
[FEATURE] SSO Configuration with Entra ID (Azure AD) #106

Open
GokulVijayakumarRam opened this issue Aug 5, 2024 · 5 comments

Comments

@GokulVijayakumarRam

Is your feature request related to a problem? Please describe.

I'm fairly new to CKAN. My organization uses the Entra ID service and we would like to set up SSO in CKAN.
The README file was a bit vague and our team had trouble understanding how to configure/set up SSO with the plugin in CKAN.

Describe the solution you'd like

An updated document which describes how we could set up SSO in CKAN with the ckanext-saml2auth plugin would be nice.
If some examples of the values in the configuration file could be provided, it would be really appreciated.

Describe alternatives you've considered

Any help in setting up the SSO will be appreciated:
updated documents, detailed descriptions of the values in the configuration files, step-by-step instructions for the setup, etc.

Additional context
I'm running CKAN 2.10.3 in an Ubuntu 22.04 environment.

Thanks
Gokul

@GokulVijayakumarRam
Author

@amercader @gocemitevski @avdata99 @blazhovsky
Any help with this will be really appreciated.

@avdata99
Contributor

avdata99 commented Aug 6, 2024

@GokulVijayakumarRam I don't think we have a step-by-step document for this :(
You'll need to start on the Azure side, then create an IdP file, and finally set up your local instance with the config values defined in the README file.

@sriharirao-lh

sriharirao-lh commented Aug 22, 2024

I am having the same issue. I have created the app on the Azure side and I am getting the SSO login page, but when I log in, it just shows an internal server error. Any resolution on this? @avdata99 @GokulVijayakumarRam


@avdata99
Contributor

@sriharirao-lh I recommend reading the internal logs about this error.
A 500 error could be anything.

@mixmixmix

I was able to configure SSO with Entra ID. It was difficult to identify where my configuration details were incorrect without seeing the responses/queries, which are not printed in the logs even with debug turned on. I added my own log printing and was able to correct the values. On logout I hit an issue that looks like #107, and I provided my fix in a comment there.
Good luck!

Here, for example, is my config:

  ckanext.saml2auth.idp_metadata.location = remote
  ckanext.saml2auth.idp_metadata.remote_url = https://login.microsoftonline.com/[IdP_ID]/federationmetadata/2007-06/federationmetadata.xml?appid=[SP_APP_ID]
  ckanext.saml2auth.user_fullname = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  ckanext.saml2auth.user_email = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  ckanext.saml2auth.user_firstname = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  ckanext.saml2auth.user_lastname = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  ckanext.saml2auth.idp_metadata.remote_cert = /usr/lib/ckan/saml_idp.crt
  ckanext.saml2auth.entity_id = [Entity Id as set up at the IdP side]
  ckanext.saml2auth.want_response_signed = False
  ckanext.saml2auth.want_assertions_signed = False
  ckanext.saml2auth.logout_requests_signed = False
  ckanext.saml2auth.enable_ckan_internal_login = False

And in case you're inspecting logs, the following looks like an error but it is not:
when verifying the signature of the metadata XML file, pysaml2 always checks a number of fields on the top-level tag and prints an "Error" when it fails to find them. However, when it eventually succeeds it does not emit any log statements.

The following (in my case at least) was not an actual error:

error=func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_7ce8c2d2-df23-4e21-b6d6-bd7e0deba3a8')); xml error: 0: NULL
func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1409:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessReferences:file=xmldsig.c:line=752:obj=Reference:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=517:obj=unknown:subj=xmlSecDSigCtxProcessReferences:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "/tmp/tmpdox6353u.xml"

output=

{"time":"1729703991359327", "source":"uwsgi", "message":"2024-10-23 17:19:51,359 INFO  [ckan.config.middleware.flask_app]  302 /user/saml2login render time 0.161 seconds"}
{"time":"1729703991361284", "source":"uwsgi-req", "address":"130.209.157.49", "method":"GET", "protocol":"HTTP/1.1", "resp_size":2497, "req_body_size":0, "resp_status":302, "resp_time":0.163399"}
{"time":"1729703992399180", "source":"uwsgi", "message":"2024-10-23 17:19:52,398 INFO  [ckan.config.middleware.flask_app]  200 / render time 0.169 seconds"}
{"time":"1729703992406028", "source":"uwsgi-req", "address":"172.17.7.76", "method":"GET", "protocol":"HTTP/1.1", "resp_size":9312, "req_body_size":0, "resp_status":200, "resp_time":0.178086"}
{"time":"1729703992409951", "source":"uwsgi", "message":"2024-10-23 17:19:52,409 INFO  [ckan.config.middleware.flask_app]  200 / render time 0.181 seconds"}
{"time":"1729703992412887", "source":"uwsgi-req", "address":"172.17.7.76", "method":"GET", "protocol":"HTTP/1.1", "resp_size":9312, "req_body_size":0, "resp_status":200, "resp_time":0.184259"}
2024-10-23 17:19:54,478 ERROR [saml2.sigver] returncode=1
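One check worth running before digging through the pysaml2 signature noise above, added here as an example and not part of this thread or the ckanext-saml2auth project: confirm that the PEM file you point idp_metadata.remote_cert at is actually one of the signing certificates published in the Entra federation metadata, since that is the certificate the plugin hands pysaml2 to verify the metadata signature. The metadata document, tenant id and certificate bytes below are constructed placeholders, not real Entra output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins (not real Entra output): a placeholder blob in place of
# a DER certificate, and a trimmed metadata document shaped like
# federationmetadata.xml (the real file carries more elements and a Signature).
FAKE_CERT_B64 = base64.b64encode(b"constructed-placeholder-idp-signing-cert").decode()
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".strip()
# Contents of a matching /usr/lib/ckan/saml_idp.crt (the remote_cert file).
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"

def summarize_idp_metadata(xml_text: str) -> dict:
    """Pull out the values the ckanext-saml2auth config depends on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [c.text.strip() for c in idp.findall(cert_path, NS)]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
        # SHA-256 over the DER bytes is the usual way to compare certificates
        "signing_cert_sha256": [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs],
    }

def pem_sha256(pem_text: str) -> str:
    """SHA-256 of the DER inside a PEM certificate file."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def local_cert_matches(pem_text: str, xml_text: str) -> bool:
    """True if the local remote_cert file is one of the IdP's published signing certs."""
    return pem_sha256(pem_text) in summarize_idp_metadata(xml_text)["signing_cert_sha256"]
```

Against a real tenant, feed the downloaded federationmetadata.xml and the contents of your remote_cert file to local_cert_matches; a False result means the metadata signature check can never pass with that file, whatever the xmlsec lines say.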
