Locking Down Observium
Is there any way to set up SAML or Mutual TLS on the Observium server?
Chris Cottingham Transmission Facility Engineering Systems + R&D | Apple Music (512) 412-1082 Cell. ccottingham@apple.com
Hi Chris,
We don't do SAML yet, though it's on my list to try to implement at some point.
I'm actually not familiar with Mutual TLS; a brief conversation with our future overlord at OpenAI suggests it's client cert auth and seems to be primarily handled by the web server, and we just "accept" the username the web server provides to us? This seems incredibly simple.
If I'm not being hallucinated at (a strong possibility) and it does work how it was explained, I think we should be able to implement a MutualTLS auth module.
adam.
Chris Cottingham via observium wrote on 2024-05-22 16:15:
Is there any way to set up SAML or Mutual TLS on the Observium server?
observium mailing list -- observium@lists.observium.org To unsubscribe send an email to observium-leave@lists.observium.org
Awesome!
Thanks for the reply.
Chris Cottingham Transmission Facility Engineering Systems + R&D | Apple Music (512) 412-1082 Cell. ccottingham@apple.com
On May 22, 2024, at 1:25 PM, Adam Armstrong via observium observium@lists.observium.org wrote:
SimpleSAMLphp is what I see commonly in open source projects https://simplesamlphp.org/
We'd be willing test subjects (and have substantial IdP/SP knowledge) if you need it.
________________________________ Spencer J. Ryan| Manager, Technology and Infrastructure Miller Canfield T +1.313.496.7979 | F +1.313.496.7500 ________________________________
From: Adam Armstrong via observium observium@lists.observium.org Sent: Wednesday, May 22, 2024 4:25 PM To: Observium observium@lists.observium.org Cc: Chris Cottingham ccottingham@apple.com; Adam Armstrong adama@observium.org Subject: [Observium] Re: Locking Down Observium
You have received a message from the law firm Miller Canfield. The information contained in or attached to this electronic mail may be privileged and/or confidential. If you received this transmission and are not the intended recipient, you should not read this message and are hereby notified that any dissemination, distribution or copying of this communication and/or its attachments is strictly prohibited. If you have received this communication in error or are not sure whether it is privileged, please immediately notify us by return e-mail and delete or destroy the original and any copies, electronic, paper or otherwise, that you may have of this communication and any attachments.
I've looked at simplesaml a few times, but complex auth is a little outside of my usual field so I've never been comfortable trying to implement it without the possibility of making a horrible mess and causing security issues.
Our auth system is actually quite simple, and it's probably trivial for someone who actually understands SAML to implement, just... getting it wrong would be bad. :)
Do you know of any platforms with relatively simple auth systems that have simplesamlphp implemented already? Perhaps seeing existing implementations would be useful.
I do think the MutualTLS seems very simple to implement though, unless I'm missing something!
adam.
Ryan, Spencer J. via observium wrote on 2024-05-22 21:41:
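The web-server-handled client-cert flow Adam describes above, as an added example that is not Observium code and not code from anyone on this thread. Apache (mod_ssl) terminates the TLS handshake, verifies the client certificate against the CA it is told to trust, and exports the certificate fields into the request environment; the PHP side then only has to decide which of those fields to believe. The directives in the leading comment are real mod_ssl directives; the CA path, the pinned issuer DN, the sample environments and the function name are assumptions.

```php
<?php
/*
 * Added example, not Observium's own code: derive a username from an mTLS session
 * that the web server has already verified.
 *
 * Assumed Apache (mod_ssl) vhost fragment:
 *
 *   SSLVerifyClient      require
 *   SSLVerifyDepth       1
 *   SSLCACertificateFile /etc/ssl/private/observium-client-ca.pem   (hypothetical path)
 *   SSLOptions           +StdEnvVars
 *
 * +StdEnvVars exports SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_CN, SSL_CLIENT_I_DN and
 * friends into the request environment; under mod_php (or an FPM setup that forwards
 * them) they show up in $_SERVER.
 */

// Issuer DN of the one CA allowed to vouch for users (hypothetical value). Pinning it
// means a second CA bundled into SSLCACertificateFile cannot mint Observium logins.
// Apache 2.4 emits DNs in RFC 2253 form like this; confirm the exact string with a
// test request before relying on it.
const MTLS_TRUSTED_ISSUER = 'CN=Observium Client CA,O=Example Corp';

/**
 * Return the username asserted by the client certificate, or null to deny.
 *
 * @param array<string, mixed> $server  the request environment, normally $_SERVER
 */
function mtls_username(array $server): ?string
{
    // 1. Only server-populated SSL_* variables carry identity. HTTP_* entries are
    //    request headers chosen by the client; never read e.g. HTTP_X_CLIENT_CN here.
    foreach (['SSL_CLIENT_VERIFY', 'SSL_CLIENT_S_DN_CN', 'SSL_CLIENT_I_DN'] as $key) {
        if (!isset($server[$key]) || !is_string($server[$key])) {
            return null;
        }
    }

    // 2. Chain validation must have succeeded. NONE, GENEROUS or FAILED:... mean no
    //    usable identity (relevant if SSLVerifyClient is ever relaxed to optional).
    if ($server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return null;
    }

    // 3. Only certificates from the pinned user CA map to accounts.
    if ($server['SSL_CLIENT_I_DN'] !== MTLS_TRUSTED_ISSUER) {
        return null;
    }

    // 4. Constrain the CN to a username-shaped string before it reaches any lookup.
    $cn = $server['SSL_CLIENT_S_DN_CN'];
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $cn)) {
        return null;
    }

    return $cn;
}

// Constructed request environments for a local sanity check (not real traffic).
$verified = [
    'SSL_CLIENT_VERIFY'  => 'SUCCESS',
    'SSL_CLIENT_S_DN_CN' => 'alice',
    'SSL_CLIENT_I_DN'    => MTLS_TRUSTED_ISSUER,
];
$spoofed = ['HTTP_X_CLIENT_CN' => 'admin'];   // a request header, so it is ignored entirely
$otherCa = $verified;
$otherCa['SSL_CLIENT_I_DN'] = 'CN=Some Other CA,O=Example Corp';

var_dump(mtls_username($verified));
var_dump(mtls_username($spoofed));
var_dump(mtls_username($otherCa));
```

Of the three constructed environments only the first yields a username. The "accept the username" step really is as small as it looks; what bites in practice is on either side of it. Identity must come from the SSL_* variables the server itself populated, never from a request header, and if TLS is terminated on a separate reverse proxy that forwards the CN as a header, nothing but that proxy may be able to reach the backend. Revocation also stays the web server's job (SSLCARevocationFile and SSLCARevocationCheck in Apache): with SSLVerifyClient require a revoked or untrusted certificate never reaches PHP at all, and the SSL_CLIENT_VERIFY check above only exists so the code stays safe if that directive is later relaxed to optional.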
Let me see if I can dig one up, nothing off the top of my head.
SAML to me is very much like X.509: it seems overwhelming and has a million moving parts, but if all you need to do is generate web server certs you can ignore 99% of X.509. Same thing with SAML.
Anyway, https://simplesamlphp.org/docs/stable/simplesamlphp-sp.html
"Integrating authentication with your own application"
Looks like it's really just a few lines of code. You can require specific attributes (like user level!) to be in the SAML response and access them in the array returned by $as->getAttributes().
It seems like a fairly easy drop in for the auth system you've already written.
________________________________ Spencer J. Ryan| Manager, Technology and Infrastructure Miller Canfield T +1.313.496.7979 | F +1.313.496.7500 ________________________________
From: Adam Armstrong via observium observium@lists.observium.org Sent: Wednesday, May 22, 2024 4:47 PM To: Observium observium@lists.observium.org Cc: Adam Armstrong adama@observium.org Subject: [Observium] Re: Locking Down Observium
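Spencer's pointer above, as an added example that is not Observium code and not code from the thread: the few lines SimpleSAMLphp needs on the SP side, plus the one decision Adam is worried about getting wrong, namely what to do with the attributes once they arrive. The install path, the authsource name, the attribute names and the role values are assumptions.

```php
<?php
/*
 * Added example, not Observium's own code: SP-side SimpleSAMLphp integration in the
 * "Integrating authentication with your own application" style.
 *
 * Assumptions: SimpleSAMLphp 2.x lives at /var/simplesamlphp (hypothetical path; 1.x
 * autoloads from lib/_autoload.php instead), an authsource called 'default-sp' is
 * defined in config/authsources.php, and the IdP releases 'uid' and 'observiumRole'.
 * Those attribute names and the role values are assumptions; they are whatever your
 * IdP metadata and authproc filters actually emit.
 */
require_once '/var/simplesamlphp/src/_autoload.php';

// Constructed mapping from an IdP-released role to a privilege level. Anything not
// listed is denied rather than defaulted to the lowest level.
const SAML_ROLE_TO_LEVEL = [
    'observium-readonly' => 1,
    'observium-admin'    => 10,
];

/**
 * Decide the local identity from a SAML attribute set.
 *
 * Returns ['username' => ..., 'level' => ...] or null to deny. Deny-by-default
 * matters here: the SP cannot distinguish an IdP that forgot to release the role
 * attribute from a user who was deliberately given none, so neither gets a level.
 *
 * @param array<string, array<int, string>> $attributes  as returned by Simple::getAttributes()
 */
function saml_identity(array $attributes): ?array
{
    // SimpleSAMLphp hands back every attribute as a list of string values.
    $uids = $attributes['uid'] ?? [];
    if (count($uids) !== 1 || !is_string($uids[0])
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $uids[0])) {
        return null;                     // no single, well-formed username
    }

    $level = null;
    foreach ($attributes['observiumRole'] ?? [] as $role) {
        if (is_string($role) && array_key_exists($role, SAML_ROLE_TO_LEVEL)) {
            // A user carrying several roles gets the highest mapped level.
            $level = max($level ?? 0, SAML_ROLE_TO_LEVEL[$role]);
        }
    }
    if ($level === null) {
        return null;                     // authenticated at the IdP, not authorised here
    }

    return ['username' => $uids[0], 'level' => $level];
}

// Request flow. requireAuth() redirects to the IdP when there is no SP session and
// returns only after SimpleSAMLphp has validated the signed response against the
// IdP's metadata; the application never touches the raw assertion.
$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();

$identity = saml_identity($as->getAttributes());
if ($identity === null) {
    http_response_code(403);
    exit('Authenticated by the IdP, but the assertion carries no usable identity.');
}

// From here the existing session code would take over with $identity['username']
// and $identity['level'] in place of a password check (Observium's own user/session
// functions are not shown; this is not its API). Logout should also end the IdP
// session: $as->logout(['ReturnTo' => '/']);
```

All XML, signature and binding handling stays inside SimpleSAMLphp; the application's exposure is limited to the attribute array, which is why deny-by-default on a missing or unknown attribute is the whole of the security logic above. The same idea applies on the way in: SimpleSAMLphp's authproc filters can limit which attributes are accepted from a given IdP, so a misconfigured IdP cannot hand the application attributes it never expected.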