This repository has been archived by the owner on May 17, 2021. It is now read-only.

plugin cannot parse attribute name with oid in SAML response #40

Open
viegelinsch opened this issue Sep 5, 2018 · 1 comment

@viegelinsch

Hi,
my attribute_mapping looks like this:

```ruby
:attribute_mapping => {
  :login     => 'urn:oid:0.9.2342.19200300.100.1.1',
  :mail      => 'urn:oid:0.9.2342.19200300.100.1.3',
  :firstname => 'urn:oid:2.5.4.42',
  :lastname  => 'urn:oid:2.5.4.4'
}
```

This results in the error message `translation missing: de.notice_account_invalid_creditentials. You may want to close SSO session before trying an other username.`

To stay compatible with our federation, we have to use oid instead of mace.

Unfortunately the code splits at the dot, which doesn't work for us:

```ruby
h[symbol] = key.split('.') # Get an array with nested keys: name.first will return [name, first]
```

Have I located the problem correctly?
Is there any hint how to circumvent this?
Can anyone give me a hint how to connect Redmine otherwise with a SimpleSAMLphp IdP?

Kind regards,
viegelinsch

@nadz-goldman

@viegelinsch, you ask:

> Can anyone give me a hint how to connect Redmine otherwise with a SimpleSAMLphp IdP?

I find only one easy solution =)

On the Redmine side:

```ruby
Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redmine.institute.ru/auth/saml/callback",
    :issuer                         => "https://redmine.institute.ru/auth/saml/metadata",
    :single_logout_service_url      => "https://redmine.institute.ru/auth/saml/sls",
    :idp_sso_target_url             => "https://idp-01.institute.ru/saml/saml2/idp/SSOService.php",
    :idp_cert_fingerprint           => "FC:29:.....:33:71",
    :signout_url                    => "https://idp-01.institute.ru/saml/saml2/idp/SingleLogoutService.php?ReturnTo=",
    :idp_slo_target_url             => "https://idp-01.institute.ru/saml/saml2/idp/SingleLogoutService.php",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
    :name_identifier_value          => "login",
    :attribute_mapping              => {
      :login      => 'extra.raw_info.login',
      :mail       => 'extra.raw_info.myEmail',
      :firstname  => 'extra.raw_info.cn',
      :lastname   => 'extra.raw_info.sn'
    }
  }
  config.on_login do |omniauth_hash, user|
  end
end
```

On the SimpleSAMLphp IdP side (`metadata/saml20-sp-remote.php`):

```php
$metadata['https://redmine.institute.ru/auth/saml/metadata'] = array (
  'entityid' => 'https://redmine.institute.ru/auth/saml/metadata',
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://redmine.institute.ru/auth/saml/callback',
      'index' => 0,
    ),
  ),
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://redmine.institute.ru/auth/saml/sls',
      'ResponseLocation' => 'https://redmine.institute.ru/auth/saml/sls',
    ),
  ),
  'authproc' => array(
    // copy the OID-named attribute to dot-free names the Redmine mapping can address
    91 => array(
      'class' => 'core:AttributeCopy',
      'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'myEmail',
      'myEmail' => 'login',
    ),
  ),
);
```

My solution is based on the assumption that "Redmine is only for internal work and only for our employers, so nobody from any other IdP can use it".
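The following is an added example, not code from redmine_omniauth_saml or from either poster. It reproduces the failure described in the issue (a dotted-path lookup that splits an `urn:oid:...` attribute name into non-existent nested keys), shows why the IdP-side `AttributeCopy` aliasing in the answer above works, and sketches a resolver that tries the literal attribute name before falling back to dotted traversal. The auth hash, the helper names (`dig_dotted`, `resolve_attribute`, `map_attributes`, `mapped_ok?`) and the `extra.raw_info` layout are assumptions constructed for this example.

```ruby
# Constructed OmniAuth-style auth hash, as a SAML strategy might hand it to a login hook.
# The assertion carries attributes under their OID names (what a federation IdP sends),
# plus the 'myEmail' and 'login' aliases an IdP-side AttributeCopy rule could add.
AUTH_HASH = {
  'uid'   => 'jdoe',
  'info'  => { 'name' => 'Jane Doe' },
  'extra' => {
    'raw_info' => {
      'urn:oid:0.9.2342.19200300.100.1.1' => 'jdoe',             # uid
      'urn:oid:0.9.2342.19200300.100.1.3' => 'jdoe@example.org', # mail
      'urn:oid:2.5.4.42'                  => 'Jane',             # givenName
      'urn:oid:2.5.4.4'                   => 'Doe',              # sn
      'myEmail' => 'jdoe@example.org',                           # alias added at the IdP
      'login'   => 'jdoe'                                        # alias added at the IdP
    }
  }
}.freeze

# Naive resolver: the dotted-path approach from the issue. 'urn:oid:0.9.2342...' splits
# into ['urn:oid:0', '9', '2342', ...], none of which are real keys, so it returns nil.
def dig_dotted(hash, path)
  path.split('.').reduce(hash) { |h, k| h.is_a?(Hash) ? h[k] : nil }
end

# Hypothetical fixed resolver: look the full string up as a literal attribute name first
# (in raw_info, then at the top level) and only then fall back to dotted traversal.
def resolve_attribute(hash, path)
  raw = hash.dig('extra', 'raw_info') || {}
  return raw[path]  if raw.key?(path)
  return hash[path] if hash.key?(path)
  dig_dotted(hash, path)
end

# Apply a mapping (field => path) to the auth hash using the given resolver.
def map_attributes(hash, mapping, resolver)
  mapping.each_with_object({}) { |(field, path), out| out[field] = resolver.call(hash, path) }
end

# The mapping from the issue: OID attribute names straight from the federation.
OID_MAPPING = {
  login:     'urn:oid:0.9.2342.19200300.100.1.1',
  mail:      'urn:oid:0.9.2342.19200300.100.1.3',
  firstname: 'urn:oid:2.5.4.42',
  lastname:  'urn:oid:2.5.4.4'
}.freeze

# The mapping from the answer: dot-free aliases created by AttributeCopy on the IdP.
ALIAS_MAPPING = {
  login: 'extra.raw_info.login',
  mail:  'extra.raw_info.myEmail'
}.freeze

# A login hook should refuse to proceed when the mapped login or mail is missing;
# a nil here is exactly what produces the "invalid credentials" notice in the issue.
def mapped_ok?(mapped)
  %i[login mail].all? { |k| mapped[k].is_a?(String) && !mapped[k].empty? }
end

if __FILE__ == $PROGRAM_NAME
  naive = map_attributes(AUTH_HASH, OID_MAPPING, method(:dig_dotted))
  puts "dotted lookup on OID names: #{naive.inspect} -> ok? #{mapped_ok?(naive)}"
  fixed = map_attributes(AUTH_HASH, OID_MAPPING, method(:resolve_attribute))
  puts "literal-first lookup on OID names: #{fixed.inspect} -> ok? #{mapped_ok?(fixed)}"
  aliased = map_attributes(AUTH_HASH, ALIAS_MAPPING, method(:dig_dotted))
  puts "dotted lookup on IdP aliases: #{aliased.inspect} -> ok? #{mapped_ok?(aliased)}"
end
```

The literal-first lookup is only a sketch of a plugin-side fix; the answer's approach keeps the plugin untouched and moves the renaming to the IdP, which is why it depends on controlling the IdP configuration (the "only our own IdP" assumption the answer states).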
