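# Maverics Recipe | Multiple IdP Selector
#
# One app gateway that lets a user pick (by username) whether to sign in
# through Azure AD (OIDC) or Salesforce (SAML), remembers the choice in a
# cookie and maps the chosen IdP's claims onto sonar.* session keys that
# are forwarded upstream as headers.
#
# NOTE(review): this copy had lost all indentation; the nesting below is
# reconstructed from key order and must be checked against the original.
version: 0.1
listenAddress: ":443"
tls:
  maverics:
    certFile:
    keyFile:
  sonar:
    caFile:
appgateways:
  - name: idp-selector
    idps:
      - name: azure
        type: azure
        authType: oidc
        graphURL: https://graph.microsoft.com
        oidcWellKnownURL:
        oauthRedirectURL:
        oauthClientID:
        oauthClientSecret:
      - name: salesforce
        type: azure
        authType: saml
        samlMetadataURL:
        samlConsumerServiceURL:
        samlEntityID:
    location: /
    upstream: https://sonar.strata.io
    errorPage: https://maverics.strata.io/azure/sonar/accessdenied
    # NOTE(review): host differs from errorPage ("stratax" vs "strata") — confirm.
    unauthorizedPage: https://maverics.stratax.io/sonar/accessdenied
    tls: sonar
    headers:
      SM_USER: sonar.sm_user
      firstname: sonar.firstname
      lastname: sonar.lastname
    locations:
      - location: /
        isAuthenticated:
          funcName: IsAuthenticated
          code: |+
            import (
                "net/http"

                "maverics"
                "maverics/log"
                "maverics/session"
            )

            // IsAuthenticated reports whether the request's session has been
            // authenticated by any IdP configured on the app gateway.
            func IsAuthenticated(ag *maverics.AppGateway, rw http.ResponseWriter, req *http.Request) bool {
                log.Info("msg", "start IsAuthenticated")
                // Only the key is needed; binding the value as well was a
                // "declared and not used" compile error.
                for idpName := range ag.IDPs {
                    // Each IdP login records "<idpName>.authenticated" in the session.
                    if session.GetString(req, idpName+".authenticated") == "true" {
                        return true
                    }
                }
                return false
            }

        authenticate:
          funcName: Authenticate
          code: |+
            import (
                "fmt"
                "net/http"
                "strings"

                "maverics"
                "maverics/log"
            )

            // selectedIDPCookie remembers which IdP the user chose on a
            // previous visit so the selector form is not shown again.
            const selectedIDPCookie = "selected-idp"

            // Authenticate starts the login flow. The IdP is taken from the
            // selection cookie if present, otherwise from the "username"
            // query parameter (addresses go to Azure, anything else to
            // Salesforce); with neither, the selector form is rendered.
            //
            // Returns an error when the requested IdP is not configured or
            // the form cannot be written.
            func Authenticate(ag *maverics.AppGateway, rw http.ResponseWriter, req *http.Request) error {
                log.Info("msg", "start Authenticate")

                // Check if we already know which IdP to login to.
                if cookie, err := req.Cookie(selectedIDPCookie); err == nil {
                    log.Info("msg", "we remembered we want to login using "+cookie.Value)
                    return loginWith(ag, rw, req, cookie.Value)
                }

                username := req.URL.Query().Get("username")
                // %q keeps client-supplied control characters out of the log.
                log.Info("msg", fmt.Sprintf("username: %q", username))
                if username == "" {
                    // Send the username selector form.
                    if _, err := rw.Write([]byte(idpForm)); err != nil {
                        return fmt.Errorf("writing idp selector form: %w", err)
                    }
                    return nil
                }

                // A value containing '@' is treated as an Azure account.
                idpName := "salesforce"
                if strings.ContainsAny(username, "@") {
                    idpName = "azure"
                }
                log.Info("msg", "logging into "+idpName+" using "+username)
                // The gateway listens on :443 with TLS, so the cookie can be
                // Secure; HttpOnly keeps it away from page scripts.
                http.SetCookie(rw, &http.Cookie{
                    Name:     selectedIDPCookie,
                    Value:    idpName,
                    Path:     "/",
                    Secure:   true,
                    HttpOnly: true,
                    SameSite: http.SameSiteLaxMode,
                })
                return loginWith(ag, rw, req, idpName)
            }

            // loginWith starts the login flow on the named IdP.
            //
            // The name may come from a client-controlled cookie, so an unknown
            // name is rejected (and the cookie cleared) instead of calling
            // methods on the zero value of a missing map entry.
            func loginWith(ag *maverics.AppGateway, rw http.ResponseWriter, req *http.Request, idpName string) error {
                idp, ok := ag.IDPs[idpName]
                if !ok {
                    http.SetCookie(rw, &http.Cookie{Name: selectedIDPCookie, Value: "", Path: "/", MaxAge: -1})
                    return fmt.Errorf("unknown idp %q", idpName)
                }
                idp.CreateRequest().Login(rw, req)
                return nil
            }

            // idpForm is the page sent when no IdP has been selected yet.
            //
            // NOTE(review): in this copy the template holds only the text
            // "Sonar" / "Sonar Systems Co."; the form markup with the
            // "username" field that Authenticate reads from the query string
            // appears to have been stripped — confirm against the original.
            var idpForm = ` Sonar
            Sonar Systems Co.
            `

        loadAttrs:
          funcName: LoadAttrs
          code: |+
            import (
                "net/http"

                "maverics"
                "maverics/log"
                "maverics/session"
            )

            // attrMapping pairs a sonar.* session key (read by the gateway's
            // "headers" block) with the IdP session key it is copied from.
            type attrMapping struct{ dst, src string }

            var (
                azureAttrs = []attrMapping{
                    {"sonar.sm_user", "azure.name"},
                    {"sonar.firstname", "azure.given_name"},
                    {"sonar.lastname", "azure.family_name"},
                    {"sonar.email", "azure.preferred_username"},
                }
                salesforceAttrs = []attrMapping{
                    {"sonar.sm_user", "salesforce.alias"},
                    {"sonar.firstname", "salesforce.firstname"},
                    {"sonar.lastname", "salesforce.lastname"},
                    {"sonar.email", "salesforce.email"},
                }
            )

            // LoadAttrs copies the authenticated IdP's claims into the sonar.*
            // session keys that are forwarded upstream as headers.
            func LoadAttrs(ag *maverics.AppGateway, rw http.ResponseWriter, req *http.Request) error {
                log.Info("msg", "start LoadAttrs")
                // Azure wins when it is authenticated; otherwise Salesforce is
                // assumed, as in the original recipe — presumably LoadAttrs
                // only runs once IsAuthenticated has returned true.
                attrs := salesforceAttrs
                if session.GetString(req, "azure.authenticated") == "true" {
                    log.Info("msg", "adding Azure attributes")
                    attrs = azureAttrs
                } else {
                    log.Info("msg", "adding Salesforce attributes")
                }
                for _, m := range attrs {
                    session.Set(req, m.dst, session.GetString(req, m.src))
                }
                return nil
            }

        isAuthorized:
          funcName: IsAuthorized
          code: |+
            import (
                "net/http"

                "maverics"
                "maverics/log"
                "maverics/session"
            )

            // IsAuthorized grants access to any session that has been
            // authenticated by one of the app gateway's IdPs; no further
            // entitlement check is applied.
            func IsAuthorized(
                ag *maverics.AppGateway,
                rw http.ResponseWriter,
                req *http.Request,
            ) bool {
                log.Info("msg", "start IsAuthorized")
                // Unused "fmt" import and unused loop value removed: both were
                // compile errors.
                for idpName := range ag.IDPs {
                    if session.GetString(req, idpName+".authenticated") == "true" {
                        return true
                    }
                }
                return false
            }

      - location: /sonar/accessdenied
        allowUnauthenticated: true
      - location: /sonar/error
        allowUnauthenticated: true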