chrodriguez / redmine_omniauth_saml

Plugins that adds SAML authentication support for "Redmine"
GNU General Public License v2.0

Invalid Credentials [ en.notice_account_invalid_creditentials ] #38

Open SecurityInMind opened 6 years ago

SecurityInMind commented 6 years ago

Hi,

We are experiencing some troubles with getting this plugin to work with our Redmine, below you can find related details:

Environment:
  Redmine version    3.4.3.stable
  Ruby version       2.2.5-p319 (2016-04-26) [x86_64-linux]
  Rails version      4.2.8
  Environment        production
  Database adapter   Mysql2
SCM:
  Subversion         1.6.11
  Git                1.7.1
  Filesystem
Redmine plugins:
  redmine_omniauth_saml 0.0.1

Our saml.rb file

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "http://redmine.local/auth/saml/callback", # OmniAuth callback URL
    :issuer                         => "http://redmine.local", # The issuer name / entity ID. Must be a URI as per the SAML 2.0 spec.
    :single_logout_service_url      => "http://redmine.example.com/auth/saml/sls", # The SLS (logout) callback URL
    :idp_sso_target_url             => "https://[redacted]/login.html", # SSO login endpoint
    :idp_cert_fingerprint           => "[redacted]", # SSO ssl certificate fingerprint
    # Alternatively, specify the full certificate:
    # :idp_cert                     => "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :signout_url                    => "http://sso.example.com/saml2/idp/SingleLogoutService.php?ReturnTo=", # Optional signout URL, not supported by all identity providers
    :idp_slo_target_url             => "http://sso.example.com/saml2/idp/SingleLogoutService.php",
    :name_identifier_value          => "mail", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
      # How we map attributes from SSO to redmine attributes
      :login     => 'extra.raw_info.username',
      :mail      => 'extra.raw_info.email',
      :firstname => 'extra.raw_info.firstname',
      :lastname  => 'extra.raw_info.firstname'
    }
  }
  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

Here is the log:

9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==", "provider"=>"saml"}
   (0.4ms)  SELECT MAX(settings.updated_on) FROM settings
  AnonymousUser Load (0.3ms)  SELECT users.* FROM users WHERE users.type IN ('AnonymousUser') ORDER BY users.id ASC LIMIT 1
Current user: anonymous
  EmailAddress Load (0.1ms)  SELECT email_addresses.* FROM email_addresses WHERE email_addresses.address IS NULL LIMIT 1
Failed login for 'test@test.com' from [IP ADDRESS REDACTED] at 2017-11-14 15:39:49 UTC
Redirected to http://redmine.local/login
Completed 302 Found in 5ms (ActiveRecord: 0.9ms)

We will be waiting for your reply.

nadz-goldman commented 6 years ago

@SecurityInMind, I didn't see any configuration from the other side or an explanation of what is wrong, but here are some cookies from me.

Here is a working example:

/redmine/config/initializers/90-saml.rb

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redmine.local/auth/saml/callback",
    :issuer                         => "https://redmine.local/auth/saml/metadata",
    :single_logout_service_url      => "https://redmine.local/auth/saml/sls",
    :idp_sso_target_url             => "https://idp.somewhere/saml/saml2/idp/SSOService.php",
    :idp_cert_fingerprint           => "some-fingerprint",
    :signout_url                    => "https://idp.somewhere/saml/saml2/idp/SingleLogoutService.php?ReturnTo=",
    :idp_slo_target_url             => "https://idp.somewhere/saml/saml2/idp/SingleLogoutService.php",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :name_identifier_value          => "login",
    :attribute_mapping              => {
      :login      => 'extra.raw_info.urn:mace:dir:attribute-def:eduPersonPrincipalName',
      :mail       => 'extra.raw_info.urn:mace:dir:attribute-def:mail',
      :firstname  => 'extra.raw_info.cn',
      :lastname   => 'extra.raw_info.sn'
    }
  }
  config.on_login do |omniauth_hash, user|
  end
end

On the other side we are using SimpleSAMLphp as IdP, and here is the content of the metadata for Redmine (which acts as SP):

$metadata['https://redmine.local/auth/saml/metadata'] = array (
  'entityid' => 'https://redmine.local/auth/saml/metadata',
  'contacts' =>
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://redmine.local/auth/saml/callback',
      'index' => 0,
      'isDefault' => true,
    ),
  ),
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://redmine.local/auth/saml/sls',
      'ResponseLocation' => 'https://redmine.local/auth/saml/sls',
    ),
  ),
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  'validate.authnrequest' => false,
  'saml20.sign.assertion' => true,

  'authproc' => array(
      1 => array(
        'class' => 'saml:AttributeNameID',
        'attribute' => 'eduPersonPrincipalName',
        'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
      ),
    ),
);

Because we are using LDAP and the ruEduORg scheme for eduGAIN, here we are NOT mapping attributes in the 'authproc' block but giving an attribute which can be used as login. It's easy =)

Also you can use debug on the Redmine side.
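The `email_addresses.address IS NULL` query in the first post's log is what you get when a mapped attribute resolves to nil, i.e. the IdP did not send an attribute under the name the mapping expects. The following is an added example, not code from the plugin or from either comment: it resolves `extra.raw_info.*` mapping paths against an OmniAuth auth hash (assumed here to be a plain nested Hash with string keys) and reports which Redmine fields would be left empty before a login is attempted. The IdP hash is constructed to send `uid`/`mail` rather than the `username`/`email` names used in the first post's mapping, and the same resolver handles the `urn:mace:...` attribute names from the second comment.

```ruby
# Added example (not the plugin's code): check an :attribute_mapping against
# what the IdP actually sent, before Redmine looks the user up by e-mail.

# Follow a dotted path such as 'extra.raw_info.email' through nested hashes.
# Returns nil as soon as a key is absent; a nil :mail is what turns into
# `WHERE email_addresses.address IS NULL` in the failing log above.
def resolve_path(auth, path)
  path.split('.').reduce(auth) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Apply the whole mapping; returns [resolved attributes, empty Redmine fields].
def map_attributes(auth, mapping)
  attrs = mapping.transform_values { |p| resolve_path(auth, p) }
  missing = attrs.select { |_, v| v.nil? || v.to_s.strip.empty? }.keys
  [attrs, missing]
end

# Login can only match an existing Redmine account if login and mail resolved.
def login_possible?(auth, mapping)
  _, missing = map_attributes(auth, mapping)
  (missing & [:login, :mail]).empty?
end

# Mapping as posted in the first comment (lastname corrected to its own attribute).
MAPPING = {
  login:     'extra.raw_info.username',
  mail:      'extra.raw_info.email',
  firstname: 'extra.raw_info.firstname',
  lastname:  'extra.raw_info.lastname'
}.freeze

# Constructed auth hash: this IdP releases 'uid' and 'mail', not 'username'/'email'.
AUTH_FROM_IDP = {
  'provider' => 'saml',
  'uid'      => 'test@test.com',
  'extra'    => { 'raw_info' => { 'uid' => 'test', 'mail' => 'test@test.com',
                                  'firstname' => 'Test', 'lastname' => 'User' } }
}.freeze

if __FILE__ == $PROGRAM_NAME
  attrs, missing = map_attributes(AUTH_FROM_IDP, MAPPING)
  puts "mapped:  #{attrs.inspect}"
  puts "missing: #{missing.inspect}" # [:login, :mail]
  puts "login possible: #{login_possible?(AUTH_FROM_IDP, MAPPING)}"
end
```

Run this with the raw_info dumped from a debug-level Redmine log to see which side of the mapping to rename; the fix is either changing the mapping paths or releasing the attributes under the expected names on the IdP.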