derricksmith / phpsaml

GLPI Plugin - SAML integration using the Onelogin SAML Library
MIT License
32 stars 24 forks source link

JIT Error: Unable to create user because missing claims (emailaddress) #108

Open Antcares opened 2 years ago

Antcares commented 2 years ago

Hello! I have configured the plugin in GLPI 9.5.9 and is functioning properly, but i am having this error when JIT is enabled and the user don't exist in GLPI:

JIT Error: Unable to create user because missing claims (emailaddress)

My IdP is keycloak, and i have created a mapper named emailaddress for send the email in te response (i attach the SAML file). Any help is appreciated. SAML_response

derricksmith commented 2 years ago

I took a look at phpsaml.class.php on line 84 and noticed that JIT requires both name and emailaddress to create the user.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

I updated the error message to check which claim is missing.

$missing = (empty(SELF::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0]) ? 'name' : 'emailaddress'); $error = "JIT Error: Unable to create user because missing claims ($missing)";

Loz-001 commented 1 year ago

Hello, working with GLPI 10.0.5 and this wonderfull plugin :) I'm having the same error using SAML2 federation.

I comment this in phpsaml.class.php (line 84)

// if ((!empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0])) && (!empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]))){

replace by :

if ((!empty(self::$userdata['name'][0])) && (!empty(self::$userdata['emailaddress'][0]))){

as $userdata is an array.

And also line 90-93 comment this :

// "name" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0],
// "realname" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0],
// "firstname" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname'][0],
// "_useremails" => array(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]),

by

"name" => self::$userdata['name'][0],
"realname" => self::$userdata['lastname'][0],
"firstname" => self::$userdata['firstname'][0],
"_useremails" => array(self::$userdata['emailaddress'][0]),

I'va been able to JIT provisionning a new user and map some attributes (email, firstname realname and Login Name)

Best regards

Laurent

SilvaFernando commented 1 year ago

Good night everybody!!!!

This

Hello, working with GLPI 10.0.5 and this wonderfull plugin :) I'm having the same error using SAML2 federation.

I comment this in phpsaml.class.php (line 84)

// if ((!empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0])) && (!empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]))){

replace by :

if ((!empty(self::$userdata['name'][0])) && (!empty(self::$userdata['emailaddress'][0]))){

as $userdata is an array.

And also line 90-93 comment this :

// "name" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0],
// "realname" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0],
// "firstname" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname'][0],
// "_useremails" => array(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]),

by

"name" => self::$userdata['name'][0],
"realname" => self::$userdata['lastname'][0],
"firstname" => self::$userdata['firstname'][0],
"_useremails" => array(self::$userdata['emailaddress'][0]),

I'va been able to JIT provisionning a new user and map some attributes (email, firstname realname and Login Name)

Best regards

Laurent THanks, i do this in code and Gsuite authentication worked, i have one question, if we need mapping other attributes, it's possible?

Loz-001 commented 1 year ago

Sorry, I've not been able to map other attributes yet.

I would like to have at least the phone number to be mapped. If someone knows how-to add it :)

Laurent

SilvaFernando commented 1 year ago

@derricksmith, can you help us with this?

Thanks :)

DonutsNL commented 1 year ago

Todo: Add additional JIT validations to phpsaml.class.php : private static function performJit($relayState)

DonutsNL commented 1 year ago

Should be solved in my latest branch.

jbtele29 commented 1 year ago

Hello, I always have this problem with a specific user. I tried 1.3.0 version @DonutsNL fork but i still have a problem with this user

2023-07-10 17:58:34 [@xxxxxxxxx] JIT Error: Unable to create user because missing claims (emailaddress) 2023-07-10 17:58:34 [@xxxxxxxx]

JIT Error: Unable to create user because missing claims (emailaddress)

[2023-07-10 17:58:34] glpiphplog.WARNING: *** PHP Warning (2): Undefined global variable $_POST in /var/www/html/glpi/src/Application/View/TemplateRenderer.php at line 120

