DataShades / ckanext-saml2

SAML2 Authentication extension for CKAN

ADFS Integration documentation #94

Closed SergK closed 4 months ago

SergK commented 6 years ago

Hi,

Is there any documentation on how to integrate this plugin with an ADFS server? I have an issue with an endless loop, which looks like:

... ckan/user/login -> adfs -> ckan/user/logout -> adfs -> ...

I'm not a saml2 guru; maybe some logs can help:

2017-11-24 10:38:04,110 DEBUG [saml2.response] --- AVA: {'http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0': [u'75U2HEMXzhf4MExmir4mVERoW02SEIX__xx0PTnb01U'], 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': [u'J.Doe@example.com']}
2017-11-24 10:38:04,112 INFO  [saml2.client_base] --- ADDED person info ----
2017-11-24 10:38:04,112 INFO  [saml2.s2repoze.plugins.sp] Session_info: {'authn_info': [('urn:federation:authentication:windows', [], '2017-11-24T10:37:59.579Z')], 'name_id': <saml2.saml.NameID object at 0x7f0ea111be10>, 'not_on_or_after': 1511523479, 'session_index': '_3d0d0786-484e-4a7b-bd0a-3080f867d4e2', 'came_from': None, 'ava': {'http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0': [u'75U2HEMXzhf4MExmir4mVERoW02SEIX__xx0PTnb01U'], 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': [u'J.Doe@example.com']}, 'issuer': 'http://example.com/adfs/services/trust'}
2017-11-24 10:38:04,112 DEBUG [saml2.s2repoze.plugins.sp] Identity: {'login': '2=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient,4=EXAMPLE%5Cjdoe', 'password': '', 'repoze.who.userid': '2=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient,4=EXAMPLE%5Cjdoe', 'user': {'http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0': [u'75U2HEMXzhf4MExmir4mVERoW02SEIX__xx0PTnb01U'], 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': [u'J.Doe@example.com']}}
2017-11-24 10:38:04,117 DEBUG [ckan.lib.authenticator] Login failed - username '2=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient,4=EXAMPLE%5Cjdoe' not found
2017-11-24 10:38:04,121 DEBUG [ckanext.saml2] REMOTE_USER = "2=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient,4=EXAMPLE%5Cjdoe"
2017-11-24 10:38:04,121 DEBUG [ckanext.saml2] NameId: EXAMPLE\\jdoe
2017-11-24 10:38:04,124 DEBUG [ckanext.saml2] repoze.who.identity = {'authenticator': <saml2.s2repoze.plugins.sp.SAML2Plugin object at 0x7f0ea0def3d0>, 'repoze.who.userid': '2=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient,4=EXAMPLE%5Cjdoe', 'password': '', 'user': {'http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0': [u'75U2HEMXzhf4MExmir4mVERoW02SEIX__xx0PTnb01U'], 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': [u'J.Doe@example.com']}, 'login': '2=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient,4=EXAMPLE%5Cjdoe', 'identifier': <saml2.s2repoze.plugins.sp.SAML2Plugin object at 0x7f0ea0def3d0>}
2017-11-24 10:38:04,126 ERROR [ckanext.saml2] Couldn't create or update user account ID:
2017-11-24 10:38:04,126 ERROR [ckanext.saml2] Error 'email'
2017-11-24 10:38:04,166 DEBUG [ckan.config.middleware.pylons_app] Pylons route match: {'action': u'read', 'controller': u'user', 'id': u'logout'} Origin: core
2017-11-24 10:38:04,167 DEBUG [ckan.config.middleware] Route support answers for GET /user/logout: [(False, 'flask_app'), (True, 'pylons_app', 'core')]

SergK commented 6 years ago

https://github.com/DataShades/ckanext-saml2/blob/link-master/ckanext/saml2/plugin.py#L412 expects to see 'email' in the dict; instead I have http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

SergK commented 6 years ago

ok, this issue was fixed by:

  1. using a custom claim rule

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("email", "id", "name"), query = ";mail,sAMAccountName,sn;{0}", param = c.Value);
  2. adding the email field; otherwise user creation will fail: data_dict['email'] = saml_info['email'][0] https://github.com/DataShades/ckanext-saml2/blob/link-master/ckanext/saml2/plugin.py#L415
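An added illustration (not code from the ckanext-saml2 project or from this thread) of the two things the log above exposes: ADFS emitting long claim URIs where the plugin reads short keys such as 'email', which ends in a bare KeyError and the login/logout loop, and the URL-encoded numbered fields in the REMOTE_USER value. The claim-to-key mapping and the set of required attributes are assumptions chosen to match the custom claim rule in the comment.

```python
from urllib.parse import unquote

# Default ADFS claim URIs (two of these appear in the AVA in the log above)
# mapped to the short attribute names the custom claim rule issues. Which
# URIs to map and which names are required are assumptions for this example.
ADFS_CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname": "id",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "name",
}
REQUIRED_ATTRIBUTES = ("email", "id")


class MissingSamlAttribute(Exception):
    """Readable reason instead of the bare KeyError 'email' seen in the log."""


def normalize_ava(ava):
    """Map an attribute-value assertion dict to short keys.

    Keys that are already short (issued by the custom claim rule) pass
    through; unknown long claim URIs are kept verbatim but never satisfy
    a required attribute.
    """
    normalized = {ADFS_CLAIM_MAP.get(claim, claim): list(values)
                  for claim, values in ava.items()}
    missing = [name for name in REQUIRED_ATTRIBUTES if not normalized.get(name)]
    if missing:
        raise MissingSamlAttribute(
            "SAML assertion lacks required attribute(s): " + ", ".join(missing))
    return normalized


def parse_repoze_userid(userid):
    """Split the REMOTE_USER value from the log ('N=value' pairs separated by
    commas, each value URL-encoded) into a dict keyed by field number; in the
    log, field 2 is the NameID format and field 4 the NameID text."""
    fields = {}
    for part in userid.split(","):
        number, _, value = part.partition("=")
        fields[number] = unquote(value)
    return fields


# Constructed sample with only the two attributes the log shows: no 'id', so
# normalize_ava() rejects it with a reason instead of a KeyError.
SAMPLE_AVA = {
    "http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid1.0": ["x"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["J.Doe@example.com"],
}
```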