meeting-room-booking-system / mrbs-code

MRBS application code

saml auth admin rights #3301

Open jberanek opened 2 years ago

jberanek commented 2 years ago

Hi, I've got saml working for logins, but I can't seem to define who the admins are. I'm using saml to auth against Google Apps. There are two attributes returned, the username which is just the email address of the google user, and saml_admins is set to "saml_admins" when the user is in the google group saml_admins.

I've tried the line below in config.inc.php:

    $auth['saml']['admin'] = array( 'saml_admins' => array('myname@domain.co.xx') );

where the account is in the saml_admins group

but that account is unable to administer other people's bookings or edit the MRBS setup

running MRBS 1.10.0 with iniit sessions disabled so it works, and simplesamlphp auth'ing to Google Apps.

thanks, Craig

Reported by: *anonymous

Original Ticket: mrbs/support-requests/2616

jberanek commented 2 years ago

sorry that was me, didn't mean to post anonymously.

Original comment by: craigknights

jberanek commented 2 years ago

Looking at the MRBS code I think it should be

    $auth['saml']['admin'] = array('saml_admins' => 'saml_admins');

Can you try that?

Original comment by: campbell-m

jberanek commented 2 years ago

thanks so much, I will in the morning

Original comment by: craigknights

jberanek commented 2 years ago

no sorry, it doesn't seem to work. The user is not made an admin.

thank you, Craig

Original comment by: craigknights

jberanek commented 2 years ago

Can you add the following debugging line at line 86 of lib/MRBS/Auth/AuthSaml.php (ie just after $current_username = \MRBS\session()->getUsername();):

    error_log(var_export($userData, true));

and let me know the output in your PHP error log? Remember to edit out any sensitive data. Either post it here or send me a PM.

Original comment by: campbell-m

jberanek commented 2 years ago

sourceforge hated that paste, blocked it.. all good.

I think this is what you need?

many thanks, Craig

    [Tue Oct 11 11:46:48.353211 2022] [php7:notice] [pid 116600] [client 10.161.51.229:54295] array (
      'username' => 
      array (
        0 => 'myname@myschool.school.xx',
      ),
      'saml_admins' => 
      array (
        0 => 'saml_admins',
      ),
    ), referer: https://bookings.myschool.school.xx/index.php
    [Tue Oct 11 11:46:48.353311 2022] [php7:notice] [pid 116600] [client 10.161.51.229:54295] 
    E_WARNING in /var/www/html/mrbs/web/lib/MRBS/Auth/AuthSaml.php at line 93
    Invalid argument supplied for foreach()
    MRBS GET: Array
    (
      [view] => day
      [view_all] => 1
      [page_date] => 2022-10-12
      [area] => 2
      [room] => 4
    )
    MRBS POST: Array
    (
    )
    MRBS SESSION: Array
    (
      [SimpleSAMLphp_SESSION] => C:18:"SimpleSAML\Session":2333:{a:10:{s:9:"sessionId";s:26:"u5l6s3pp6e5nm5u4unl4sdva58";s:9:"transient";b:0;s:7:"trackid";s:10:"2b65d7d5fb";s:16:"rememberMeExpire";N;s:5:"dirty";b:0;s:19:"callback_registered";b:0;s:9:"dataStore";a:2:{s:22:"\SimpleSAML\Auth\State";a:0:{}s:39:"\SimpleSAML\Auth\Source.LogoutCallbacks";a:1:{s:64:"10:default-sphttps://accounts.google.com/o/saml2?idpid=XXXXXXXX";a:3:{s:7:"expires";s:17:"sessionEndTimeout";s:7:"timeout";s:17:"sessionEndTimeout";s:4:"data";a:2:{s:8:"callback";a:2:{i:0;s:22:"SimpleSAML\Auth\Source";i:1;s:14:"logoutCallback";}s:5:"state";a:2:{s:41:"\SimpleSAML\Auth\DefaultAuth.logoutSource";s:10:"default-sp";s:36:"\SimpleSAML\Auth\Source.logoutSource";s:10:"default-sp";}}}}}s:12:"associations";a:0:{}s:9:"authToken";s:43:"_eb764fe9e6ba83fa5fff1e2b913e92fc3fcbf8677b";s:8:"authData";a:1:{s:10:"default-sp";a:12:{s:28:"saml:AuthenticatingAuthority";a:1:{i:0;s:51:"https://accounts.google.com/o/saml2?idpid=XXXXXXXX";}s:17:"saml:AuthnInstant";i:1665354442;s:20:"saml:sp:SessionIndex";s:33:"_f009149b70ccd4df7a1cd4bbcef3f994";s:20:"saml:sp:AuthnContext";s:50:"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified";s:16:"saml:sp:prevAuth";a:4:{s:2:"id";s:33:"_d89d23383a1e6046a2da31f6735c033c";s:6:"issuer";s:51:"https://accounts.google.com/o/saml2?idpid=XXXXXXXX";s:12:"inResponseTo";s:43:"_1623c2a131ee62130a3c9b5bf30df0b63b3515a082";s:8:"redirect";s:102:"https://bookings.myschool.school.xx/view_entry.php?view=day&year=2022&month=10&day=11&area=2&id=13025";}s:11:"saml:sp:IdP";s:51:"https://accounts.google.com/o/saml2?idpid=XXXXXXXX";s:10:"Attributes";a:2:{s:8:"username";a:1:{i:0;s:30:"myname@myschool.school.xx";}s:11:"saml_admins";a:1:{i:0;s:11:"saml_admins";}}s:11:"LogoutState";a:4:{s:16:"saml:logout:Type";s:5:"saml2";s:15:"saml:logout:IdP";s:51:"https://accounts.google.com/o/saml2?idpid=XXXXXXXX";s:18:"saml:logout:NameID";O:21:"SAML2\\XML\\saml\\NameID":6:{s:11:", referer: https://bookings.myschool.school.xx/index.php

Original comment by: craigknights

jberanek commented 2 years ago

Thanks. Sorry, my fault, the config setting should have been

    $auth['saml']['admin'] = array('saml_admins' => array('saml_admins'));

If that works you can remove the diagnostic line.

Original comment by: campbell-m
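As an added illustration, not MRBS's own code and not part of this thread, the PHP below shows how a setting of this shape is interpreted and why the two earlier attempts failed: each key of `$auth['saml']['admin']` names a SAML attribute, its value is a list of accepted attribute values, and the user gets admin rights when the attribute returned by the IdP contains one of them. The `$userData` array is a constructed copy of the `var_export()` output posted above; the function name `isSamlAdmin` and the fail-closed handling of a misconfigured string value are assumptions, not the project's implementation.

```php
<?php
// Added example (not MRBS code): interpret
//   $auth['saml']['admin'] = array('<attribute>' => array('<value>', ...))
// against the attributes SimpleSAMLphp hands back for the logged-in user.

/**
 * @param array $userData    SAML attributes as SimpleSAMLphp returns them:
 *                           attribute name => list of string values.
 * @param mixed $adminConfig the value of $auth['saml']['admin'].
 * @return bool true when the user should be granted admin rights.
 */
function isSamlAdmin(array $userData, $adminConfig): bool
{
    if (!is_array($adminConfig)) {
        return false;
    }

    foreach ($adminConfig as $attribute => $acceptedValues) {
        // A bare string here is the misconfiguration from this thread:
        // iterating a string is what raised "Invalid argument supplied for
        // foreach()". Treat it as "no admin" rather than silently granting
        // or crashing (assumed behaviour for this illustration).
        if (!is_array($acceptedValues)) {
            trigger_error(
                "\$auth['saml']['admin']['$attribute'] must be an array of values",
                E_USER_WARNING
            );
            continue;
        }

        // The IdP did not send this attribute (user is not in the group).
        if (empty($userData[$attribute]) || !is_array($userData[$attribute])) {
            continue;
        }

        foreach ($acceptedValues as $value) {
            // Strict comparison so that '' or '0' can never match by accident.
            if (in_array($value, $userData[$attribute], true)) {
                return true;
            }
        }
    }

    return false;
}

// Constructed sample mirroring the var_export() output posted above.
$userData = array(
    'username'    => array('myname@myschool.school.xx'),
    'saml_admins' => array('saml_admins'),
);

// The working form from the thread: attribute => list of accepted values.
$good = array('saml_admins' => array('saml_admins'));
var_dump(isSamlAdmin($userData, $good));

// First attempt: the value to match is the group name the IdP sends,
// not the user's address, so this never matches.
$wrongValue = array('saml_admins' => array('myname@myschool.school.xx'));
var_dump(isSamlAdmin($userData, $wrongValue));

// Second attempt: a string instead of an array of values.
$stringValue = array('saml_admins' => 'saml_admins');
var_dump(isSamlAdmin($userData, $stringValue));

// A user the IdP does not place in the group gets no admin rights.
$nonMember = array('username' => array('other@myschool.school.xx'));
var_dump(isSamlAdmin($nonMember, $good));
```

Run it with `php example.php`; only the `$good` configuration yields `true`. Because the decision rests entirely on an attribute asserted by the IdP, the group membership that populates `saml_admins` on the Google side is what actually controls who can administer MRBS, so that group deserves the same review as any other admin list.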

jberanek commented 2 years ago

Yes that works perfectly. Thank you so much for your assistance!

Original comment by: craigknights