I would like to share my experiences getting SamlAuth working with ADFS. We have a Windows-based test Kanboard installation where I would like to make access via SAML possible.
My environment: Win2022 with IIS and PHP 8.2, Kanboard 1.2.26, SQLite database, LDAP connection to AD and a Win2022 ADFS server.
After downloading the zip file and unpacking it to kanboard\plugins\SamlAuth, it was missing the third-party module php-saml, so I downloaded it manually and copied it to kanboard\plugins\SamlAuth\Thirdparty\php-saml.
And here are my configuration settings:
SP Entity ID: a unique string; I use the FQDN of the Kanboard server
Single Signon Service: https://FQDN_Kanboard_Server/kanboard/index.php
Single Logout Service: https://FQDN_Kanboard_Server/kanboard/logout (not sure about that)
SP Certificate: public key from the Kanboard server cert
SP Certificate Private Key: private key from the Kanboard server cert in --> RAW format
_For the Identity Provider configuration I used the information from https://FQDN_ADFS_Server/FederationMetadata/2007-06/FederationMetadata.xml_
IDP Entity ID: http://FQDN_ADFS_Server/adfs/services/trust
Single Signon Service: https://FQDN_ADFS_Server/adfs/ls/
Single Logout Service: https://FQDN_ADFS_Server/adfs/ls/
IDP Certificate: public key from the ADFS server cert
Identity Provider Attribute Mapping:
Full name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Username Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Remove text in username attribute: empty
Email Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Generate the Metadata XML and import it in ADFS. I configured the claims as follows:
Rule 1: c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";sAMAccountName,mail,displayName;{0}", param = c.Value);
Rule 2: c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("temp_name"), query = ";sAMAccountName;{0}", param = c.Value);
Rule 3: c:[Type == "temp_name"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(c.Value, "A", "a"), "B", "b"), "C", "c"), "D", "d"), "E", "e"), "F", "f"), "G", "g"), "H", "h"), "I", "i"), "J", "j"), "K", "k"), "L", "l"), "M", "m"), "N", "n"), "O", "o"), "P", "p"), "Q", "q"), "R", "r"), "S", "s"), "T", "t"), "U", "u"), "V", "v"), "W", "w"), "X", "x"), "Y", "y"), "Z", "z"));
Because Kanboard usernames are case-sensitive, I have to convert the username sent by ADFS to lowercase to prevent duplicate users (Rules 2 and 3).
Maybe this will help someone get this plugin to work ...
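As an added illustration (not the plugin's or php-saml's code), the SP-side equivalent of what the attribute mapping and Rule 3 above achieve together: pull the three configured claims out of a constructed AttributeStatement, refuse the login if the username claim is absent, and lowercase the username so that "JDoe" and "jdoe" resolve to one Kanboard account rather than two. The claim URIs are the ones from the post; it is assumed that php-saml has already validated the assertion signature before these values are trusted.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Claim URIs exactly as entered in the plugin's attribute mapping (from the post).
CLAIM_USERNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CLAIM_FULLNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_statement(username, fullname, email):
    """Constructed sample input: the AttributeStatement of an ADFS assertion.
    Pass None for a claim to simulate it being absent from the assertion."""
    attr = ('<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
            '</saml:AttributeValue></saml:Attribute>')
    claims = [(CLAIM_USERNAME, username), (CLAIM_FULLNAME, fullname), (CLAIM_EMAIL, email)]
    body = "".join(attr.format(n=n, v=escape(v)) for n, v in claims if v is not None)
    return f'<saml:AttributeStatement xmlns:saml="{NS["saml"]}">{body}</saml:AttributeStatement>'


def map_claims(statement_xml):
    """Map the three configured claims to Kanboard's user fields.
    Assumes the enclosing assertion's signature was already validated (php-saml does that)."""
    root = ET.fromstring(statement_xml)
    claims = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    # The username claim is what the account lookup keys on: without it, stop here.
    if not claims.get(CLAIM_USERNAME) or not claims[CLAIM_USERNAME][0]:
        raise ValueError("assertion carries no username claim; refusing to map user")
    # Same effect as ADFS Rule 3 (the 26 nested RegExReplace calls), repeated on the
    # SP side so a mixed-case sAMAccountName can never create a second Kanboard user.
    return {
        "username": claims[CLAIM_USERNAME][0].lower(),
        "name": (claims.get(CLAIM_FULLNAME) or [""])[0],
        "email": (claims.get(CLAIM_EMAIL) or [""])[0],
    }
```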