SAML Authentication Proxy - with Bearer Token header support.
Inspired by:
then taking it to another level (cleaner, simpler, with bearer token authn).
The service runs as an independent "proxy" application. When accessed, it performs SAML authentication; if that succeeds, it proxies the request to the BACKEND_URL.
It can be used to put SAML authentication in front of web resources that have none of their own, for example the Kubernetes dashboard.
Configuration is passed as environment variables.
External URL of this proxy itself.
URL of the backend to go to after SAML auth.
URL of the identity provider's metadata XML. Only a URL is supported, not a local file (I don't like if/else).
The path to the X509 private key PEM file for this service provider. Defaults to saml-auth-proxy.key in the current directory.
The path to the X509 public certificate PEM file for this service provider. Defaults to saml-auth-proxy.cert.
Enables authorization and names the SAML attribute whose values are checked for authorized values. Example:
export AUTHORIZE_ATTRIBUTE=Groups
If not set, no authorization check is performed and any successfully authenticated user is proxied to the backend.
Used with AUTHORIZE_ATTRIBUTE: the values that must exist in the AUTHORIZE_ATTRIBUTE attribute of the SAML assertion for the user to be considered authorized. A comma-separated list. Example:
export AUTHORIZE_VALUES=group1,group2,group3
Used with AUTHORIZE_VALUES: a map whose key is one of the AUTHORIZE_VALUES and whose value is the Bearer token to send in the Authorization header of the proxied request. Example:
export AUTHORIZE_VALUE_BEARER_TOKEN_MAPPING=group1:asdf,group2:jkl,group3:xyz
Treat this variable as a secret: every user holding the matching attribute value is given the backend's permissions for that token, so the mapping is only as trustworthy as the identity provider's attribute.
Comma-separated list of attribute=header pairs mapping SAML response attributes to forwarded request headers. The backend trusts these headers, so it should only be reachable through the proxy.
host:port for this proxy server to listen on. Defaults to :8080.
Set this if you are using a proxy.
The snake-case values, such as SAML_PROXY_BACKEND_URL, are the equivalent environment variables that can be set instead of passing configuration on the command line.
The command-line usage renders with only a single leading dash, but GNU-style double dashes can be used as well, such as --sp-key-path.
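The following is an added example, not code from this project, showing how the authorization settings above combine: AUTHORIZE_ATTRIBUTE names the assertion attribute, AUTHORIZE_VALUES lists the values that authorize, AUTHORIZE_VALUE_BEARER_TOKEN_MAPPING picks the bearer token for the backend, and the attribute=header pairs populate forwarded headers. The type and function names, the precedence rule for a user holding several authorized values (first match in AUTHORIZE_VALUES order), and the stripping of client-supplied Authorization and mapped headers are choices made for this example; the attribute map stands in for a SAML assertion that has already been validated.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// AuthzConfig holds the parsed AUTHORIZE_* settings and the attribute=header mapping.
// (Example type, not part of the project.)
type AuthzConfig struct {
	Attribute    string            // AUTHORIZE_ATTRIBUTE; empty means authenticated is enough
	Values       []string          // AUTHORIZE_VALUES, kept in configured order
	BearerTokens map[string]string // AUTHORIZE_VALUE_BEARER_TOKEN_MAPPING: value -> token
	Headers      map[string]string // attribute -> forwarded request header
}

// splitList splits a comma-separated list, dropping blanks and surrounding whitespace.
func splitList(s string) []string {
	var out []string
	for _, part := range strings.Split(s, ",") {
		if p := strings.TrimSpace(part); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// parsePairs parses "k<sep>v,k<sep>v" into a map and rejects malformed entries.
func parsePairs(list, sep, what string) (map[string]string, error) {
	m := map[string]string{}
	for _, pair := range splitList(list) {
		kv := strings.SplitN(pair, sep, 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("bad %s entry %q", what, pair)
		}
		m[kv[0]] = kv[1]
	}
	return m, nil
}

// ParseAuthzConfig builds an AuthzConfig from the raw environment-variable strings.
func ParseAuthzConfig(attribute, values, tokenMapping, headerMapping string) (AuthzConfig, error) {
	tokens, err := parsePairs(tokenMapping, ":", "bearer token mapping")
	if err != nil {
		return AuthzConfig{}, err
	}
	headers, err := parsePairs(headerMapping, "=", "header mapping")
	if err != nil {
		return AuthzConfig{}, err
	}
	return AuthzConfig{Attribute: strings.TrimSpace(attribute), Values: splitList(values),
		BearerTokens: tokens, Headers: headers}, nil
}

// Authorize decides whether a user, described by the attributes of a validated SAML
// assertion, may reach the backend. It returns the authorized value that matched and
// the bearer token mapped to it (empty when none is mapped). With no Attribute
// configured, authentication alone is sufficient.
func (c AuthzConfig) Authorize(attrs map[string][]string) (matched, token string, ok bool) {
	if c.Attribute == "" {
		return "", "", true
	}
	held := map[string]bool{}
	for _, v := range attrs[c.Attribute] {
		held[v] = true
	}
	// A user in several authorized groups gets the token of the first match in
	// AUTHORIZE_VALUES order, so precedence is explicit in the configuration.
	for _, v := range c.Values {
		if held[v] {
			return v, c.BearerTokens[v], true
		}
	}
	return "", "", false
}

// ForwardHeaders builds the headers the backend will see. Client-supplied copies of
// Authorization and of every mapped header are dropped first, so a caller cannot
// smuggle an identity or token past the proxy by setting them itself.
func (c AuthzConfig) ForwardHeaders(in http.Header, attrs map[string][]string, token string) http.Header {
	out := in.Clone()
	if out == nil {
		out = http.Header{}
	}
	out.Del("Authorization")
	for attr, hdr := range c.Headers {
		out.Del(hdr)
		for _, v := range attrs[attr] {
			out.Add(hdr, v)
		}
	}
	if token != "" {
		out.Set("Authorization", "Bearer "+token)
	}
	return out
}

func main() {
	cfg, err := ParseAuthzConfig("Groups", "group1,group2,group3",
		"group1:asdf,group2:jkl,group3:xyz", "email=X-Forwarded-Email")
	if err != nil {
		panic(err)
	}
	// Constructed attribute set standing in for a decoded, validated SAML assertion.
	attrs := map[string][]string{"Groups": {"other", "group2"}, "email": {"alice@example.com"}}
	matched, token, ok := cfg.Authorize(attrs)
	fmt.Println(matched, token, ok) // group2 jkl true
	in := http.Header{"Authorization": {"Bearer forged"}}
	fmt.Println(cfg.ForwardHeaders(in, attrs, token))
}
```

Note that the incoming Authorization header is discarded even when no token is mapped: a client must never be able to pick the credential the backend sees.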
Go 1.14 is required.
Go modules are enabled, so the repository does not have to be pulled into your GOPATH.
Just run:
go build
There is a health check endpoint at /_health that can be used for Kubernetes liveness/readiness probes.
It returns HTTP 200.
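An added example Deployment, not shipped with the project, that wires the pieces above together for the Kubernetes dashboard case: the listen port (:8080), the /_health probes, the authorization settings, and the SP key pair mounted from a Secret at the default file names. The image name, Secret names, backend URL and group names are assumptions; the token mapping is read from a Secret rather than written into the manifest because it carries backend credentials. The proxy's external URL and the IdP metadata URL are also required, but their variable names do not appear on this page and are therefore not shown.

```yaml
# Added example; not part of the project.
# Create the SP key pair first (file names match the proxy's defaults):
#   kubectl create secret generic saml-auth-proxy-sp \
#     --from-file=saml-auth-proxy.key --from-file=saml-auth-proxy.cert
# and the bearer token mapping (assumed Secret name and key):
#   kubectl create secret generic saml-auth-proxy-tokens \
#     --from-literal=mapping='dashboard-admins:<admin-token>,dashboard-viewers:<viewer-token>'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: saml-auth-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: saml-auth-proxy
  template:
    metadata:
      labels:
        app: saml-auth-proxy
    spec:
      containers:
        - name: proxy
          image: registry.example.com/saml-auth-proxy:latest   # assumed image name
          # Defaults resolve key/cert relative to the working directory, so point it at the mount.
          workingDir: /etc/saml-auth-proxy
          ports:
            - containerPort: 8080                               # default listen address :8080
          env:
            - name: SAML_PROXY_BACKEND_URL
              value: https://kubernetes-dashboard.kubernetes-dashboard.svc   # assumed backend
            - name: AUTHORIZE_ATTRIBUTE
              value: Groups
            - name: AUTHORIZE_VALUES
              value: dashboard-admins,dashboard-viewers          # assumed group names
            - name: AUTHORIZE_VALUE_BEARER_TOKEN_MAPPING
              valueFrom:
                secretKeyRef:
                  name: saml-auth-proxy-tokens
                  key: mapping
          volumeMounts:
            - name: sp-keypair
              mountPath: /etc/saml-auth-proxy
              readOnly: true
          livenessProbe:
            httpGet:
              path: /_health
              port: 8080
          readinessProbe:
            httpGet:
              path: /_health
              port: 8080
      volumes:
        - name: sp-keypair
          secret:
            secretName: saml-auth-proxy-sp
```

Expose the proxy (not the dashboard) through your Ingress or Service, so that the backend is reachable only via the proxy and the headers and bearer token it sets cannot be supplied by clients directly.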