lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2017-11-08T11:36:24Z)

Issue #13: Check that authLogout is well managed in AuthMulti
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/13
Author: Clément OUDOT, updated 2017-11-08T11:36:24Z
The logout process calls the authLogout method from the authentication module. We should test how this works with AuthMulti.
Milestone: 1.0

Issue #14: Use CSS framework for templates
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/14
Author: Clément OUDOT, updated 2017-11-08T11:36:24Z
For example YAML: http://www.yaml.de/en/home.html
Milestone: 1.4.0

Issue #27: OpenID provider
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/27
Author: Clément OUDOT, updated 2017-11-08T11:36:31Z
Module IssuerDBOpenID.pm
Milestone: 1.0

Issue #30: [SAML] Unit tests
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/30
Author: Clément OUDOT, updated 2017-11-08T11:36:31Z
We should provide unit tests (*.t) for SAML modules.
Milestone: 1.0

Issue #33: [SAML] Check "Destination" attribute
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/33
Author: Clément OUDOT, updated 2017-11-08T11:36:31Z
SAML messages can carry a "Destination" attribute. We should check that its value is the authentication portal URL.
Milestone: 1.0-rc2

Issue #37: [SAML] Proxy restriction should include all known IDP, and not only target IDP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/37
Author: Clément OUDOT, updated 2017-11-08T11:36:31Z
In AuthSAML, we can allow or not that authn statements are proxied. For now, we just test that they were not proxied, but we should allow proxying for all known IDPs (in our circle of trust) and refuse it only from unknown IDPs.
Milestone: 1.0-rc2

Issue #42: [SAML][SP] Attributes sent through IDP-initiated SSO are not registered into session
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/42
Author: Clément OUDOT, updated 2017-11-08T11:36:31Z
Milestone: 1.0-rc2

Issue #44: [SAML][SP] IDP list when unknown IDP in IDP cookie
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/44
Author: Clément OUDOT, updated 2017-11-08T11:36:31Z
Milestone: 1.0-rc2

Issue #46: [logout] verify referer into logout process
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/46
Author: Thomas Chemineau, updated 2017-11-08T15:56:39Z
When the handler intercepts a logout URL (which is written directly by hand in a web browser), the handler redirects it to the portal.
The URL is of the form "http://auth.example.com/url=base64(url)".
There is no Referer header in the HTTP request when the user goes to the portal. An error is produced: "Bad URL".
Milestone: 1.0-rc2

Issue #35: [SAML] Manage SLO through SOAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/35
Author: Clément OUDOT, updated 2017-11-08T15:56:41Z
The idea is to use images that will call a script on the portal. This script will manage the SLO SOAP request and catch the response.
We should use a special SLO cookie, so that the script is aware of which user is asking for SLO. This can't be the main WebSSO cookie because it is already destroyed at this stage (local logout has already occurred).
Milestone: 1.0-rc2

Issue #21: Special characters from SAML attribute statement are not well encoded
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/21
Author: Clément OUDOT, updated 2017-11-08T16:01:40Z
SAML attributes are not automatically encoded in UTF-8. We should maybe check this before registering them into the session.
This can be tested by using AuthSAML with an IDP sending attribute values containing accents.
Milestone: 1.0-rc2

Issue #3: [SAML] Attribute authority declaration in metadata
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3
Author: Clément OUDOT, updated 2017-11-08T16:01:43Z
Milestone: 1.0-rc2

Issue #2: [SAML] Attribute authority
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2
Author: Clément OUDOT, updated 2017-11-08T16:01:45Z
The LemonLDAP::NG IDP will also be a SAML2 attribute authority.
Milestone: 1.0-rc2

Issue #36: [SAML] Check dates and other conditions in SLO requests
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/36
Author: Clément OUDOT, updated 2017-11-08T16:01:50Z
Milestone: 1.0-rc2

Issue #32: [SAML] Manage Artifact methods for SAML messages emission in SP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/32
Author: Clément OUDOT, updated 2017-11-08T16:01:51Z
The SP knows how to handle an artifact in a received SAML message, but does not know how to send its messages through artifact methods.
Milestone: 1.0-rc2

Issue #40: [SAML] Dedicated portal error codes for SAML errors
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/40
Author: Clément OUDOT, updated 2017-11-08T16:01:52Z
For now, SAML errors are only reported in the Apache error log. The user only sees "Error". For some specific SAML errors, we should give more information to the final user.
Milestone: 1.0-rc2

Issue #31: [SAML] Proxy IDP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/31
Author: Clément OUDOT, updated 2017-11-08T16:01:52Z
We can configure LemonLDAP::NG as SP and IdP.
We have to work on some functionalities to be fully proxy IDP compliant:
* Reuse authnStatement from SP in IDP
* Check proxyCount and other proxy conditions
Milestone: 1.0-rc2

Issue #19: Select authentication module on authentication portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/19
Author: Clément OUDOT, updated 2017-11-08T16:02:00Z
We should be able to propose multiple authentication schemes so the user can choose how to log in.
For example, we should let the user choose to use OpenID, SAML or a local authentication.
We can try to map each authentication scheme to a URI:
* http://auth.example.com/openid
* http://auth.example.com/saml
* http://auth.example.com/ldap
Depending on the URI, the portal will choose its auth module. If there is no auth module in the URI, it will propose the known authentication methods.
Milestone: 1.0

Issue #28: Read user information from OpenID provider
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/28
Author: Clément OUDOT, updated 2017-11-08T16:02:00Z
This should be implemented in UserDBOpenID.pm.
Milestone: 1.0

Issue #29: Improve application menu configuration
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/29
Author: Clément OUDOT, updated 2017-11-08T16:02:02Z
The application list in the menu is not very easy to configure (it's a big hash in lemonldap-ng.ini).
We have to discuss how to manage the application list in our next stable version. It seems it's maybe not a good practice to pass HTML code to templates. We should rather have methods that will return all authorized applications for a category.
We maybe have to simplify how the application list can be built. For example, maybe we should only accept 1 or 2 levels of category. Same idea: is it mandatory to have applications under applications? If we restrict this, it could then be easier to configure from a graphical point of view.
Milestone: 1.0