Open luciano-buono opened 4 months ago
### FIXED
In case anyone also wants to set up SAML with AWS, these are the (quite mysterious) settings I needed to update:
1. Set email as mapping username and also set baseurl (in case you are also behind an ingress proxy): Attribute Mapping - Username = `email`; SAML Custom Settings: `baseurl=https://DOMAIN/saml`
2. Inside Identity Center custom app, MAKE SURE that you leave empty the Application Start URL (I tried too many paths like `/`, `/login/saml`, `/saml/acs`, and none worked). Once it was empty, SAMLResponse was finally sent by AWS to snipeit.
3. SAML Audience must be set to root path, not /SLS as SnipeIT docs recommends
4. Set email user mapping in order to match SnipeIT expected value
5. Create users in SnipeIT with email as its username
I confirm Luciano's setup. The same way it works for me, with the difference of the email -> username.
For the username to work leave "Attribute Mapping - Username" empty in SnipeIT (step 1) and add attribute mapping "NameId" -> "${user:name}" in AWS (step 4). Leave everything else as per Luciano's answer.
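To make the two username setups in this thread concrete, here is an added example (not from the issue or from Snipe-IT's own code) that inspects a constructed assertion: it checks the Audience against the Snipe-IT root URL and resolves the value Snipe-IT will match against a username, either the `email` attribute (Luciano's setup) or the NameID (the comment above). The URLs and user names are placeholders; signature and timestamp validation are left to the SAML library and not shown.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from AWS); URLs and names are placeholders.
# NameID carries ${user:name} (the commenter's AWS mapping); 'email' is a separate attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://inventory.DOMAIN.cloud</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_audience(assertion_xml: str, sp_root_url: str) -> bool:
    """True if an AudienceRestriction names the Snipe-IT root URL exactly.
    The thread's fix uses the root path rather than /SLS, so a trailing path fails here."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    return sp_root_url in audiences


def resolve_username(assertion_xml: str, username_attribute: Optional[str]) -> Optional[str]:
    """Value Snipe-IT compares against the local username: the attribute named by
    'Attribute Mapping - Username' when set (e.g. 'email'), else the NameID."""
    root = ET.fromstring(assertion_xml)
    if username_attribute:
        for attr in root.findall(".//saml:Attribute", NS):
            if attr.get("Name") == username_attribute:
                val = attr.find("saml:AttributeValue", NS)
                return val.text.strip() if val is not None and val.text else None
        return None  # mapped attribute absent: Snipe-IT has nothing to match a user on
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return name_id.text.strip() if name_id is not None and name_id.text else None
```

With Username mapping set to `email`, local users must be created with the e-mail address as username; with it left empty, the NameID (here `${user:name}`) must equal the Snipe-IT username.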
Describe the bug
Identity Center has custom applications that allow you to integrate its own Users Directory to be used and authenticate with it into your own made applications.
https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-setup.html
Once you finish the setup, a new App appears on the https://DOMAIN.awsapps.com/start#/ launcher, which you can click to initiate the AUTH flow into your app.
So, we have two 'possible' ways to log into Snipe using SAML:
- Start flow from https://inventory.DOMAIN.cloud/login/saml
- Start flow clicking in AWS launcher snipe-it app
Using normal flow, I can see (using SAML-TRACER app) that a SAML AuthnRequest request is sent to https://portal.sso.us-west-2.amazonaws.com/saml/assertion/....
![image](https://github.com/snipe/snipe-it/assets/34195850/a3e42b56-67ff-4e25-a426-f57f400e1074)
however, AWS denied the petition with a 403. So I'm not sure here, but it looks like AWS is not allowing the auth flow to be started from custom app, it has to be started from their own. (Anyone can confirm?)
And here I have tried many snipeit paths but none of them works:
Setting the app
![image](https://github.com/snipe/snipe-it/assets/34195850/9f37ddc1-c704-4172-9519-7b37622d2a47)
Reproduction steps
1. 2. 3. ...
Expected behavior
Should be able to login
Screenshots
No response
Snipe-IT Version
Docker version v6.33
Operating System
Docker version v6.33
Web Server
Docker version v6.33
PHP Version
Docker version v6.33
Operating System
No response
Browser
No response
Version
No response
Device
No response
Error messages
No response
Additional context
No response