Backtrace : src/Application/View/TemplateRenderer.php:135 Glpi\Application\View\TemplateRenderer->__construct() src/Html.php:1296 Glpi\Application\View\TemplateRenderer::getInstance() src/Html.php:2026 Html::includeHeader() plugins/phpsaml/front/acs.php:62 Html::nullHeader() public/index.php:82 require()

thanks

DonutsNL commented 1 year ago

Hi,

It looks like no (valid or complete) saml response is received by the acs. Make sure all claims are present in the samlresponse including the missing field email. The $_POST message can be ignored. The plugin captures the post before GLPI can process it and then clears it. Clearing the POST causes the warning you are seeing.

jbtele29 commented 1 year ago

Hello,

I think that the configuration on the adfs is not good but other users don't have sso problems when they test. I have this claims on adfs image

DonutsNL commented 1 year ago

Hi @jbtele29,

It is not possible for us to understand and support all idp tools out there that support Saml. Instead you should debug the Saml response and tweak it if required. Debugging is possible if you use the latest version of my branch you can actually dump the samlresponse and review it to see what is going wrong. To dump the responses:

  1. create a folder 'debug' inside the plugin directory;
  2. enable debug in the phpsaml config page;
  3. Replay the login, this should create a .php file in the debug folder.
  4. Open the dumped .php file to review the SamlResponse provided;
  5. It should have the missing claim:
  6. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
jbtele29 commented 1 year ago

Hello; i have a blank page when i use sso in debug.php i have [decryptedDocument] => DOMDocument Object ( [config] => [doctype] => [implementation] => (object value omitted) [documentElement] => (object value omitted) [actualEncoding] => [encoding] => [xmlEncoding] => [standalone] => 1 [xmlStandalone] => 1 [version] => 1.0 [xmlVersion] => 1.0 [strictErrorChecking] => 1 [documentURI] => /var/www/html/glpi/plugins/phpsaml/front/ [formatOutput] => [validateOnParse] => [resolveExternals] => [preserveWhiteSpace] => 1 [recover] => [substituteEntities] => [firstElementChild] => (object value omitted) [lastElementChild] => (object value omitted) [childElementCount] => 1 [nodeName] => #document [nodeValue] => [nodeType] => 9 [parentNode] => [childNodes] => (object value omitted) [firstChild] => (object value omitted) [lastChild] => (object value omitted) [previousSibling] => [nextSibling] => [attributes] => [ownerDocument] => [namespaceURI] => [prefix] => [localName] => [baseURI] => /var/www/html/glpi/plugins/phpsaml/front/

DonutsNL commented 1 year ago

Hi @jbtele29, You misunderstand. Using my latest version (from the DonutsNL branch). In the phpsaml configuration page accessible via the plugin page, there is a 'debug' toggle just for phpsaml. Enable that and save the phpsaml configuration. Next manually create a new folder in the GLPI_ROOT/plugins/phpsaml/ directory called 'debug.' i.e. "GLPI_ROOT/plugins/phpsaml/debug" or if you used the marketplace "GLPI_ROOT/marketplace/phpsaml/debug".

After these steps login again. The plugin should now have dumped the received samlResponse. Review this file to verify all the claims are provided using the required namespaces. Tweak your confguration to make sure the required namespaces are available. Then logging in using JIT should work correctly.

Do not share the samlResponse contents and do remove the debug folder after you are done.

jbtele29 commented 1 year ago

Hello , Yes i have samlreponse in debug folder and i used your for branch image but when i clikc for login, nothing change and i come back to login again in dump i had same info from your deleted dump in your branch

jbtele29 commented 1 year ago

Hi, I found the problem i imported test accounts on glpi with a different login but the same email as my main account so that was the problem I deleted the emails on my test accounts in ad and deleted the test accounts in glpi and now everything works as before. thanks

DonutsNL commented 1 year ago

hi @jbtele29,

I am glad you found and fixed the problem. And your feedback is also very usefull. It is true that currently the user creation proces itself is not properly evaluated. Problems during creation are not handled properly. This needs to be handled as well. Ill create a new issue for this problem.