siderolabs / omni

SaaS-simple deployment of Kubernetes - on your own hardware.

[bug] Using SAML with Authentik using v0.36.0-beta.0-16-gccca5b5 fails with invalid xml #301

Closed samip5 closed 4 months ago

samip5 commented 4 months ago

Is there an existing issue for this?

Current Behavior

Currently it seems that SAML auth with Authentik is not succeeding due to "received invalid saml response" with error as invalid xml: no root

Expected Behavior

I would have expected it to work without any issue.

Steps To Reproduce

  1. Try to deploy on-prem test of Omni using v0.36.0-beta.0-16-gccca5b5 image tag
  2. Setup Authentik's application for it using the guided one for SAML
  3. Give it the metadata URL and try to start Omni
  4. See it start up, but you're given forbidden after returning from IdP instead of logged-on.

What browsers are you seeing the problem on?

No response

Anything else?

Tried to follow the Keycloak how-to for Authentik, but that seemed to not be enough.

samip5 commented 4 months ago

Okay, so Authentik needs to POST it, not use redirect, and then it would somewhat work. However, the documentation doesn't really say what is required for the user id format, so that's the next problem.

Browser console says: invalid user id format, without any information on what the correct one is, as it doesn't accept email nor name apparently.

Also, I just noticed that the URL params show: authenticate?flow=frontend&fullname=&identity=skyler, which suggests issues with also getting fullname, and identity shouldn't be name, I think?

Unix4ever commented 4 months ago

Omni handles the SAML ACS XML document. There it tries to find the user email in some commonly spread attributes.

I think if Omni can't find the email it should display the ACS in the logs. Then you can analyze the ACS to see what's stored in the saml2:Attribute tags.

Unix4ever commented 4 months ago

We had people who were able to set up Authentik as a SAML provider. It might also be that something is misconfigured on the Authentik side.

You can check this TF module for inspiration: https://codeberg.org/CodeGameEat/homeserver-terraform-modules

And this slack thread https://taloscommunity.slack.com/archives/CMARMBC4E/p1714465168811959

samip5 commented 4 months ago

It seems that by default, the SAML mappings in Authentik are those that Omni doesn't search for. E.g. the email attribute name is emailAddress instead.
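To make the two failure modes in this thread concrete (an ACS document that cannot be parsed, and an assertion whose email attribute is under a name the service provider does not look for), here is an added example of a service-provider-side attribute lookup. It is not Omni's code and the candidate attribute names it checks are an assumption for illustration, not Omni's actual list; the SAML Response is constructed inline to mimic an Authentik default mapping that carries the email as `emailAddress`. Signature and condition validation, which a real ACS must do before trusting any attribute, is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Sequence

# SAML 2.0 namespaces used by the Response and the Assertion it carries.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names a relying party might check for the user's email address.
# ASSUMPTION for this example; Omni's real list is not on the page.
DEFAULT_EMAIL_ATTRIBUTES: Sequence[str] = (
    "email",
    "mail",
    "emailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)

# Constructed sample: what an ACS endpoint would receive after the IdP
# POSTs the response, with the email under Authentik's default "emailAddress".
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-constructed" Version="2.0" IssueInstant="2024-05-01T00:00:00Z">
  <saml2:Issuer>https://authentik.example.test/</saml2:Issuer>
  <saml2:Assertion ID="_assn-constructed" Version="2.0" IssueInstant="2024-05-01T00:00:00Z">
    <saml2:Issuer>https://authentik.example.test/</saml2:Issuer>
    <saml2:Subject><saml2:NameID>skyler</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="emailAddress">
        <saml2:AttributeValue>skyler@example.test</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="name">
        <saml2:AttributeValue>skyler</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>
"""


def parse_saml_response(document: bytes) -> ET.Element:
    """Parse the ACS body and require a samlp:Response root.

    An empty body (e.g. the IdP never POSTed a SAMLResponse) is reported
    as "no root" so the operator can tell it apart from a malformed one.
    """
    if not document.strip():
        raise ValueError("invalid xml: no root")
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        raise ValueError(f"invalid xml: {exc}") from exc
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError(f"unexpected root element {root.tag}")
    return root


def saml_attributes(root: ET.Element) -> Dict[str, List[str]]:
    """Collect every saml2:Attribute Name -> list of values.

    This is the dump you would want in the logs when the lookup fails:
    it shows exactly which attribute names the IdP actually sent.
    """
    result: Dict[str, List[str]] = {}
    path = ".//saml2:Assertion/saml2:AttributeStatement/saml2:Attribute"
    for attr in root.iterfind(path, NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [v.text.strip() for v in attr.iterfind("saml2:AttributeValue", NS) if v.text]
        result[name] = values
    return result


def find_email(document: bytes, candidates: Sequence[str] = DEFAULT_EMAIL_ATTRIBUTES) -> Optional[str]:
    """Return the first email-looking value found under a candidate attribute name.

    Attribute names are compared exactly (SAML attribute names are case-sensitive),
    so "emailAddress" is only found if it is in the candidate list.
    """
    attrs = saml_attributes(parse_saml_response(document))
    for name in candidates:
        for value in attrs.get(name, []):
            if "@" in value:
                return value
    return None


if __name__ == "__main__":
    print("attributes sent by IdP:", saml_attributes(parse_saml_response(SAMPLE_RESPONSE)))
    print("email with a narrow candidate list:", find_email(SAMPLE_RESPONSE, ("email", "mail")))
    print("email with emailAddress included:", find_email(SAMPLE_RESPONSE))
```

With only `email` and `mail` as candidates the lookup returns `None` even though the assertion carries a valid address, which is the symptom described above; either the IdP's property mapping is renamed to a name the service provider checks, or the service provider's candidate list is extended. Logging the output of `saml_attributes` on failure is what makes that mismatch visible without guessing.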