A simple saml proxy for SSO integration

Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).

An important use case that SAML addresses is web-browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within a security domain (using cookies, for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.

TLDR: Like oauth2-proxy, but for SAML. Typical SAML SSO providers include PingId, Okta, OneLogin etc.

So you can easily add SSO protection without modifying existing applications.

TLDR:

server{
  ...
  location / {
    auth_request /auth;
    auth_request_set $saml_email $upstream_http_saml_email;
    proxy_set_header Saml-Email $saml_email;
    error_page 401 = /start?redirect=$request_uri;
    proxy_pass http:https://app:4567;
  }

  location /auth {
    internal;
    proxy_pass http:https://saml-proxy:9292;
  }

  location /start {
    proxy_pass http:https://saml-proxy:9292;
  }

  location /consume {
    proxy_pass http:https://saml-proxy:9292;
  }
}

Sequence Diagram:

Take a look at saml-proxy-example

The * is the attribute name returned by your SSO. The value is the HTTP header you want returned to nginx's auth_request

The only time it makes outbound http call is when it tries to load idp metadata from a remote URL

You can also put your override configs in /app/config/