Open viegelinsch opened 6 years ago
@viegelinsch, you ask:
Can anyone give me a hint how to connect redmine else wise with a SimpleSAMLphp IdP?
I found only one easy solution =)
On the Redmine side:
Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    # Redmine (SP) endpoints; the issuer doubles as the SP entity ID
    :assertion_consumer_service_url => "https://redmine.institute.ru/auth/saml/callback",
    :issuer => "https://redmine.institute.ru/auth/saml/metadata",
    :single_logout_service_url => "https://redmine.institute.ru/auth/saml/sls",
    # SimpleSAMLphp IdP endpoints; the IdP signing certificate is pinned by fingerprint
    :idp_sso_target_url => "https://idp-01.institute.ru/saml/saml2/idp/SSOService.php",
    :idp_cert_fingerprint => "FC:29:.....:33:71",
    :signout_url => "https://idp-01.institute.ru/saml/saml2/idp/SingleLogoutService.php?ReturnTo=",
    :idp_slo_target_url => "https://idp-01.institute.ru/saml/saml2/idp/SingleLogoutService.php",
    :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
    :name_identifier_value => "login",
    # Dotted paths into the omniauth hash; the IdP authproc below supplies
    # these dot-free attribute names (login, myEmail, cn, sn)
    :attribute_mapping => {
      :login => 'extra.raw_info.login',
      :mail => 'extra.raw_info.myEmail',
      :firstname => 'extra.raw_info.cn',
      :lastname => 'extra.raw_info.sn'
    }
  }
  config.on_login do |omniauth_hash, user|
    # nothing extra to do after a successful login
  end
end
On the SimpleSAMLphp IdP side (metadata/saml20-sp-remote.php):
$metadata['https://redmine.institute.ru/auth/saml/metadata'] = array (
  'entityid' => 'https://redmine.institute.ru/auth/saml/metadata',
  'metadata-set' => 'saml20-sp-remote',
  // Where the IdP posts the SAML Response; must match assertion_consumer_service_url in Redmine
  'AssertionConsumerService' => array (
    0 => array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://redmine.institute.ru/auth/saml/callback',
      'index' => 0,
    ),
  ),
  // SP single logout endpoint; must match single_logout_service_url in Redmine
  'SingleLogoutService' => array (
    0 => array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://redmine.institute.ru/auth/saml/sls',
      'ResponseLocation' => 'https://redmine.institute.ru/auth/saml/sls',
    ),
  ),
  // Copy the OID-named attribute (eduPersonPrincipalName) to dot-free names
  // the plugin's dotted attribute_mapping can address; entries are applied in
  // order, so myEmail exists before it is copied on to login
  'authproc' => array(
    91 => array(
      'class' => 'core:AttributeCopy',
      'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'myEmail',
      'myEmail' => 'login',
    ),
  ),
);
My solution is based on the premise that "Redmine is only for internal work and only for our employees, so nobody from any other IdP can use it".
Hi, my attribute_mapping looks like this:
:attribute_mapping => {
  :login => 'urn:oid:0.9.2342.19200300.100.1.1',
  :mail => 'urn:oid:0.9.2342.19200300.100.1.3',
  :firstname => 'urn:oid:2.5.4.42',
  :lastname => 'urn:oid:2.5.4.4'
}
This results in the error message
translation missing: de.notice_account_invalid_creditentials. You may want to close SSO session before trying an other username.
To stay compatible with our federation, we have to use OID instead of MACE.
Unfortunately the code splits at the dot (https://github.com/chrodriguez/redmine_omniauth_saml/blob/4c8f0b58dc8f7a01c73e17e04c668b6d60c039d7/lib/redmine_omniauth_saml.rb#L67), which doesn't work for us.
Have I located the problem correctly? Is there any hint how to circumvent this? Can anyone give me a hint how to connect Redmine otherwise with a SimpleSAMLphp IdP?
Kind regards, viegelinsch
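As an added illustration (not code from the plugin or from either poster), here is a dot-splitting lookup in the spirit of the one linked above, beside a lookup that matches keys containing dots whole, plus a check that reports which Redmine fields a given attribute_mapping leaves empty. The omniauth-style hash and the OID_MAPPING are constructed for the example.

```ruby
# Added illustration (not code from redmine_omniauth_saml): why a dotted-path
# attribute_mapping breaks on OID attribute names, and a lookup that copes.
# Constructed omniauth-style hash, shaped like what the plugin walks.
OMNIAUTH_HASH = {
  'extra' => {
    'raw_info' => {
      'login'   => 'jdoe',
      'myEmail' => 'jdoe@institute.example',
      'urn:oid:0.9.2342.19200300.100.1.1' => 'jdoe',                   # uid
      'urn:oid:0.9.2342.19200300.100.1.3' => 'jdoe@institute.example', # mail
    }
  }
}.freeze

# Naive lookup: every dot is a path separator, so an OID key becomes the
# segments 'urn:oid:0', '9', '2342', ... and the walk dead-ends in nil.
def lookup_by_splitting(hash, path)
  path.split('.').inject(hash) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Tolerant lookup: at each level try the longest run of remaining segments
# that exists verbatim as a key, so keys that contain dots are matched whole.
def lookup_dot_safe(node, path)
  return nil unless node.is_a?(Hash)
  segments = path.split('.')
  segments.length.downto(1) do |n|
    candidate = segments.take(n).join('.')
    next unless node.key?(candidate)
    rest  = segments.drop(n)
    value = rest.empty? ? node[candidate] : lookup_dot_safe(node[candidate], rest.join('.'))
    return value unless value.nil?
  end
  nil
end

# Resolve a whole attribute_mapping and report which Redmine fields stayed
# empty; an unresolved :login is consistent with the invalid-credentials notice.
def resolve_mapping(hash, mapping, lookup)
  resolved = mapping.transform_values { |path| lookup.call(hash, path) }
  missing  = resolved.select { |_, v| v.nil? || v.to_s.empty? }.keys
  [resolved, missing]
end

# Hypothetical OID-style mapping, prefixed with the plugin's extra.raw_info path.
OID_MAPPING = {
  login: 'extra.raw_info.urn:oid:0.9.2342.19200300.100.1.1',
  mail:  'extra.raw_info.urn:oid:0.9.2342.19200300.100.1.3',
}.freeze
puts resolve_mapping(OMNIAUTH_HASH, OID_MAPPING, method(:lookup_by_splitting)).inspect
puts resolve_mapping(OMNIAUTH_HASH, OID_MAPPING, method(:lookup_dot_safe)).inspect
```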