Customize SAML metadata and create username

#1

Hi,

some thoughts about the SAML interface:

If you want to authenticate RC as a service provider to an identity provider, there is currently no possibility to individualize the metadata of RC under /_saml/metadata/your_entityID, e.g. to request “RequestedAttribute” attributes from the IDP. This leads to the fact that the IDP must make the attributes available to the SP by hand. However, the usual principle is that the SP can request the attributes independently, provided that the IDP supports this, which is usually the case, because the IDP admin does not want to match every attribute change in the metadata of the SP manually. Likewise, “mdui:UIInfo” cannot be individualized, and Organization, ContactPerson etc. cannot be set and transmitted to the IDP. Finally, the metadata are limited to the certificate and the entityID and what is hardcoded in packages/meteor-accounts-saml/saml_utils.js.

As SP, different possibilities are now available: modification of the SAML interface packages/meteor-accounts-saml/, which however leads to the fact that RC must be built by oneself with each update in order to take over the changes. A simpler variant is to exclude and overwrite the path “/_saml/metadata/your_entityID” in the configuration of the front end proxy web server (apache, nginx) and point to a static metadata file to make it available to the IDP for fetching. That’s just a workaround, but in my opinion the best possibility at the moment to provide the IDP with freely configurable metadata as SP.

It would be desirable if, in the configuration of the SAML interface of RC, the possibility existed to deposit a completely self-created metadata configuration, which one can configure freely. This could be, for example, a simple text field. The content of this text field is then output by RC under “/_saml/metadata/your_entityID”. If the text field is not configured, RC generates its minimal metadata version dynamically as before.

Besides, the SAML interface pursues a wrong approach for the generation of the user data, in my opinion. The RC username is created using

const username = RocketChat.generateUsernameSuggestion(newUser);

in “packages/meteor-accounts-saml/saml_server.js”. It would be correct to take the username from the uid transmitted by the IDP from the SSO landscape, so that usernames are identical, e.g. “newUser.username = loginResult.profile.nameID;”. At least there should be the option either to take the uid from the IDP as username or to create the username according to the RC logic. In my opinion, the latter is superfluous for an SSO environment. As far as I know, this is not the case with the OAuth procedures.

Ciao
Marcus
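The proxy workaround above (serving a hand-written metadata file in place of /_saml/metadata/your_entityID) only works if that static file still carries the entityID and the signing certificate that Rocket.Chat itself uses; otherwise the IdP will refuse signed AuthnRequests or encrypt assertions to the wrong key. The following script is an added example, not Rocket.Chat code and not part of the post: it parses a constructed SP metadata file that contains the RequestedAttribute, mdui:UIInfo, Organization and ContactPerson elements the post mentions, summarizes what the IdP admin will see, and checks it against the entityID and certificate assumed to be configured in Rocket.Chat (all values, hostnames and the certificate string are placeholders).

```python
"""Check a hand-written SAML SP metadata file before serving it from the
reverse proxy in place of /_saml/metadata/<entityID>.

Added example, not Rocket.Chat code. Assumes the operator knows the entityID
and signing certificate configured in Rocket.Chat; both are constructed here.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# Constructed sample SP metadata; hostnames and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://chat.example.org/_saml/metadata/rocketchat">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example Chat</mdui:DisplayName></mdui:UIInfo>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://chat.example.org/_saml/validate/rocketchat" index="0"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example Chat</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Org</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.example.org</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:chat-admin@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
"""


def summarize_sp_metadata(xml_text):
    """Extract the fields an IdP admin will read from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    # A KeyDescriptor without 'use' is valid for both signing and encryption.
    certs = [
        c.text.strip()
        for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    display = sp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    org = root.find("md:Organization/md:OrganizationDisplayName", NS)
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "acs_locations": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)],
        "requested_attributes": [
            (ra.get("FriendlyName"), ra.get("Name"), ra.get("isRequired") == "true")
            for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
        ],
        "display_name": display.text if display is not None else None,
        "organization": org.text if org is not None else None,
        "contacts": [e.text for e in root.findall("md:ContactPerson/md:EmailAddress", NS)],
    }


def check_static_metadata(xml_text, expected_entity_id, expected_cert):
    """Return a list of problems; an empty list means the file is consistent
    with what Rocket.Chat signs with and answers to, and can be published."""
    info = summarize_sp_metadata(xml_text)
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append("entityID %r differs from the one configured in Rocket.Chat" % info["entity_id"])
    normalize = lambda s: "".join(s.split())  # PEM bodies are often line-wrapped
    if normalize(expected_cert) not in [normalize(c) for c in info["signing_certs"]]:
        problems.append("signing certificate does not match the one Rocket.Chat signs requests with")
    if not info["acs_locations"]:
        problems.append("no AssertionConsumerService: the IdP has nowhere to post assertions")
    if not any(required for _, _, required in info["requested_attributes"]):
        problems.append("no required RequestedAttribute: the IdP still has to release attributes by hand")
    return problems


if __name__ == "__main__":
    summary = summarize_sp_metadata(SAMPLE_METADATA)
    for key, value in summary.items():
        print("%-21s %s" % (key + ":", value))
    print("problems:", check_static_metadata(
        SAMPLE_METADATA,
        "https://chat.example.org/_saml/metadata/rocketchat",
        "MIIC...PLACEHOLDER...",
    ))
```

Run it against the real static file and the values from the Rocket.Chat SAML settings after every certificate rotation or entityID change; the point of the check is that the proxy override silently decouples the published metadata from what the application actually does.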
