chrodriguez / redmine_omniauth_saml

Plugin that adds SAML authentication support for "Redmine"
GNU General Public License v2.0

plugin cannot parse attribute name with oid in SAML response #40

Open viegelinsch opened 6 years ago

viegelinsch commented 6 years ago

Hi, my attribute_mapping looks like this:

```ruby
:attribute_mapping => {
  :login     => 'urn:oid:0.9.2342.19200300.100.1.1',
  :mail      => 'urn:oid:0.9.2342.19200300.100.1.3',
  :firstname => 'urn:oid:2.5.4.42',
  :lastname  => 'urn:oid:2.5.4.4'
}
```

This results in the error message `translation missing: de.notice_account_invalid_creditentials. You may want to close SSO session before trying an other username.`

To stay compatible with our federation, we have to use oid instead of mace.

Unfortunately the code splits at the dot https://github.com/chrodriguez/redmine_omniauth_saml/blob/4c8f0b58dc8f7a01c73e17e04c668b6d60c039d7/lib/redmine_omniauth_saml.rb#L67 , which doesn't work for us.

Have I located the problem correctly? Is there any hint how to circumvent this? Can anyone give me a hint how to connect Redmine otherwise with a SimpleSAMLphp IdP?

Kind regards, viegelinsch
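To make the failure concrete, here is an added example (not the plugin's code) that contrasts the dot-splitting lookup with a lookup that first tries the remaining path as a literal key at each level, so OID attribute names survive. It assumes the SAML attributes live under `extra.raw_info` with string keys and that the mapping value carries that prefix; the auth hash is constructed.

```ruby
# Constructed OmniAuth-style auth hash (assumption: string keys, SAML
# attributes under extra.raw_info, as in the mappings shown in this issue).
AUTH_HASH = {
  'extra' => {
    'raw_info' => {
      'login'                              => 'jdoe',
      'urn:oid:0.9.2342.19200300.100.1.1'  => 'jdoe',
      'urn:oid:0.9.2342.19200300.100.1.3'  => 'jdoe@example.org',
      'urn:oid:2.5.4.42'                   => 'Jane',
      'urn:oid:2.5.4.4'                    => 'Doe'
    }
  }
}.freeze

# Lookup equivalent to splitting the mapping value on "." and walking the hash.
# 'extra.raw_info.urn:oid:2.5.4.42' becomes the segments
# extra / raw_info / urn:oid:2 / 5 / 4 / 42, so the OID key is never matched.
def split_lookup(hash, path)
  path.split('.').inject(hash) { |h, k| h.is_a?(Hash) ? h[k] : nil }
end

# Lookup that checks whether the whole remaining path is a key at the current
# level before consuming one dotted segment. Plain paths such as
# 'extra.raw_info.login' resolve exactly as before; dotted keys now resolve too.
def literal_first_lookup(hash, path)
  return nil unless hash.is_a?(Hash)
  return hash[path] if hash.key?(path)
  head, tail = path.split('.', 2)
  return nil if tail.nil?
  literal_first_lookup(hash[head], tail)
end

# Resolve a whole attribute_mapping with the given lookup strategy; a nil in the
# result is what surfaces to the user as an "invalid credentials" login failure.
def resolve_mapping(auth, mapping, strategy)
  mapping.transform_values { |path| send(strategy, auth, path) }
end

OID_MAPPING = {
  login:     'extra.raw_info.urn:oid:0.9.2342.19200300.100.1.1',
  mail:      'extra.raw_info.urn:oid:0.9.2342.19200300.100.1.3',
  firstname: 'extra.raw_info.urn:oid:2.5.4.42',
  lastname:  'extra.raw_info.urn:oid:2.5.4.4'
}.freeze
```

With `split_lookup` every OID-mapped attribute resolves to nil, while `literal_first_lookup` returns all four values and still resolves the plain `extra.raw_info.login` path.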

nadz-goldman commented 6 years ago

@viegelinsch, you ask:

> Can anyone give me a hint how to connect redmine else wise with a SimpleSAMLphp IdP?

I found only one easy solution =)

On the Redmine side:

```ruby
Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redmine.institute.ru/auth/saml/callback",
    :issuer                         => "https://redmine.institute.ru/auth/saml/metadata",
    :single_logout_service_url      => "https://redmine.institute.ru/auth/saml/sls",
    :idp_sso_target_url             => "https://idp-01.institute.ru/saml/saml2/idp/SSOService.php",
    :idp_cert_fingerprint           => "FC:29:.....:33:71",
    :signout_url                    => "https://idp-01.institute.ru/saml/saml2/idp/SingleLogoutService.php?ReturnTo=",
    :idp_slo_target_url             => "https://idp-01.institute.ru/saml/saml2/idp/SingleLogoutService.php",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
    :name_identifier_value          => "login",
    # Mapping values are dotted paths into the OmniAuth hash; the IdP-side
    # authproc below renames the OID attribute to "myEmail"/"login" so that
    # no dots appear in the attribute names themselves.
    :attribute_mapping              => {
      :login      => 'extra.raw_info.login',
      :mail       => 'extra.raw_info.myEmail',
      :firstname  => 'extra.raw_info.cn',
      :lastname   => 'extra.raw_info.sn'
    }
  }
  config.on_login do |omniauth_hash, user|
  end
end
```

On the SimpleSAMLphp IdP side (metadata/saml20-sp-remote.php):

```php
$metadata['https://redmine.institute.ru/auth/saml/metadata'] = array (
  'entityid' => 'https://redmine.institute.ru/auth/saml/metadata',
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://redmine.institute.ru/auth/saml/callback',
      'index' => 0,
    ),
  ),
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://redmine.institute.ru/auth/saml/sls',
      'ResponseLocation' => 'https://redmine.institute.ru/auth/saml/sls',
    ),
  ),
  // Copy the OID-named attribute into dot-free names before the assertion
  // is sent, so the Redmine plugin's dotted attribute_mapping can find them.
  'authproc' => array(
    91 => array(
      'class' => 'core:AttributeCopy',
      'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'myEmail',
      'myEmail' => 'login',
    ),
  ),
);
```

My solution is based on the assumption that "Redmine is only for internal work and only for our employees, so nobody from any other IdP can use it".