ProjeQtOr free project management software - SAML Attribute Handling - ProjeQtOr
SAML Attribute Handling

06 Aug 2019 18:28 #1 by angeltek
I've just successfully got Projeqtor to authenticate against the SAML IdP built into Google G.Suite. I can login to Projeqtor using the organisation's Gmail accounts and a new local Projeqtor user is created if it didn't already exist. All good, except Projeqtor's handling of SAML attributes is a bit too limited for Google. So I am proposing a couple of enhancements for you to consider:

1) Full Name
Projeqtor's "SAML attribute for user full name" setting will only accept a single attribute. Unfortunately G.Suite does not have a single attribute equivalent - it supplies names as separate attributes for First Name and Last Name. It is possible to create a single custom attribute on G.Suite to store the full name, but this adds extra admin complexity and it's not accessible to the user themselves. A better solution would be for Projeqtor to optionally construct its full name from two separate attributes, e.g. if the single full name attribute setting is empty, then use the First Name and Last Name attribute settings.

2) Login Name
Similarly for Projeqtor's "SAML attribute for user login name", although not so important as I have opted to use the G.Suite email address attribute for this. Ideally I would have liked to have login names in the format "<FirstName>.<LastName>" or maybe "<first-character-of-FirstName><LastName>" ... you get the idea.

3) Security of SAML Signing Files
sp.crt and in particular sp.key should not be accessible to the public via the web server - the readme in folder sso/cert even says "Be sure that this folder never is published". So there really should be a Projeqtor setting to change this to a folder outside the server's docroot. If the underlying libraries don't support this then please consider putting a default "deny all" .htaccess file in there (which I have done, seemingly without breaking anything).


Finally, a big thank you for creating & evolving such a great software tool =)
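To make points 1 and 2 concrete, here is an added example (not ProjeQtOr code, and not something the project ships) of how a service provider can derive a local user's full name and login from a SAML assertion's attributes: prefer a single full-name attribute when one is configured, otherwise build it from the first-name and last-name attributes, and render the login from a template so that "<FirstName>.<LastName>" is just one template among others. The attribute names "firstName", "lastName" and "email", the AttributeConfig settings and the sample assertion are assumptions modelled on what a Google Workspace SAML app can be configured to release. The example goes slightly beyond the post by also accepting an {initial} placeholder, and by refusing to provision a user when the assertion carries no usable name.

```python
"""Derive a local account's full name and login from SAML assertion attributes.

Constructed example (not ProjeQtOr code). Attribute names such as
"firstName", "lastName" and "email" are assumptions modelled on what a
Google Workspace (G Suite) SAML app can be configured to release.
"""
from dataclasses import dataclass
import re
import unicodedata


@dataclass
class AttributeConfig:
    """Settings of the kind discussed in the thread (names are assumed)."""
    full_name_attr: str = ""                # single attribute; empty = build from parts
    first_name_attr: str = "firstName"
    last_name_attr: str = "lastName"
    login_attr: str = ""                    # e.g. "email"; empty = render the template
    login_template: str = "{first}.{last}"  # placeholders: {first} {last} {initial}


# Constructed sample of what the IdP might put in the assertion. SAML
# attributes are multi-valued, so every value is a list.
SAMPLE_ATTRS = {
    "firstName": ["Élodie"],
    "lastName": ["Dupont-Martin"],
    "email": ["elodie.dupont@example.com"],
}


def first_value(attrs, name):
    """Return the first non-blank value of a SAML attribute, or None."""
    for value in attrs.get(name) or []:
        if value and value.strip():
            return value.strip()
    return None


def resolve_full_name(attrs, cfg):
    """Prefer the single full-name attribute; fall back to first + last."""
    if cfg.full_name_attr:
        full = first_value(attrs, cfg.full_name_attr)
        if full:
            return full
    parts = [p for p in (first_value(attrs, cfg.first_name_attr),
                         first_value(attrs, cfg.last_name_attr)) if p]
    if not parts:
        # Failure mode: refuse to create a nameless local user rather than
        # silently provisioning one with an empty display name.
        raise ValueError("assertion carries no usable name attribute")
    return " ".join(parts)


def slug(value):
    """Normalise a name fragment for a login: ASCII, lowercase, [a-z0-9] only."""
    ascii_form = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", "", ascii_form.lower())


def resolve_login(attrs, cfg):
    """Prefer a dedicated login attribute; otherwise render the template."""
    if cfg.login_attr:
        login = first_value(attrs, cfg.login_attr)
        if login:
            return login.lower()
    first = first_value(attrs, cfg.first_name_attr)
    last = first_value(attrs, cfg.last_name_attr)
    if not first or not last:
        raise ValueError("cannot build a login without both name parts")
    first_slug, last_slug = slug(first), slug(last)
    if not first_slug or not last_slug:
        raise ValueError("name parts normalise to nothing usable")
    # str.format ignores placeholders the template does not use.
    return cfg.login_template.format(first=first_slug, last=last_slug,
                                     initial=first_slug[0])


if __name__ == "__main__":
    cfg = AttributeConfig()
    print(resolve_full_name(SAMPLE_ATTRS, cfg))   # Élodie Dupont-Martin
    print(resolve_login(SAMPLE_ATTRS, cfg))       # elodie.dupontmartin
    print(resolve_login(SAMPLE_ATTRS, AttributeConfig(login_template="{initial}{last}")))
```

One caveat a practitioner would want alongside this: a login derived from names is not a stable identity. Two users with the same name collide, and a surname change remaps someone to a different local account. Key the local user on the assertion's NameID (or the e-mail attribute, as angeltek chose) and treat the templated login as a display convenience, or at least check it for uniqueness against existing users before creating an account.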

07 Aug 2019 09:06 #2 by babynus
Replied by babynus on topic SAML Attribute Handling
Hi,

1) Full Name
Request recorded as Ticket #4147

2) Login Name
Also included to Ticket #4147
"<FirstName>.<LastName>" will be possible but "<first-character-of-FirstName><LastName>" will not, as it may be difficult to implement first-character-of- in the definition of a parameter.

3) Security of SAML Signing Files
"there really should be a Projeqtor setting to change this to a folder outside the server's docroot": to be studied. Ticket #4148 recorded.
"consider putting a default "deny all" .htaccess file in there": done (will be included in next patch).

Babynus
Administrator of ProjeQtOr web site
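For point 3, this is what a deny-all .htaccess for the sso/cert folder looks like. It is an added illustration, not the file shipped in any ProjeQtOr patch, and it assumes Apache with AllowOverride permitting AuthConfig (for Require) and Limit (for Order/Deny) in that directory. Both syntaxes are included because Require all denied only exists on Apache 2.4's mod_authz_core, while Order/Deny is the 2.2 form.

```apache
# sso/cert/.htaccess  (added example, not the project's own file)
# Apache 2.4+: mod_authz_core understands "Require all denied".
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: fall back to mod_authz_host's Order/Deny.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After deploying it, confirm the block from outside with a request for the key file (for example `curl -sI https://<host>/sso/cert/sp.key`) and expect a 403 rather than a 200. Two caveats: .htaccess is Apache-only, so on nginx or another server the folder stays published unless an equivalent location rule is added, which is why moving the files outside the docroot (the Ticket #4148 request) is the stronger fix; and a 403 only closes the HTTP path. sp.crt is public anyway (it is the certificate published in the SP metadata), but sp.key is the private signing key and should also be owned by and readable only to the web server's user on the filesystem.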

07 Aug 2019 14:43 #3 by angeltek
Replied by angeltek on topic SAML Attribute Handling
Great, thanks for the swift attention.
