chrodriguez / redmine_omniauth_saml

Plugin that adds SAML authentication support for Redmine
GNU General Public License v2.0

Internal error after SAML login #21

Closed rozmarbeka closed 7 years ago

rozmarbeka commented 7 years ago

The communication is OK between my SSO and Redmine instance, but I have the following error when I get redirected to http://issues.bud01.atlasoft.lan/auth/saml. I can check the SAML response in Chrome's SAML plugin; it's OK, but I'm not sure that my attribute mapping is correct.

I have the following in the production.log:

Started POST "/auth/saml/callback" for 192.168.1.43 at 2016-10-28 10:56:50 +0200
Processing by AccountController#login_with_saml_callback as HTML
  Parameters: {"SAMLResponse"=>"PHNhbWxwOlJlc3BvbnNlIH ...", "provider"=>"saml"}
  Current user: anonymous
Completed 500 Internal Server Error in 3ms (ActiveRecord: 0.5ms)

RuntimeError (Redmine::OmniAuthSAML must be configured from an initializer. See README of redmine_omniauth_saml for instructions):
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'

My config looks like as follows:

RedmineSAML = HashWithIndifferentAccess.new(
    :assertion_consumer_service_url => "http://issues.bud01.atlasoft.lan/auth/saml/callback", # The redmine application hostname
    :issuer                         => "http://issues.bud01.atlasoft.lan",   # The issuer name
    :idp_sso_target_url             => "http://auth.bud01.atlasoft.lan/simplesaml/saml2/idp/SSOService.php",
    :idp_cert_fingerprint           => "7B:FB:41:E0:83:04:ED:23:6F:69:0C:E8:51:4E:B2:99:FE:FB:7A:1F", # SSL fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
    :name_identifier_value          => "email",
    :logout_admin                   => "http://auth.bud01.atlasoft.lan/simplesaml/saml2/idp/SingleLogoutService.php", # SSO logout
    :attribute_mapping              => {
    # How will we map attributes from SSO to redmine attributes
      :username      => 'extra.raw_info.username',
      :username  => 'extra.raw_info.first_name',
      :username   => 'extra.raw_info.last_name',
      :email       => 'extra.raw_info.personal_email'
    }
)

rozmarbeka commented 7 years ago

I also tried the attribute mapping this way:

:attribute_mapping              => {
    # How will we map attributes from SSO to redmine attributes
    :login      => 'extra.raw_info.username',
    :firstname  => 'extra.raw_info.username',
    :lastname   => 'extra.raw_info.username',
    :mail       => 'extra.raw_info.email',
    :uid        => 'extra.raw_info.email',
}

chrodriguez commented 7 years ago

What was the problem? Did you find it out?

rozmarbeka commented 7 years ago

Yes, thanks. I was mixing up the configs between version 3.0 and 2.0. At the beginning we started with version 2.5, and I filled that out and copied that version :/

I'm facing an attribute mapping issue now, but I think it will be solved soon.

Nice job BTW!

rozmarbeka commented 7 years ago

Could you tell me, e.g., what :login and extra.raw_info.username mean? Is the key a Ruby variable name, and is the value coming from the SSO server?

rozmarbeka commented 7 years ago

It found the email but complains about a missing identifier, firstname and lastname with this config:

:attribute_mapping              => {
    :login      => 'extra.raw_info.username',
    :firstname  => 'extra.raw_info.firstname',
    :lastname   => 'extra.raw_info.lastname',
    :mail       => 'extra.raw_info.email',
}

I put every attribute into the SAML response (username, firstname, lastname, email).

rozmarbeka commented 7 years ago

I had to append the :firstname, :lastname and :login attributes at redmine_omniauth_saml.rb line 83 to get user creation to work. I think it should work without that, or is this normal?

def required_attribute_mapping
  [ :mail, :firstname, :lastname, :login ]
end
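
To make the mapping semantics concrete, here is an added example (not code from redmine_omniauth_saml): the key of each mapping entry is the Redmine User attribute to fill, and the value is a dotted path into the OmniAuth auth hash built from the IdP's assertion attributes. It resolves such paths against a constructed auth hash and reports which required attributes the assertion did not supply; the hash shape and the required-attribute list are assumptions taken from this thread, not the plugin's own API.

```ruby
# Resolve a dotted path such as 'extra.raw_info.username' against the
# OmniAuth auth hash. Returns nil if any segment is missing.
def resolve_path(auth, path)
  path.split('.').reduce(auth) do |node, key|
    node.is_a?(Hash) ? (node[key] || node[key.to_sym]) : nil
  end
end

# Attributes Redmine's User model needs before a new account can be
# saved (assumed from the required_attribute_mapping shown above).
REQUIRED_ATTRIBUTES = [:mail, :firstname, :lastname, :login].freeze

# Build the Redmine user attributes from the mapping and report which
# required ones were not found in the assertion.
def map_attributes(auth, mapping)
  attrs = mapping.each_with_object({}) do |(redmine_attr, path), h|
    value = resolve_path(auth, path)
    h[redmine_attr] = value unless value.nil?
  end
  missing = REQUIRED_ATTRIBUTES - attrs.keys
  [attrs, missing]
end

# Constructed auth hash (sample data, not a real assertion): SAML
# attributes are assumed to land under extra.raw_info.
AUTH_HASH = {
  'provider' => 'saml',
  'uid' => 'jdoe@example.test',
  'extra' => {
    'raw_info' => {
      'username'  => 'jdoe',
      'email'     => 'jdoe@example.test',
      'firstname' => 'Jane'
      # 'lastname' deliberately absent to trigger the missing report
    }
  }
}.freeze

MAPPING = {
  login: 'extra.raw_info.username',
  firstname: 'extra.raw_info.firstname',
  lastname: 'extra.raw_info.lastname',
  mail: 'extra.raw_info.email'
}.freeze

if __FILE__ == $0
  attrs, missing = map_attributes(AUTH_HASH, MAPPING)
  puts "mapped: #{attrs.inspect}"
  puts "missing required attributes: #{missing.inspect}" unless missing.empty?
end
```

If the IdP does not send one of the required attributes, the missing list names it, which is the same situation the "missing identifier, firstname and lastname" complaint above describes.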

chrodriguez commented 7 years ago

The last PR broke this functionality:

https://github.com/chrodriguez/redmine_omniauth_saml/commit/f7c17d6721ae143a46fff06f245ca5926e346a47

I'm going to revert it.

Thanks for your contribution!

rozmarbeka commented 7 years ago

And what if someone's SSO just sends :mail and they don't want to create users based on these values, like me, but just log in? They won't be able to log in without these attributes. Or am I wrong?

chrodriguez commented 7 years ago

These are requirements from the User model: https://github.com/redmine/redmine/blob/master/app/models/user.rb#L108

I can't confirm mail is a requirement...

rozmarbeka commented 7 years ago

I'm talking about that: what was the purpose of the PR you mentioned?

marquicus commented 3 years ago

I got this error at runtime when I put the config file inside the /config folder; when I put it in /config/initializers the issue was solved:

<rails root>/config/initializers/saml.rb