Pin Zulip SAML ACS to https

Force https-only Zulip SAML login
2026-04-19 01:49:25 -07:00 · 2026-04-19 01:43:43 -07:00
1 changed files with 15 additions and 1 deletions
--- a/nixos/modules/burrow-zulip.nix
+++ b/nixos/modules/burrow-zulip.nix
@ -340,13 +340,27 @@ services:
      SETTING_ZULIP_ADMINISTRATOR: "${cfg.administratorEmail}"
      TRUST_GATEWAY_IP: "True"
      SETTING_SEND_LOGIN_EMAILS: "False"
-      ZULIP_AUTH_BACKENDS: "EmailAuthBackend,SAMLAuthBackend"
+      ZULIP_AUTH_BACKENDS: "SAMLAuthBackend"
      CONFIG_application_server__http_only: true
      CONFIG_application_server__nginx_listen_port: ${toString cfg.port}
      CONFIG_application_server__queue_workers_multiprocess: false
      ZULIP_CUSTOM_SETTINGS: |
        EMAIL_BACKEND = "django.core.mail.backends.filebased.EmailBackend"
        EMAIL_FILE_PATH = "/data/logs/emails"
+        EXTERNAL_URI_SCHEME = "https://"
+        SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+        USE_X_FORWARDED_HOST = True
+        SESSION_COOKIE_SECURE = True
+        CSRF_COOKIE_SECURE = True
+        SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
+        SOCIAL_AUTH_SAML_REDIRECT_IS_HTTPS = True
+        SOCIAL_AUTH_SAML_SP_ENTITY_ID = "https://${cfg.domain}"
+        SOCIAL_AUTH_SAML_SP_EXTRA = {
+            "assertionConsumerService": {
+                "url": "https://${cfg.domain}/complete/saml/",
+                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+            },
+        }
        SOCIAL_AUTH_SAML_ORG_INFO = {
            "en-US": {
                "displayname": "Burrow Zulip",
Author	SHA1	Message	Date
Conrad Kramer	78d83c5079	Pin Zulip SAML ACS to https Some checks failed Build Rust / Cargo Test (push) Successful in 3m55s Details Build Site / Next.js Build (push) Failing after 2s Details Lint Governance / BEP Metadata (push) Successful in 0s Details	2026-04-19 01:49:25 -07:00
Conrad Kramer	4c3dcdd17b	Force https-only Zulip SAML login	2026-04-19 01:43:43 -07:00