Closed samip5 closed 4 months ago
Okay, so Authentik needs to POST it, not use redirect, and then it would somewhat work. However, the documentation doesn't really say what is required for the user id format, so that's the next problem.
Browser console says: invalid user id format, without any information on what the correct one is, as it doesn't accept email nor name apparently.
Also just noticed that the url params show: authenticate?flow=frontend&fullname=&identity=skyler
which suggests issues with also getting fullname, and identity shouldn't be name, I think?
Omni handles the SAML ACS XML document. There it tries to find the user email in some commonly used attributes.
I think if Omni can't find the email, it should display the ACS in the logs.
Then you can analyze the ACS to see what's stored in the saml2:Attribute tags.
We had people who were able to set up Authentik as a SAML provider. It might also be that something is misconfigured on the Authentik side.
You can check this TF module for inspiration: https://codeberg.org/CodeGameEat/homeserver-terraform-modules
And this slack thread https://taloscommunity.slack.com/archives/CMARMBC4E/p1714465168811959
It seems that by default, the SAML mappings in Authentik are those that Omni doesn't search for. E.g. the email attribute name is emailAddress instead.
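As an added diagnostic example for the two points above (dumping the saml2:Attribute tags from the ACS document, and checking which attribute name actually carries the email), this script is not Omni's code and not from anyone in the thread. It base64-decodes a SAMLResponse POST field, lists every attribute the IdP sent, and compares the names against a candidate list. The candidate list, the sample response and the names in it are constructed for the example; Omni's real search list is not shown here.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Sequence

# SAML 2.0 namespace URIs. The prefix used in the document (saml:, saml2:, ...)
# does not matter to ElementTree; matching is done on the namespace URI.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names an SP might look at for the email. This list is an assumption
# made for this example; it is NOT the list Omni actually searches.
DEFAULT_EMAIL_NAMES: Sequence[str] = (
    "email",
    "mail",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
)


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """Base64-decode a SAMLResponse POST field and parse it as XML.

    An empty or non-XML body is the kind of input an SP reports as "no root";
    a redirect binding would instead put a deflated payload in the query string.
    """
    raw = base64.b64decode(saml_response_b64)
    if not raw.strip():
        raise ValueError("invalid xml: no root")
    try:
        return ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"invalid xml: {exc}") from exc


def list_attributes(root: ET.Element) -> Dict[str, List[str]]:
    """Map each saml:Attribute Name in the response to its AttributeValue texts."""
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name") or ""
        attrs[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def find_email(attrs: Dict[str, List[str]],
               candidates: Sequence[str] = DEFAULT_EMAIL_NAMES) -> Optional[str]:
    """Return the first non-empty value whose attribute Name exactly matches a candidate."""
    for name in candidates:
        values = attrs.get(name)
        if values and values[0]:
            return values[0]
    return None


def diagnose(saml_response_b64: str,
             candidates: Sequence[str] = DEFAULT_EMAIL_NAMES) -> Dict[str, object]:
    """Summarise what the IdP sent versus what the SP is looking for."""
    attrs = list_attributes(decode_saml_response(saml_response_b64))
    return {
        "email": find_email(attrs, candidates),
        "attributes": attrs,
        # Names present in the assertion that no candidate matches; an email
        # hiding under one of these is the mapping mismatch to fix.
        "unmatched": sorted(set(attrs) - set(candidates)),
    }


# Constructed sample (not real data): an Authentik-style response carrying the
# email under "emailAddress", the default mapping name mentioned in the thread.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">skyler</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="emailAddress">
        <saml:AttributeValue>skyler@example.invalid</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="username">
        <saml:AttributeValue>skyler</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


if __name__ == "__main__":
    report = diagnose(SAMPLE_SAML_RESPONSE_B64)
    print("attributes sent by IdP:", report["attributes"])
    print("email found:", report["email"])       # None: "emailAddress" is not searched
    print("unmatched names:", report["unmatched"])
    # Either add the IdP's name to the search list or rename the mapping on the IdP.
    print("with emailAddress:", find_email(report["attributes"], ("emailAddress",)))
```

To run this against a real login, copy the SAMLResponse field from the browser's network tab (the POST to the ACS URL) into `diagnose()`; the "unmatched" list then tells you which attribute the IdP used for the email so you can rename the mapping on the Authentik side.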
Is there an existing issue for this?
Current Behavior
Currently it seems that SAML auth with Authentik is not succeeding due to "received invalid saml response" with the error "invalid xml: no root".
Expected Behavior
I would have expected it to work without any issue.
Steps To Reproduce
v0.36.0-beta.0-16-gccca5b5 image tag
What browsers are you seeing the problem on?
No response
Anything else?
Tried to follow the Keycloak how-to for Authentik, but that seemed to not be enough.