SSO SAML Authentication with Azure

[adam]

I'm using itop version 3.02 and SAML 1.1.2

I have successfully integrate SAML with Azure AD . after the authentication the page redirect to url /pages/UI.php?login_saml=connected
but the page still showing the login page.
In saml.log
2023-05-18 09:42:48 | Debug | Login Response Ok.
2023-05-18 09:42:48 | Debug | Using nameId as the 'login', the value is 'myemail@mymail.com'
2023-05-18 09:42:48 | Debug | Redirecting to: /pages/UI.php?login_saml=connected

any ideas ?

In browser console:
Request URL:
/env-production/combodo-saml/acs.php
Request Method:
POST
Status Code:
302

[Cristian Ozan]

Hello Adam
In my company I have to do exactly what you have done. Do you have a step-by-step document on how to do it. I thank you very much in advance.

Kind regards

[Jeffrey Bostoen]

Has the user already been created in iTop before signing in?

[adam]

Yes the user already created in iTop. Really couldn't able to figure out or how do i check why after succesful authentication still not able to login? is that anything to do with cookies or cache as my domain with Cloudflare.

[Jeffrey Bostoen]

Would need to investigate more in-depth. Based on your log file above, your SAML response did properly contain your email address. So an "external user" (in iTop) exists for this person?

[adam]

Hi Jeff, yes the person with the email exists in iTop as an External User. There is no any other log for me to work with.
This is the return url i capture also stated connected.

https://login.microsoftonline.com/2556b656-c87e-43a2-aed4XXXXXXX...
RelayState=https%3A%2F%2Fmydomain.com%2FiTop%2Fpages%2FUI.php%3Flogin_saml%3Dconnected%26login_saml%3Dconnected&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=UzoTcjBNKKJxuM%2Fgmlg7Hq%2B%2Fgt4%2B73y36tar25XgnR8Sn9Uc2fISPswL4HWHRaFHwN7rYF3ZjwUHAOjJqSDmsEghSi8LTJgdxOirPd1B4fNyszVw2u0EZjab6K83uouc2%2Bew2e6EbW0lD3lhpiOsTa2%2B%2FUHp5ZoiAfzOgHFE4SQ%3D

[Jeffrey Bostoen]

Was there anything else to see in the debug logs? (Do mind to keep censoring sensitive info)

[adam]

Please find the saml.log

[Jeffrey Bostoen]

Sorry, at first sight it all looks okay. :|

[adam]

Yes it is.. Just that I'm not sure if Cloudflare CDN could cause the issue..

[Jeffrey Bostoen]

To exclude CloudFlare: can't you just bypass it?

Edit the local hosts file of your PC (assuming it's on the same internal network as your iTop environment), navigate to your iTop environment?

[adam]

Finally i manage to solve this issue. Its due to the Cookies as it set to SameSite=Strict

So i have add .htaccess file within iTop folder and add this line

<IfModule mod_headers.c>
    Header always edit Set-Cookie (.*) "$1; SameSite=Lax"
</IfModule>

Now my SSO is working fine.. Thanks Jeff for your assistance..

[Niclas Eriksson]

I also get this, I need to click SAML login button twice.. The first time it takes me to Entra ID SAML and I authenticate OK, but then it redirects back to the login page and I need to click the SAML login again, then it's working. I created the htaccess file under the .. /itop directory but it still act the same way.
Any suggestion on how to troubleshoot?

[RubenS]

Hello everyone,

I am facing the exact same issue discussed in this thread. I've tried modifying the .htaccess file as Adam suggested, but nothing has changed. The cookies being sent already include the "SameSite=Lax" parameter. The log messages appear just as described in the first post of this thread.

First SAML button press:
2024-04-09 09:56:40 | Debug | Login Response Ok.
2024-04-09 09:56:40 | Debug | Using nameId as the 'login', the value is 'xxxx@xxxx.com'
2024-04-09 09:56:40 | Debug | Redirecting to: https://itopurl.com/pages/UI.php

Second SAML button press:
2024-04-09 09:56:46 | Debug | Successfully logged in (user = 'xxxxx@xxxxx.com')

My provider is Azure.

Based on what I've read in the forum, this is a recurring problem. Does anyone have any ideas on how to solve it?

Thanks everyone.

[Jeffrey Bostoen]

I suppose a .HAR file + the detailed log (similar to the one you posted) would help. Just be very careful, as a .HAR file is not something you want to just publish publicly as it may contain sensitive information.

But the SAML response would also be very important.
The redirection URL is 100% correct?

[RubenS]

To be honest, I'm not very comfortable sharing the .HAR file, as I might accidentally include some sensitive data.

The authentication response is correct, as shown in the log I sent. In fact, the first redirection is to https://itopurl.com/pages/UI.php?login_saml=connected.

I've checked the SAML response and it seems correct. Is there any particular data that might be significant?

I've seen in this forum that this is a recurring issue. Could it be a problem with the extension?

[Jeffrey Bostoen]

Could be, or something with the processing; or with the webserver configuration.
Oh, another thing I'm thinking of: have you double-checked the "allowed_login_types"? Are those defined in the right order?

[RubenS]

I've modified and tested it in different ways; currently, I have it set up like this:
'allowed_login_types' => 'form|saml|basic|external|token',

I tried putting 'saml' first, and this way it does access the application directly without going through the form. What I'm looking for is for the form to appear, but not to have to click the SAML button twice. Instead, I want a single click to complete the entire workflow directly and access the application.

[Lucas Hökerberg]

Check my bug report here: https://sourceforge.net/p/itop/tickets/2273/

After hours of code debugging and deug log reviewing, I found out that when the login is done, the extension never sets the "login_state" session variable which seems to have the login process start over again (from credentical check all the way to connected). Hence the second login push is needed.

I the bug report, I have described what solved the problem for me. Altough, I would appreciate a review and acomment from Combodo whether this is indeed the correct solution, or if there are better (more secure) ways.