chrodriguez / redmine_omniauth_saml

Plugin that adds SAML authentication support for Redmine
GNU General Public License v2.0
38 stars 57 forks

SAML integration with Office 365 (Azure AD) #6

Closed patope closed 8 years ago

patope commented 9 years ago

I've been trying to set up Redmine SSO with the Office 365 SAML service (actually it is Azure AD). I finally got it to work after minor modifications to the code.

saml.rb

  :attribute_mapping => {
    :login     => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
    :firstname => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    :lastname  => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
    :mail      => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
  }

And the change I made to the SAML plugin.

--- redmine_omniauth_saml.rb.orig   2015-09-04 09:52:36.000000000 +0300
+++ redmine_omniauth_saml.rb    2015-09-04 09:52:24.000000000 +0300
@@ -64,11 +64,12 @@
         HashWithIndifferentAccess.new.tap do |h|
           required_attribute_mapping.each do |symbol|
             key = configured_saml[:attribute_mapping][symbol]
-            h[symbol] = key.split('.')                # Get an array with nested keys: name.first will return [name, first]
-              .map {|x| [:[], x]}                     # Create pair elements being :[] symbol and the key
-              .inject(omniauth) do |hash, params|     # For each key, apply method :[] with key as parameter
-                hash.send(*params)
-              end
+            h[symbol] = omniauth.extra.raw_info[key]
+#            h[symbol] = key.split('.')                # Get an array with nested keys: name.first will return [name, first]
+#              .map {|x| [:[], x]}                     # Create pair elements being :[] symbol and the key
+#              .inject(omniauth) do |hash, params|     # For each key, apply method :[] with key as parameter
+#                hash.send(*params)
+#              end
           end
         end
       end
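Review bot: the new line `h[symbol] = omniauth.extra.raw_info[key]` resolves the URI-named Azure AD claims but discards the dotted-path traversal (`name.first` => `[name, first]`) that the removed lines implemented, so any initializer that relies on nested keys stops working with this change. Keep both paths, for example by looking the key up verbatim first and only splitting on `.` when it is not present: `h[symbol] = omniauth.extra.raw_info.key?(key) ? omniauth.extra.raw_info[key] : <the existing split/inject chain>`. The five `#`-prefixed copies of the old lines should be deleted rather than committed as dead code. Also, since this loop iterates `required_attribute_mapping`, a claim absent from `raw_info` is silently assigned as nil here; a check that raises a clear error for a missing required attribute would turn a confusing later failure into an actionable one.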

I'm not really a Ruby developer, but I hope you will find this helpful and can fix this in mainline.

chrodriguez commented 9 years ago

As the sample initializer shows https://github.com/chrodriguez/redmine_omniauth_saml/blob/master/sample-saml-initializers.rb

You can achieve the same result by editing the initializer, without modifying the plugin's code.

patope commented 9 years ago

O365 SAML response attribute names are URIs, and `key.split('.')` splits those URIs in the middle.

patope commented 9 years ago

Here is an example fragment from an O365 SAML response:

... snip ...
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>...uuid value...</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>...uuid value...</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>...email...</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>...lastname...</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>...firstname...</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>...displayname...</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>...URI...</AttributeValue>
      </Attribute>
    </AttributeStatement>
... snip ...

chrodriguez commented 8 years ago

@patope Is this feature still broken? Or has omniauth-saml fixed the problem? I'm closing the issue; please reopen if needed.

patope commented 8 years ago

I guess this is still broken, but we are no longer using Redmine and therefore this is no longer relevant to us.

The problem here is that when we had an attribute definition like `:login => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'`, Redmine tries to look up the value for :login from the hierarchy

http://schemas
  xmlsoap
    org/ws/2005/05/identity/claims/name
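The following Ruby is an added example, not code from the plugin or from anyone in this thread. It reproduces the split-on-dot traversal that the plugin's `user_attributes_from_saml` performs (the chain shown in the diff above), shows why a URI-named claim makes it raise `NoMethodError` on nil, and then shows a lookup that accepts both dotted nested keys and verbatim URI keys and reports required attributes that could not be resolved. `AZURE_RAW_INFO` and `NESTED_RAW_INFO` are constructed sample hashes standing in for `omniauth.extra.raw_info`; the claim names are the ones quoted in this issue, the values are placeholders.

```ruby
# Constructed sample of what omniauth-saml would expose as extra.raw_info for
# the Azure AD AttributeStatement quoted in this thread (placeholder values).
AZURE_RAW_INFO = {
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'      => 'alice@example.com',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' => 'Alice',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'   => 'Example',
  'http://schemas.microsoft.com/identity/claims/displayname'        => 'Alice Example'
}.freeze

# Constructed sample of a provider that nests attributes, which is the shape
# the plugin's dotted mapping (e.g. 'name.first') was written for.
NESTED_RAW_INFO = {
  'uid'  => 'bob',
  'name' => { 'first' => 'Bob', 'last' => 'Builder' },
  'mail' => 'bob@example.com'
}.freeze

# The mapping patope posted for Azure AD (login and mail both use the name claim).
AZURE_MAPPING = {
  login:     'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
  firstname: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
  lastname:  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
  mail:      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
}.freeze

# A hypothetical mapping for the nested provider above.
NESTED_MAPPING = { login: 'uid', firstname: 'name.first', lastname: 'name.last', mail: 'mail' }.freeze

# The plugin's original traversal: split the key on '.' and index level by level.
# A URI key splits at 'schemas.xmlsoap.org', so the first step looks up
# 'http://schemas', gets nil, and the next [] raises NoMethodError on nil,
# which is exactly the trace hex6ng posted below.
def nested_lookup(raw_info, key)
  key.split('.').inject(raw_info) { |level, part| level[part] }
end

# Hardened lookup: try the key verbatim first (covers URI-named claims), then
# fall back to dotted traversal, and return nil instead of raising when an
# intermediate level is missing or is not a hash.
def lookup_attribute(raw_info, key)
  return raw_info[key] if raw_info.key?(key)
  key.split('.').inject(raw_info) do |level, part|
    return nil unless level.is_a?(Hash) && level.key?(part)
    level[part]
  end
end

# Build the attribute hash the plugin hands to User and list the required
# attributes that resolved to nothing, so a misconfigured mapping is reported
# up front rather than failing later in user creation.
def user_attributes(raw_info, mapping)
  attrs = mapping.each_with_object({}) { |(sym, key), h| h[sym] = lookup_attribute(raw_info, key) }
  missing = attrs.select { |_, v| v.nil? || v.to_s.empty? }.keys
  [attrs, missing]
end

if __FILE__ == $PROGRAM_NAME
  begin
    nested_lookup(AZURE_RAW_INFO, AZURE_MAPPING[:login])
  rescue NoMethodError => e
    puts "original traversal on a URI key: #{e.message}"
  end
  p user_attributes(AZURE_RAW_INFO, AZURE_MAPPING)
  p user_attributes(NESTED_RAW_INFO, NESTED_MAPPING)
  p user_attributes(AZURE_RAW_INFO, AZURE_MAPPING.merge(lastname: 'not.a.claim'))
end
```

Checking the verbatim key before splitting is the smallest change that keeps existing dotted mappings working while accepting URI-style claim names; the explicit `missing` list is what turns a silent nil login into a diagnosable configuration error.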

hex6ng commented 7 years ago

I'm trying to configure SAML for Azure AD and I'm facing the same issue. This is the error I'm getting:

NoMethodError (undefined method `[]' for nil:NilClass):
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:70:in `block (3 levels) in user_attributes_from_saml'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:69:in `each'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:69:in `inject'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:69:in `block (2 levels) in user_attributes_from_saml'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:65:in `each'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:65:in `block in user_attributes_from_saml'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:64:in `tap'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:64:in `user_attributes_from_saml'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:21:in `user_attributes_from_saml'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:7:in `find_or_create_from_omniauth'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/account_controller_patch.rb:32:in `login_with_saml_callback'