SAML authentication

[raffis]

Describe the solution you'd like
It would be awesome to have a SAML authentication flow. Meaning kratos acts as a SAML service provider and be able to setup a trust to an external IdP (or multiple IdPs).

• Map SAML attributes to kratos identity
• Possibility to configure the IdP metadata
• Attach SSL certificates for the SP or even the ability to generate them and store it in kratos backing storage
• kratos needs to expose an endpoint which serves the SPs metadata

Note it may also be possible that kratos acts as an IdP but that would be another feature and I am not really sure if this fits for kratos.

Describe alternatives you've considered

Additional context
There is already a pretty good saml library: https://github.com/crewjam/saml

[aeneasr]

Triaged - setting priority to "later" because we have many more things to solve before SAML support :)

Contributions are however - as always - welcomed!

[tiny-dancer]

Hey @aeneasr, possible for an annual-ish update on this one?

[aeneasr]

Contributions are however - as always - welcomed!

Only this 😅

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan on resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneous you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

[robertlagrant]

Just some more additional context: allowing Kratos to be a service provider in front of a SAML IdP would be extremely useful :)

[aeneasr]

Being a SAML Service Provider is out of scope for Ory Kratos, it will most likely be an additional service like Ory Hydra!

[robertlagrant]

Hopefully my terminology is correct. Just to double check: what I mean is being able to point Kratos at a SAML IdP in the way we can point Kratos at an OIDC provider.

[vinckr]

Hopefully my terminology is correct. Just to double check: what I mean is being able to point Kratos at a SAML IdP in the way we can point Kratos at an OIDC provider.

SAML Service Provider is what you point Kratos at in the above example. So Kratos would be more a "client" than a "provider/server". I think the feature you are looking for (and for this issue) is being worked on in this PR: #2653

[dm17]

Am I correct in thinking SAML is the only way to continue using an all-Ory-based auth system in front of Zulip?
zulip/zulip#19245

[vinckr]

Am I correct in thinking SAML is the only way to continue using an all-Ory-based auth system in front of Zulip? zulip/zulip#19245

Feel free to open a discussion (on Zulip X Ory) if you want to discuss this further.

By default, Zulip allows logging in via email/password as well as various social authentication providers like Google, GitHub, GitLab, and Apple.
LDAP and various custom SSO login methods are currently restricted to self-hosted Zulip organizations only. SAML authentication is supported by Zulip Cloud but requires contacting [email protected] to configure it.

Sounds to me as you have the options of email/password and some "Plug-and-play SSO (Google, GitHub, GitLab)".

SAML also seems to work with some extra steps - and can be used with Ory using e.g. jackson.
This is also available in Ory Network there we integrate and manage the SAML connections for you (using jackson). I think its also on the roadmap, but nothing concrete as of right now.

[kmherrmann]

I'm closing this issue as we have no plans to support SAML natively in Kratos.

We recommend using a bridge like https://boxyhq.com/docs/jackson/overview to connect SAML IdPs as needed.

[uncvrd]

I'm closing this issue as we have no plans to support SAML natively in Kratos.

We recommend using a bridge like https://boxyhq.com/docs/jackson/overview to connect SAML IdPs as needed.

Bummer, so closing this affects the open PR here as well?

#2653

Or is there still interest to provide it if there is some movement on this PR?

[uncvrd]

Would it be possible to have an Ory engineer show how they implemented SAML Jackson in Ory Network? I thought I'd give Jackson a shot since it was recommended as the alternative, and have been having many fundamental problems (specifically regarding the flowIds and how they work with callbacks in the jackson ecosystem). I'm stuck on a few areas honestly and confused how Ory Network managed to use this. Is it possible to get a small peek in to how Ory Network handles jackson with a browser login OIDC flow?

I've typed out steps that I think need to happen (with many gaps) but for the sake of saving people time reading everything, I just wanted to see if there is willingness to share implementation. I know I and the 44 others interested in SAML auth w/ Ory would really appreciate an "olive branch" for help here 🙏

Thank you!!

---

EDIT:

I guess the one thing I'll add to foster some conversation about one part im stuck on is the following...

To redirect to the correct IdP, you must call the following endpoint with jackson:

https://localhost:5225/api/oauth/authorize
  ?response_type=code&provider=saml
  &client_id=<clientID or tenant and product query params>
  &redirect_uri=<redirect URL>
  &state=<randomly generated state id>

This state parameter is passed to the ory self sign in callback, which in our case would be to one of the oidc callback paths like http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<jackson?>

From what it looks like (and I am a total novice in golang) is that this state parameter isn't something the user creates but occurs when the login flow is submitted. It seems like it is generated from the flowId and then some extra data, base64 encoded (split by a :), and stored in the continuity_containers database table...which happens here

So my question is, how can I create this "custom" state that embeds this flowId and data before calling this authorize endpoint since it seems like it's important to have a reference to this when running through the callback flow?

[tdipadova3rd]

@uncvrd were you able to get the Jackson integration working?

[uncvrd]

@tdipadova3rd i talked to the founder of Jackson, there will need to be a dev investment on their end to provide some sort of bespoke proxy between the Kratos oauth request and their platform to extract the tenants. I have not made any progress unfortunately