Conversation

@nickviola (Contributor) commented Nov 4, 2025

🗣 Description

Replace Cognito with custom SAML auth service provider logic to authenticate users and change the primary linking user attribute to OktaID instead of email address. See CRASM Ticket for detailed documentation for new endpoints and process breakdown.

Certificate and Metadata URL ENV vars for encrypted deployments will be added via new Django S3 logic process (CRASM-2599)

New SAML endpoints (See CRASM Ticket for detailed documentation):

  1. GET /saml/metadata
  2. GET /saml/login
  3. POST /saml/acs
  4. GET /saml/logout

New auth flowchart:

[Image: auth-flow]

💭 Motivation and context

This removes the need for additional third party user pool configuration/management and decreases the failure point surface for authentication. This will allow us to remove the third party Cognito dependency and keep the authentication flow completely in the backend with direct SAML authentication with Okta. This also allows us to control the user upsert process and primary linking keys (OktaID vs NameID/Email).

🧪 Testing

Authentication flow from a UI perspective should not change. Locally, you will need to make sure you have the OKTA_METADATA_URL added to your local env. This URL will be shared with the team for testing.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

@nickviola nickviola self-assigned this Nov 4, 2025
@nickviola nickviola marked this pull request as ready for review November 18, 2025 22:02
@cduhn17 (Collaborator) left a comment

See comments

@nickviola (Contributor, Author) commented:

Known Frontend CI failures that are being addressed in other tickets:

Linter issues: https://maestro.dhs.gov/jira/browse/CRASM-3437
Logger syntax issue: https://maestro.dhs.gov/jira/browse/CRASM-3384
Regression Testing: https://maestro.dhs.gov/jira/browse/CRASM-3434

validate_json_serialization,
)

logging.basicConfig(level=logging.INFO)
Collaborator commented:

I think there is already a basicConfig in settings.py. In practice, a single basicConfig is desirable in Django; having more than one can cause unexpected results.

raise RuntimeError("OKTA_SAML_METADATA_URL is not set")

# Fetch & parse IdP metadata
idp_data = _SamlConfig.idp_parser.parse_remote(OKTA_METADATA_URL)
Collaborator commented:

Validate the URL before passing it into parse_remote. Wrap parse_remote in a try/except and log a clear error, then raise a controlled RuntimeError with a generic message, not the full stack trace or URL.
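One way to implement the two points in the comment above (validate the URL first, then wrap the remote fetch so callers only see a generic error while the real cause goes to the server log). This is an added example, not code from the PR: `validate_metadata_url` and `load_idp_metadata` are names chosen here, and the `fetch` callable stands in for the PR's `idp_parser.parse_remote`, which is assumed to be python3-saml's `OneLogin_Saml2_IdPMetadataParser.parse_remote`.

```python
import logging
from collections.abc import Mapping
from typing import Callable
from urllib.parse import urlsplit

logger = logging.getLogger(__name__)

# Assumed stand-in for the PR's idp_parser.parse_remote (python3-saml's
# OneLogin_Saml2_IdPMetadataParser.parse_remote): any callable that takes
# the metadata URL and returns the parsed IdP settings mapping.
MetadataFetcher = Callable[[str], Mapping]


def validate_metadata_url(url: str) -> str:
    """Accept only an absolute https URL with a host and no embedded credentials."""
    if not url or not url.strip():
        raise ValueError("metadata URL is empty")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("metadata URL must use https")
    if not parts.hostname:
        raise ValueError("metadata URL has no host")
    if parts.username or parts.password:
        raise ValueError("metadata URL must not embed credentials")
    return url.strip()


def load_idp_metadata(url: str, fetch: MetadataFetcher) -> Mapping:
    """Fetch IdP metadata; log the real cause, raise only a generic error."""
    try:
        safe_url = validate_metadata_url(url)
    except ValueError as exc:
        logger.error("Rejected OKTA_METADATA_URL: %s", exc)
        raise RuntimeError("SAML IdP metadata URL is invalid") from None
    try:
        idp_data = fetch(safe_url)
    except Exception:
        # Traceback and URL stay in server-side logs; callers get no detail.
        logger.exception("Failed to fetch or parse SAML IdP metadata")
        raise RuntimeError("SAML IdP metadata could not be loaded") from None
    # python3-saml returns {"idp": {...}}; anything else is unusable.
    if not isinstance(idp_data, Mapping) or "idp" not in idp_data:
        logger.error("SAML IdP metadata response lacks an 'idp' section")
        raise RuntimeError("SAML IdP metadata could not be loaded")
    return idp_data
```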
