Closed Aghiles-S closed 1 year ago
You should be able to pick this up in the acs.php file and work your way from there. acs.php passes the SAMLResponse to the PHP SAML lib, where the response is decoded. Claims, if received properly, should be available in the resulting phpsaml object.
I already used the default claims transmitted:

```php
$input = array(
    "name"        => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0],
    "realname"    => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0],
    "firstname"   => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname'][0],
    "_useremails" => array(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]),
    "password"    => $password,
    "password2"   => $password,
);
```

I want to transmit another attribute as a claim from Azure AD to glpi-phpsaml. Do you know how to add a custom claim which isn't in the GLPI app's claims list in Azure AD, so that it is available here under `SELF::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims`?
If you download the latest version from my repo (not yet merged, because Derrick seems to have been unavailable as of late), it has an option to dump the SAMLResponse to a file if you create a debug folder in the plugin folder and enable debug. You can then review the raw payload with its claims to see which schema is used for your property. You should be able to work from there.
Don't forget to remove the debug folder and its contents afterwards, because its content could allow replay attacks.
Thank you @DonutsNL
Please close the issue if you are helped 😉
Hi, I want to automate the assignment of users to their corresponding service entities upon their first login. I have already managed to assign them based on their email addresses by modifying the code of phpsaml.class.php (the glpiLogin function). However, I now want to assign them based on their service membership, and I am unable to retrieve the "service" field from Azure AD, which is synchronized with AD. How can I transmit this Azure AD claim, which isn't in the claims list?
I added this code in inc/phpsaml.class.php to assign them to entities by the "@xxxxx.xx" part of their email address (the domains are redacted; `strpos` is compared against `false` so a match at offset 0 is not treated as "not found", and the branches are chained so only one entity is chosen):

```php
// Assign the GLPI entity from the domain of the first email address in the SAML claims.
$email = $input["_useremails"][0];
if (strpos($email, '@xxxxxx') !== false) {
    $input['_entities_id'] = 1;
} elseif (strpos($email, '@yyyyyyy') !== false) {
    $input['_entities_id'] = 5;
} elseif (strpos($email, '@vvvvvvv') !== false) {
    $input['_entities_id'] = 0;
}
```

The entities_id values are in the table "glpi_entities".
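The approach in the thread (read a claim out of the decoded SAML attributes, derive a GLPI entity id, put it in `$input['_entities_id']`) can be written as a small resolver that prefers a custom "service" claim and falls back to the email domain. The following is an added example, not code from glpi-phpsaml or from the people in this thread. It assumes the attribute array has the shape the thread shows (claim URI as key, list of values as value); the `CLAIM_SERVICE` URI is a hypothetical placeholder for whatever URI the Azure AD claim appears under in a dumped SAMLResponse, and the entity ids and domains are constructed sample values, not real glpi_entities rows. It also replaces the substring check with an exact domain comparison, since `strpos($email, '@xxxxxx')` would also match `eve@xxxxxx.xx.attacker.example`.

```php
<?php
// Added example (not part of glpi-phpsaml). Resolves a GLPI entity id from SAML attributes.

// Claim URI used by the thread for the email address.
const CLAIM_EMAIL   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
// ASSUMPTION: hypothetical URI for the custom "service" claim; take the real one
// from the dumped SAMLResponse (the debug option mentioned above).
const CLAIM_SERVICE = 'http://schemas.example.org/identity/claims/service';

// Constructed sample mappings; entity ids and domains are placeholders.
const ENTITY_BY_SERVICE = [
    'helpdesk' => 1,
    'network'  => 5,
];
const ENTITY_BY_DOMAIN = [
    'xxxxxx.xx'  => 1,
    'yyyyyyy.xx' => 5,
    'vvvvvvv.xx' => 0,
];
const ENTITY_DEFAULT = 0;   // fallback when nothing matches (root entity in GLPI)

/** First value of a claim, or null if the IdP did not send it (or sent an empty value). */
function claimValue(array $userdata, string $uri): ?string
{
    if (!isset($userdata[$uri][0]) || !is_string($userdata[$uri][0])) {
        return null;
    }
    $value = trim($userdata[$uri][0]);
    return $value === '' ? null : $value;
}

/** Domain part of an address, lower-cased; null if the address is malformed. */
function emailDomain(?string $email): ?string
{
    if ($email === null || substr_count($email, '@') !== 1) {
        return null;
    }
    return strtolower(substr($email, strpos($email, '@') + 1));
}

/** Service claim first, then exact email-domain match, then the default entity. */
function resolveEntityId(array $userdata): int
{
    $service = claimValue($userdata, CLAIM_SERVICE);
    if ($service !== null && isset(ENTITY_BY_SERVICE[strtolower($service)])) {
        return ENTITY_BY_SERVICE[strtolower($service)];
    }
    $domain = emailDomain(claimValue($userdata, CLAIM_EMAIL));
    if ($domain !== null && isset(ENTITY_BY_DOMAIN[$domain])) {
        return ENTITY_BY_DOMAIN[$domain];
    }
    return ENTITY_DEFAULT;
}

// Constructed sample attribute arrays shaped like phpsaml's $userdata.
$withService = [
    CLAIM_EMAIL   => ['alice@yyyyyyy.xx'],
    CLAIM_SERVICE => ['Helpdesk'],
];
$emailOnly  = [CLAIM_EMAIL => ['bob@vvvvvvv.xx']];
$lookalike  = [CLAIM_EMAIL => ['eve@xxxxxx.xx.attacker.example']];

var_dump(resolveEntityId($withService)); // service claim wins over the email domain
var_dump(resolveEntityId($emailOnly));   // domain match
var_dump(resolveEntityId($lookalike));   // no exact domain match, falls back to default
```

Inside the plugin this would sit where the thread's snippet does, as `$input['_entities_id'] = resolveEntityId(self::$userdata);`, after the claims have been decoded. Keeping the mapping tables in one place also makes it obvious which IdP attribute decides entity membership, which matters because whoever controls that claim in Azure AD controls which GLPI entity the user lands in.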