derricksmith / phpsaml

GLPI Plugin - SAML integration using the Onelogin SAML Library
MIT License

Multitenant Error #90

Open nykroy opened 2 years ago

nykroy commented 2 years ago

Same error on version 1.2.0

I reported that in issue #72

When I use multitenant it sends me to the client's Microsoft login. I log in correctly but it sends me to the same SAML error [image]. Could you help me?

I made the enterprise app and a connector with my client to permit multitenant.

DonutsNL commented 2 years ago

Just reviewed the linked issue. I'm using Azure as well and it works fine. This makes me suspect a config error somewhere.

I assume you created an AAD enterprise application using the SAML2 toolkit using the provided instruction?

In addition:

  1. PasswordProtectedTransport is definitely not supported by AzureAD, select Password instead.
  2. If you want to allow both X509 and Password then select none in the config, else it will not match with Exact matching and Azure AD only allows for exact matching.
  3. Make sure you use the correct certificates, application IDs and the like.

"I made the enterprise app and a connector with my client to permit multitenant."

How precisely did you do this?

Rgrds,

nykroy commented 2 years ago

This is my config [image]. On the client's tenant I have the same, but I have only added the X509 certificate of my tenant to the plugin.

I tried to use this config now without results... same error [image]

nykroy commented 2 years ago

I saw that video https://www.youtube.com/watch?v=nslV9fbXBxc to create the enterprise app and normal app for multitenant.

Is it correct? Could you help me?

Regards

chris-gralike-AMIS commented 2 years ago

.

DonutsNL commented 2 years ago

Hi, currently enjoying my vacation a bit and can only do so much in the meantime 😎

First off, as far as I am able to evaluate, your config looks fine. Assuming you used the information provided by the Azure SAML2 enterprise application you created.

On the authN context. You should leave it blank. Users either log in using password and MFA (first time logon) or use the X509 and MFA when they already have a valid session. You allow both methods by leaving the selection blank. Selecting an option will prohibit access by one or the other depending on your selection.

Be aware that there has been a bug in how the SAML library was configured by phpsaml. As a result the AuthN XML header was composed incorrectly. This bug has been fixed in the latest version of the phpsaml code. Make sure you pull and use that version. This bug is likely causing the invalid response error.

As far as multitenancy goes, this should be handled by the IdP (Azure). All SAML cares about is to know if the logon (authentication) is valid and successful.

The data passed by the IdP is then used to compare it with a preprovisioned GLPI user matching email, or by provisioning a new GLPI user just in time (JIT). A different tenant will mean a different user@domain.tld is passed to GLPI. Be aware that the JIT option has not yet been fully implemented. Instead of rules (like LDAP) it will currently use the default GLPI rules (root entity/default profile) to create the user.

rgrds

nykroy commented 2 years ago

Thanks for your feedback. I will try to change the enterprise application to solve the problem. If I resolve the problem I will send you a guide for the rest of the people that need these functions.

Regards

DonutsNL commented 2 years ago

Ps. On the signature validation error, make sure the correct Azure provided certificate is used in your config. The certificate is generated when using the Azure SAML enterprise application and should be available in its config. Without this certificate, the validation will always fail as designed.

also see: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options
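The two checks this comment and the earlier one describe (the AuthN-context comparison that decides whether a Password or X509 login is accepted, and the requirement that the response be signed with the certificate configured for the IdP) are shown below as an added example written in Python. It is not code from phpsaml or from the OneLogin php-saml library; the SAML Response is constructed by hand, the tenant id is a placeholder, and the "certificates" are placeholder bytes rather than real X.509 material. Cryptographic verification of the XML signature is left to the real library; the example only shows the comparisons that make a response pass or fail.

```python
"""Added example (not phpsaml or php-saml code): two SP-side checks on a
constructed Azure-style SAML Response.

Assumptions: the XML is constructed by hand, the tenant id is a placeholder,
and the base64 "certificates" are placeholder bytes, not real X.509 DER.
Cryptographic signature verification is left to the SAML library.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# AuthnContext classes mentioned in the thread.
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"

# Constructed placeholder certificates: the one configured in the SP for its
# own tenant, and the one a second tenant would sign with.
HOME_TENANT_CERT_B64 = base64.b64encode(b"CONSTRUCTED-HOME-TENANT-CERT").decode()
OTHER_TENANT_CERT_B64 = base64.b64encode(b"CONSTRUCTED-OTHER-TENANT-CERT").decode()


def build_response(authn_class: str, cert_b64: str) -> str:
    """Return a minimal, constructed Response with one AuthnContextClassRef
    and one embedded signing certificate (SignatureValue omitted)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def authn_context_accepted(response_xml: str, requested, comparison: str = "exact") -> bool:
    """Decide whether the IdP's AuthnContextClassRef satisfies the SP.
    requested=None mirrors leaving the plugin field blank: any class passes,
    so Password and X509 logins are both accepted. A list mirrors sending a
    RequestedAuthnContext with Comparison="exact": only listed classes pass,
    which is why requesting PasswordProtectedTransport fails against an IdP
    that answers with Password."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:AuthnContextClassRef", NS)
    got = node.text.strip() if node is not None and node.text else None
    if got is None:
        return False
    if requested is None:
        return True
    if comparison != "exact":
        raise NotImplementedError("only exact comparison is shown here")
    return got in requested


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the bytes behind a base64 certificate."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def signing_cert_matches(response_xml: str, configured_cert_b64: str) -> bool:
    """Compare the certificate embedded in the assertion's signature with the
    IdP certificate configured in the SP, by fingerprint. A response signed by
    another tenant's certificate fails here even if its signature is sound,
    which is the "validation will always fail as designed" case."""
    root = ET.fromstring(response_xml)
    node = root.find(".//ds:X509Certificate", NS)
    if node is None or not node.text:
        return False
    return cert_fingerprint(node.text) == cert_fingerprint(configured_cert_b64)


if __name__ == "__main__":
    home = build_response(AC_PASSWORD, HOME_TENANT_CERT_B64)
    print("blank authn context, Password login  :", authn_context_accepted(home, None))
    print("PasswordProtectedTransport requested :", authn_context_accepted(home, [AC_PPT]))
    print("home-tenant cert matches             :", signing_cert_matches(home, HOME_TENANT_CERT_B64))
    other = build_response(AC_X509, OTHER_TENANT_CERT_B64)
    print("other-tenant cert matches            :", signing_cert_matches(other, HOME_TENANT_CERT_B64))
```

The second print line is the failure mode from the first comment (exact matching against a class Azure does not return), and the last line is the multitenant failure mode from this comment: a response from a tenant whose signing certificate is not the one configured in the plugin is rejected before any user matching happens.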

nykroy commented 2 years ago

The certificate is correct. The problem is the client tenant doesn't send the request through the principal tenant that gave me the certificate. I think it is a problem with my tenant config but I don't see the problem. I have an enterprise app and a normal app but I don't know how to create a delegation between the tenants :) I see the code of the plugin is prepared for more than one configuration (?SSO=1 and the table); maybe if you add the option to configure more than one SSO config I can add all the apps of the clients.

Gambware commented 1 year ago

Did you guys find any solutions to Multi-Tenant Auth on Azure? Thanks!

nykroy commented 1 year ago

@Gambware no, I have the same problem