Auth Module openid-connect

[Glowsome]

Hi all,

As i am in need of an option for authentication for OpenID-connect / OAuth or SAML(2), and the implementation from Proxmox itself as supplier has been postponed since 2017 ( first req seen in that year)

i have decided to take on this project and start development of such.

Now don't get your cheers up too high, this means the following:

- i will need to brush up extensively in perl ( its been like ~20 years since i touched perl)
- i will need to setup a dev box with the development branch of PVE

My base of operation will be :

- an IdP based upon the product Microfocus AccessManager which supports multiple authentication-mechanisms including SAML2 / OAuth / OpenID-Connect.
- i will focus primarily on authentication, but will see what i can do in regards of authorisation lateron, possibly even with provisioning if i get to that point.
=> for the 2 latter stages it will mean your IdP's backend/directory is able to supply such information in a scope.
- just to disclose my backend for good manners, i am using an Microfocus/NetIQ eDirectory backend.

 

[Glowsome]

Ok, first up.

i have a box which (was production, but got replaced/decommissioned like a year ago, but was still lying around) and its a DL380Gen5, and since revival has been updated to latest ( as current) 6.3 PVE kernel ( an old box i had which was updates sucessfully ( Debian Buster))
- No vm's or LXC guests are on it, so i'm completely free to play around with it.

Following guildelines i started out with enabling the dev repo ( adapting as i am beyond the info as written on Build instructions
In essence it makes you add a repo :

echo "deb http://download.proxmox.com/debian buster pvetest" > /etc/apt/sources.list.d/pve-development.list wget -O- "http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg" | apt-key add -
In this i updated the key to reflect a 6.x key (originally it still reflects the 5.x key)

After that i (as said already had a normal pve 6.x env on the box) So running the specified apt update && dist-upgrade too a while for everything to install, still it all installed fine.

Now still following the Build instructions getting to item 12 it again triggered a huge install run, which after having waited out its run went without any issue.

i then as suggested installed the package 'devscripts' , which again took a ton of time to install together with all dependancies. ( i wanna be a lazy one so all helpers are highly appreciated )

Next came a defined list of packages which i also apparently am in need of ( as described in the Build instructions).

While processing the list i had some misfires in regards of the listed packages, so i truncated the list to a/the package that didnt get a hit :

Package iproute is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  iproute2

... running the apt install up and without the iproute package was fine, so i installed everything prior to the iproute package in the list, and then ( as suggested) iproute2 package.

Then for the next set of needed/to be installed packages defined on the Build instructions i ran the packages defined after ipset ( so omitting it) :

E: Unable to locate package pve-libspice-server-dev

So again skipped this package to atleast get all the other packages in, as no alternatives were offered for me i just left it i as at current i dont know what i should install as alternative.
Scrubbing this again from the list of packages i installed the next set....and it finished without issues.

The one thing that bothered me was the message i had unused kernels and should autoremove them ( most likely some remnant of the old install)

The following packages were automatically installed and are no longer required:
  pve-kernel-5.0 pve-kernel-5.0.21-5-pve pve-kernel-5.3.13-1-pve pve-kernel-5.3.13-3-pve pve-kernel-5.3.18-1-pve
  pve-kernel-5.3.18-2-pve
Use 'apt autoremove' to remove them.

So i ran the suggested 'apt autoremove', and for good measures after having finishes i rebooted the box.

So except from the one package i cant seem to grab i now have a dev-env as instructed. ( i might solve the one package i couldnt find later, but as it concerns Splice ... not bothered, as its beyond my development scope.

So it seems i now have my DEV box in order for engaging / starting in the project.

for now as its (in my timezone) 3:15 AM its my time to say g'nite and continue 2morrow.

For readers :
As this is a forum, and not like a real-life thingy depending on my availability it might take some time to post progress - hey - i'm doing this as a hobby, i still need to make my income by working.




Time to get some ZZ's !

 

[Glowsome]

Small update ...

Did Some backend work , i have created groups in my eDirectory representing the PVE (builtin) roles, which for future purposes will be exposed as a dedicated scope for OAuth.

As AccessManager allows me to assign roles based on group membership this can be transported with a created scope to the authentication module.

 

[victorhooi]

This is awesome/amazing!

Will definitely keep an eye on how this goes.

Just to confirm - does this mean we'll need to purchase a license for NetIQ Access Manager, in order to use your integration?

 

[Glowsome]

This is awesome/amazing!

Will definitely keep an eye on how this goes.

Just to confirm - does this mean we'll need to purchase a license for NetIQ Access Manager, in order to use your integration?

No, any Oauth-/OpenID-connect IdP will do, but i happen to have the mentioned product.

For example Okta would also work.

In essence any IdP which has a configuration endpoint ( where i will interact with to retrieve all other endpoints )is usable ( well thats my wish to implement it that way, as then with minimal configuration it would allow me to dynamically interact with the IdP.

See OpenID Connect Discovery link for explanation.

To clarify how i look upon it , and will be trying to make the authentication work:

1. retrieve info from configuration endpoint for PVE purposes ( like refreshtoken etc.)
2. redirect to IdP for authentication to get authorisation code ( after having authenticated)
3. let IdP redirect back with relevant info.
4. Exchange authorisation code with token endpoint to get id token/ refresh token
5. Query userinfo endpoint to retrieve attributes defined in scope(s) requested
6. use retrieved info in PVE - at first authentication, then (lateron) authorisation
7. Also a concern is when in this configuration one would press 'logout' it should not only logout in PVE, but also on the IdP ( SingleLogout experience), so need a redirect after logout of PVE.

