chrodriguez / redmine_omniauth_saml

Plugins that adds SAML authentication support for "Redmine"
GNU General Public License v2.0
38 stars 56 forks source link

Proper configuration for Active Directory Federation services? #28

Open ssido68 opened 7 years ago

ssido68 commented 7 years ago

Hello there,

I've been trying to get the proper configuration for authenticating users towards our ADFS server with no luck so far. Has anyone achieved that already? Here's what I got so far:

saml.rb: Redmine::OmniAuthSAML::Base.configure do |config| config.saml = { :assertion_consumer_service_url => "https://redmine..com/auth/saml/callback", # OmniAuth callback URL :issuer_name => "https://redmine..com", :issuer => "https://redmine..com", # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec. :idp_sso_target_url => "https://.com/adfs/ls/", # SSO login endpoint :idp_cert_fingerprint => "", # SSO ssl certificate fingerprint :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", :idp_slo_target_url => "http://sso.example.com/saml2/idp/SingleLogoutService.php", :name_identifier_value => "name_id", # Which redmine field is used as name_identifier_value for SAML logout :attribute_mapping => {

How will we map attributes from SSO to redmine attributes

 :login      => 'extra.raw_info.username',
 :mail       => 'extra.raw_info.email',
 :firstname => 'extra.raw_info.firstname',
 :lastname => 'extra.raw_info.lastname',
 :name_id => 'extra.raw_info.nameidentifier'

} }

the ADFS claim rules brings SAM-Account-Name through a transform claim to Name ID in Persistent identifier format.

end result on redline when clicking the login with SAML button: translation missing: en.notice_account_invalid_creditentials. You may want to close SSO session before trying an other username.

thanks!

ssido68 commented 7 years ago

So after some more digging I managed to sort my issue out with ADFS 2012 R2.

perhaps this will help someone in the future, so here are the changes I had to make:

saml.rb: Redmine::OmniAuthSAML::Base.configure do |config| config.saml = { :assertion_consumer_service_url => "https://redmine. company intranet.com/auth/saml/callback", # OmniAuth callback URL :issuer => "https://redmine. company intranet.com", # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec. :idp_sso_target_url => "https:// company adfs.com/adfs/ls/", # SSO login endpoint :idp_cert_fingerprint => "certificate thumprint", # SSO ssl certificate fingerprint :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:email", :name_identifier_value => "email",

Optional signout URL :idp_slo_target_url => "http://sso.example.com/saml2/idp/SingleLogoutService.php",

:attribute_mapping => { :username => 'extra.raw_info.NameID', :login => 'extra.raw_info.username', :mail => 'extra.raw_info.emailaddress', :firstname => 'extra.raw_info.givenname', :lastname => 'extra.raw_info.surname', :email => 'extra.raw_info.emailaddress', } }

and on the adfs side, had to create customized rules: Claim rule 1: read information from AD

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("givenname", "emailaddress", "surname"), query = ";givenName,mail,sn;{0}", param = c.Value);

Claim rule 2: transform name id

c:[Type == "emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:email");

with that the signing in works properly.

chrodriguez commented 7 years ago

Thanks for sharing. I think we could create a wiki with this expriences...

mriedmann commented 7 years ago

@ssido68 is there any chance that you could test your setup against an ADFS 4.0? If pretty lost here

I'am using the config posted above and my ADFS already gives me a "valid-looking" saml-response, but after posting it to redmine (3.3.0) I only get redircted to /auth/failure?message=invalid_ticket&origin=....

Is there a way to enable some debugging on this plugin? I don't see any error messages in any logfiles (not even with debug logging enabled).

Any ideas would be appreciated. Thanks!