meeting-room-booking-system / mrbs-code

MRBS application code

SAML auth - does anyone have it working? #2543

Open jberanek opened 5 years ago

jberanek commented 5 years ago

Hi.

I cannot ever get MRBS to successfully authenticate using SAML and am beginning to wonder if there is anyone out there who can.

I have a working simplesamlphp installation (v 1.17.6) and MRBS 1.7.3 with the following saml config params:

// Configuration parameters for 'saml' session scheme
$auth['type'] = 'saml';
$auth['session'] = 'saml';
$auth['saml']['ssp_path'] = '/var/simplesamlphp';
$auth['saml']['authsource'] = 'hasqld-sp';
$auth['saml']['attr']['username'] = 'uid';
$auth['saml']['attr']['mail'] = 'Email1';
$auth['saml']['admin'] = array('admin' => array('sso_admin'));

simplesamlphp debug logs show authentication succeeding all the way up to:

Session: doLogin("hasqld-sp")

But is then followed immediately by seven repeated lines of:

Session: 'hasqld-sp' not valid because we are not authenticated.

I don't have authentication required on the normally public pages such as day.php, so just refreshing the page shouldn't try to get authenticated. I can become successfully authenticated with a separate TESTAUTH script, but refreshing the MRBS day.php page will instantly un-authenticate me:

Session: doLogin("hasqld-sp")
The class or interface 'SimpleSAML_Auth_Simple' is now using namespaces, please use 'SimpleSAML\Auth\Simple'.
Session: Valid session found with 'hasqldmrbs-sp'.
Session: Valid session found with 'hasqldmrbs-sp'.
Session: Valid session found with 'hasqldmrbs-sp'.
The class or interface 'SimpleSAML_Auth_Simple' is now using namespaces, please use 'SimpleSAML\Auth\Simple'.
Session: 'hasqldmrbs-sp' not valid because we are not authenticated.
Session: 'hasqldmrbs-sp' not valid because we are not authenticated.
Session: 'hasqldmrbs-sp' not valid because we are not authenticated.
Session: 'hasqldmrbs-sp' not valid because we are not authenticated.
Session: 'hasqldmrbs-sp' not valid because we are not authenticated.
Session: 'hasqldmrbs-sp' not valid because we are not authenticated.
Session: 'hasqldmrbs-sp' not valid because we are not authenticated.

My TESTAUTH script shows the ssp->attributes as the following when authenticated:

Array
(
    [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn] => Array
        (
            [0] => barry@upndomain.com
        )
    [uid] => Array
        (
            [0] => barry
        )
    [Email1] => Array
        (
            [0] => barry.j@myedudomain.edu.au
        )
    [admin] => Array
        (
            [0] => admin_sso
        )
)

Reported by: *anonymous

Original Ticket: mrbs/support-requests/1844

jberanek commented 5 years ago

So after a lot of troubleshooting I'm not sure what the real cause is but it seems to be something to do with sessions.

I've managed to get SAML auth to work by commenting out line 122 in init.inc

//init_sessions();

Does SAML auth take care of all the session stuff by itself, or does it call init_sessions() later?

Original comment by: slartimitvar

jberanek commented 5 years ago

I got a SimpleSAML error when trying to access the Login page. When testing my SimpleSAML using the Authentication Test in its interface I was able to get authenticated (so SSP is set up correctly). I also commented out your line 122, and it gave me the MRBS page, but it tells me the user is -invalid-, so I'm guessing this won't work. Now I've uncommented line 122 and, going back to the site, it is giving me the root of my site to day.php, and I have the site in a folder called saml_clr, when I click the login page.

Original comment by: warnertaylor

jberanek commented 5 years ago

Hey, I found this support request that helped my URL issue. I'm still having an issue with -invalid- though. https://sourceforge.net/p/mrbs/support-requests/1836/

Original comment by: warnertaylor

jberanek commented 5 years ago

In your saml auth config what do you have set for $auth['saml']['attr']['username']? I think the value here needs to match an attribute name being returned from your SAML IdP.

In my original question above I have it set as $auth['saml']['attr']['username'] = 'uid'; Then in my ssp->attributes being returned from my IdP I have one called 'uid' which contains the username value: [uid] => Array ( [0] => barry )

This logs me in as barry.

Original comment by: slartimitvar
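The two points above (the $auth['saml'] mapping from the original post, and the rule that $auth['saml']['attr']['username'] has to name an attribute the IdP actually sends) can be checked offline against the attribute dump posted with the TESTAUTH script. The following is an added example, not MRBS or SimpleSAMLphp code: it applies the posted mapping to the posted attributes and shows what happens when the configured username attribute is absent (the user that shows up as -invalid-). It assumes, as the MRBS config comments describe and as this example implements, that the attr names are looked up as keys of the SimpleSAMLphp attributes array (each value a list) and that $auth['saml']['admin'] grants admin when the named attribute contains any of the listed values; the helper names saml_attr, saml_is_admin and saml_resolve_user are the example's own. One caveat visible on the page itself: the config lists the admin value 'sso_admin', while the attribute dump returns 'admin_sso', so with an exact string comparison that user would not be treated as admin.

```php
<?php
// Added example (not MRBS or SimpleSAMLphp code). Assumption: MRBS looks up
// each configured attr name as a key of the SSP attributes array, and the
// 'admin' map grants admin when the named attribute contains a listed value.

// Mapping copied from the original post's config.
$auth = array();
$auth['saml']['attr']['username'] = 'uid';
$auth['saml']['attr']['mail']     = 'Email1';
$auth['saml']['admin'] = array('admin' => array('sso_admin'));

// Constructed sample: the attribute dump from the original post's TESTAUTH
// script, in the shape SimpleSAMLphp returns (every attribute is a list).
$attributes = array(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' => array('barry@upndomain.com'),
    'uid'    => array('barry'),
    'Email1' => array('barry.j@myedudomain.edu.au'),
    'admin'  => array('admin_sso'),
);

/**
 * First value of attribute $name, or null when the IdP did not send it.
 * A null username is the situation behind the "-invalid-" user: the name
 * in the config does not match any attribute in the assertion.
 */
function saml_attr(array $attributes, $name)
{
    if (!isset($attributes[$name]) || !is_array($attributes[$name]) || count($attributes[$name]) === 0) {
        return null;
    }
    return (string) $attributes[$name][0];
}

/**
 * Admin check: true if, for any configured attribute, one of the values the
 * IdP sent is in the configured list. Exact, case-sensitive comparison, so
 * an attribute value 'admin_sso' does not satisfy a configured 'sso_admin'.
 */
function saml_is_admin(array $attributes, array $admin_map)
{
    foreach ($admin_map as $attr_name => $allowed_values) {
        if (!isset($attributes[$attr_name])) {
            continue;
        }
        foreach ((array) $attributes[$attr_name] as $value) {
            if (in_array((string) $value, $allowed_values, true)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Resolve the MRBS user fields from the assertion, refusing to produce a
 * user with an empty name rather than silently logging someone in.
 */
function saml_resolve_user(array $attributes, array $saml_config)
{
    $username_attr = $saml_config['attr']['username'];
    $username = saml_attr($attributes, $username_attr);
    if ($username === null || $username === '') {
        return array(
            'error' => "attribute '$username_attr' missing from assertion; "
                     . "compare \$auth['saml']['attr'] with the IdP attribute names",
        );
    }
    return array(
        'username' => $username,
        'mail'     => saml_attr($attributes, $saml_config['attr']['mail']),
        'is_admin' => saml_is_admin($attributes, $saml_config['admin']),
    );
}

// 1. The posted config against the posted attributes.
print_r(saml_resolve_user($attributes, $auth['saml']));

// 2. The "-invalid-" case: the mapping names an attribute the IdP never sends.
$misconfigured = $auth['saml'];
$misconfigured['attr']['username'] = 'sAMAccountName';
print_r(saml_resolve_user($attributes, $misconfigured));
```

Run as-is, the first call resolves the user barry with the Email1 address and is_admin false, because the only admin value in the assertion is 'admin_sso' and the config allows only 'sso_admin'; either rename the value at the IdP or change the config so the two agree. The second call returns the error entry instead of a user, which is the check to make before trusting a session whose username comes out empty.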

jberanek commented 5 years ago

Thanks, I've gotten the session working (with line 122 commented out) and it is showing my name and log off button. Thanks so much!

Original comment by: warnertaylor