So alot of work to be done.....

 

[Glowsome]

Just a bit of an update.

I started out with adding visibility of the authentication method in Data center -> Permissions -> Authentication.
The (to be further implemented) method now has an entry under the 'Add'-button.
Clicking the method will spawn a form that allows entries according to the required parameters i have set.

So from that point it is made 'visible', but it also holds a 'tfa' field, which ( for this method should not be needed - as i am redirecting authentication outside of PVE, adhering to authentication methods (or in AccessManager terms Authentication contracts).


What i am struggling with now is 2 things :
1- The underlying schema does not want to accept what i have set up... and i cant seem to grasp where i can extend the schema at the moment, so
2- How to get rid of the 'tfa'-field, as its not gonna be used anyways, as i am diverting authentication to my IdP.

i posted to the devel mailing list to hopefully clarify this.

.. remember.. this also is a learning curve for me.. so i hope they will be graceful in providing me with info.

 

[victorhooi]

Hi Michael,

Were you able to get the answers you needed from the pve-devel list? =)

How is the project coming along?

Regards,
Victor

 

[Glowsome]

Hi Michael,

Were you able to get the answers you needed from the pve-devel list? =)

How is the project coming along?

Regards,
Victor

Hi Yes, i got my answers very helpfull list-contributors, but still running into issues which require me to do more research .. will take some time to fiddle it all together, and over the holidays ( with no time off) its all on a low burner.

Most likely my issues are because implementing this feature is spread out over multiple git repos and my unfamiliarity to the layout of PM itself.

 

[rule88]

Hi @Glowsome,

how is progress going? I needed I might be able to help testing. We currently have keycloak as IdP and are looking for a proxmox OpenID-connect / OAuth or SAML(2) solution as well.

Happy to hear how I can assist, unfortunately Perl is not one of my capabilities, feel free do DM me.

 

[victorhooi]

@Glowsome How are things going? What sort of issues did you hit? Anything we or anybody else could help with maybe? =)

Really appreciate you kick-starting this awesome effort.

 

[Blais]

Hello,

Were you able to make any progress on your initiative?

I was able to test a keyclock(docker) + pfsense(vm from iso) solution with samlv2 => OK.

Sincerely

Jbsky

 

[Blais]

To initiate a SSO proxmox post install environment :​

Environment :​

• vscode
• git init on /usr/share

To install perl-net-saml2 :​

apt-get install libxml2 make gcc libssl-dev libperl-dev git cpanminus

Install perl package:
cpanm Net::SAML2

make link :
ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl/5.28.1/Net/SAML2 ln -s /usr/local/share/perl/5.28.1/Net/SAML2 /usr/share/perl5/Net/SAML2

To restart properly after applying a change:​

systemctl stop pvedaemon && systemctl stop pveproxy
systemctl start pvedaemon && systemctl start pveproxy

 

[dcsapak]

hi, great that you take your time for this. did you already see the dev documentation? https://pve.proxmox.com/wiki/Developer_Documentation
it would probably a good idea to ask dev related questions on the pve-devel mailing list (and to possibly send in the patches)

 

[Blais]

Hello dcsapak,

Of course I will send a patch if I can get something to work with Saml.

But in the meantime, the hardest part is still to come.

I'm at the redirection stage with some tweaking.


Nothing really usable for the moment.

Still attached my sources.


Sincerely,

Jbsky

 

[Blais]

Hello,

Configuration so that it works with my sources:​

Assuming you already have a working keycloak/pfsense environment in SSO, to configure the domain part, add the following to your /etc/pve/domains.cfg file.

root@node2:/usr/share# cat /etc/pve/domains.cfg

saml: DOM
        Identity_Provider_Entity_ID https://key.jbsky.lan/auth/realms/master
        Service_Provider_Entity_ID pve
        Identity_Provider_Url_Metadata https://key.jbsky.lan/auth/realms/master/protocol/saml/descriptor
        Identity_Provider_x509_CA_Certificate /etc/ssl/certs/cacert_jbsky.pem
        Service_Provider_Private_Key /saml/key
        Service_Provider_Sign-on_URL api2/saml/access/sso
        default 0

/saml/key is the private key part to retrieve in the client configured in keycloak.
Transform it in the rsa private key format.

-----BEGIN RSA PRIVATE KEY-----
MIIE[...]==
-----END RSA PRIVATE KEY-----

Keycloak part​

Matching identifiers properly (SP and IdP)





Sincerely,

Jbsky

 

[Blais]

SAMLv2 is functional with the cpanm Net::SAML2 package, last available source :

src : https://github.com/jbsky/proxmox-saml2-auth/commit/d33b7f542855ecb119eb3077e194e5df3550cc21.diff

Unfortunately, since there is no debian package for cpanm Net::SAML2 package, it will not be supported by the Proxmox dev team.

What it emerges after exchange of mail, they prefer to leave on the OpenID with this Rust library :
=> https://github.com/ramosbugs/openidconnect-rs
This library will be "binded" with perlmod available here(https://git.proxmox.com/?p=perlmod.git;a=summary)


Sincerely,

Jbsky