{"id":28693351,"url":"https://github.com/matteogioioso/saml-proxy","last_synced_at":"2025-06-14T08:13:05.660Z","repository":{"id":44116843,"uuid":"405646121","full_name":"MatteoGioioso/saml-proxy","owner":"MatteoGioioso","description":"Small proxy for SAML authentication, mainly developed to allow AWS SSO authentication with Kubernetes dashboards","archived":false,"fork":false,"pushed_at":"2024-04-23T12:58:30.000Z","size":236,"stargazers_count":10,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-06-20T17:39:32.972Z","etag":null,"topics":["authentication","aws","kubernetes","saml","saml2-sp-sso"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MatteoGioioso.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-12T13:14:26.000Z","updated_at":"2024-04-23T12:56:16.000Z","dependencies_parsed_at":"2024-06-20T17:20:23.303Z","dependency_job_id":"02096f15-cc3d-42e4-af88-85bce3edebde","html_url":"https://github.com/MatteoGioioso/saml-proxy","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/MatteoGioioso/saml-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatteoGioioso%2Fsaml-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatteoGioioso%2Fsaml-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatteoGioioso%2Fsaml-proxy/releases","manifests_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/MatteoGioioso%2Fsaml-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MatteoGioioso","download_url":"https://codeload.github.com/MatteoGioioso/saml-proxy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatteoGioioso%2Fsaml-proxy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259783084,"owners_count":22910304,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","aws","kubernetes","saml","saml2-sp-sso"],"created_at":"2025-06-14T08:13:01.658Z","updated_at":"2025-06-14T08:13:05.646Z","avatar_url":"https://github.com/MatteoGioioso.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Saml proxy\n\nSmall SAML 2.0 Service provider authentication proxy.\nI mainly built this to leverage direct AWS SSO authentication with external services such as Kubernetes, Linkerd and Grafana dashboards.\n\n\u003e **NOTE** this proxy is tested with Nginx and the Nginx ingress controller only\n\n## Usage\n\n### Configuration with AWS SSO\n\nTo be used with AWS SSO you need to create one Application per host.\nTo create a custom application follow the docs [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html) or [here](https://static.global.sso.amazonaws.com/app-520727d4117d1647/instructions/index.htm?metadata=https)\n\nOne other important setting is the attribute mapping: you need to set the `Subject` to `transient` as shown below:\n\n![attribute 
mappings](assets/aws_sso_attribute_mappings.png)\n\n\n### Kubernetes\n\nYou can deploy Saml-proxy using the Helm chart:\n\n```shell\n helm repo add saml-proxy https://matteogioioso.github.io/saml-proxy/\n helm repo update\n```\n\nYou can use these values, with one host per dashboard:\n```yaml\nconfig:\n  samlMetadataEndpoint: \"https://portal.sso.ap-southeast-1.amazonaws.com/saml/metadata/000xxxxxxxXxxxx0000000\"\n  samlHosts: [linkerd.company.com]\n\ningress:\n  enabled: true\n  className: \"nginx\"\n  annotations: {}\n  hosts:\n    - host: linkerd.company.com\n      paths:\n        - path: /saml\n          pathType: Prefix\n```\n\nWith the Nginx ingress controller:\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: linkerd-dashboard-ingress\n  namespace: linkerd-viz\n  annotations:\n    nginx.ingress.kubernetes.io/upstream-vhost: $service_name.$namespace.svc.cluster.local:8084\n    nginx.ingress.kubernetes.io/configuration-snippet: |\n      proxy_set_header Origin \"\";\n      proxy_hide_header l5d-remote-ip;\n      proxy_hide_header l5d-server-id;\n    nginx.ingress.kubernetes.io/auth-url: \"https://linkerd.company.com/saml/auth\"\n    nginx.ingress.kubernetes.io/auth-signin: \"https://linkerd.company.com/saml/sign_in?rd=$host$request_uri\"\n    nginx.ingress.kubernetes.io/proxy-buffer-size: \"8k\"\n    nginx.ingress.kubernetes.io/proxy-buffering: \"on\"\nspec:\n  ingressClassName: nginx\n  rules:\n    - host: linkerd.company.com\n      http:\n        paths:\n          - path: /\n            pathType: Prefix\n            backend:\n              service:\n                name: web\n                port:\n                  number: 8084\n```\n\n### Docker and nginx\n\nYour Nginx config should look something like this:\n\n```\nserver {\n        ...\n        server_name localhost;\n\n        location /saml/ {\n\t      proxy_pass              http://saml-proxy:9000;\n\t      proxy_set_header        Host $host;\n\t      proxy_set_header        
X-Auth-Request-Redirect $request_uri;\n          proxy_set_header        X-Forwarded-Uri $request_uri;\n          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;\n          proxy_set_header        X-Forwarded-Proto $scheme;\n          proxy_set_header        X-Forwarded-Host $host;\n        }\n\n        location = /saml/auth {\n          internal;\n          proxy_pass              http://saml-proxy:9000;\n          proxy_pass_request_body off;\n          proxy_set_header        Content-Length \"\";\n          proxy_set_header        X-Original-URI $request_uri;\n          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;\n          proxy_set_header        X-Forwarded-Proto $scheme;\n          proxy_set_header        X-Forwarded-Host $host;\n        }\n\n        location / {\n\t\t    auth_request /saml/auth;\n\t\t\terror_page 401 = /saml/sign_in?rd=$host$request_uri;\n\n\t\t    auth_request_set $auth_cookie $upstream_http_set_cookie;\n\t\t    add_header Set-Cookie $auth_cookie;\n\n\t\t   proxy_buffer_size          256k;\n           proxy_buffers              4 512k;\n           proxy_busy_buffers_size    512k;\n\n\t\t   proxy_pass http://dashboard:5000;\n\t    }\n}\n\n```\n\nAnd then your `docker-compose.yaml`:\n\n```yaml\nservices:\n  proxy:\n    build:\n      context: nginx/\n      dockerfile: Dockerfile\n    ports:\n      - \"443:443\"\n    networks:\n      - saml-proxy-network\n\n  dashboard:\n    networks:\n      - saml-proxy-network\n    build:\n      context: dashboard\n      dockerfile: Dockerfile\n\n  saml-proxy:\n    image: public.ecr.aws/hirvitek/saml-proxy:latest\n    networks:\n      - saml-proxy-network\n    environment:\n      - SAML_PROXY_METADATA_ENDPOINT=https://my-idp/metadata/xxxxxxxxxxxxxxxxxx\n      - SAML_PROXY_HOSTS=[\"mydashboard.exampl.com\"]\n      - SAML_PROXY_SSL_CERTIFICATE_AUTOGENERATE=true\n      - PORT=9000\n```\n\nYou can check the full example and run it locally in the example folder: 
`example/dockerCompose`\n\n---\n\n## Config \n\n| Environmental variable                    \t| Helm variable                       \t| Type                  \t| Description                                                                                                                                                                                              \t| Default \t| Example \t|\n|-------------------------------------------\t|-------------------------------------\t|-----------------------\t|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\t|---------\t|---------\t|\n|  `SAML_PROXY_METADATA_ENDPOINT`           \t| `config.samlMetadataEndpoint`       \t| string                \t| The metadata endpoint of your Identity provider                                                                                                                                                          \t| \"\"      \t| https://portal.sso.ap-southeast-1.amazonaws.com/saml/metadata/000xxxxxxxXxxxx0000000         \t|\n| `SAML_PROXY_HOSTS`                        \t| `config.samlHosts`                  \t| JSON array of strings \t| List of allowed hosts                                                                                                                                                                                    \t| []      \t| [linkerd.company.com, grafana.company.com]        \t|\n| `SAML_PROXY_ENTITY_ID`                      | `config.samlEntityId`               \t| string                  | The identity provider entity id                                                                                                                                                                          \t| \"\"       \t| SAMLProxy        \t|\n| `SAML_PROXY_ALLOW_IDP_INITIATED`          \t| `config.samlAllowIdpInitiated`      \t| 
boolean               \t| Allow authentication directly from the identity provider                                                                                                                                                 \t| true    \t|         \t|\n| `SAML_PROXY_SIGN_REQUEST`                 \t| `config.samlSignRequest`            \t| boolean               \t| Sign the SAML request using the certificates                                                                                                                                                             \t| true    \t|         \t|\n| `SAML_PROXY_SSL_CERTIFICATE_PATH`         \t| `config.sslCertificatePath`         \t| string                \t| If you decide to bring your own TLS certificates you can specify the path here (Note: you don't need to use this if `SAML_PROXY_SSL_CERTIFICATE_AUTOGENERATE` is set to true)                            \t| \"\"      \t| /path/to/certs/cert.crt       \t|\n| `SAML_PROXY_SSL_CERTIFICATE_KEY_PATH`     \t| `config.sslCertificateKeyPath`      \t| string                \t| If you decide to bring your own TLS certificates you can specify the path of the certificate's key here (Note: you don't need to use this if `SAML_PROXY_SSL_CERTIFICATE_AUTOGENERATE` is set to true)   \t| \"\"      \t| /path/to/certs/cert.key        \t|\n| `SAML_PROXY_SSL_CERTIFICATE_AUTOGENERATE` \t| `config.sslCertificateAutogenerate` \t| boolean               \t| If set to true it will auto-generate self-signed certificates every time the server starts; set this to false if you are using custom TLS certificates                                                   \t| true    \t|         \t|\n| `SAML_PROXY_PROTOCOL`                     \t| `config.protocol`                   \t| string                \t| Useful if you want to test the proxy locally using                                                                                                                                                       \t| 
\"https\" \t|         \t|\n| `PORT`                                    \t| `config.proxyPort`                  \t| number                \t| The proxy server port                                                                                                                                                                                    \t| 9000    \t|         \t|","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatteogioioso%2Fsaml-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmatteogioioso%2Fsaml-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatteogioioso%2Fsaml-proxy/lists"}