SAML not working

[antonnvk]

Debug mode

• [X] I have enabled debug mode
• [X] I have read checked the Common Issues page

Describe the bug

I have set up an integration with ldap. After that I configured SAML. The settings were saved successfully. But when I try to go to https://mydomain/login/saml then I get a 403 Forbidden error.

Reproduction steps

1. Go to https://mydomain/login/saml
2. See 403 Forbiden error.

Expected behavior

See the form for saml authentication

Screenshots

Snipe-IT Version

v5.1.8 build 6148 (g3ca3de9e4) in Docker image

Operating System

Debian 10

Web Server

nginx 1.20.1

PHP Version

7.2.24-0ubuntu0.18.04.7

Operating System

Windows 10

Browser

Google Chrome, Firefox

Version

93.0.4577.63, 91.0.02

Device

No response

Operating System

No response

Browser

No response

Version

No response

Error messages

No response

Additional context

It`s fresh install.

[misilot]

I ran into this error when I messed up the IDP Metadata url in the configuration

[antonnvk]

I ran into this error when I messed up the IDP Metadata url in the configuration

Hi. Checked it out. IDP Metadata url is normal, I can download the metadata. But https://mydomain/saml/acs and https://mydomain/saml/sls also return 403 error

[datavici]

Check the IDP metadata box. When this happened to me, even though I uploaded metadata, the box was blank. Imported again and the XML was there (all on one line). after that, everything worked perfect.

[snipe]

Hi there - We haven't heard back in a bit, so I'm going to close this ticket for now, but will re-open it if you're still having issues.

[solarssk]

I have the same problem - I use SAML from Authentik

[snipe]

@uberbrady can you peek at this?

[uberbrady]

Take a look at storage/logs/Laravel.log and let me know what the bottom of that looks like? Sometimes can be helpful.

SAML tends to stress a bit more of our TLS integration than most of our stuff, so be on the lookout for things like missing OpenSSL.cnf and stuff like that.

[obsidiangroup]

I am currently having the same issue (using Authentik) on a pretty base install, but using the TurnKey Snipe-IT LXC.

I have enabled debugging (and can verify debug is enabled by the warning regarding having debug enabled). Checking /var/www/snipe-it/storage/logs/laravel.log has no content. However, checking the Exceptions section of the Debug panel, I see an exception being thrown stating 'SAML Not enabled'. This is puzzling as I have ticked the box to SAML:

Am I missing a config setting somewhere:

[uberbrady]

A lot of SAML failures can be traced down to openSSL issues - missing CA bundles, missing openssl.cnf files, stuff like that. I'm not familiar with that distribution, you might want to take it up with them.

(Our standard base install works fine with SAML; that's what we install for our customers and we have plenty of them that use SAML and it does work. I should know; I end up being the escalation point for most SAML issues.)

[snipe]

but using the TurnKey Snipe-IT LXC

I have no idea what that is.

[obsidiangroup]

but using the TurnKey Snipe-IT LXC

I have no idea what that is. TurnKey Snipe-It LXC

But now that I actually look at it, they are not anywhere near up-to-date -- v5.1.5, which is disappointing as they normally keep their containers up-to-date. I will install the current version and test.

[uberbrady]

Ouch, pretty brutal :( - please do, and get back to us. And if their install is busted, please do go yell at them. I don't like the idea of busted installs floating around on the internet :/

[BarnumD]

We have two working saml configurations, one in a prod environment and one in test. They work as far as login goes. However, on production Logout works, but in test it doesn't and provides a 403 result as seen above. Not sure why there is a difference between the environments. As far as I can tell all of the settings are the same. The only thing I can see that's different is that the production environment uses a real TLS certificate on the SnipeIt page and the test uses a self-signed.

These are the SAML custom settings used in both environments security.authnRequestsSigned=true security.logoutRequestSigned=true security.logoutResponseSigned=true security.signMetadata=true security.wantMessagesSigned=true security.wantAssertionsEncrypted=true security.wantAssertionsSigned=true

Is there a log file to get more information?

[tongshen-yong]

Hey awesome team of @snipe @uberbrady ,

I am facing the same issue. Have successfully enabled SAML federation using ADFS but getting the 403 error when trying to login. Could I get some insights please? Thank you!

Snipe-IT versionv6.1.1 build 10847 (g2ac4449ea)

Operating System Windows Server 2016

Web Server IIS 10

PHP Version PHP Version8.0.29

Laravel Version Laravel Version8.83.22

Browser Google Chrome

Version Version 114.0.5735.199 (Official Build) (64-bit)

Error Messages 09:19:06] LOG.warning: Trying OneLogin_Saml2_Auth failed. Setting SAML enabled to false. OneLogin_Saml2_Auth error message is: Invalid array settings: idp_not_found

[uberbrady]

Look at storage/logs/laravel.log and share your latest

[tongshen-yong]

@uberbrady Here you go. This is actually the latest line from storage/logs/laravel.log.

[2023-06-30 12:39:00] production.WARNING: Trying OneLogin_Saml2_Auth failed. Setting SAML enabled to false. OneLogin_Saml2_Auth error message is: Invalid array settings: idp_not_found

I do see that the error message is SAML is not enabled as well. However, my SAML setting is configured just fine.

[tongshen-yong]

@uberbrady Hey brady. I did some digging and found this: https://github.com/SAML-Toolkits/python3-saml/issues/364

It seems like a bug with the python-saml3 library. Any chance u might be able to edit that library and get it to work? :D Hope this helps!

