phpipam / phpipam

phpipam development repository
https://phpipam.net

Azure AD SAML Auth #2998

Open jboileau99 opened 4 years ago

jboileau99 commented 4 years ago

Hi,

I'm trying to set up SAML auth through Azure AD. Is there any documentation on this? I saw this but sadly that is in German.

Thanks

elhiss commented 3 years ago

Any luck with the setup?

I have followed this guide https://www.booches.nl/2020/05/phpipam-azure-and-saml-authentication/ But... In Azure the login is a success, but on the phpipam side I get a blank page with "invalid_response" and nothing in Tools > Log Files...

PHP Version 7.4.3 phpipam 1.4.1

GaryAllan commented 3 years ago

Hello @elhiss There's an updated SAML plugin in the master branch (v1.50). Also includes a debugging option which displays the reason for failure.


elhiss commented 3 years ago

@GaryAllan Thank you for the info! will update and see if I can get it to work.

elhiss commented 3 years ago

After updating to the master branch the error messages were a bit easier to understand, since it wasn't just "invalid_response". I had the wrong format on the certificate, re-entered it and now Single Sign On via Azure works. 👌

FYI I followed this guide except downloading the Base64 cert for the thumbprint. Instead I downloaded the Federation Metadata XML and extracted the x.509 cert from there.


mark88d commented 1 year ago

I cannot get this working even with the above. Any further updates to this issue?

BerendvW commented 1 year ago

@mark88d: as per 1.5:
certificate name is the (unencoded) certificate
identifier is just some unique value which should be the same in AAD
SAML username should be the complete mapping as found in the AAD attribute
Finally, you might need to change the attribute value for display_name and email (in AAD)

mark88d commented 1 year ago

Thanks @BerendvW, that's great, worked.


joakimlemb commented 1 year ago

Anyone got this working with phpIPAM 1.5.2 and Azure AD? The documentation is not good enough for this to be a straightforward setup. I'm currently stuck at a 403 Forbidden error during POST to https://phpipam_uri/saml2/

gnilronm commented 1 year ago

@joakimlemb, I got that working yesterday, following the guide @elhiss posted and then made sure that my claims on the Enterprise App was correct. Here's my working config. Hope that helps.


joakimlemb commented 1 year ago

@gnilronm I'm not sure what was wrong but I just redid the entire config and made sure it matched yours, and it works now. Thank you.

Can't figure out JIT yet, but at least we can login with pre-provisioned users.

JIT error: Mandatory SAML JIT attribute missing : display_name (string)


vivek-skumar commented 1 year ago


You need to make sure that you are adding the additional claims that JIT is expecting.

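To see why JIT fails with "Mandatory SAML JIT attribute missing", it helps to decode the SAMLResponse the IdP posts and list the attribute names that are actually present, since the IdP's default claim URIs do not match the plain names phpIPAM expects. The helper below is an added example, not phpIPAM's own code: the attribute names display_name and email are taken from this thread (the authoritative list is in phpIPAM's doc/Authentication/SAML2.md), and the embedded response is a constructed sample in which the IdP emits Azure's default name claim instead of display_name.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attributes this check treats as mandatory for JIT provisioning.
# Assumption for the example, based on the names mentioned in the thread.
REQUIRED_JIT_ATTRIBUTES = ("display_name", "email")


def parse_saml_response(saml_response_b64):
    """Decode a base64 SAMLResponse; return (NameID, {attribute name: [values]})."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    name_id_el = assertion.find("saml2:Subject/saml2:NameID", NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def check_jit_attributes(attrs, required=REQUIRED_JIT_ATTRIBUTES):
    """Return the mandatory JIT attributes that are missing or have no non-empty value."""
    return [name for name in required if not any(v.strip() for v in attrs.get(name, []))]


# Constructed sample: 'email' is mapped correctly, but the display name is only
# emitted under Azure's default claim URI, so phpIPAM's JIT check would fail.
SAMPLE_RESPONSE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject><saml2:NameID>jdoe@example.com</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml2:AttributeValue>Jane Doe</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    name_id, attrs = parse_saml_response(SAMPLE_RESPONSE_B64)
    print("NameID (must match the phpIPAM username):", name_id)
    print("attributes received:", sorted(attrs))
    print("mandatory JIT attributes missing:", check_jit_attributes(attrs))
```

The NameID printed is the value the phpIPAM username has to match, which is why the UPN-style username mentioned later in the thread matters.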

vadaszgergo commented 4 months ago

@vivek-skumar @elhiss @GaryAllan Based on those attributes, how does it know if a user should be admin or normal user? Can this setup automatically provision the user in phpIPAM, instead of manually creating the user first?

GaryAllan commented 4 months ago

https://github.com/phpipam/phpipam/blob/master/doc/Authentication/SAML2.md

See JIT and 'is_admin' attribute.

Anyone9060 commented 4 days ago


I tried following this with Debugging on, I simply get a white page with: "Invalid username or password"

I am not prompted for a 2FA code like I normally would though. Is that the issue?

Anyone9060 commented 4 days ago

I just got a new account working. I had to make a new user with "username" in IPAM that matches the UPN in Entra ID/AD.

Prior to this, all users were AD integrated and their "Username" in IPAM was simply "username" and not "username@domain.com"

Is there a way to convert existing AD users to SAML users? I can easily change the drop-down for authentication, but I can't seem to change the usernames once they are already created.