smclinden opened 2 years ago
Ok, so did anyone even TEST the SAML configuration for ADFS? It doesn't seem so.
SAML with active directory works well for a lot of users. Can you share your saml configuration?
"providers": {
  "saml": {
    "identifier": "saml",
    "strategy": "SamlStrategy",
    "config": {
      "issuer": "opencti",
      "entry_point": "https://login.microsoftonline.com/e0.../saml2",
      "saml_callack_url": "https://opencti.domain:4000/auth/saml/callback",
      "callback_url": "https://openct.domain:4000/auth/saml/callback",
      "authnContext": [
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509"
      ],
      "cert": "MIIC8DCC...vA3r",
      "roles_management": {
        "role_attributes": [ "Role" ],
        "roles_mapping": [ "ADGroup" ]
      }
    }
  },
  "local": {
    "strategy": "LocalStrategy",
    "config": { "disabled": true }
  }
}
Note that I tried different authnContexts. But itself, the authenticationmethod/windows came closest but rejected it because the login required MFA.
When I tried various others, it went to saml/consume rather than auth/saml/callback.
Could you try with saml_callback_url instead of saml_callack_url (missing b)? [+ remove callback_url] For info authnContext is not supported officially. If the option is taken into account with a file it could not work in env vars.
It seems to make a difference WRT how the call is handled. I removed it and did as you suggested, and it accepted my login credentials and brought me back to the login page.
I had to take localStrategy out because it was trying to login every couple of milliseconds!
I could not get into the real dashboard. Just back to the login page where SAML was the only option because localStrategy was denied.
{"auth":{"ip":"172.20..x.y","referer":"https://login.microsoftonline.com/"},"category":"AUDIT","level":"error","message":"LOG IN","resource":{"error":"Restricted access, ask your administrator","provider":"saml"},"timestamp":"2022-10-10T12:56:21.676Z"," version":"5.3.15"}
For that you need to correctly set up the roles_management part. If this config is set up and the mapping cannot find any correct mapping the user will not be able to connect.
"roles_management": {
"role_attributes": ["Role"],
"roles_mapping": ["asso_limeo_founder:Administrator"]
}
Roles mapping must be 'external-role:internal-role'
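As an added example (not OpenCTI's own code; the lookup logic is my assumption of how the mapping behaves), here is how a roles_mapping list in the 'external-role:internal-role' form resolves the role attributes carried in a SAML assertion, and why an entry such as "ADGroup" with no ':' leaves the user with "Restricted access" instead of a dashboard:

```javascript
const RESTRICTED = 'Restricted access, ask your administrator';

// Parse the roles_mapping list into a lookup from external role -> internal role.
// Entries without a ':' separator are reported: "ADGroup" alone maps to nothing.
function parseRolesMapping(rolesMapping) {
  const map = new Map();
  const invalid = [];
  for (const entry of rolesMapping) {
    const idx = entry.indexOf(':');
    if (idx <= 0 || idx === entry.length - 1) {
      invalid.push(entry);
      continue;
    }
    map.set(entry.slice(0, idx).trim(), entry.slice(idx + 1).trim());
  }
  return { map, invalid };
}

// Collect every value of the configured role attributes from the SAML profile.
// A value may be a single string or an array (a user in several AD groups).
function externalRoles(profile, roleAttributes) {
  const roles = [];
  for (const attr of roleAttributes) {
    const value = profile[attr];
    if (value === undefined || value === null) continue;
    roles.push(...(Array.isArray(value) ? value : [value]));
  }
  return roles;
}

// Resolve internal roles for a login; deny when no external role maps to one.
function resolveLogin(rolesManagement, profile) {
  const { map, invalid } = parseRolesMapping(rolesManagement.roles_mapping);
  const internal = new Set();
  for (const ext of externalRoles(profile, rolesManagement.role_attributes)) {
    if (map.has(ext)) internal.add(map.get(ext));
  }
  if (internal.size === 0) {
    return { ok: false, error: RESTRICTED, invalidMappings: invalid };
  }
  return { ok: true, roles: [...internal], invalidMappings: invalid };
}

// Constructed sample input: the mapping from the issue ("ADGroup", no ':')
// beside a corrected one, both checked against the same assertion attribute.
const profile = { Role: ['ADGroup', 'Domain Users'] };
const brokenConfig = { role_attributes: ['Role'], roles_mapping: ['ADGroup'] };
const fixedConfig = { role_attributes: ['Role'], roles_mapping: ['ADGroup:Administrator'] };
console.log(resolveLogin(brokenConfig, profile).error, '|', resolveLogin(fixedConfig, profile).roles);
```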
Description
SAML authentication to ADFS does not appear to be working according to manual install instructions. This was moved from a Question to a Bug
Expected Output
SAML authentication should work
Actual Output
According to the passport saml-too source code, the default callback should be "host:port://saml/consume" unless other options are provided.
But using the sample configuration in the documentation for Manual Install, the argument to saml_callback_url which uses the path auth/:protocol/callback isn't being used by passport saml since the error message implies that the default URL is being used.
There seems to be a mismatch between the configuration in the documentation and what is expected by passport saml. In particular,
doesn't exist.
The error message, above, is generated when I access
suggesting that the callback URL value in the config is not being passed to passport.