I now have the login portion of the SAML authentication working. I still have to implement
the logout flow, but I wanted to get some feedback from the developers before proceeding
too much further. I have opened a [WIP] pull-request on GitHub  and I have an example
running at https://idp.lappsgrid.org
that uses https://samltest.id
as the IdP. It is only
a two core VM with limited memory and will likely go away soon, so don't try to use it
to do real work ;)
My original intent was to use the Social-Auth SAML backend and try to integrate with the
OIDC classes, but that would require more changes to Galaxy than I am comfortable making
right now. So for now I use python3-saml library (what Social-Auth uses under the hood)
and a single controller class to handle the login flow.
The questions I have right now are:
1. The current controller piggy backs on (hijacks?) the /authnz url-space and adds several
/authnz/saml urls (login, logout, metadata, acs). Should I use something else or are
2. I think I have mostly figured out how to add fields to the galaxy.yml file. The
python3-saml library requires a configuration directory that contains two JSON files and a
'certs" directory with certificates and keys used to sign/authenticate SAML
requests. Should this go into the config directory? That seem like the logical place to
me. However, I have tried to copy the code used to make the oidc_config_* relative to the
config directory, but when I access my saml_config_dir field at runtime the path is
relative to the Galaxy directory and not the config directory.
3. I will need to maintain some information in a "session" of some sort to
implement the logout correctly. Should I just stick this in a cookie? I don't think
this is appropriate to go into the GalaxySession and I don't see any other
I'm sure to have more questions soon.
P.S. I will remember to squash my commits for the next PR ;)
On Mar 12, 2020, at 8:39 PM, Keith Suderman
I have the SAML login implementation 99% complete. However, after authenticating with an
IdP and being redirected back to Galaxy the user is still not "logged in"...
The relevant code is on GitHub , but basically in the callback handler I do:
user = trans.get_or_create_remote_user(user_email)
Everything "works" in that there are no stack traces or errors in the logs and
the user is redirected correctly; they are just not logged in after going through the
login process. If I do this on a new Galaxy install the user is created so that part is
working. What else do I have to do to get Galaxy to recognize the user is logged in? I
have been pouring over the code for the other authenticators and I don't see what I am
Once I get the login sorted I can start preparing a proper PR.
> On Mar 7, 2020, at 5:54 PM, Youssef GHORBAL <youssef.ghorbal(a)pasteur.fr
> Hi Keith,
> Last time I checked (before OIDC support in Galaxy) it was not possible to easly
hack around the user/auth flow in Galaxy to introduce SAML semantics.
> As you said, since OIDC integration I hope that addding SAML would be more doable
("easy" and "SAML" in the same sentence are not permitted)
> At Pasteur we reverted back to Galaxy builtin auth even for internal users.
> In any case, if you got something working I'd be more than happy to test it.
> Youssef Ghorbal
> Institut Pasteur
>> On 7 Mar 2020, at 21:40, Keith Suderman <suderman(a)cs.vassar.edu
>> We are (finally) adding SAML authentication to our Galaxy instance so users can
authenticate with EduGain (EU) or InCommon (US). While doing some searching I found an
article that says, "Galaxy supports LDAP, SAML and now OIDC (see
 Looking at the release_20.01
code I see lots has changed in respect to authorization (we are still using 19.01 so I am
glad I looked), but I don't see anything related to SAML. I am not finding anything
in the documentation either. I am missing something or am I looking in the wrong
place(s)? I was expecting (hoping) to see a saml.py in /lib/galaxy/auth/providers/ or
>> I do have Shibboleth authentication working using Apache and mod_shib in front of
Galaxy, but that requires everyone to be able to authenticate and we would still like to
allow anonymous access. Ideally users that don't have InCommon/EduGain access would
still be able to create local accounts as well.
>> Before I start hacking around trying to create an authentication plugin for
Galaxy I wanted to check to see if there was any other ongoing work in the same area.
There is an old issue on GitHub , but I can't find anything else related. I see the
OIDC stuff uses social-auth, which does include a SAML backend. Social-auth just uses the
python3-saml package and I already have a simple client that uses python3-saml for
authentication so I am hoping a saml plugin will be "Relatively Easy" (TM).
>> 1. https://academic.oup.com/bioinformatics/article/36/1/1/5514039
>> 2. https://github.com/galaxyproject/galaxy/issues/3146
>> Please keep all replies on the list by using "reply all"
>> in your mail client. To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>> To search Galaxy mailing lists use the unified search at: