tobybatch / kimai2

Docker containers for the kimai2 web application including docker-compose and kubernetes/helm deployment.
MIT License

SAML Authentication doesn't work with NPM #504

Closed dominikjas closed 1 year ago

dominikjas commented 1 year ago

Hello,

I'm trying to set up Azure SAML Authentication for Kimai in Docker. I'm running with this Dockerfile:

version: '3.5'
services:

  sqldb:
    image: mysql:5.7
    hostname: ***-zeiterfassung-mysql
    volumes:
      - kimai-mysql:/var/lib/mysql
    environment:
      - MYSQL_DATABASE=kimai
      - MYSQL_USER=kimaiuser
      - MYSQL_PASSWORD=****************
      - MYSQL_ROOT_PASSWORD=****************
    command: --default-storage-engine innodb
    restart: unless-stopped
    healthcheck:
      test: mysqladmin -p$$MYSQL_ROOT_PASSWORD ping -h localhost
      interval: 20s
      start_period: 10s
      timeout: 10s
      retries: 3
    networks:
      ***-zeiterfassung_network:
        ipv4_address: 172.16.0.11

  kimai:
    image: kimai/kimai2:apache
    hostname: ***-zeiterfassung-kimai
    volumes:
      - kimai-var:/opt/kimai/var
      - kimai-custom:/opt/kimai/config/packages/
      - kimai-apache2:/etc/apache2/
    expose:
      - 8001
    environment:
      - ADMINMAIL=**********
      - ADMINPASS=************
      - DATABASE_URL=mysql://kimaiuser:**************@172.16.0.11/kimai
      - TRUSTED_HOSTS=nginx,localhost,127.0.0.1,**************
    restart: unless-stopped
    networks:
      ***-zeiterfassung_network:
        ipv4_address: 172.16.0.12

volumes:
  kimai-var:
  kimai-mysql:
  kimai-custom:
  kimai-apache2:

networks:
  ***-zeiterfassung_network:
    external: true

In front of it I'm running an nginx proxy manager with this config:

server {
  set $forward_scheme http;
  set $server         "172.16.0.12";
  set $port           8001;

  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name ***************;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-4/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-4/privkey.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  access_log /data/logs/proxy-host-2_access.log proxy;
  error_log /data/logs/proxy-host-2_error.log warn;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       http://172.16.0.12:8001;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Port $server_port;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

Everything besides the SAML Authentication works fine. When I'm trying to authenticate via Azure I'm getting this error:

[image: error screenshot]

The serverlog shows this error:

[2023-04-16 22:04:12] security.ERROR: The response was received at http://*************:8001/auth/saml/acs instead of https://*************/auth/saml/acs [] []

Actually, I would have thought that these entries (X-FORWARD ..) would eliminate exactly this behavior, but maybe I still have a mistake in my thinking.

Any ideas on this?

tobybatch commented 1 year ago

I can't see where you are specifying the remote auth endpoint.

kimai:
    saml:
        provider: azure
        activate: true
        title: Login with Azure AD
        mapping:
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: username }
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, kimai: alias }
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname, kimai: title }
        roles:
....

As outlined here https://www.kimai.org/documentation/saml-azure.html, but the error reads that you are connecting to an https endpoint with http.

Either way, this isn't (I think) a container issue. You want the actual Kimai repo https://github.com/kimai/kimai

dominikjas commented 1 year ago

Yes, you're right, I didn't post this local.yaml config. I had to delete the "provider" part of this config to get the SAML function working at all. Well, the solution was to set the baseurl under the section connection in the local.yaml. This was not described in this doc https://www.kimai.org/documentation/saml-azure.html, but you can find it at the very end of this doc https://www.kimai.org/documentation/saml.html#proxy-and-http-vs-https
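The check behind the log line in this thread, and the two ways of satisfying it that the thread touches on (the SP honouring trusted X-Forwarded-* headers, or a fixed baseurl), as an added example that is not Kimai's or php-saml's own code. The host name, request dict and header values are constructed, and the meaning of baseurl as the prefix of the SAML endpoints is an assumption.

```python
# Added example (not Kimai's or php-saml's own code). It models the SAML Destination
# check on the Assertion Consumer Service (ACS) endpoint behind the log line above:
# the SP compares the URL it believes the IdP POSTed to with the Destination the
# IdP wrote into the Response. Behind a reverse proxy the SP sees http://host:8001/...
# unless it either trusts the proxy's X-Forwarded-* headers or is given a fixed base
# URL (Kimai's saml.connection.baseurl, assumed here to be the prefix of the SAML
# endpoints). Host name, request dict and header values are constructed sample data.
ACS_PATH = "/auth/saml/acs"

def url_seen_by_sp(request, trust_forwarded=False, baseurl=None):
    """Reconstruct the ACS URL the SP thinks the current request arrived on.

    request: {'scheme', 'host', 'port'} as seen on the app's own socket plus
    'headers' supplied by the proxy. A configured baseurl overrides everything.
    """
    if baseurl:
        return baseurl.rstrip("/") + "/acs"
    headers = request.get("headers", {})
    scheme, host, port = request["scheme"], request["host"], request["port"]
    if trust_forwarded:  # only honour proxy headers when the proxy is trusted
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host).split(":")[0]
        port = int(headers.get("X-Forwarded-Port", port))
    default_port = {"http": 80, "https": 443}[scheme]
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{ACS_PATH}"

def check_destination(seen_url, destination):
    """Mirror the SP's Destination validation: returns (ok, message)."""
    if seen_url == destination:
        return True, "ok"
    return False, f"The response was received at {seen_url} instead of {destination}"

# Constructed sample: the IdP's POST as the Kimai container sees it after the
# nginx proxy from this thread forwarded it (placeholder host name).
SAMPLE_REQUEST = {
    "scheme": "http", "host": "kimai.example.test", "port": 8001,
    "headers": {"X-Forwarded-Proto": "https",
                "X-Forwarded-Host": "kimai.example.test:443",
                "X-Forwarded-Port": "443"},
}
DESTINATION = "https://kimai.example.test/auth/saml/acs"

if __name__ == "__main__":
    for label, kwargs in [("headers ignored", {}),
                          ("proxy trusted", {"trust_forwarded": True}),
                          ("baseurl set", {"baseurl": "https://kimai.example.test/auth/saml/"})]:
        ok, msg = check_destination(url_seen_by_sp(SAMPLE_REQUEST, **kwargs), DESTINATION)
        print(f"{label:16}-> {'ok' if ok else msg}")
```

The first case reproduces the mismatch from the server log; the other two show why either a trusted proxy or an explicit baseurl makes the received URL equal the Destination.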