snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Enable SAML using AWS IAM Identity Center #14433

Open luciano-buono opened 4 months ago

luciano-buono commented 4 months ago

Describe the bug

Identity Center has custom applications that let you use its own user directory to authenticate into your own applications.

https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-setup.html

Once you finish the setup, a new app appears on the https://DOMAIN.awsapps.com/start#/ launcher, which you can click to initiate the auth flow into your app.

So, we have two 'possible' ways to log into Snipe using SAML:

  1. Start flow from https://inventory.DOMAIN.cloud/login/saml

  2. Start flow clicking in AWS launcher snipe-it app

  3. Using the normal flow, I can see (using the SAML-tracer extension) that a SAML AuthnRequest is sent to https://portal.sso.us-west-2.amazonaws.com/saml/assertion/.... however, AWS denied the request with a 403 (screenshot)

So I'm not sure here, but it looks like AWS is not allowing the auth flow to be started from the custom app; it has to be started from their own. (Can anyone confirm?)

  1. Using the AWS app launcher, it looks like they directly send a SAMLResponse, not expecting a SAML AuthnRequest first. (screenshot)

And here I have tried many Snipe-IT paths, but none of them work:

(screenshot: Application Start URL setting of the custom app)

Expected behavior

Should be able to login

Snipe-IT Version

Docker version v6.33

Operating System

Docker version v6.33

Web Server

Docker version v6.33

PHP Version

Docker version v6.33


welcome[bot] commented 4 months ago

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

luciano-buono commented 4 months ago

### FIXED

In case anyone also wants to set up SAML with AWS, these are the (quite mysterious) settings I needed to update:

  1. Set email as the username mapping and also set baseurl (in case you are also behind an ingress proxy):
     Attribute Mapping - Username = email
     SAML Custom Settings: baseurl=https://DOMAIN/saml

  2. Inside the Identity Center custom app, MAKE SURE that you leave the Application Start URL empty (I tried many paths like /, /login/saml, /saml/acs, and none worked). Once it was empty, the SAMLResponse was finally sent by AWS to Snipe-IT.

  3. SAML Audience must be set to the root path, not /SLS as the Snipe-IT docs recommend (screenshot)

  4. Set the email user mapping in order to match the Snipe-IT expected value (screenshot)

  5. Create users in SnipeIT with email as its username

iv-stdoutlabs commented 2 weeks ago

I confirm Luciano's setup. It works the same way for me, with the difference of the email -> username.

For the username to work, leave "Attribute Mapping - Username" empty in Snipe-IT (step 1) and add the attribute mapping "NameId" -> "${user:name}" in AWS (step 4). Leave everything else as per Luciano's answer.
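As an added illustration of why steps 1, 3 and 4 of the FIXED comment and the NameId variant in the last comment matter, the following Python models what a SAML service provider checks in an IdP-initiated SAMLResponse (the kind the AWS launcher sends, with no InResponseTo) and how the Snipe-IT username is derived from it. This is example code written for this page, not Snipe-IT's, php-saml's or AWS's code; the domain, the /saml/acs ACS path, the sample response and the "audience must equal the SP entity ID" rule being applied to the /SLS misconfiguration are the author's assumptions, and XML signature verification is deliberately left out because the real SP library performs it.

```python
"""Model of the SP-side checks behind the SAML fixes in this thread.
Added example, not Snipe-IT, php-saml or AWS code. Signature verification
is deliberately omitted; the real SP library does it before anything else.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed SP values (the thread redacts its real domain). The entity ID is the
# "baseurl" from step 1 and must equal the Audience from step 3; /acs is an
# assumed ACS path.
SP_ENTITY_ID = "https://inventory.example.cloud/saml"
SP_ACS_URL = SP_ENTITY_ID + "/acs"
SAMPLE_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # inside the validity window below

# Constructed, unsigned response shaped like one from the AWS launcher: no
# InResponseTo (IdP-initiated), NameID carrying the short user name and a
# separate "email" attribute, so the two username mappings give different results.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>https://portal.sso.us-west-2.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://portal.sso.us-west-2.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="{SP_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-12-31T23:55:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.cloud</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_response(b64: str) -> dict:
    """Decode a base64 SAMLResponse and pull out the fields the SP must check."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    conditions = assertion.find("saml:Conditions", NS)
    confirm = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "in_response_to": root.get("InResponseTo"),        # absent for IdP-initiated flows
        "destination": root.get("Destination"),
        "recipient": confirm.get("Recipient") if confirm is not None else None,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text.strip() for a in
                      assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "attributes": attrs,
    }


def check_response(parsed: dict, sp_entity_id: str, acs_url: str, username_attribute=None,
                   now=None, expected_request_id=None) -> dict:
    """Apply the SP's checks; username_attribute=None means the Snipe-IT
    "Attribute Mapping - Username" field is empty and the NameID is used."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # IdP-initiated responses carry no InResponseTo; SP-initiated ones must
    # match the AuthnRequest ID the SP issued and still remembers.
    if parsed["in_response_to"] is not None and parsed["in_response_to"] != expected_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    # Step 3 of the thread: the Audience must be the SP entity ID (baseurl), not baseurl/SLS.
    if sp_entity_id not in parsed["audiences"]:
        problems.append(f"Audience {parsed['audiences']} does not include SP entity ID {sp_entity_id}")
    for field in ("destination", "recipient"):
        if parsed[field] != acs_url:
            problems.append(f"{field} {parsed[field]!r} is not the ACS URL {acs_url}")
    if parsed["not_before"] and now < _iso(parsed["not_before"]):
        problems.append("assertion not yet valid")
    if parsed["not_on_or_after"] and now >= _iso(parsed["not_on_or_after"]):
        problems.append("assertion expired")
    if username_attribute is None:
        username = parsed["name_id"]
    else:
        username = (parsed["attributes"].get(username_attribute) or [None])[0]
    if not username:
        problems.append("no value for the configured username mapping")
    return {"ok": not problems, "username": username, "problems": problems}


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE_B64)
    print("email mapping :", check_response(parsed, SP_ENTITY_ID, SP_ACS_URL, "email", now=SAMPLE_NOW))
    print("NameID mapping:", check_response(parsed, SP_ENTITY_ID, SP_ACS_URL, None, now=SAMPLE_NOW))
    print("/SLS audience :", check_response(parsed, SP_ENTITY_ID + "/SLS", SP_ACS_URL, "email", now=SAMPLE_NOW))
```

Run it as is and the first two calls succeed with usernames `jdoe@example.cloud` and `jdoe` respectively, which is why the local Snipe-IT account has to be created with whichever value the mapping produces (step 5 versus the NameId variant); the third call fails on the Audience check, which is the /SLS mistake from step 3 seen from the SP's side.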