I have the SAML login implementation 99% complete. However, after authenticating with an IdP and being redirected back to Galaxy the user is still not "logged in"...

The relevant code is on GitHub [1], but basically in the callback handler I do:

    user = trans.get_or_create_remote_user(user_email)
    trans.handle_user_login(user)

Everything "works" in that there are no stack traces or errors in the logs and the user is redirected correctly; they are just not logged in after going through the login process. If I do this on a new Galaxy install the user is created, so that part is working. What else do I have to do to get Galaxy to recognize the user is logged in? I have been poring over the code for the other authenticators and I don't see what I am missing.

Once I get the login sorted I can start preparing a proper PR.

Cheers,
Keith

1. https://github.com/lappsgrid-incubator/Galaxy/blob/bd220d6aefaf74316f1f85983...
On Mar 7, 2020, at 5:54 PM, Youssef GHORBAL <youssef.ghorbal@pasteur.fr> wrote:
Hi Keith,
Last time I checked (before OIDC support in Galaxy) it was not possible to easily hack around the user/auth flow in Galaxy to introduce SAML semantics. As you said, since OIDC integration I hope that adding SAML would be more doable ("easy" and "SAML" in the same sentence are not permitted). At Pasteur we reverted back to Galaxy builtin auth even for internal users.
In any case, if you got something working I'd be more than happy to test it.
Youssef Ghorbal
Institut Pasteur
-----------------------
On 7 Mar 2020, at 21:40, Keith Suderman <suderman@cs.vassar.edu> wrote:
We are (finally) adding SAML authentication to our Galaxy instance so users can authenticate with EduGain (EU) or InCommon (US). While doing some searching I found an article that says, "Galaxy supports LDAP, SAML and now OIDC (see https://galaxyproject.org/authnz/)." [1] Looking at the release_20.01 code I see lots has changed with respect to authorization (we are still using 19.01 so I am glad I looked), but I don't see anything related to SAML. I am not finding anything in the documentation either. Am I missing something or am I looking in the wrong place(s)? I was expecting (hoping) to see a saml.py in /lib/galaxy/auth/providers/ or something similar.
I do have Shibboleth authentication working using Apache and mod_shib in front of Galaxy, but that requires everyone to be able to authenticate and we would still like to allow anonymous access. Ideally users that don't have InCommon/EduGain access would still be able to create local accounts as well.
Before I start hacking around trying to create an authentication plugin for Galaxy I wanted to check to see if there was any other ongoing work in the same area. There is an old issue on GitHub [2], but I can't find anything else related. I see the OIDC stuff uses social-auth, which does include a SAML backend. Social-auth just uses the python3-saml package and I already have a simple client that uses python3-saml for authentication so I am hoping a saml plugin will be "Relatively Easy" (TM).
Thanks,
Keith

1. https://academic.oup.com/bioinformatics/article/36/1/1/5514039
2. https://github.com/galaxyproject/galaxy/issues/3146