salesagility / SuiteCRM

SuiteCRM - Open source CRM for the world
https://www.suitecrm.com
GNU Affero General Public License v3.0
4.47k stars 2.08k forks

SAML Login impossible due to invalid Token Issuer from Azure AD #8537

Open fstorz opened 4 years ago

fstorz commented 4 years ago

Issue

We use Azure AD as SAML provider. There the token issuer looks something like 'https://sts.windows.net/{uuid}/'. But the SAML configuration defines, for validation, the same entityId for the token request as for the provider entityId (see SAML settings.php). And the provider entityId is later used for validation of the token (see Response Validation).

Expected Behavior

It should be possible to configure the Token Issuer of the SAML Provider in the UI

Actual Behavior

Currently only configuration of the SAML Login URL, Logout URL and Certificate is possible. For validation, the same URL is used as for requesting a token (see settings.php).

Your Environment

Mac-Rae commented 4 years ago

I have no simple way to test this ATM, I'll come back to this soon and see what I can do :+1:

fstorz commented 4 years ago

Here I can provide the structure of the Azure AD SAML token (all non-relevant information was retained):

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_396dd96f-0873-40ce-a175-f688acb86acd" Version="2.0" IssueInstant="2020-02-23T13:31:26.300Z" 
        Destination="https://{host}/index.php?action=Login&amp;module=Users" InResponseTo="ONELOGIN_...">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/{tenant-uuid}/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_396dd96f-0873-40ce-a175-f688acb86acd">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>...</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>...</SignatureValue>
        <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_04e57ec5-3b4e-484d-8c3a-b08c19ee5c00" IssueInstant="2020-02-23T13:31:26.284Z" Version="2.0">
        <Issuer>https://sts.windows.net/{tenant-uuid}/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_04e57ec5-3b4e-484d-8c3a-b08c19ee5c00">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>...</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>...</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{email}</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="ONELOGIN_..." NotOnOrAfter="2020-02-23T14:31:26.112Z" 
                        Recipient="https://{host}/index.php?action=Login&amp;module=Users"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2020-02-23T13:26:26.112Z" NotOnOrAfter="2020-02-23T14:31:26.112Z">
            <AudienceRestriction>
                <Audience>https://{host}/index.php?action=Login&amp;module=Users</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>{tenant-uuid}</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>{uuid}</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>...</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/{tenant-uuid}/</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
                <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>...</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>...</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>{email}</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>{email}</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2020-02-23T13:31:18.612Z" SessionIndex="_...">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

tsmgeek commented 3 years ago

https://github.com/salesagility/SuiteCRM/pull/8996

I'm proposing a change to allow full override of the onelogin settings file: if you set 'onelogin' in config you define it exactly as per the library array, and what you see in the UI is ignored.

fstorz commented 3 years ago

We use another tool which also provides SAML Login via OneLogin. The solution there was to provide the URL to the IdP Metadata endpoint, which contains all necessary information. For Azure this looks like https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<uuid>

PXKL commented 2 years ago

We use another tool which also provides SAML Login via OneLogin. The solution there was to provide the URL to the IdP Metadata endpoint, which contains all necessary information. For Azure this looks like https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<uuid>

@fstorz can you provide any information on how to do so? I tried everything I could find and this seems to be my last straw to hold on :-)

Regards

fstorz commented 2 years ago

@PXKL I'm sorry, but I cannot provide any further info, as I cannot remember exactly. What you could try (what I did at that time) is to "debug" the PHP code for the SAML Login. I added some log output in the file /vendor/onelogin/php-saml/src/Saml2/Response.php (especially where the issuer is validated, for us on line 312).

Good Luck

                // Check the issuers: every <Issuer> found in the Response and
                // in the Assertion must equal the configured idp.entityId
                $issuers = $this->getIssuers();
                foreach ($issuers as $issuer) {
                    $trimmedIssuer = trim($issuer);
                    if (empty($trimmedIssuer) || $trimmedIssuer !== $idPEntityId) {
                        // the library rejects the response here (ValidationError)
                    }
                }
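Added example, not code from this thread, from SuiteCRM or from php-saml: it reproduces the issuer check quoted above against a reduced copy of the Azure AD response structure posted earlier in this issue, once with `idp.entityId` filled the way the UI-driven config effectively fills it (the login URL) and once with the issuer Azure AD really sends. `{host}`, `{tenant-uuid}` and the `login.microsoftonline.com` URL are placeholders; the settings arrays follow the php-saml layout that the 'onelogin' override in the linked PR would hand to the library.

```php
<?php
// Added example (not SuiteCRM / php-saml code): why the Azure AD issuer check
// fails with entityId = login URL, and what the corrected settings look like.

// Constructed sample: the Azure AD response from this issue, reduced to the
// elements the issuer check looks at. Signatures are omitted; in production the
// signature is verified before anything in the document is trusted.
$azureResponse = <<<'XML'
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/{tenant-uuid}/</Issuer>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
        <Issuer>https://sts.windows.net/{tenant-uuid}/</Issuer>
        <Conditions>
            <AudienceRestriction>
                <Audience>https://{host}/index.php?action=Login&amp;module=Users</Audience>
            </AudienceRestriction>
        </Conditions>
    </Assertion>
</samlp:Response>
XML;

// php-saml settings as the UI-driven config ends up: idp.entityId is the same
// URL as the SSO endpoint, which Azure AD never uses as its issuer.
$settingsFromUi = [
    'idp' => [
        'entityId' => 'https://login.microsoftonline.com/{tenant-uuid}/saml2',
        'singleSignOnService' => ['url' => 'https://login.microsoftonline.com/{tenant-uuid}/saml2'],
    ],
];

// Corrected settings: entityId carries the issuer value; the SSO URL is unchanged.
$settingsCorrected = [
    'idp' => [
        'entityId' => 'https://sts.windows.net/{tenant-uuid}/',
        'singleSignOnService' => ['url' => 'https://login.microsoftonline.com/{tenant-uuid}/saml2'],
    ],
];

/** Parse the response defensively and return every Issuer value it carries. */
function getIssuers(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('SAML response is not well-formed XML');
    }
    // A SAML message has no business carrying a DOCTYPE; reject it outright.
    if ($doc->doctype !== null) {
        throw new RuntimeException('DOCTYPE not allowed in a SAML response');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $issuers = [];
    $query = '/samlp:Response/saml:Issuer | /samlp:Response/saml:Assertion/saml:Issuer';
    foreach ($xp->query($query) as $node) {
        $issuers[] = trim($node->textContent);
    }
    return $issuers;
}

/** Same rule as the library check above: every issuer must be non-empty and equal idp.entityId. */
function issuerMatches(array $settings, string $xml): bool
{
    $expected = $settings['idp']['entityId'];
    $issuers = getIssuers($xml);
    if ($issuers === []) {
        return false; // a response without any Issuer must not pass either
    }
    foreach ($issuers as $issuer) {
        if ($issuer === '' || $issuer !== $expected) {
            return false;
        }
    }
    return true;
}

printf("UI-style settings (entityId = login URL): %s\n",
    issuerMatches($settingsFromUi, $azureResponse) ? 'accepted' : 'rejected');
printf("Corrected settings (entityId = issuer):   %s\n",
    issuerMatches($settingsCorrected, $azureResponse) ? 'accepted' : 'rejected');
```

Run it with `php issuer-check.php`. The point to take from it is that the value to put in `idp.entityId` is whatever the IdP writes into `<Issuer>`, not the endpoint the AuthnRequest is posted to; for Azure AD the two are different hosts, so a config that reuses the login URL cannot ever validate a response.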

PXKL commented 2 years ago

It now seems to be a problem related to the authentication method.

Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

@fstorz do you know where to change this ? Azure is giving me the resolution to:

Request to the developer of the application to remove the RequestedAuthnContext from the SAML request. Another option is to request the application owner to always prompt the user for a fresh authentication. To accomplish this, the application needs to add the value forceAuthn="true" as a parameter in the request to Azure AD.

Found it:

/opt/bitnami/suitecrm/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php Change PasswordProtectedTransport to X509
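Added example, not code from this thread, from SuiteCRM or from php-saml: the two changes Azure AD asks for in the message quoted above (drop `RequestedAuthnContext`, or use `forceAuthn`) expressed as php-saml `security` settings rather than as an edit to the vendored `AuthnRequest.php`, beside the library's default that produces the mismatch. It assumes the settings array reaches php-saml unchanged (the 'onelogin' override proposed earlier in this thread); the class names are the standard SAML authn context classes and the sample values are constructed.

```php
<?php
// Added example (not SuiteCRM / php-saml code): php-saml settings that control
// the RequestedAuthnContext element, plus an SP-side check of the
// AuthnContextClassRef that came back.

// Library default: request PasswordProtectedTransport only. Against a tenant
// whose users sign in with a certificate plus MFA, Azure AD answers with the
// "X509, MultiFactor ... doesn't match requested ..." error quoted above.
$securityDefault = [
    'requestedAuthnContext' => true, // php-saml default: PasswordProtectedTransport
    'requestedAuthnContextComparison' => 'exact',
];

// Option A: send no RequestedAuthnContext at all; Azure AD then accepts the
// method that satisfied its own policy (the first resolution Azure suggests).
$securityNoContext = [
    'requestedAuthnContext' => false,
];

// Option B: request the classes the SP is willing to accept explicitly,
// instead of editing the vendored AuthnRequest.php.
$securityExplicit = [
    'requestedAuthnContext' => [
        'urn:oasis:names:tc:SAML:2.0:ac:classes:X509',
        'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
    ],
    'requestedAuthnContextComparison' => 'exact',
];

// forceAuthn (Azure's second suggestion) is not a settings key; it is the
// third argument of OneLogin\Saml2\Auth::login():
//   $auth->login(null, [], true);

/**
 * SP-side check of what came back: the AuthnContextClassRef in the assertion
 * must be one the SP asked for (or anything non-empty if it asked for none).
 * Only the 'exact' comparison is implemented here; 'minimum' and 'better'
 * need an ordering of classes that SAML leaves to deployment policy.
 */
function authnContextAccepted(string $asserted, array $security): bool
{
    $requested = $security['requestedAuthnContext'] ?? true;
    if ($requested === false) {
        return $asserted !== '';
    }
    if ($requested === true) {
        $requested = ['urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'];
    }
    return in_array($asserted, $requested, true);
}

// Constructed sample values: the class from the response quoted in this issue
// (password login) and the X509 class from the error message above.
$passwordLogin = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';
$certLogin = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509';

$variants = ['default' => $securityDefault, 'no context' => $securityNoContext, 'explicit' => $securityExplicit];
foreach ($variants as $name => $security) {
    printf("%-10s password: %-8s X509: %s\n", $name,
        authnContextAccepted($passwordLogin, $security) ? 'ok' : 'mismatch',
        authnContextAccepted($certLogin, $security) ? 'ok' : 'mismatch');
}
```

Option B is the one to prefer when the SP cares about the strength of the method (it keeps the requested classes under version control instead of in a patched vendor directory); option A hands the decision entirely to the tenant's Conditional Access policy. Either way the change survives a `composer update`, which a direct edit of `AuthnRequest.php` does not.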