meeting-room-booking-system / mrbs-code

MRBS application code

MRBS integration with SAML #3431

Open jberanek opened 1 year ago

jberanek commented 1 year ago

Hi, this is my first time working with SAML, so bear with me if I ask something simple. I have set up SimpleSAMLphp on my server and tested the default-sp connection, and it is working fine.

When I try to set up the configuration for MRBS SAML authentication and test it in the browser, I get the error message:

Uncaught exception 'Error' in /var/www/html/webtest/lib/MRBS/Session/SessionSaml.php at line 64 Class 'SimpleSAML_Auth_Simple' not found

Below is my configuration in MRBS:

$auth['type'] = 'saml';
$auth['session'] = 'saml';
$auth['saml']['ssp_path'] = 'simplesamlphp';
$auth['saml']['authsource'] = 'default-sp';
$auth['saml']['attr']['username'] = 'sAMAccountName';
$auth['saml']['attr']['mail'] = 'mail';
$auth['saml']['admin']['memberOf'] = ['CN=Lecture Capture,CN=Users,DC=usp,DC=ac,DC=fj'];
$auth['saml']['disable_mrbs_session_init'] = true;

as my simplesamlphp folder is within my project folder. Any leads or advice would be appreciated.

Reported by: *anonymous

Original Ticket: mrbs/support-requests/2750

jberanek commented 1 year ago

I think $auth['saml']['ssp_path'] needs to be an absolute, not a relative, path.

Original comment by: campbell-m

jberanek commented 1 year ago

Hi Campbell,

Thanks for your response. After a bit of back and forth, the error Class 'SimpleSAML_Auth_Simple' turned out to be due to the fact that it was an old method, and I have changed it to use new \SimpleSAML\Auth\Simple(''). I now have an MRBS access denied message, which I have attached. My config settings are below:

$auth['type'] = 'saml';
$auth['session'] = 'saml';
$auth['saml']['ssp_path'] = '/var/www/html/webtest/simplesamlphp';
$auth['saml']['authsource'] = 'default-sp';
$auth['saml']['attr']['username'] = 'nameid'; // from idp attribute
$auth['saml']['attr']['mail'] = 'emailaddress'; // from idp attribute
$auth['saml']['admin']['memberOf'] = ['CN=Lecture Capture,OU=App-AD-Bind-Accounts,DC=usp,DC=ac,DC=fj'];
$auth['saml']['disable_mrbs_session_init'] = true;

Please advise.

Original comment by: *anonymous

Attachments: https://sourceforge.net/p/mrbs/support-requests/_discuss/thread/90a2a0c2ce/7f4e/7640/attachment/Screenshot%202023-04-27%20153547.png

jberanek commented 1 year ago

The values should match the SSP attribute names from simplesamlphp:

$auth['saml']['attr']['username'] = 'nameid'; // from idp attribute
$auth['saml']['attr']['mail'] = 'emailaddress'; // from idp attribute

Then it worked.

I am able to login as a normal user.

Original comment by: *anonymous

jberanek commented 1 year ago

Glad you've got it working. The SimpleSAML authentication was contributed a few years ago and I suspect it now needs to be updated to be compatible with the latest version of the SimpleSAMLphp library.

Original comment by: campbell-m

iainmsi commented 7 months ago

Hi jberanek, I'm trying to set up simplesamlphp with MRBS and it looks like you've been through it. I'm running the latest version of MRBS and Apache on Ubuntu. simplesamlphp is in the /var/www/bookings directory. simplesamlphp seems to be working: I can log in, run a test and it connects etc. However, I don't know about configuring MRBS, and configuring it for admin users also? Any help would be greatly appreciated!

campbell-m commented 7 months ago

How far have you got? Have you configured

// 'auth_saml' configuration settings
// (assuming Active Directory attributes):
$auth['saml']['ssp_path'] = '/opt/simplesamlphp';  // must be an absolute and not a relative path
$auth['saml']['authsource'] = 'default-sp';
$auth['saml']['attr']['username'] = 'sAMAccountName';
$auth['saml']['attr']['mail'] = 'mail';
$auth['saml']['attr']['givenName'] = 'givenname';
$auth['saml']['attr']['surname'] = 'sn';
$auth['saml']['admin']['memberOf'] = ['CN=Domain Admins,CN=Users,DC=example,DC=com'];
// Optional access control filter
//$auth['saml']['user']['memberOf'] = ['CN=Calendar Users,CN=Users,DC=example,DC=com'];
// MRBS session initialisation can interfere with session handling in some
// SAML libraries.  If so, set this to true.
$auth['saml']['disable_mrbs_session_init'] = false;

Note that the optional access control filter was only added post 1.11.4.

iainmsi commented 7 months ago

I've put that:

$auth['type'] = 'saml';
$auth['session'] = 'saml';
$auth['saml']['ssp_path'] = '/var/www/bookings/simplesamlphp/';
$auth['saml']['authsource'] = 'default-sp';
$auth['saml']['attr']['username'] = 'nameid'; // from idp attribute
$auth['saml']['attr']['mail'] = 'emailaddress'; // from idp attribute
$auth['saml']['disable_mrbs_session_init'] = false;

campbell-m commented 7 months ago

... and what happens/doesn't happen?

iainmsi commented 7 months ago

Absolutely nothing. I did briefly see our SSO page, but then nothing.

iainmsi commented 7 months ago

Spoke with our identity guy:

$auth['type'] = 'saml';
$auth['session'] = 'saml';
$auth['saml']['ssp_path'] = '/var/www/bookings/simplesamlphp/';
$auth['saml']['authsource'] = 'default-sp';
$auth['saml']['attr']['username'] = 'Nickname'; // from idp attribute
$auth['saml']['attr']['mail'] = 'Mail'; // from idp attribute
$auth['saml']['attr']['givenName'] = 'Given name';
$auth['saml']['attr']['surname'] = 'Surname';
$auth['saml']['disable_mrbs_session_init'] = false;

campbell-m commented 7 months ago

Are you getting any errors in your PHP error log?

iainmsi commented 7 months ago

I noticed that if I click on a room entry now it takes me to the login page, and I get access denied.

iainmsi commented 7 months ago

Isn't there an auth.saml PHP file that needs to be created/edited?

campbell-m commented 7 months ago

What do you mean by "room entry"?

iainmsi commented 7 months ago

If I want to book a room, I click on a time/room and it takes me to the login page, where I get: Access Denied. You do not have the necessary rights to view this page.

I thought maybe I had to create an auth_saml.inc or edit mrbs_auth.inc?

campbell-m commented 7 months ago

No, auth_saml.inc is a leftover from MRBS 1.7.1 and you shouldn't need to edit mrbs_auth.inc. When you say it takes you to the login page, is that your SSO login page or the MRBS login page?

iainmsi commented 7 months ago

It’s the mrbs login page

campbell-m commented 7 months ago

Sorry, I'm not sure I can help much more, but I'd expect it to go to your SSO login page. However I've never used Saml authentication. The only things I can suggest are (a) checking that you've done this bit:

 * This scheme assumes that you've already configured SimpleSamlPhp,
 * and that you have set up aliases in your webserver so that SimpleSamlPhp
 * can handle incoming assertions.  Refer to the SimpleSamlPhp documentation
 * for more information on how to do that.
 *
 * https://simplesamlphp.org/docs/stable/simplesamlphp-install
 * https://simplesamlphp.org/docs/stable/simplesamlphp-sp

and (b) asking @jagapen or @dorianim for help, both of whom have contributed to the AuthSaml.php code and presumably have it working.

iainmsi commented 7 months ago

Where would I configure admin access? Still with the config.inc?

campbell-m commented 7 months ago

Looking at the code, I think you need to set $auth['saml']['admin'], which should be an array of values keyed by attribute, eg

$auth['saml']['admin'] = ['attr' => 'value'];

I'm not sure the example in systemdefaults.inc.php is correct.

iainmsi commented 7 months ago

It's close. It's going through the SAML page to our single sign-on page, where you enter details, and that takes you back to the rooms page, but I'm not logged in. When I click on a room entry I get access denied.

campbell-m commented 7 months ago

Even though you get "Access denied", is your name appearing at the right hand end of the banner?

dorianim commented 7 months ago

Hey there,

feel free to check out my mrbs docker container. It already contains a fully configured simplesamlphp: https://github.com/dorianim/mrbs-docker

The simplesamlphp setup is here: https://github.com/dorianim/mrbs-docker/blob/21a510e13bdc3f4480068255f73f7a864532b25c/Dockerfile#L51

And the configuration is here: https://github.com/dorianim/mrbs-docker/tree/main/root/var/www/simplesamlphp

iainmsi commented 7 months ago

No, I'm not logged in at all.

iainmsi commented 7 months ago

Thanks Dorian, but I don't want to go down the Docker road. I'm now getting this error; why would it be looking for /opt/simplesamlphp/lib? It's not a directory I use.

Uncaught exception 'Error' in /var/www/bookings/rooms/lib/MRBS/Session/SessionSaml.php at line 61 Failed opening required '/opt/simplesamlphp/lib/_autoload.php' (include_path='.:/usr/share/php')

0 /var/www/bookings/rooms/lib/MRBS/Session/SessionFactory.php(14): MRBS\Session\SessionSaml->__construct()
1 /var/www/bookings/rooms/mrbs_auth.inc(33): MRBS\Session\SessionFactory::create()
2 /var/www/bookings/rooms/init.inc(40): MRBS\session()
3 /var/www/bookings/rooms/defaultincludes.inc(34): require_once('...')
4 /var/www/bookings/rooms/index.php(8): require('...')
5 {main}

MRBS GET: Array ( ) MRBS POST: Array ( )

0 MRBS\generate_backtrace() called at [/var/www/bookings/rooms/functions_error.inc:219]
1 MRBS\output_error() called at [/var/www/bookings/rooms/functions_error.inc:262]
2 MRBS\output_exception_error(object) called at [/var/www/bookings/rooms/functions_error.inc:270]


campbell-m commented 7 months ago

I don't know whether #3607 helps?

iainmsi commented 6 months ago

I'm making some progress. I can log in now; I had to set $auth["saml"]["attr"]["username"] = "urn:oid:2.3.5.4.535.54.1"; That logs me in as a user. I need to work out how to list usernames as admins.

Gergama commented 6 months ago

I believe you need to point the attribute to the complete identifier path containing the "username" information. The path for the identifier should be available in your Simple SAML configuration area. Here is an example of our attribute:

$auth['saml']['attr']['username'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username';

Hope that helps. I struggled as well because I am a newbie at SAML but with a little luck we got ours working.

iainmsi commented 6 months ago

Hi, thanks for the suggestion, but I've got the login working. However, I just get logged in as a standard user; I don't know how to define the admin users. I've seen other posts using domain groups and ou= etc., however that's for Active Directory. I'm using eDirectory, which doesn't use groups. I was hoping the list of user ids I previously used for LDAP, $auth['admin'][] = "myuserid", would still work, but it's not.

Gergama commented 6 months ago

We struggled with this as well, but tweaked the code and managed to get it working. Give it a try and I hope it helps.

In config.php, specify the individual usernames of the admins:

unset($auth["admin"]); // Include this when copying to config.inc.php
$auth["admin"][] = "jane.doe";
$auth["admin"][] = "john.doe";

In /web/lib/MRBS/AUTH/AuthSaml.php, replace the entire getLevel function (approx line 80) with this code:

  private function getLevel(string $username) : int
  {
    global $auth;
    // Attributes returned by SimpleSAMLphp for the logged-in user
    $userData = \MRBS\session()->ssp->getAttributes();
    $current_username = \MRBS\session()->getUsername();
    if (isset($current_username) && $current_username === $username)
    {
      // Defer to the config-file admin list ($auth['admin']) via the default level lookup
      return $this->getDefaultLevel($username);
    }
    return 0;
  }

campbell-m commented 6 months ago

Would it help if I changed the code so that if $auth['saml']['admin'] is not set then it looks for admins in the config file (the same way that LDAP authentication works)?

And if $auth['saml']['admin'] is set then looking at the code I believe this needs to be an array of values keyed by attribute, eg

$auth['saml']['admin'] = ['attr1' => 'value1', 'attr2' => 'value2'];

iainmsi commented 6 months ago

Definitely, that would help me, if a list of users can be defined as admins in the config file.

campbell-m commented 6 months ago

I've just added it in 933c16d. If you want to define admins in the config file make sure you don't have $auth['saml']['admin'] set.
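To make the two admin configurations discussed above concrete, here is an added, stand-alone PHP example; it is not MRBS's own AuthSaml.php code and does not reproduce commit 933c16d. It models the behaviour described in this thread: when $auth['saml']['admin'] is set it is treated as attribute => required value(s), each of which must match one of the (always multi-valued) attributes SimpleSAMLphp's getAttributes() returns; when it is unset, the plain $auth['admin'] username list is consulted, as with LDAP. It also applies the optional $auth['saml']['user'] filter from the systemdefaults snippet. The function names, the sample attribute array and the level numbering (0 = no access, 1 = user, 2 = admin) are assumptions made for the illustration.

```php
<?php
// Added example, not MRBS project code. Models the admin-level resolution
// discussed in this thread: $auth['saml']['admin'] (attribute => value(s))
// takes precedence; if it is unset, the $auth['admin'] username list is used.

// Constructed sample of what SimpleSAMLphp's getAttributes() returns:
// every attribute is an array of string values, even when single-valued.
$sampleAttributes = [
    'sAMAccountName' => ['jane.doe'],
    'mail'           => ['jane.doe@example.com'],
    'memberOf'       => [
        'CN=Calendar Users,CN=Users,DC=example,DC=com',
        'CN=Domain Admins,CN=Users,DC=example,DC=com',
    ],
];

/**
 * Return true when every attribute listed in $criteria has at least one
 * value present in the user's SAML attributes. $criteria is shaped like
 * $auth['saml']['admin']: attribute name => value or list of values.
 */
function saml_attributes_match(array $attributes, array $criteria): bool
{
    foreach ($criteria as $attr => $wanted) {
        $wanted = is_array($wanted) ? $wanted : [$wanted];
        $have = $attributes[$attr] ?? [];
        // Exact, case-sensitive match on at least one value, so a similarly
        // named group (e.g. "Domain Admins Helpdesk") does not qualify.
        if (count(array_intersect($wanted, $have)) === 0) {
            return false;
        }
    }
    return true;
}

/**
 * Resolve the level for a logged-in SAML user (assumed numbering:
 * 0 = no access, 1 = ordinary user, 2 = admin). $authConfig stands in
 * for the global $auth array from config.inc.php.
 */
function saml_user_level(array $authConfig, string $username, array $attributes): int
{
    // Optional access-control filter: users failing it get no access at all.
    if (isset($authConfig['saml']['user'])
        && !saml_attributes_match($attributes, $authConfig['saml']['user'])) {
        return 0;
    }
    if (isset($authConfig['saml']['admin'])) {
        // Attribute-based rule, e.g. ['memberOf' => ['CN=Domain Admins,...']].
        return saml_attributes_match($attributes, $authConfig['saml']['admin']) ? 2 : 1;
    }
    // Fallback: explicit username list, the same way LDAP authentication works.
    $admins = $authConfig['admin'] ?? [];
    return in_array($username, $admins, true) ? 2 : 1;
}

// Group-based configuration (Active Directory style).
$authGroups = [
    'saml' => [
        'user'  => ['memberOf' => ['CN=Calendar Users,CN=Users,DC=example,DC=com']],
        'admin' => ['memberOf' => ['CN=Domain Admins,CN=Users,DC=example,DC=com']],
    ],
];
// Username-list configuration: $auth['saml']['admin'] deliberately left unset.
$authList = [
    'admin' => ['jane.doe', 'john.doe'],
];

var_dump(saml_user_level($authGroups, 'jane.doe', $sampleAttributes));
var_dump(saml_user_level($authList, 'jane.doe', $sampleAttributes));
var_dump(saml_user_level($authList, 'someone.else', $sampleAttributes));
```

Run it with `php example.php`. The point the thread makes about systemdefaults.inc.php applies here too: the username-list branch is only reached when the 'saml' => 'admin' key is genuinely absent, so a config.inc.php that relies on $auth['admin'] must unset any inherited $auth['saml']['admin'] first.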

Gergama commented 6 months ago

That is great campbell-m Thank you!

iainmsi commented 6 months ago

Thanks for doing that, but unfortunately it's still not working for me. The urn:oid values match the attribute names. I don't have a username attribute from SAML; mine is Nickname?

$auth["admin"][] = "xxxx";
$auth["admin"][] = "xxxxx";
$auth["admin"][] = "xxxx";
$auth["admin"][] = "xxxx";
$auth["admin"][] = "xxxx";
$auth["admin"][] = "xxxx";

$auth['type'] = 'saml';
$auth['session'] = 'saml';
$auth['saml']['authsource'] = 'default-sp';
$auth['saml']['ssp_path'] = '/var/www/bookings/simplesamlphp';
$auth['saml']['attr']['username'] = "urn:oid:1.3.6.1.4.1.5923.1.1.";
$auth['saml']['attr']['givenname'] = "urn:oid:2.5.4.2";
$auth['saml']['attr']['mail'] = "urn:oid:0.9.2342.19200300.10";
$auth['saml']['disable_mrbs_session_init'] = false;

Gergama commented 6 months ago

You need to check to be sure $auth['saml']['admin'] is not set for the code campbell-m added to take effect. By default, the systemdefaults.inc.php may have it set. Look for this in that file:

$auth['saml']['admin']['memberOf'] = ['CN=Domain Admins,CN=Users,DC=example,DC=com'];

If it's there, either comment it out in that file or unset it by overriding it in the config.php file.

campbell-m commented 6 months ago

I don't have a username attribute from saml mine is Nickname ?

Would you not just put in the config file whatever name you log in with? For example

$auth['admin'][] = 'iainmsi';  // or whatever you are on your system

iainmsi commented 6 months ago

Thank you both, that seems to be working. # $auth['saml']['admin']['memberOf'] = ['CN=Domain Admins,CN=Users,DC=example,DC=com']; on systemdefaults.inc.php seems to have resolved it. Many thanks.

Gergama commented 6 months ago

Hurray! Glad you got it working!

iainmsi commented 6 months ago

Thanks for your help. Another thing we found that's useful for logging out of SAML was editing the saml20-idp-remote file: in the single logout service you change the URL to go to a more helpful logout URL.

jberanek commented 6 months ago

Thank you both, that seems to be working. # $auth['saml']['admin']['memberOf'] = ['CN=Domain Admins,CN=Users,DC=example,DC=com']; on systemdefaults.inc.php seems to have resolved it. Many thanks.

Just a quick reminder: never make changes in systemdefaults.inc.php, always add config values to config.inc.php. This way you can upgrade MRBS without overwriting your configuration.