Auth Module openid-connect

Glowsome

Active Member
Jul 25, 2017
140
20
38
49
The Netherlands
www.comsolve.nl
Hi all,

As I am in need of an option for authentication via OpenID Connect / OAuth or SAML(2), and the implementation from Proxmox itself as supplier has been postponed since 2017 (first request seen in that year),

I have decided to take on this project and start development of such.

Now don't get your cheers up too high; this means the following:

- I will need to brush up extensively on Perl (it's been ~20 years since I touched Perl)
- I will need to set up a dev box with the development branch of PVE

My base of operations will be:

- an IdP based upon the product Microfocus AccessManager, which supports multiple authentication mechanisms including SAML2 / OAuth / OpenID Connect.
- I will focus primarily on authentication, but will see what I can do in regards to authorisation later on, possibly even provisioning if I get to that point.
=> for the two latter stages it will mean your IdP's backend/directory is able to supply such information in a scope.
- just to disclose my backend for good manners, I am using a Microfocus/NetIQ eDirectory backend.
 

Glowsome

Ok, first up.

I have a box which was production, but got replaced/decommissioned about a year ago and was still lying around. It's a DL380 Gen5, and since its revival it has been updated to the latest (as of current) 6.3 PVE kernel (an old box I had which was updated successfully (Debian Buster)).
- No VMs or LXC guests are on it, so I'm completely free to play around with it. :)

Following the guidelines I started out with enabling the dev repo (adapting, as I am beyond the info as written in the Build instructions).
In essence it makes you add a repo:
Code:
echo "deb http://download.proxmox.com/debian buster pvetest" > /etc/apt/sources.list.d/pve-development.list
wget -O- "http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg" | apt-key add -
In this I updated the key to reflect a 6.x key (originally it still reflects the 5.x key).

After that I (as said, I already had a normal PVE 6.x env on the box) ran the specified apt update && dist-upgrade, which took a while for everything to install; still, it all installed fine.

Now, still following the Build instructions, getting to item 12 again triggered a huge install run, which, after having waited out its run, went without any issue.

I then, as suggested, installed the package 'devscripts', which again took a ton of time to install together with all dependencies. (I wanna be a lazy one, so all helpers are highly appreciated :))

Next came a defined list of packages which I also apparently am in need of (as described in the Build instructions).

While processing the list I had some misfires in regards to the listed packages, so I truncated the list to the package that didn't get a hit:
Code:
Package iproute is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  iproute2
... running the apt install without the iproute package was fine, so I installed everything prior to the iproute package in the list, and then (as suggested) the iproute2 package.

Then for the next set of needed/to-be-installed packages defined in the Build instructions I ran the packages defined after ipset (so omitting it):
Code:
E: Unable to locate package pve-libspice-server-dev

So again I skipped this package to at least get all the other packages in; as no alternatives were offered I just left it, as at current I don't know what I should install as an alternative.
Scrubbing this again from the list of packages, I installed the next set... and it finished without issues.

The one thing that bothered me was the message that I had unused kernels and should autoremove them (most likely some remnant of the old install):
Code:
The following packages were automatically installed and are no longer required:
  pve-kernel-5.0 pve-kernel-5.0.21-5-pve pve-kernel-5.3.13-1-pve pve-kernel-5.3.13-3-pve pve-kernel-5.3.18-1-pve
  pve-kernel-5.3.18-2-pve
Use 'apt autoremove' to remove them.
So I ran the suggested 'apt autoremove', and for good measure after it had finished I rebooted the box.

So except for the one package I can't seem to grab, I now have a dev env as instructed. (I might solve the one package I couldn't find later, but as it concerns SPICE... not bothered, as it's beyond my development scope.)

So it seems I now have my DEV box in order for engaging in / starting on the project.

For now, as it's (in my timezone) 3:15 AM, it's my time to say g'nite and continue tomorrow.

For readers:
As this is a forum, and not like a real-life thingy, depending on my availability it might take some time to post progress - hey - I'm doing this as a hobby; I still need to make my income by working.

Time to get some ZZ's!
 

Glowsome

Small update...

Did some backend work: I have created groups in my eDirectory representing the PVE (built-in) roles, which for future purposes will be exposed as a dedicated scope for OAuth.

As AccessManager allows me to assign roles based on group membership, this can be transported with a created scope to the authentication module.
 

victorhooi

Member
Apr 3, 2018
249
18
23
35
This is awesome/amazing!

Will definitely keep an eye on how this goes.

Just to confirm - does this mean we'll need to purchase a license for NetIQ Access Manager, in order to use your integration?
 

Glowsome

No, any OAuth / OpenID Connect IdP will do, but I happen to have the mentioned product.

For example Okta would also work.

In essence any IdP which has a configuration endpoint (which I will interact with to retrieve all other endpoints) is usable (well, that's my wish, to implement it that way, as then with minimal configuration it would allow me to dynamically interact with the IdP).

See the OpenID Connect Discovery link for an explanation.

To clarify how I look upon it, and will be trying to make the authentication work:

  1. retrieve info from the configuration endpoint for PVE purposes (like refresh token etc.)
  2. redirect to the IdP for authentication to get an authorisation code (after having authenticated)
  3. let the IdP redirect back with the relevant info.
  4. exchange the authorisation code at the token endpoint to get an ID token / refresh token
  5. query the userinfo endpoint to retrieve the attributes defined in the scope(s) requested
  6. use the retrieved info in PVE - at first for authentication, then (later on) authorisation
  7. Also a concern: when in this configuration one presses 'logout', it should not only log out of PVE but also on the IdP (Single Logout experience), so a redirect after logout of PVE is needed.
So a lot of work to be done.....
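The seven steps above, as an added worked example that is neither Glowsome's code nor anything from Proxmox: the relying-party side of the OpenID Connect authorization-code flow in Python, run offline against a constructed stand-in IdP. Besides the steps themselves it performs the checks a relying party has to make for the flow to be safe (state bound to the browser session, nonce/issuer/audience/expiry checked on the ID token, the userinfo sub compared with the ID token sub), maps groups returned in a userinfo claim onto PVE roles (the "dedicated scope" idea from the earlier update), and builds the IdP logout redirect for step 7. The discovery document, all hostnames, the client secret, the `pve_roles` scope name, the group names and the `@oidc` realm suffix are assumptions. The ID token is HS256-signed with the client secret, which OIDC Core 10.1 permits, so it can be verified without a JWKS fetch; a real IdP will normally sign with RS256 and the key must then come from `jwks_uri`, with the same claim checks afterwards.

```python
"""OpenID Connect authorization-code flow on the relying-party (PVE) side, run
offline against a constructed stand-in IdP. Added example, not thread or Proxmox code."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document (what a real IdP serves at
# <issuer>/.well-known/openid-configuration). All hostnames are assumptions.
DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth/authorize",
    "token_endpoint": "https://idp.example.test/oauth/token",
    "userinfo_endpoint": "https://idp.example.test/oauth/userinfo",
    "end_session_endpoint": "https://idp.example.test/oauth/logout",
}
CLIENT_ID = "pve"                                        # assumed client registration
CLIENT_SECRET = "constructed-shared-secret"              # assumption; a real IdP issues this
REDIRECT_URI = "https://pve.example.test/oidc/callback"  # assumed callback path
# Assumed mapping from IdP group names (delivered in a "pve_roles" scope claim) to PVE roles.
GROUP_TO_ROLE = {"pve-admins": "Administrator", "pve-vm-users": "PVEVMUser"}

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_login_redirect(session):
    """Step 2: 'state' binds the callback to this session (login CSRF); 'nonce' binds the ID token."""
    session["state"], session["nonce"] = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile pve_roles", "state": session["state"], "nonce": session["nonce"]}
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)

def verify_id_token(token, nonce, now):
    """HS256 ID token check (OIDC Core 10.1: client_secret as HMAC key); RS256 via jwks_uri in production."""
    h_b64, p_b64, sig_b64 = token.split(".")
    if json.loads(_b64u_dec(h_b64)).get("alg") != "HS256": raise ValueError("unexpected alg")  # never "none"
    mac = hmac.new(CLIENT_SECRET.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64u_dec(sig_b64)): raise ValueError("bad signature")
    claims = json.loads(_b64u_dec(p_b64))
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if claims["iss"] != DISCOVERY["issuer"]: raise ValueError("wrong issuer")
    if CLIENT_ID not in aud: raise ValueError("token not issued to this client")
    if claims["exp"] <= now: raise ValueError("token expired")
    if claims.get("nonce") != nonce: raise ValueError("nonce mismatch (replayed token?)")
    return claims

def handle_callback(session, callback_url, idp, now=None):
    """Steps 3-6: check state, exchange the code, validate the ID token, query userinfo, map roles."""
    now = now or int(time.time())
    q = parse_qs(urlparse(callback_url).query)
    if not session.get("state") or q.get("state", [None])[0] != session.pop("state"):
        raise ValueError("state mismatch: callback not bound to this session")
    tokens = idp.token(DISCOVERY["token_endpoint"], {
        "grant_type": "authorization_code", "code": q["code"][0], "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    claims = verify_id_token(tokens["id_token"], session.pop("nonce"), now)
    info = idp.userinfo(DISCOVERY["userinfo_endpoint"], tokens["access_token"])
    if info["sub"] != claims["sub"]: raise ValueError("userinfo sub does not match the ID token")
    roles = sorted({GROUP_TO_ROLE[g] for g in info.get("groups", []) if g in GROUP_TO_ROLE})
    session["user"] = {"pve_user": info["preferred_username"] + "@oidc",   # realm name assumed
                       "sub": claims["sub"], "roles": roles, "id_token": tokens["id_token"]}
    return session["user"]

def build_logout_redirect(session):
    """Step 7: drop the PVE session, then send the browser to end_session_endpoint (single logout)."""
    user = session.pop("user")
    return DISCOVERY["end_session_endpoint"] + "?" + urlencode(
        {"id_token_hint": user["id_token"], "post_logout_redirect_uri": "https://pve.example.test/"})

class FakeIdP:
    """Constructed stand-in for the IdP: single-use codes, HS256 ID tokens, one userinfo record."""
    def __init__(self, now): self.now, self.codes, self.info = now, {}, None
    def authorize(self, login_url, sub, username, groups):   # the user logs in at the IdP
        q = parse_qs(urlparse(login_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["nonce"][0], sub, username, groups)
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})
    def token(self, _url, form):
        nonce, sub, username, groups = self.codes.pop(form["code"])   # a code works exactly once
        self.info = {"sub": sub, "preferred_username": username, "groups": groups}
        hdr = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64u(json.dumps({"iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "sub": sub,
                                 "nonce": nonce, "iat": self.now, "exp": self.now + 300}).encode())
        sig = hmac.new(CLIENT_SECRET.encode(), f"{hdr}.{body}".encode(), hashlib.sha256).digest()
        return {"id_token": f"{hdr}.{body}.{_b64u(sig)}", "access_token": secrets.token_urlsafe(16)}
    def userinfo(self, _url, _access_token): return self.info

def run_flow(now=1_700_000_000):
    """Whole exchange for one user; returns the PVE-side user record and the logout URL."""
    session, idp = {}, FakeIdP(now)
    callback = idp.authorize(build_login_redirect(session), "u-123", "alice", ["pve-vm-users", "hr"])
    return handle_callback(session, callback, idp, now), build_logout_redirect(session)

def tampered_callback_rejected(now=1_700_000_000):
    session, idp = {}, FakeIdP(now)
    callback = idp.authorize(build_login_redirect(session), "u-123", "alice", [])
    # Swap the state (what a login-CSRF attempt looks like): must fail before any code exchange.
    forged = callback.replace(parse_qs(urlparse(callback).query)["state"][0], "attacker-state")
    try: handle_callback(session, forged, idp, now)
    except ValueError as e: return str(e)

if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running the block prints the mapped user record (alice@oidc with the PVEVMUser role; the unmapped "hr" group is ignored) and the IdP logout URL; `tampered_callback_rejected` shows the state check refusing a callback that was not started from this session.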
 

Glowsome

Just a bit of an update.

I started out with adding visibility of the authentication method in Datacenter -> Permissions -> Authentication.
The (to be further implemented) method now has an entry under the 'Add' button.
Clicking the method will spawn a form that allows entries according to the required parameters I have set.

So from that point it is made 'visible', but it also holds a 'tfa' field, which for this method should not be needed, as I am redirecting authentication outside of PVE, adhering to authentication methods (or in AccessManager terms, authentication contracts).

What I am struggling with now is 2 things:
1- The underlying schema does not want to accept what I have set up... and I can't seem to grasp where I can extend the schema at the moment, so
2- How to get rid of the 'tfa' field, as it's not gonna be used anyway, as I am diverting authentication to my IdP.

I posted to the devel mailing list to hopefully clarify this.

.. remember.. this also is a learning curve for me.. so I hope they will be graceful in providing me with info.
 

victorhooi

Hi Michael,

Were you able to get the answers you needed from the pve-devel list? =)

How is the project coming along?

Regards,
Victor
 

Glowsome

Hi. Yes, I got my answers from very helpful list contributors, but I am still running into issues which require me to do more research... it will take some time to fiddle it all together, and over the holidays (with no time off) it's all on a low burner.

Most likely my issues are because implementing this feature is spread out over multiple git repos, plus my unfamiliarity with the layout of PM itself.
 
rule88

New Member
Feb 5, 2021
2
1
1
35
Hi @Glowsome,

how is progress going? If needed I might be able to help with testing. We currently have Keycloak as IdP and are looking for a Proxmox OpenID Connect / OAuth or SAML(2) solution as well.

Happy to hear how I can assist; unfortunately Perl is not one of my capabilities. Feel free to DM me.
 

victorhooi

@Glowsome How are things going? What sort of issues did you hit? Anything we or anybody else could help with maybe? =)

Really appreciate you kick-starting this awesome effort.
 

Blais

Active Member
Mar 28, 2017
32
2
28
Hello,

Were you able to make any progress on your initiative?

I was able to test a Keycloak (Docker) + pfSense (VM from ISO) solution with SAMLv2 => OK.

Sincerely

Jbsky
 

Blais

To initiate an SSO Proxmox post-install environment:

Environment:

  • vscode
  • git init on /usr/share

To install perl-net-saml2:

Code:
apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus

Install perl package:
Code:
cpanm Net::SAML2

make link:
Code:
ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2
ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2

To restart properly after applying a change:

Code:
systemctl stop pvedaemon && systemctl stop pveproxy
systemctl start pvedaemon && systemctl start pveproxy
 
dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
8,062
992
163
34
Vienna
Hi, great that you take your time for this. Did you already see the dev documentation? https://pve.proxmox.com/wiki/Developer_Documentation
It would probably be a good idea to ask dev-related questions on the pve-devel mailing list (and to possibly send in the patches).
 

Blais

Hello dcsapak,

Of course I will send a patch if I can get something to work with SAML.

But in the meantime, the hardest part is still to come.

I'm at the redirection stage with some tweaking.

[screenshot]
Nothing really usable for the moment.
[screenshot]
My sources are still attached.


Sincerely,

Jbsky
 

Attachments:

  • patch.txt (26.3 KB)

Blais

Hello,

Configuration so that it works with my sources:

Assuming you already have a working Keycloak/pfSense environment in SSO, to configure the domain part, add the following to your /etc/pve/domains.cfg file.

Code:
root@node2:/usr/share# cat /etc/pve/domains.cfg

saml: DOM
        Identity_Provider_Entity_ID https://key.jbsky.lan/auth/realms/master
        Service_Provider_Entity_ID pve
        Identity_Provider_Url_Metadata https://key.jbsky.lan/auth/realms/master/protocol/saml/descriptor
        Identity_Provider_x509_CA_Certificate /etc/ssl/certs/cacert_jbsky.pem
        Service_Provider_Private_Key /saml/key
        Service_Provider_Sign-on_URL api2/saml/access/sso
        default 0


/saml/key is the private key part to retrieve from the client configured in Keycloak. [screenshot]
Transform it into the RSA private key format.

-----BEGIN RSA PRIVATE KEY-----
MIIE[...]==
-----END RSA PRIVATE KEY-----

Keycloak part

Matching identifiers properly (SP and IdP)

[screenshot]


Sincerely,

Jbsky
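As an added example (not Jbsky's code and not part of the attached patch), the check I would want behind the "matching identifiers properly" step: parse the metadata document that Identity_Provider_Url_Metadata points at and compare it with the posted domains.cfg stanza. The stanza embedded below is the one from the post; the descriptor is constructed in the shape Keycloak serves at /protocol/saml/descriptor, with a 5-byte DER placeholder in place of a real certificate. The function reports the SSO and SLO endpoints per binding, whether the IdP wants signed AuthnRequests (which is why a Service_Provider_Private_Key is needed at all), counts signing certificates, and lists mismatches such as an entityID that differs from the configured Identity_Provider_Entity_ID or an SSO endpoint that would send users off the IdP host. Verifying the signature on an actual SAML response is still Net::SAML2's job; this only validates the configuration against the metadata.

```python
"""Cross-check the SAML domains.cfg stanza against the IdP metadata it points at.
Added example, not code from the thread or from the attached patch."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

# The domains.cfg stanza as posted, embedded so the check runs offline.
DOMAINS_CFG = """saml: DOM
        Identity_Provider_Entity_ID https://key.jbsky.lan/auth/realms/master
        Service_Provider_Entity_ID pve
        Identity_Provider_Url_Metadata https://key.jbsky.lan/auth/realms/master/protocol/saml/descriptor
        Identity_Provider_x509_CA_Certificate /etc/ssl/certs/cacert_jbsky.pem
        Service_Provider_Private_Key /saml/key
        Service_Provider_Sign-on_URL api2/saml/access/sso
        default 0
"""
# Constructed descriptor in the shape Keycloak serves at <realm>/protocol/saml/descriptor
# (what fetching Identity_Provider_Url_Metadata would return). The X509Certificate body
# is a 5-byte DER placeholder, SEQUENCE { INTEGER 1 }, not a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://key.jbsky.lan/auth/realms/master">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://key.jbsky.lan/auth/realms/master/protocol/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://key.jbsky.lan/auth/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://key.jbsky.lan/auth/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_domains_cfg(text):
    """One 'saml: <realm>' stanza -> dict: the header gives type and realm, then 'key value' lines."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    rtype, realm = lines[0].split(":", 1)
    cfg = {"type": rtype.strip(), "realm": realm.strip()}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg

def der_sequence_spans_blob(der):
    """Sanity check for a certificate blob: one outer DER SEQUENCE whose encoded
    length covers exactly the remaining bytes (catches truncated or garbled PEM)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: 0x8n, then n length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_idp_metadata(cfg_text, metadata_xml):
    """Return the endpoints/keys the SP needs plus a list of mismatches found."""
    cfg, problems = parse_domains_cfg(cfg_text), []
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntitiesDescriptor" % NS["md"]:     # some IdPs wrap the descriptor
        root = root.find("md:EntityDescriptor", NS)
    entity_id = root.get("entityID")
    idp_host = urlparse(entity_id).hostname
    if entity_id != cfg["Identity_Provider_Entity_ID"]:
        problems.append(f"entityID {entity_id!r} != configured Identity_Provider_Entity_ID")
    if urlparse(cfg["Identity_Provider_Url_Metadata"]).hostname != idp_host:
        problems.append("metadata URL host differs from entityID host")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "problems": problems + ["no IDPSSODescriptor: not IdP metadata"]}
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        loc = svc.get("Location")
        if urlparse(loc).scheme != "https" or urlparse(loc).hostname != idp_host:
            problems.append(f"SSO endpoint {loc!r} is not https on the IdP host")  # never redirect off-host
        sso.update({name: loc for name, urn in BINDINGS.items() if svc.get("Binding") == urn})
    if "HTTP-Redirect" not in sso:
        problems.append("IdP offers no HTTP-Redirect SingleSignOnService")
    certs = [base64.b64decode("".join(c.text.split()))
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]   # no 'use' attribute means both uses
    problems += ["signing certificate is not a well-formed DER blob" for d in certs if not der_sequence_spans_blob(d)]
    if not certs:
        problems.append("no signing certificate: SAML responses could not be verified")
    return {"realm": cfg["realm"], "entity_id": entity_id, "sso": sso,
            "slo": [s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)],
            "signing_certs": len(certs),
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
            "problems": problems}

if __name__ == "__main__":
    import json
    print(json.dumps(check_idp_metadata(DOMAINS_CFG, IDP_METADATA), indent=2))
```

With the posted stanza and the matching descriptor the problem list is empty; change the realm in Identity_Provider_Entity_ID and the entityID mismatch is reported before any login is attempted.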
 

Blais

SAMLv2 is functional with the cpanm Net::SAML2 package; last available source:

src: https://github.com/jbsky/proxmox-saml2-auth/commit/d33b7f542855ecb119eb3077e194e5df3550cc21.diff

Unfortunately, since there is no Debian package for the cpanm Net::SAML2 package, it will not be supported by the Proxmox dev team.

What emerges after an exchange of mail: they prefer to go with OpenID using this Rust library:
=> https://github.com/ramosbugs/openidconnect-rs
This library will be "bound" to Perl with perlmod, available here (https://git.proxmox.com/?p=perlmod.git;a=summary).


Sincerely,

Jbsky
 