fix(saml): restore SAML, deactivate urls, enable idp-initiate (#8175)

This commit is contained in:
Adrián Jesús Peña Rodríguez
2025-07-07 16:42:11 +02:00
committed by GitHub
parent b38207507a
commit cd97e57521
15 changed files with 1534 additions and 1084 deletions


@@ -1,6 +1,6 @@
# Configuring SAML Single Sign-On (SSO) in Prowler
This guide explains how to enable and test SAML SSO integration in Prowler. It includes environment setup, certificate configuration, API endpoints, and how to configure Okta as your Identity Provider (IdP).
This guide explains how to enable and test SAML SSO integration in Prowler. It includes environment setup, API endpoints, and how to configure Okta as your Identity Provider (IdP).
---
@@ -20,26 +20,6 @@ Update this variable to specify which domains Django should accept incoming requ
DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1,prowler-api,mycompany.prowler
```
# SAML Certificates
To enable SAML support, you must provide a public certificate and private key to allow Prowler to sign SAML requests and validate responses.
### Why is this necessary?
SAML relies on digital signatures to verify trust between the Identity Provider (IdP) and the Service Provider (SP). Prowler acts as the SP and must use a certificate to sign outbound authentication requests.
### Add to your .env file:
```env
SAML_PUBLIC_CERT="-----BEGIN CERTIFICATE-----
...your certificate here...
-----END CERTIFICATE-----"
SAML_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
...your private key here...
-----END PRIVATE KEY-----"
```
# SAML Configuration API
You can manage SAML settings via the API. Prowler provides full CRUD support for tenant-specific SAML configuration.
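Review bot: deleting the whole "SAML Certificates" section, including the "Why is this necessary?" paragraph, leaves the guide silent on how Prowler now signs outbound AuthnRequests and how it verifies IdP responses; the section should be replaced rather than dropped. Add a short paragraph in its place stating where the SP key material and the IdP verification certificate now come from (the IdP metadata XML mentioned later in this file is the obvious candidate), plus a migration note that `SAML_PUBLIC_CERT` and `SAML_PRIVATE_KEY` in existing `.env` files are no longer read, so operators do not assume those values are still in effect.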
@@ -60,7 +40,7 @@ You can manage SAML settings via the API. Prowler provides full CRUD support for
### Description
This endpoint receives an email and checks if there is an active SAML configuration for the associated domain (i.e., the part after the @). If a configuration exists and the required certificates are present, it responds with an HTTP 302 redirect to the appropriate saml_login endpoint for the organization.
This endpoint receives an email and checks if there is an active SAML configuration for the associated domain (i.e., the part after the @). If a configuration exists it responds with an HTTP 302 redirect to the appropriate saml_login endpoint for the organization.
- POST /api/v1/accounts/saml/initiate/
@@ -78,7 +58,7 @@ This endpoint receives an email and checks if there is an active SAML configurat
• 302 FOUND: Redirects to the SAML login URL associated with the organization.
• 403 FORBIDDEN: The domain is not authorized or SAML certificates are missing from the configuration.
• 403 FORBIDDEN: The domain is not authorized.
### Validation logic
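Review bot: the response list now makes `302 FOUND` mean "this domain has an active SAML configuration" and `403 FORBIDDEN` mean "The domain is not authorized", so an unauthenticated caller can probe which email domains have SAML enabled. The closing note in this file says the initiate endpoint exists partly to allow "enumeration mitigation"; either document here that this disclosure is accepted, or describe the uniform response the endpoint returns for unknown domains so the two statements agree.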
@@ -86,8 +66,6 @@ This endpoint receives an email and checks if there is an active SAML configurat
• Retrieves the related SAMLConfiguration object via tenant_id.
• Verifies that SAML_PUBLIC_CERT and SAML_PRIVATE_KEY environment variables are set.
# SAML Integration: Testing Guide
@@ -95,26 +73,7 @@ This document outlines the process for testing the SAML integration functionalit
---
## 1. Generate Self-Signed Certificate and Private Key
First, generate a self-signed certificate and corresponding private key using OpenSSL:
```bash
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout saml_private_key.pem \
-out saml_public_cert.pem \
-subj "/C=US/ST=Test/L=Test/O=Test/OU=Test/CN=localhost"
```
## 2. Add Certificate Values to .env
Paste the generated values into your .env file:
```
SAML_PUBLIC_CERT=<paste certificate content here>
SAML_PRIVATE_KEY=<paste private key content here>
```
## 3. Start Ngrok and Update ALLOWED_HOSTS
## 1. Start Ngrok and Update ALLOWED_HOSTS
Start ngrok on port 8080:
```
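Review bot: removing the first two steps forces a manual renumbering of every later heading (`## 3.` becomes `## 1.` and so on through `## 9.`), which spreads across seven further hunks in this file and changes the generated heading anchors for anyone linking into the guide; unnumbered headings would avoid this churn. Since the `openssl` key-generation step is gone, also add one sentence after the ngrok step saying that no key material needs to be generated for the test flow, otherwise readers familiar with the old guide will look for the missing step.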
@@ -127,7 +86,7 @@ Then, copy the generated ngrok URL and include it in the ALLOWED_HOSTS setting.
ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["*"])
```
## 4. Configure the Identity Provider (IdP)
## 2. Configure the Identity Provider (IdP)
Start your environment and configure your IdP. You will need to download the IdP's metadata XML file.
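Review bot: "copy the generated ngrok URL and include it in the ALLOWED_HOSTS setting" is followed by `ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["*"])`, which reads as if the settings line itself should be edited; the hostname belongs in the `DJANGO_ALLOWED_HOSTS` variable documented at the top of this file, so say that explicitly. The `default=["*"]` shown also disables Django's Host header validation; the guide should mark it as acceptable only for a local ngrok test, not for a deployment that serves the SAML flow.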
@@ -137,7 +96,7 @@ Your Assertion Consumer Service (ACS) URL must follow this format:
https://<PROXY_URL>/api/v1/accounts/saml/<CONFIGURED_DOMAIN>/acs/
```
## 5. IdP Attribute Mapping
## 3. IdP Attribute Mapping
The following fields are expected from the IdP:
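Review bot: the ACS URL uses the placeholder `<PROXY_URL>` while the login URL in the last section of this file uses `<PROXY_IP>`; both denote the same ngrok host, so pick one placeholder. Because the ACS endpoint is reachable without authentication by design, it would also help to state next to this URL which checks bind an incoming assertion to `<CONFIGURED_DOMAIN>`, rather than leaving the reader to infer that the path alone selects the tenant.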
@@ -151,7 +110,7 @@ The following fields are expected from the IdP:
These values are dynamic. If the values change in the IdP, they will be updated on the next login.
## 6. SAML Configuration API (POST)
## 4. SAML Configuration API (POST)
SAML configuration is managed via a CRUD API. Use the following POST request to create a new configuration:
@@ -171,7 +130,7 @@ curl --location 'http://localhost:8080/api/v1/saml-config' \
}'
```
## 7. SAML SSO Callback Configuration
## 5. SAML SSO Callback Configuration
### Environment Variable Configuration
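Review bot: the curl example posts to `http://localhost:8080/api/v1/saml-config` (plain HTTP, no trailing slash) while every other endpoint in the guide is written with a trailing slash under the ngrok `https://` host (`/api/v1/accounts/saml/initiate/`, `.../acs/`, `.../login/`); align the path style, and say whether the configuration call must go through the same public host as the SAML endpoints or can stay on localhost.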
@@ -201,7 +160,7 @@ AUTH_URL="<WEB_UI_URL>"
- Both environment variables are required for proper SAML SSO functionality
- Verify that the `NEXT_PUBLIC_API_BASE_URL` environment variable is properly configured to reference the correct API server base URL corresponding to your target deployment environment. This ensures proper routing of SAML callback requests to the appropriate backend services.
## 8. Start SAML Login Flow
## 6. Start SAML Login Flow
Once everything is configured, start the SAML login process by visiting the following URL:
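Review bot: the second bullet is one long sentence that says a single thing, that `NEXT_PUBLIC_API_BASE_URL` must point at the API server the SAML callback will reach; shorten it to that and state the observable failure when it is wrong (the callback is routed to the wrong backend), since the bullet above it already says both variables are required.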
@@ -211,6 +170,6 @@ https://<PROXY_IP>/api/v1/accounts/saml/<CONFIGURED_DOMAIN>/login/?email=<USER_E
At the end you will get a valid access and refresh token
## 9. Notes on the initiate Endpoint
## 7. Notes on the initiate Endpoint
The initiate endpoint is not strictly required. It was created to allow extra checks or behavior modifications (like enumeration mitigation). It also simplifies UI integration with SAML, but again, it's optional.
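Review bot: the login URL carries the user's address in the query string (`?email=`), which ngrok and any reverse proxy will record in access logs; note that here and point readers to `POST /api/v1/accounts/saml/initiate/`, which accepts the email via POST, as the preferred entry point instead of calling it merely "optional". "At the end you will get a valid access and refresh token" should also say where the tokens are delivered, so a tester knows what to look for when the flow completes.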