Add SAML 2.0 SSO.

Review Request #12254 — Created April 24, 2022 and submitted — Latest diff uploaded


Review Board


This change adds SAML 2.0 support for single-sign-on authentication. It
includes a few major pieces:

  • Infrastructure for SSO backends including registry, configuration
    machinery, and URL registration.
  • Updates to settings forms to allow me to toggle some subforms based on
    a checkbox enabler rather than via drop-downs.
  • SAML 2.0 backend which includes configuration, login/logout, and user

The vast majority of the settings available are specific to SAML,
including the various URLs and method settings. Because of some user
feedback we've already received, I've added a toggle to control the
behavior of user provisioning. In most cases, the person using this has
absolute trust in the integrity and correctness of their IdP, but in
some cases that may not be true. If the "username" parameter cannot
necessarily be trusted, there's an option to force existing users to log
in with their Review Board password at least once.

Testing was done with a test application on with the
relevant configuration to authenticate to my server on localhost.

  • Logged in with existing user that had a username match.
  • Logged in with user that had an email match and saw correct detection
    of the existing user.
  • Logged in with a user that had no existing match and saw provision
    screen. Proceeded and was logged in with a new user with correct
  • Tested behavior of "require login" toggle.
  • Logged out from onelogin portal and saw GET request to the SLS
    endpoint which flushed the session and then redirected back to the
    onelogin login page.
  • Tested authentication configuration page, enabling/disabling settings,
    and making changes to settings. Tested behavior when the
    python3-saml package wasn't installed.
  • Tested text of button on login page, and that it redirected to the SSO
    login flow.
  • Ran unit tests.
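
The user-matching and "require login" behaviour described above, sketched as an added example; this is not code from the change under review. All names here (LocalUser, decide, confirm_link, linked_name_ids) are hypothetical, and recording a per-user set of linked IdP subjects is an assumption about how "at least once" could be remembered.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    LOG_IN = "log_in"                      # account already linked, or IdP trusted
    CONFIRM_PASSWORD = "confirm_password"  # prove ownership of the local account first
    PROVISION = "provision"                # no match: show the provisioning screen


@dataclass
class LocalUser:
    username: str
    email: str
    # Assumption: IdP subject identifiers already linked to this account.
    linked_name_ids: set = field(default_factory=set)


def find_existing(users, username, email):
    """Match on username first, then on e-mail (case-insensitive)."""
    for user in users:
        if user.username == username:
            return user
    for user in users:
        if email and user.email.lower() == email.lower():
            return user
    return None


def decide(users, name_id, username, email, require_login_to_link):
    """Return (Action, user) for one validated SAML response."""
    user = find_existing(users, username, email)
    if user is None:
        return Action.PROVISION, None
    if name_id in user.linked_name_ids:
        return Action.LOG_IN, user
    if require_login_to_link:
        # The IdP-asserted username alone does not grant the existing account.
        return Action.CONFIRM_PASSWORD, user
    user.linked_name_ids.add(name_id)      # IdP fully trusted: link immediately
    return Action.LOG_IN, user


def confirm_link(user, name_id, password_ok):
    """Link the IdP subject only after a successful local password check."""
    if password_ok:
        user.linked_name_ids.add(name_id)
    return password_ok
```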