ssido68
commented
7 years ago So after some more digging I managed to sort my issue out with ADFS 2012 R2.
perhaps this will help someone in the future, so here are the changes I had to make:
saml.rb: Redmine::OmniAuthSAML::Base.configure do |config| config.saml = { :assertion_consumer_service_url => "https://redmine. company intranet.com/auth/saml/callback", # OmniAuth callback URL :issuer => "https://redmine. company intranet.com", # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec. :idp_sso_target_url => "https:// company adfs.com/adfs/ls/", # SSO login endpoint :idp_cert_fingerprint => "certificate thumprint", # SSO ssl certificate fingerprint :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:email", :name_identifier_value => "email",
Optional signout URL :idp_slo_target_url => "http://sso.example.com/saml2/idp/SingleLogoutService.php",
:attribute_mapping => { :username => 'extra.raw_info.NameID', :login => 'extra.raw_info.username', :mail => 'extra.raw_info.emailaddress', :firstname => 'extra.raw_info.givenname', :lastname => 'extra.raw_info.surname', :email => 'extra.raw_info.emailaddress', } }
and on the adfs side, had to create customized rules: Claim rule 1: read information from AD
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("givenname", "emailaddress", "surname"), query = ";givenName,mail,sn;{0}", param = c.Value);Claim rule 2: transform name id
c:[Type == "emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:email");with that the signing in works properly.
chrodriguez
mriedmann
Hello there,
I've been trying to get the proper configuration for authenticating users towards our ADFS server with no luck so far. Has anyone achieved that already? Here's what I got so far:
saml.rb: Redmine::OmniAuthSAML::Base.configure do |config| config.saml = { :assertion_consumer_service_url => "https://redmine..com/auth/saml/callback", # OmniAuth callback URL
:issuer_name => "https://redmine..com",
:issuer => "https://redmine..com", # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec.
:idp_sso_target_url => "https://.com/adfs/ls/", # SSO login endpoint
:idp_cert_fingerprint => "", # SSO ssl certificate fingerprint
:name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
:idp_slo_target_url => "http://sso.example.com/saml2/idp/SingleLogoutService.php",
:name_identifier_value => "name_id", # Which redmine field is used as name_identifier_value for SAML logout
:attribute_mapping => {
How will we map attributes from SSO to redmine attributes
} }
the ADFS claim rules brings SAM-Account-Name through a transform claim to Name ID in Persistent identifier format.
end result on redline when clicking the login with SAML button:
translation missing: en.notice_account_invalid_creditentials. You may want to close SSO session before trying an other username.thanks!