derricksmith / phpsaml

GLPI Plugin - SAML integration using the Onelogin SAML Library
MIT License

SSO with Google #44

Closed riccp closed 3 years ago

riccp commented 3 years ago

Hello, I have GLPI 9.5.3 and the 1.1 version of the plugin.

I was able to configure and SSO seems to be ok (I don't have access to the Google SAML and can only manage the GLPI - there's a team for that).

After SSO returns I get the "action not allowed".

Maybe it's similar to the https://github.com/derricksmith/phpsaml/issues/39 but I don't know how to debug that.

Apparently the GLPI user is not being created after successful SSO. If the user is pre-created the same problem occurs.

What do I need to do to help debugging this?

derricksmith commented 3 years ago

The plug-in does not perform any JIT provisioning. The user account (email) must exist prior to logging in with SSO.

riccp commented 3 years ago

Thanks for the quick answer. But even if I create the user account (I've created it with the email and with only the user part, and it made no difference), that account has its authentication from "Authentication | GLPI internal database". And after the SSO I still got the error.

I have in the saml (among other stuff): <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">riccp</saml:NameID>

Shouldn't this be the email then?

derricksmith commented 3 years ago

nameid should be the email address.
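
For the debugging question in this thread, an added example (not code from the plugin or the OneLogin library): a Python check that decodes a captured base64 `SAMLResponse` and reports whether the NameID value is an email address, which the maintainer states the plugin requires. The sample response is constructed around the NameID quoted above, and the names `check_nameid` and `SAMPLE_B64` are hypothetical.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Deliberately loose shape check; not full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: a minimal, unsigned response carrying the NameID
# quoted in the thread. Real responses are signed and much larger.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Assertion><saml:Subject>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    "riccp</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_nameid(saml_response_b64):
    """Report the Subject NameID of a base64-encoded SAMLResponse.

    Debugging aid only: it performs no signature, audience or time checks,
    so its result must never feed an authentication decision.
    """
    xml_bytes = base64.b64decode(saml_response_b64)
    # SAML messages carry no DTD; refuse input that declares one.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    root = ET.fromstring(xml_bytes)
    node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None:
        # The IdP may send an EncryptedID instead, or no Subject at all.
        return {"name_id": None, "format": None, "is_email": False}
    value = (node.text or "").strip()
    return {
        "name_id": value,
        "format": node.get("Format"),  # informational; the value is what is matched
        "is_email": bool(EMAIL_RE.match(value)),
    }


if __name__ == "__main__":
    print(check_nameid(SAMPLE_B64))
```

With the sample, `is_email` is false: the IdP sends a bare username, so no GLPI account can be matched by email address.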

riccp commented 3 years ago

> nameid should be the email address.

Ok. Sorry to bother once more, but as I cannot change the IdP response, is there a way of changing this in the code?

What I saw is that we have the "NameIDFormat" set to "'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'," in lib/php-saml/settings.php. Is this file not being used?

derricksmith commented 3 years ago

That file ships with the library as an example. It is not used by the GLPI plugin - we build our settings into an array from the configuration settings on the plugin config page. I can add this as a feature request but as of now there is no way to dynamically change the NameIdFormat.

riccp commented 3 years ago

That feature would be nice.

Thanks for the clarification.

On Wed, 31 Mar 2021 14:43, Derrick Smith @.***> wrote:

> That file ships with the library as an example. It is not used by the GLPI plugin - we build our settings into an array from the configuration settings on the plugin config page. I can add this as a feature request but as of now there is no way to dynamically change the NameIdFormat.


juveboss commented 2 years ago

Hello,

I have an error: Error: app_not_configured_for_user Service is not configured for this user.

But the application is authorized for my organization.

Can you give me your Google configuration, please?