[JakeyPrime]

+1 With this issue, can't use Authentik at all with SnipeIT because of this error

[misilot]

@JakeyPrime what version of Snipe-IT are you running? I'm not using Authentik but Shibboleth, and am able to to utilize SAML with v6.1.2 (but have been using it for over a year now).

[JakeyPrime]

@JakeyPrime what version of Snipe-IT are you running? I'm not using Authentik but Shibboleth, and am able to to utilize SAML with v6.1.2 (but have been using it for over a year now).

6.1.1 pre build.

If you're ahead of me I'll jump to that and see if that fixes it, however I have my doubts

[misilot]

Probably not since I don't think much has changed with the SAML setup.

[misilot]

@uberbrady Hey brady. I did some digging and found this: https://github.com/SAML-Toolkits/python3-saml/issues/364

It seems like a bug with the python-saml3 library. Any chance u might be able to edit that library and get it to work? :D Hope this helps!

This application uses PHP and not python, but if you are getting a 403 on the IdP or it can't pull the IdP metadata, you might try pasting the IdP metadata directly instead of relying on SnipeIT to download it. Your firewall could be blocking it.

[JakeyPrime]

pasting the IdP metadata directly instead of relying on SnipeIT to download it. Your firewall could be blocking it.

I think he's referring to Authentik's library, rather than Snipe-IT'S but SAML works for every other app so that really can't be it.

Upgrading and trying the copy paste manually did nothing for me, same error.

[JakeyPrime]

To add: Same as above, but SAML is enabled...

[thesorskod]

currently having the same issues, was there a solution to this issue?

[JakeyPrime]

currently having the same issues, was there a solution to this issue?

Nope, just have to stick with excel for our entire org because it continues to not work, with any recent update.

[snipe]

@JakeyPrime I'm sorry you're running into trouble, but SAML definitely does work. We have hundreds of customers using it. If you'd like to offer logging info, etc, that would be helpful. @misilot is correct that not much has changed with SAML recently, since generally speaking, it just works for most people.

[JakeyPrime]

@snipe It seems that people who set it up a while ago are successful and it still works for them; but people setting up very specifically moderately recently are having this issue. I'm not the original author of this issue and now others are coming with the same issue, I have no more logs than what's already been posted by others, it's the exact same errors on our end.

We're not using docker and have the app working flawlessly in every other respect, just not SAML.

I'm happy to provide whatever you need, there's a lot of love in this project and we can see it's exceptionally well made, we just can't use it without SAML as our bosses are big babies...

[snipe]

@JakeyPrime I think this is a case of clinicians bias though - we see new customers every week setting it up without issue, so there must be some other configuration issue that we're all missing here.

I've pulled @uberbrady back into this to see if he has any additional insight.

we just can't use it without SAML as our bosses are big babies...

Hopefully they're not on Github ;)

[uberbrady]

The usual problems that I see are

• the metadata URL doesn't work, or the metadata isn't well-formed. Make sure you can download the metadata from your Snipe-IT server if you're using the metadata URL method.
• The NameID that's being passed does not correspond to a user that exists in Snipe-IT. That has to match with the username. If you are using a SAML implementation that doesn't, for some strange reason, pass a NameID - then use the "Attribute mapping - username" field and put the name of the SAML attribute that will match up to your Snipe-IT username
• We do not do just-in-time provisioning - because it would make no sense. We need to have records for all the users, not just the few who log in. The user needs to pre-exist in Snipe-IT.
• set LOG_LEVEL to debug in your .env - at least temporarily. That can help with the troubleshooting. Take a look at your storage/logs/laravel.log to see if anything useful pops up in there.
• It's possible to add SAML debugging tools (plug-ins) to your browser that will help capture the SAML assertions that are being made, so you can look at them and pick them apart - that can help track down what's going on too.
• On Windows machines, some of the crypto stuff that we need to do to look at certificates requires an openssl.cnf file - depends on which openssl provider you're using as to where it needs to go, but just having the file with just a few lines of vestigial stuff in there can often be enough.
• Take a look at your "SAML IdP Metadata XML" - at some point you should see a URL that points to your IdP in there. Can you get there? Do you have no URL referencing your IdP at all? If so, that's your problem.

That's all of the stuff I can think of for now that might help with that. Let us know what you find and we'll keep doing our best to try and point you down the right way.

[thesorskod]

@uberbrady

• the metadata URL doesn't work

-I'm able to download the metadata file 'snipe-it-metadata.xml' from my Snipe-IT server.

• The NameID that's being passed does not correspond to a user that exists in Snipe-IT.

-usernames in Snipe-IT match what is in Azure.

• Take a look at your "SAML IdP Metadata XML" - at some point, you should see a URL that points to your IdP in there. Can you get there? Do you have no URL referencing your IdP at all? If so, that's your problem.

-I'm hoping this is our issue, In our SAML IdP Metadata file 'snipe-it-metadata.xml' from our '/admin/saml' page. -I don't see a URL that points to our Metadata URL.

-storage/logs/laravel.log show

What's the correct way/format to add it?

[PonlorkBeang]

I found the above issue by remove s from http:// in Identifier (Entity ID) but i get another issue as below picture

[misilot]

You can add custom settings if needed to overwrite the defaults in the SAML library. But as long as the etntiy ID matches (http or https) in the IdP that doesn't matter. It can even be a custom URN instead.

Taylor these to your environment. They need to match what your IdP is expecting with the registered SP metadata you provided.

security.authnRequestsSigned=true
security.wantAssertionsEncrypted=true
security.wantAssertionsSigned=true

Other values are defined here.