus)
Keith,

We use Shib/SAML here at UAB.  (https://galaxy.uabgrid.uab.edu - no, you can't 
get in :( )
We currently do it the "old way" in Apache with mod_shib.
We are planning an upgrade soon, sounds like the "old way" should still work 
until the new feature is implemented?
In our case, we also have to manipulate the user string to strip off the 
@uab.edu as part of this processing. It would be great if that were a 
configurable part of an external authenticator, so we need to twiddle code 
locally for that.

Regards,
Curtis



From: galaxy-dev [mailto:galaxy-dev-boun...@lists.galaxyproject.org] On Behalf 
Of Keith Suderman
Sent: Monday, February 27, 2017 11:34 AM
To: Galaxy Dev List 
Subject: [galaxy-dev] SAML Authentication

Is anyone using SAML for authentication?  There is a feature request for SAML 
support on GitHub ( https://github.com/galaxyproject/galaxy/issues/3146), but 
it doesn't look like any work has been done.

We need to add the ability for our users to authenticate with a SAML identity 
provider (IdP), in particular with InCommon/EduRoam/EduCause et al.  Looking at 
the documentation there appears to be "the old way" (configuring Apache/Nginx 
to do the authentication) and "the new way" where Galaxy handles the 
authentication.  Is it correct to assume that to use the new way I should 
implement an external authenticator, something like 
galaxy/auth/providers/saml.py and then some sort of magic to get a 
config/auth_conf.xml working?

I just want to make sure I am heading down the correct path before investing 
too much time.

- Keith

Keith Suderman
Research Associate
Department of Computer Science
Vassar College, Poughkeepsie NY
suder...@cs.vassar.edu
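
The scope-stripping step Curtis describes, written as a configurable function. This is an added example, not code from the thread or from Galaxy; the function name, the STRIP_SCOPES setting and the sample principals are assumptions. It goes slightly beyond the message by keeping the scope for any identity provider that is not on the list, so a federated jdoe@example.org cannot collide with the local jdoe.

```python
import re

# Assumed setting (not a Galaxy option): scopes whose users become bare usernames.
STRIP_SCOPES = frozenset({"uab.edu"})

_LOCAL = re.compile(r"[a-z0-9][a-z0-9._-]{0,62}")
_SCOPE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


class PrincipalError(ValueError):
    """Raised when an asserted principal is not a well-formed user@scope."""


def local_username(principal, strip_scopes=STRIP_SCOPES):
    """Map a scoped principal such as 'jdoe@uab.edu' to a Galaxy username.

    The scope is removed only on an exact match with a configured scope.
    Any other scope is kept, so 'jdoe@example.org' never becomes 'jdoe'.
    """
    local, sep, scope = principal.strip().lower().partition("@")
    if not sep or not _LOCAL.fullmatch(local) or not _SCOPE.fullmatch(scope):
        raise PrincipalError(f"malformed principal: {principal!r}")
    if scope in strip_scopes:
        return local
    return f"{local}@{scope}"


if __name__ == "__main__":
    # Constructed sample principals, not values from the thread.
    for p in ("jdoe@uab.edu", "JDoe@UAB.EDU", "jdoe@example.org",
              "jdoe@uab.edu.example.org", "jdoe@uab.edu@example.org", "jdoe"):
        try:
            print(f"{p!r:32} -> {local_username(p)!r}")
        except PrincipalError as exc:
            print(f"{p!r:32} -> rejected ({exc})")
```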




Re: [galaxy-dev] SAML Authentication

2017-02-27 Thread Björn Grüning
This all seems correct and I owe you so many beers if you get this
implemented! :)

On 27.02.2017 at 18:34, Keith Suderman wrote:
> Is anyone using SAML for authentication?  There is a feature request for
> SAML support on GitHub (
> https://github.com/galaxyproject/galaxy/issues/3146), but it doesn't
> look like any work has been done.
> 
> We need to add the ability for our users to authenticate with a SAML
> identity provider (IdP), in particular with InCommon/EduRoam/EduCause et
> al.  Looking at the documentation there appears to be "the old way"
> (configuring Apache/Nginx to do the authentication) and "the new way"
> where Galaxy handles the authentication.  Is it correct to assume that
> to use the new way I should implement an external authenticator,
> something like galaxy/auth/providers/saml.py and then some sort of magic
> to get a config/auth_conf.xml working?  
> 
> I just want to make sure I am heading down the correct path before
> investing too much time.
> 
> - Keith
> 
> Keith Suderman
> Research Associate
> Department of Computer Science
> Vassar College, Poughkeepsie NY
> suder...@cs.vassar.edu 

[galaxy-dev] SAML Authentication

2017-02-27 Thread Keith Suderman
Is anyone using SAML for authentication?  There is a feature request for SAML 
support on GitHub ( https://github.com/galaxyproject/galaxy/issues/3146), but 
it doesn't look like any work has been done.

We need to add the ability for our users to authenticate with a SAML identity 
provider (IdP), in particular with InCommon/EduRoam/EduCause et al.  Looking at 
the documentation there appears to be "the old way" (configuring Apache/Nginx 
to do the authentication) and "the new way" where Galaxy handles the 
authentication.  Is it correct to assume that to use the new way I should 
implement an external authenticator, something like 
galaxy/auth/providers/saml.py and then some sort of magic to get a 
config/auth_conf.xml working?  

I just want to make sure I am heading down the correct path before investing 
too much time.

- Keith

Keith Suderman
Research Associate
Department of Computer Science
Vassar College, Poughkeepsie NY
suder...@cs.vassar.edu


