# LDAP & SAML API Conversion Summary

## Conversion Completed ✅
All LDAP and SAML authentication endpoints have been converted to POST for end-to-end encryption compliance.
## Endpoint Summary

### LDAP Endpoints

| Endpoint | Method | Purpose |
|---|---|---|
| /auth/ldap/config | POST | Fetch LDAP config (empty body) or create/update (with JSON) |
| /auth/ldap/login | POST | Authenticate via LDAP |
### SAML Endpoints

| Endpoint | Method | Purpose |
|---|---|---|
| /auth/saml/config | POST | Fetch SAML config (empty body) or create/update (with JSON) |
| /auth/saml/login | POST | Initiate SAML login flow |
| /auth/saml/acs | POST | SAML Assertion Consumer Service |
| /auth/saml/metadata | GET or POST | Retrieve SP metadata (GET for IdP, POST for E2E encryption) |
### Unified Endpoint

| Endpoint | Method | Purpose |
|---|---|---|
| /auth/third-party/login | POST | Unified LDAP/SAML login endpoint |
## Key Changes

### 1. Config Endpoints Unified
Before:
- GET /auth/ldap/config - Fetch only
- PUT /auth/ldap/config - Create/update only
- GET /auth/saml/config - Fetch only
- PUT /auth/saml/config - Create/update only
After:
- POST /auth/ldap/config - Fetch (empty body) OR create/update (with payload)
- POST /auth/saml/config - Fetch (empty body) OR create/update (with payload)
### 2. SAML Metadata Made Flexible
Before:
- GET /auth/saml/metadata only
After:
- GET /auth/saml/metadata - For external IdP compatibility
- POST /auth/saml/metadata - For E2E encrypted clients
### 3. All User-Facing Endpoints POST
All endpoints that require authentication or send encrypted payloads now use POST:
- ✅ POST /auth/ldap/login
- ✅ POST /auth/saml/login
- ✅ POST /auth/saml/acs
- ✅ POST /auth/ldap/config
- ✅ POST /auth/saml/config
- ✅ POST /auth/third-party/login
## Implementation Details

### Config Endpoint Logic
Both /auth/ldap/config and /auth/saml/config now handle both operations:
```python
from typing import Optional

# `r` (the router), `schemas`, `CustomRequest`, `upsert_ldap_config` and
# `get_ldap_config` are the project's own objects, imported elsewhere in the module.


@r.post("/ldap/config")
def ldap_config(request: CustomRequest, payload: Optional[schemas.LDAPConfigIn] = None):
    """Fetch or update LDAP configuration

    POST with no body = fetch config
    POST with JSON body = create/update config
    """
    db = request.state.db_session
    # Check if this is an update request (has payload)
    if payload and any([payload.uri, payload.bind_dn, payload.base_dn]):
        # Update config
        upsert_ldap_config(db, **payload.dict(exclude_none=True))
        db.commit()
        return {"status": "success"}
    else:
        # Fetch config
        cfg = get_ldap_config(db)
        if not cfg:
            return {}
        return {...}  # config fields returned to the client (elided in this summary)
```
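A standalone model of this fetch-or-update dispatch, added here as an example (not the project's code), with an in-memory dict standing in for the database session and a dataclass standing in for `schemas.LDAPConfigIn` (field set assumed). It shows the fetch path redacting `bind_password` from the response, and the edge case the heuristic above implies: a body that carries only `bind_password` is classified as a fetch, so a rotated secret is silently discarded.

```python
from dataclasses import asdict, dataclass
from typing import Any, Dict, Optional

# Fields that must never be echoed back to a client on a fetch.
SECRET_FIELDS = {"bind_password"}


@dataclass
class LDAPConfigIn:
    """Stand-in for schemas.LDAPConfigIn (assumed field set)."""
    uri: Optional[str] = None
    bind_dn: Optional[str] = None
    base_dn: Optional[str] = None
    bind_password: Optional[str] = None


def is_update(payload: Optional[LDAPConfigIn]) -> bool:
    """The page's heuristic: a body carrying any of the three identifying
    fields is an update; an absent body, or one without them, is a fetch."""
    return payload is not None and any([payload.uri, payload.bind_dn, payload.base_dn])


def upsert_ldap_config(store: Dict[str, Any], **fields: Any) -> None:
    """In-memory replacement for the project's DB upsert."""
    store.update(fields)


def handle_ldap_config(payload: Optional[LDAPConfigIn], store: Dict[str, Any]) -> Dict[str, Any]:
    """Model of POST /auth/ldap/config: fetch-or-update on one verb."""
    if is_update(payload):
        fields = {k: v for k, v in asdict(payload).items() if v is not None}
        upsert_ldap_config(store, **fields)
        return {"status": "success"}
    # Fetch path. Redact secrets so bind_password never appears in a response body.
    if not store:
        return {}
    return {k: v for k, v in store.items() if k not in SECRET_FIELDS}


if __name__ == "__main__":
    db: Dict[str, Any] = {}  # constructed in-memory "database"
    print(handle_ldap_config(None, db))  # {} : nothing stored yet
    print(handle_ldap_config(LDAPConfigIn(uri="ldap://ldap.example.com",
                                          bind_dn="cn=admin,dc=example,dc=com",
                                          bind_password="admin"), db))
    print(handle_ldap_config(None, db))  # bind_password is redacted
    # Edge case: a body with only bind_password is classified as a *fetch*,
    # so the new secret is silently dropped and the old one stays in place.
    print(handle_ldap_config(LDAPConfigIn(bind_password="rotated"), db))
    print(db["bind_password"])  # still "admin"
```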
### Metadata Endpoint Flexibility

```python
@r.get("/saml/metadata")
def get_saml_metadata():
    """For IdP compatibility (external fetch)"""
    # ... returns XML metadata


@r.post("/saml/metadata")
def post_saml_metadata():
    """For E2E encrypted clients"""
    # ... returns XML metadata (same implementation)
```
## Usage Examples

### Fetch LDAP Config (POST with empty body)

### Update LDAP Config (POST with JSON)
```bash
curl -X POST http://localhost:8000/auth/ldap/config \
  -H "Content-Type: application/json" \
  -d '{
    "uri": "ldap://ldap.example.com",
    "bind_dn": "cn=admin,dc=example,dc=com",
    "bind_password": "admin"
  }'
```
### Login via LDAP
```bash
curl -X POST http://localhost:8000/auth/ldap/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'method=ldap&username=john.doe&password=password123'
```
### Get SAML Metadata (POST)

### Initiate SAML Login
```bash
curl -X POST http://localhost:8000/auth/saml/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'relay_state=http://app.example.com/dashboard'
```
## Benefits

- ✅ End-to-End Encryption - All sensitive data can be encrypted in request bodies
- ✅ Consistent API - All endpoints use the same HTTP method
- ✅ Query String Flexibility - No sensitive data in URLs
- ✅ Backward Compatible - GET /saml/metadata still works for external IdPs
- ✅ Intelligent Routing - Config endpoints handle both fetch and update
- ✅ Secure - Passwords and keys never appear in URLs or response bodies
## Testing
See LDAP_SAML_WORKFLOW.md for complete testing documentation.
Run tests:
## Documentation Files
- LDAP_SAML_WORKFLOW.md - Complete workflow documentation with curl examples
- LDAP_SAML_API_REFERENCE.md - Detailed API endpoint reference
- test_ldap_saml_integration.py - Comprehensive test suite