
Added some CAS and SAML settings. Not tested. Please test and send pull requests if it does not work.
See https://github.com/wekan/wekan/wiki/SAML and https://github.com/wekan/wekan/wiki/CAS

Thanks to xet7 !

Related #3204,
related #708

Lauri Ojansivu 4 tahun lalu
induk
melakukan
214c86cc22

+ 16 - 1
.devcontainer/Dockerfile

@@ -113,7 +113,22 @@ ENV \
     CORS_ALLOW_HEADERS="" \
     CORS_EXPOSE_HEADERS="" \
     DEFAULT_AUTHENTICATION_METHOD="" \
-    PASSWORD_LOGIN_ENABLED=true
+    PASSWORD_LOGIN_ENABLED=true \
+    CAS_ENABLED=false \
+    CAS_BASE_URL="" \
+    CAS_LOGIN_URL="" \
+    CAS_VALIDATE_URL="" \
+    SAML_ENABLED=false \
+    SAML_PROVIDER="" \
+    SAML_ENTRYPOINT="" \
+    SAML_ISSUER="" \
+    SAML_CERT="" \
+    SAML_IDPSLO_REDIRECTURL="" \
+    SAML_PRIVATE_KEYFILE="" \
+    SAML_PUBLIC_CERTFILE="" \
+    SAML_IDENTIFIER_FORMAT="" \
+    SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE="" \
+    SAML_ATTRIBUTES=""
 
 # Install OS
 RUN set -o xtrace \

+ 1 - 0
.meteor/packages

@@ -97,3 +97,4 @@ easylogic:summernote
 cfs:filesystem
 ostrio:cookies
 tmeasday:check-npm-versions
+wekan-meteor-accounts-saml

+ 1 - 0
.meteor/versions

@@ -192,6 +192,7 @@ wekan-accounts-cas@0.1.0
 wekan-accounts-oidc@1.0.10
 wekan-ldap@0.0.2
 wekan-markdown@1.0.9
+wekan-meteor-accounts-saml@0.0.18
 wekan-oidc@1.0.12
 yasaricli:slugify@0.0.7
 zimme:active-route@2.3.2

+ 16 - 1
Dockerfile

@@ -115,7 +115,22 @@ ENV BUILD_DEPS="apt-utils libarchive-tools gnupg gosu wget curl bzip2 g++ build-
     CORS_ALLOW_HEADERS="" \
     CORS_EXPOSE_HEADERS="" \
     DEFAULT_AUTHENTICATION_METHOD="" \
-    PASSWORD_LOGIN_ENABLED=true
+    PASSWORD_LOGIN_ENABLED=true \
+    CAS_ENABLED=false \
+    CAS_BASE_URL="" \
+    CAS_LOGIN_URL="" \
+    CAS_VALIDATE_URL="" \
+    SAML_ENABLED=false \
+    SAML_PROVIDER="" \
+    SAML_ENTRYPOINT="" \
+    SAML_ISSUER="" \
+    SAML_CERT="" \
+    SAML_IDPSLO_REDIRECTURL="" \
+    SAML_PRIVATE_KEYFILE="" \
+    SAML_PUBLIC_CERTFILE="" \
+    SAML_IDENTIFIER_FORMAT="" \
+    SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE="" \
+    SAML_ATTRIBUTES=""
 
 # Copy the app to the image
 COPY ${SRC_PATH} /home/wekan/app

+ 13 - 0
client/components/main/layouts.js

@@ -169,6 +169,19 @@ async function authentication(event, templateInstance) {
         });
       });
 
+    case 'saml':
+      return new Promise(resolve => {
+        const provider = Meteor.settings.public.SAML_PROVIDER;
+        Meteor.loginWithSaml(
+          {
+            provider,
+          },
+          function() {
+            resolve(FlowRouter.go('/'));
+          },
+        );
+      });
+
     case 'cas':
       return new Promise(resolve => {
         Meteor.loginWithCas(match, password, function() {
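Review bot: The `loginWithSaml` callback on the new `saml` case takes no parameters and always resolves with `FlowRouter.go('/')`, so a rejected or expired assertion is indistinguishable from a successful login until the user lands on `/` unauthenticated. Meteor login callbacks receive an error as their first argument; accept it and skip the redirect when it is set, e.g. `function(err) { if (err) { resolve(err); return; } resolve(FlowRouter.go('/')); }`, and surface it the way the other branches report failures. The `cas` case below has the same shape, so this is an inherited pattern rather than a regression of this commit. The enclosing `authentication` function starts above and ends below the hunk.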

+ 18 - 1
docker-compose.yml

@@ -601,7 +601,24 @@ services:
       # Hide password login form
       # - PASSWORD_LOGIN_ENABLED=true
       #-------------------------------------------------------------------
-    depends_on:
+      #- CAS_ENABLED=true
+      #- CAS_BASE_URL=https://cas.example.com/cas
+      #- CAS_LOGIN_URL=https://cas.example.com/login
+      #- CAS_VALIDATE_URL=https://cas.example.com/cas/p3/serviceValidate
+      #---------------------------------------------------------------------
+      #- SAML_ENABLED=true
+      #- SAML_PROVIDER=
+      #- SAML_ENTRYPOINT=
+      #- SAML_ISSUER=
+      #- SAML_CERT=
+      #- SAML_IDPSLO_REDIRECTURL=
+      #- SAML_PRIVATE_KEYFILE=
+      #- SAML_PUBLIC_CERTFILE=
+      #- SAML_IDENTIFIER_FORMAT=
+      #- SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE=
+      #- SAML_ATTRIBUTES=
+      #---------------------------------------------------------------------
+        depends_on:
       - wekandb
 
 #---------------------------------------------------------------------------------
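Review bot: The last changed line re-indents `depends_on:` from four spaces to eight, which moves it from the service level into the `environment:` list the preceding comments belong to; depending on the parser the file either fails to load or the key is folded into the previous environment value, and in both cases the `wekandb` ordering dependency is lost. Restore `    depends_on:` at four spaces with `      - wekandb` beneath it, as the torodb-postgresql compose file in this same commit keeps it. The commented CAS example also mixes `https://cas.example.com/cas` as the base URL with `https://cas.example.com/login` (no `/cas` prefix) for the login URL; if that is not intentional, `https://cas.example.com/cas/login` would match the validate URL's path.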

+ 1 - 0
packages/meteor-accounts-saml

@@ -0,0 +1 @@
+Subproject commit b91e65d728d1393ab83fe7dfdd37948b91c04161

+ 18 - 0
releases/virtualbox/start-wekan.sh

@@ -361,6 +361,24 @@
       #---------------------------------------------------------------------
       # PASSWORD_LOGIN_ENABLED : Enable or not the password login form.
       #export PASSWORD_LOGIN_ENABLED=true
+      #---------------------------------------------------------------------
+      #export CAS_ENABLED=true
+      #export CAS_BASE_URL=https://cas.example.com/cas
+      #export CAS_LOGIN_URL=https://cas.example.com/login
+      #export CAS_VALIDATE_URL=https://cas.example.com/cas/p3/serviceValidate
+      #---------------------------------------------------------------------
+      #export SAML_ENABLED=true
+      #export SAML_PROVIDER=
+      #export SAML_ENTRYPOINT=
+      #export SAML_ISSUER=
+      #export SAML_CERT=
+      #export SAML_IDPSLO_REDIRECTURL=
+      #export SAML_PRIVATE_KEYFILE=
+      #export SAML_PUBLIC_CERTFILE=
+      #export SAML_IDENTIFIER_FORMAT=
+      #export SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE=
+      #export SAML_ATTRIBUTES=
+      #---------------------------------------------------------------------
 
       node main.js & >> ~/repos/wekan.log
       cd ~/repos

+ 71 - 1
server/authentication.js

@@ -63,7 +63,10 @@ Meteor.startup(() => {
   };
 
   if (Meteor.isServer) {
-    if (process.env.OAUTH2_CLIENT_ID !== '') {
+    if (
+      process.env.OAUTH2_ENABLED === 'true' ||
+      process.env.OAUTH2_ENABLED === true
+    ) {
       ServiceConfiguration.configurations.upsert(
         // eslint-disable-line no-undef
         { service: 'oidc' },
@@ -85,5 +88,72 @@ Meteor.startup(() => {
         },
       );
     }
+  } else if (
+    process.env.CAS_ENABLED === 'true' ||
+    process.env.CAS_ENABLED === true
+  ) {
+    ServiceConfiguration.configurations.upsert(
+      // eslint-disable-line no-undef
+      { service: 'cas' },
+      {
+        $set: {
+          baseUrl: process.env.CAS_BASE_URL,
+          loginUrl: process.env.CAS_LOGIN_URL,
+          serviceParam: 'service',
+          popupWidth: 810,
+          popupHeight: 610,
+          popup: true,
+          autoClose: true,
+          validateUrl: process.env.CASE_VALIDATE_URL,
+          casVersion: 3.0,
+          attributes: {
+            debug: process.env.DEBUG,
+          },
+        },
+      },
+    );
+  } else if (
+    process.env.SAML_ENABLED === 'true' ||
+    process.env.SAML_ENABLED === true
+  ) {
+    ServiceConfiguration.configurations.upsert(
+      // eslint-disable-line no-undef
+      { service: 'saml' },
+      {
+        $set: {
+          provider: process.env.SAML_PROVIDER,
+          entryPoint: process.env.SAML_ENTRYPOINT,
+          issuer: process.env.SAML_ISSUER,
+          cert: process.env.SAML_CERT,
+          idpSLORedirectURL: process.env.SAML_IDPSLO_REDIRECTURL,
+          privateKeyFile: process.env.SAML_PRIVATE_KEYFILE,
+          publicCertFile: process.env.SAML_PUBLIC_CERTFILE,
+          identifierFormat: process.env.SAML_IDENTIFIER_FORMAT,
+          localProfileMatchAttribute:
+            process.env.SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE,
+          attributesSAML: process.env.SAML_ATTRIBUTES || [
+            'sn',
+            'givenName',
+            'mail',
+          ],
+
+          /*
+          settings = {"saml":[{
+            "provider":"openam",
+            "entryPoint":"https://openam.idp.io/openam/SSORedirect/metaAlias/zimt/idp",
+            "issuer": "https://sp.zimt.io/", //replace with url of your app
+            "cert":"MIICizCCAfQCCQCY8tKaMc0 LOTS OF FUNNY CHARS ==",
+            "idpSLORedirectURL": "http://openam.idp.io/openam/IDPSloRedirect/metaAlias/zimt/idp",
+             "privateKeyFile": "certs/mykey.pem",  // path is relative to $METEOR-PROJECT/private
+             "publicCertFile": "certs/mycert.pem",  // eg $METEOR-PROJECT/private/certs/mycert.pem
+             "dynamicProfile": true // set to true if we want to create a user in Meteor.users dynamically if SAML assertion is valid
+             "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", // Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+             "localProfileMatchAttribute": "telephoneNumber" // CAUTION: this will be mapped to profile.<localProfileMatchAttribute> attribute in Mongo if identifierFormat (see above) differs from urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
+             "attributesSAML": [telephoneNumber, sn, givenName, mail], // attrs from SAML attr statement, which will be used for local Meteor profile creation. Currently no real attribute mapping. If required use mapping on IdP side.
+          }]}
+          */
+        },
+      },
+    );
   }
 });
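Review bot: The CAS and SAML upserts can never execute on the server, because the `} else if (` that opens the CAS branch closes `if (Meteor.isServer) {` and chains onto it, so in this server-only file both new branches are skipped (and even if reached they would be mutually exclusive with the OIDC block above). Make them siblings inside the `Meteor.isServer` block: change the CAS `} else if (` to `if (`, the SAML `} else if (` to `}` followed by `if (`, and add one more `}` before the closing `});`. Separately, the CAS `validateUrl` reads `process.env.CASE_VALIDATE_URL`, a typo for the `CAS_VALIDATE_URL` variable the Dockerfiles define, so the service-ticket validation endpoint would be `undefined`; it should be `validateUrl: process.env.CAS_VALIDATE_URL,`. Note that `process.env` values are always strings, so the `=== true` alternatives are dead code and a non-empty `SAML_ATTRIBUTES` arrives as one string where the commented example shows an array — `process.env.SAML_ATTRIBUTES ? process.env.SAML_ATTRIBUTES.split(',') : ['sn', 'givenName', 'mail']` would match the documented shape — and since `SAML_CERT` defaults to an empty string, whether the submodule package still verifies assertion signatures with `cert: ''` cannot be checked here, so refusing to configure SAML when `SAML_ENABLED` is true and `SAML_CERT` is empty would be a cheap safeguard. The `Meteor.startup` callback begins above the hunk.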

+ 5 - 0
server/saml.js

@@ -0,0 +1,5 @@
+Meteor.startup(() => {
+  if (process.env.SAML_PROVIDER !== '') {
+    Meteor.settings.public.SAML_PROVIDER = process.env.SAML_PROVIDER;
+  }
+});
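Review bot: The guard `process.env.SAML_PROVIDER !== ''` is also true when the variable is unset (`undefined !== ''`), so outside the Docker images, which define it as an empty string, startup assigns `undefined` to the public setting, and if `Meteor.settings.public` has not been initialised by a settings file the assignment itself throws. Test for a non-empty value and create the container defensively: `if (process.env.SAML_PROVIDER) { Meteor.settings.public = Meteor.settings.public || {}; Meteor.settings.public.SAML_PROVIDER = process.env.SAML_PROVIDER; }`. Whether `Meteor.settings.public` is always present at this point depends on how Wekan is launched, so the second part is a precaution rather than a confirmed crash; the provider name is intentionally public since `layouts.js` reads it on the client.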

+ 0 - 0
snap-src/bin/config


+ 45 - 0
snap-src/bin/wekan-help

@@ -478,6 +478,51 @@ echo -e "\n"
 echo -e "Enable or not password login Form"
 echo -e "\t$ snap set $SNAP_NAME password-login-enabled='false'"
 echo -e "\n"
+echo -e "CAS Enabled. Default: false"
+echo -e "\t$ snap set $SNAP_NAME cas-enabled='true'"
+echo -e "\n"
+echo -e "CAS Base URL."
+echo -e "\t$ snap set $SNAP_NAME cas-base-url='https://cas.example.com/cas'"
+echo -e "\n"
+echo -e "CAS Login URL."
+echo -e "\t$ snap set $SNAP_NAME cas-login-url='https://cas.example.com/login'"
+echo -e "\n"
+echo -e "CAS Validate URL."
+echo -e "\t$ snap set $SNAP_NAME cas-validate-url='https://cas.example.com/cas/p3/serviceValidate'"
+echo -e "\n"
+echo -e "SAML Enabled. Default: false"
+echo -e "\t$ snap set $SNAP_NAME saml-enabled='true'"
+echo -e "\n"
+echo -e "SAML Provider. openam or openidp."
+echo -e "\t$ snap set $SNAP_NAME saml-provider='openam'"
+echo -e "\n"
+echo -e "SAML Entrypoint."
+echo -e "\t$ snap set $SNAP_NAME saml-entrypoint=''"
+echo -e "\n"
+echo -e "SAML Issuer."
+echo -e "\t$ snap set $SNAP_NAME saml-issuer=''"
+echo -e "\n"
+echo -e "SAML Cert."
+echo -e "\t$ snap set $SNAP_NAME saml-cert=''"
+echo -e "\n"
+echo -e "SAML IDPS LO Redirect URL."
+echo -e "\t$ snap set $SNAP_NAME saml-ispslo-redirecturl=''"
+echo -e "\n"
+echo -e "SAML Private Keyfile."
+echo -e "\t$ snap set $SNAP_NAME saml-private-keyfile=''"
+echo -e "\n"
+echo -e "SAML Public Certfile."
+echo -e "\t$ snap set $SNAP_NAME saml-public-certfile=''"
+echo -e "\n"
+echo -e "SAML Identifier Format."
+echo -e "\t$ snap set $SNAP_NAME saml-identifier-format=''"
+echo -e "\n"
+echo -e "SAML Local Profile Match Attribute."
+echo -e "\t$ snap set $SNAP_NAME saml-local-profile-match-attribute=''"
+echo -e "\n"
+echo -e "SAML Attributes."
+echo -e "\t$ snap set $SNAP_NAME saml-attributes=''"
+echo -e "\n"
 # parse config file for supported settings keys
 echo -e "wekan supports settings keys"
 echo -e "values can be changed by calling\n$ snap set $SNAP_NAME <key name>='<key value>'"
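Review bot: The snap key advertised for the single-logout URL, `saml-ispslo-redirecturl`, does not match the `SAML_IDPSLO_REDIRECTURL` variable used everywhere else in this commit, and the `snap-src/bin/config` change that would map snap keys to variables is suppressed on this page, so an operator following the help text will most likely set a key nothing reads. Change the line to `echo -e "\t$ snap set $SNAP_NAME saml-idpslo-redirecturl=''"` and its caption to `SAML IdP SLO Redirect URL.`. Captions such as `SAML Cert.` and `SAML Private Keyfile.` also give no hint which side's material they hold; one sentence each (which certificate this is, and that the keyfile is a path rather than PEM content, if that matches the package) would avoid trial and error with secrets.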

+ 17 - 0
start-wekan.bat

@@ -390,4 +390,21 @@ REM # LOGOUT_ON_MINUTES : The number of minutes
 REM # example : LOGOUT_ON_MINUTES=55
 REM SET LOGOUT_ON_MINUTES=
 
+REM SET CAS_ENABLED=true
+REM SET CAS_BASE_URL=https://cas.example.com/cas
+REM SET CAS_LOGIN_URL=https://cas.example.com/login
+REM SET CAS_VALIDATE_URL=https://cas.example.com/cas/p3/serviceValidate
+
+REM SET SAML_ENABLED=true
+REM SET SAML_PROVIDER=
+REM SET SAML_ENTRYPOINT=
+REM SET SAML_ISSUER=
+REM SET SAML_CERT=
+REM SET SAML_IDPSLO_REDIRECTURL=
+REM SET SAML_PRIVATE_KEYFILE=
+REM SET SAML_PUBLIC_CERTFILE=
+REM SET SAML_IDENTIFIER_FORMAT=
+REM SET SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE=
+REM SET SAML_ATTRIBUTES=
+
 node main.js

+ 18 - 1
start-wekan.sh

@@ -362,7 +362,24 @@
       #---------------------------------------------------------------------
       # PASSWORD_LOGIN_ENABLED : Enable or not the password login form.
       #export PASSWORD_LOGIN_ENABLED=true
-
+      #---------------------------------------------------------------------
+      #export CAS_ENABLED=true
+      #export CAS_BASE_URL=https://cas.example.com/cas
+      #export CAS_LOGIN_URL=https://cas.example.com/login
+      #export CAS_VALIDATE_URL=https://cas.example.com/cas/p3/serviceValidate
+      #---------------------------------------------------------------------
+      #export SAML_ENABLED=true
+      #export SAML_PROVIDER=
+      #export SAML_ENTRYPOINT=
+      #export SAML_ISSUER=
+      #export SAML_CERT=
+      #export SAML_IDPSLO_REDIRECTURL=
+      #export SAML_PRIVATE_KEYFILE=
+      #export SAML_PUBLIC_CERTFILE=
+      #export SAML_IDENTIFIER_FORMAT=
+      #export SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE=
+      #export SAML_ATTRIBUTES=
+      #---------------------------------------------------------------------
       node main.js
       # & >> ../../wekan.log
       cd ../..

+ 17 - 1
torodb-postgresql/docker-compose.yml

@@ -529,7 +529,23 @@ services:
       # example: PASSWORD_LOGIN_ENABLED=false
       # - PASSWORD_LOGIN_ENABLED
       #-------------------------------------------------------------------
-
+      #- CAS_ENABLED=true
+      #- CAS_BASE_URL=https://cas.example.com/cas
+      #- CAS_LOGIN_URL=https://cas.example.com/login
+      #- CAS_VALIDATE_URL=https://cas.example.com/cas/p3/serviceValidate
+      #---------------------------------------------------------------------
+      #- SAML_ENABLED=true
+      #- SAML_PROVIDER=
+      #- SAML_ENTRYPOINT=
+      #- SAML_ISSUER=
+      #- SAML_CERT=
+      #- SAML_IDPSLO_REDIRECTURL=
+      #- SAML_PRIVATE_KEYFILE=
+      #- SAML_PUBLIC_CERTFILE=
+      #- SAML_IDENTIFIER_FORMAT=
+      #- SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE=
+      #- SAML_ATTRIBUTES=
+      #---------------------------------------------------------------------
 
     depends_on:
       - mongodb
