FTP service for galaxy with external authentication via SAML using shibboleth
Hi,

I'm currently solving a problem with authentication to the FTP service for users of our Galaxy server. We've successfully established authentication via Shibboleth behind Nginx (not very easy, but doable :) but that also means that ProFTPD is not working anymore, as it doesn't support SAML authentication.

So my question is obvious, I'm looking for an easy and free FTP server with SAML support, can anybody help me with advice? I've already found CompleteFTP and CrushFTP but both are paid and one is Windows-only allegedly. So how do you - people using external authentication via SAML - do this?

Thanks in advance for any kind of useful advice.

Best wishes,
Martin Demko
On 16 Apr 2018, at 11:53, Martin Demko <325073@mail.muni.cz> wrote:

Hi, I'm currently solving a problem with authentication to the FTP service for users of our Galaxy server. We've successfully established authentication via Shibboleth behind Nginx (not very easy, but doable :) but that also means that ProFTPD is not working anymore, as it doesn't support SAML authentication.

So my question is obvious, I'm looking for an easy and free FTP server with SAML support, can anybody help me with advice? I've already found CompleteFTP and CrushFTP but both are paid and one is Windows-only allegedly. So how do you - people using external authentication via SAML - do this?

CrushFTP will support SAML auth only on HTTP transfers, not FTP (the actual protocol) transfers. SAML is an HTTP-centric spec; hooking it up to other non-HTTP protocols is difficult. More info here:

https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP
http://www.cilogon.org/ws/saml-outside-the-browser

You will not find any single FTP (the actual protocol) server with SAML support. However, you can use HTTP uploader tools that you can hook up more or less easily with SAML (bear in mind that Galaxy needs to have access to files once uploaded, which can add more complexity to the integration with third-party upload tools). And since you're down the HTTP uploading path, you may just stick with Galaxy's own HTTP upload feature.

If you need FTP, your best option is to connect ProFTPD to the LDAP/AD server used by the SAML IdP itself. This setup can only work in a single organization (no SAML federation in action).

If you have time, there are many JS libs that you can use to build a custom file uploader (with SAML auth, HTML5 and resuming support):

http://www.resumablejs.com
https://tus.io

(and even in this situation, it will be difficult to handle CLI-based upload workflows)

Youssef Ghorbal
Institut Pasteur
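An added configuration sketch for the ProFTPD-to-LDAP option suggested in the reply above; it is not from the thread or from the Galaxy project. Every host name, DN, password, UID/GID and path in it is a placeholder assumption, and it assumes users log in with the e-mail address stored in the directory's `mail` attribute.

```apache
# Constructed example: ProFTPD authenticating against the directory behind the SAML IdP.
# All values below are placeholders, not taken from the thread.

<IfModule mod_ldap.c>
  # LDAPS so the service bind and the users' passwords are encrypted
  # between ProFTPD and the directory.
  LDAPServer ldaps://ldap.example.org/??sub

  # Dedicated read-only service account used only to locate user entries.
  LDAPBindDN "cn=proftpd-ro,ou=services,dc=example,dc=org" "CHANGE_ME"

  # Find the entry by the login name the user typed (assumed: e-mail address).
  LDAPUsers "ou=people,dc=example,dc=org" "(mail=%u)"

  # Check the password by binding as the user, so ProFTPD never needs
  # read access to password hashes.
  LDAPAuthBinds on

  # Ignore uidNumber/gidNumber/homeDirectory from the directory and run every
  # session as one unprivileged local account (assumed: the account Galaxy runs as).
  LDAPDefaultUID 1001
  LDAPDefaultGID 1001
  LDAPForceDefaultUID on
  LDAPForceDefaultGID on

  # Per-user directory under the upload area; confirm the resulting path
  # matches the layout Galaxy expects for FTP uploads.
  LDAPGenerateHomedir on
  LDAPGenerateHomedirPrefix /srv/galaxy/ftp
  LDAPForceGeneratedHomedir on
</IfModule>

# Consult only the directory for logins, and confine users to their own directory.
AuthOrder mod_ldap.c
DefaultRoot ~
RequireValidShell off
CreateHome on dirmode 700

<IfModule mod_tls.c>
  # Plain FTP sends the directory password in clear text; refuse non-TLS sessions.
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/ssl/certs/ftp.example.org.pem
  TLSRSACertificateKeyFile /etc/ssl/private/ftp.example.org.key
</IfModule>
```

With this setup users type their directory password straight into the FTP client, so the login never passes through the IdP's own login page. As the reply notes, it only covers accounts that exist in that one organization's directory.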
Dear Youssef,

thank you a lot for your extensive answer. I need to digest this first but I believe it will help a lot. So far, I've just changed the quota for Galaxy upload tool and according to your answer, it looks like the best and easiest option anyway.

Best wishes,
Martin

"Youssef GHORBAL" <youssef.ghorbal@pasteur.fr> wrote on Tue, 17 Apr 2018 09:33:16 +0000:
CrushFTP will support SAML auth only on HTTP transfers, not FTP (the actual protocol) transfers. SAML is an HTTP-centric spec; hooking it up to other non-HTTP protocols is difficult. More info here: https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP http://www.cilogon.org/ws/saml-outside-the-browser
You will not find any single FTP (the actual protocol) server with SAML support. However, you can use HTTP uploader tools that you can hook up more or less easily with SAML (bear in mind that Galaxy needs to have access to files once uploaded, which can add more complexity to the integration with third-party upload tools). And since you're down the HTTP uploading path, you may just stick with Galaxy's own HTTP upload feature.
If you need FTP, your best option is to connect ProFTPD to the LDAP/AD server used by the SAML IdP itself. This setup can only work in a single organization (no SAML federation in action).
If you have time, there are many JS libs that you can use to build a custom file uploader (with SAML auth, HTML5 and resuming support): http://www.resumablejs.com https://tus.io
(and even in this situation, it will be difficult to handle CLI-based upload workflows)
Youssef Ghorbal Institut Pasteur
Hi all,

with the 'chunked and resumable uploads' PR in place (https://github.com/galaxyproject/galaxy/pull/5516) the resiliency of the built-in uploader should be pretty high, especially on browsers like Chrome. This feature will make it to the 18.05 release.

M.

On Tue, Apr 17, 2018 at 2:20 PM Martin Demko <325073@mail.muni.cz> wrote:
Dear Youssef, thank you a lot for your extensive answer. I need to digest this first but I believe it will help a lot. So far, I've just changed the quota for Galaxy upload tool and according to your answer, it looks like the best and easiest option anyway.
Best wishes, Martin
participants (3)
- Martin Demko
- Martin Čech
- Youssef GHORBAL