Closed stefanomarty closed 3 months ago
Well, it seems there was a configuration error on the IdP and the Invalid CSRF token was just a consequence. After a more careful check of the log I found this error:
[2024-03-16 14:54:02] app.ERROR: Found attributes: Array ( \
[Family name] => Array ( [0] => Demo ) \
[Full name] => Array ( [0] => demoagent ) \
[Email address] => Array ( [0] => demoagentboiler@[Redacted] ) \
[Given name] => Array ( [0] => Agent ) \
[sessionIndex] => 70c1c409-432c-4115-a1f8-175ca93918f0::e74c7058-39e9-4238-bc26-51a410f7592a ) [] []
and those array index names looked very strange: [Family name],[Full name],[Email address] instead of [last_name],[username],[email], etc...
I checked on Keycloak and those index names where saved in the "Friendly name" field of the User attribute. After changing the "Friendly name" field to the original SAML attribute name, the issue was solved and the user were able to login. I was misled by the SAML-tracer extension in Firefox because those "Friendly names" never showed up there and everything looked normal.
I still don't understand why the SAML plugin reads those Friendly names instead of the standard SAML Attribute name, but once you know it you can easily solve the problem. Hope this can help someone facing the same problem!
why the SAML plugin reads those Friendly names instead of the standard SAML Attribute name
Is it possibly because:
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=true
You can set that to false
and it should use the standard SAML Attribute name.
why the SAML plugin reads those Friendly names instead of the standard SAML Attribute name
Is it possibly because:
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=true
You can set that tofalse
and it should use the standard SAML Attribute name.
Ahahah... it was just under my nose for all these hours and I simply couldn't see it!!!
That's why you always need another pair of eyes, sometimes you can't see what's right in front of you!
Thanks! 👍
Issue
I am trying to setup a SAML login on a fresh SuiteCRM v.8.5.1 install.
I followed the instructions here: https://docs.suitecrm.com/8.x/admin/configuration/saml-configuration/
IDP is a Keycloak instance already serving other apps without errors. .env.local is configured to use the email as SAML_USERNAME_ATTRIBUTE (user are registered in SuiteCRM with email as username):
The SAML exchange looks good, I can see the SAML 2.0 Assertion and the SAML 2.0 AttributeStatement (using the SAM-tracer extension in Firefox). Here's an example of the answer from Keycloak:
It looks fine to me, all the attributes are the correct ones and they coincidw with the user already registered in the CRM, but the user never get logged in, they always are redirected to logged-out blank page.
In the suitecrm log I can see the problem is caused by "Invalid CSRF token"
I have tried many different suggestions fund on the internet but nothing solved the issue so far.
What am I missing?
Thanks in advance for your help!