I'm using itop version 3.02 and SAML 1.1.2
I have successfully integrated SAML with Azure AD. After the authentication the page redirects to the URL /pages/UI.php?login_saml=connected
but the page is still showing the login page.
In saml.log
2023-05-18 09:42:48 | Debug | Login Response Ok.
2023-05-18 09:42:48 | Debug | Using nameId as the 'login', the value is 'myemail@mymail.com'
2023-05-18 09:42:48 | Debug | Redirecting to: /pages/UI.php?login_saml=connected
Any ideas?
In browser console:
Request URL:
/env-production/combodo-saml/acs.php
Request Method:
POST
Status Code:
302
Last edit: adam 2023-05-18
Hello Adam
In my company I have to do exactly what you have done. Do you have a step-by-step document on how to do it. I thank you very much in advance.
Kind regards
Has the user already been created in iTop before signing in?
Yes, the user is already created in iTop. I really couldn't figure out how to check why, after successful authentication, I'm still not able to log in. Is it anything to do with cookies or cache, as my domain is with Cloudflare?
Would need to investigate more in-depth. Based on your log file above, your SAML response did properly contain your email address. So an "external user" (in iTop) exists for this person?
Hi Jeff, yes, the person with the email exists in iTop as an External User. There is no other log for me to work with.
This is the return URL I captured; it also states connected.
Was there anything else to see in the debug logs? (Do mind to keep censoring sensitive info)
Please find the saml.log
Sorry, at first sight it all looks okay. :|
Yes it is. Just that I'm not sure if Cloudflare CDN could cause the issue.
To exclude CloudFlare: can't you just bypass it?
Edit the local hosts file of your PC (assuming it's on the same internal network as your iTop environment), navigate to your iTop environment?
Finally I managed to solve this issue. It's due to the cookies, as they were set to SameSite=Strict.
So I have added a .htaccess file within the iTop folder and added this line:
Now my SSO is working fine. Thanks Jeff for your assistance.
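As an added illustration (not code from the thread or from the combodo-saml extension), here is a small Python model of the SameSite rules a browser applies across this exact redirect chain: same-site GET, cross-site POST from the IdP to acs.php, then the 302 to UI.php. The hostnames are assumed placeholders; only the acs.php and UI.php paths come from the posts.

```python
"""Model of browser SameSite cookie behaviour over the SAML POST-binding chain.

Constructed example; hostnames are assumptions, the paths are from the thread.
Simplified rules: Chrome's temporary "Lax+POST" exception for cookies set
without an explicit SameSite attribute is ignored.
"""
from __future__ import annotations
from dataclasses import dataclass

ITOP = "itop.example.test"         # assumed iTop (service provider) host
IDP = "login.microsoftonline.com"  # Azure AD / Entra ID identity provider


@dataclass
class Request:
    method: str
    host: str            # host receiving the request
    initiator_host: str  # site that started this navigation or redirect chain


def cookie_sent(samesite: str, req: Request) -> bool:
    """Would the iTop session cookie with this SameSite value be attached?"""
    if req.initiator_host == req.host:
        return True                        # same-site: always sent
    if samesite == "None":
        return True                        # cross-site: sent (needs Secure)
    if samesite == "Lax":
        return req.method == "GET"         # cross-site top-level GET only
    return False                           # Strict: never cross-site


def saml_login_flow(samesite: str) -> list[tuple[str, bool]]:
    """Replay the three requests from the thread; the POST to acs.php and the
    302 that follows it are both initiated by the IdP, so both are cross-site."""
    chain = [
        ("GET /pages/UI.php", Request("GET", ITOP, ITOP)),
        ("POST /env-production/combodo-saml/acs.php", Request("POST", ITOP, IDP)),
        ("GET /pages/UI.php?login_saml=connected", Request("GET", ITOP, IDP)),
    ]
    return [(step, cookie_sent(samesite, req)) for step, req in chain]


def login_survives(samesite: str) -> bool:
    """acs.php marks its session as logged in; UI.php only sees that session if
    the browser presents the cookie on the redirected GET. Under Strict it does
    not, so the user lands on the login form again."""
    return saml_login_flow(samesite)[-1][1]
```

Note that the POST to acs.php itself is cookieless under both Strict and Lax, so any state stored in the session before the redirect to the IdP is not available when the response is processed.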
I also get this; I need to click the SAML login button twice. The first time it takes me to Entra ID SAML and I authenticate OK, but then it redirects back to the login page and I need to click the SAML login again, then it's working. I created the .htaccess file under the .. /itop directory but it still acts the same way.
Any suggestion on how to troubleshoot?
Last edit: Niclas Eriksson 2024-03-12
Hello everyone,
I am facing the exact same issue discussed in this thread. I've tried modifying the .htaccess file as Adam suggested, but nothing has changed. The cookies being sent already include the "SameSite=Lax" parameter. The log messages appear just as described in the first post of this thread.
First SAML button press:
2024-04-09 09:56:40 | Debug | Login Response Ok.
2024-04-09 09:56:40 | Debug | Using nameId as the 'login', the value is 'xxxx@xxxx.com'
2024-04-09 09:56:40 | Debug | Redirecting to: https://itopurl.com/pages/UI.php
Second SAML button press:
2024-04-09 09:56:46 | Debug | Successfully logged in (user = 'xxxxx@xxxxx.com')
My provider is Azure.
Based on what I've read in the forum, this is a recurring problem. Does anyone have any ideas on how to solve it?
Thanks everyone.
I suppose a .HAR file + the detailed log (similar to the one you posted) would help. Just be very careful, as a .HAR file is not something you want to just publish publicly as it may contain sensitive information.
But the SAML response would also be very important.
The redirection URL is 100% correct?
To be honest, I'm not very comfortable sharing the .HAR file, as I might accidentally include some sensitive data.
The authentication response is correct, as shown in the log I sent. In fact, the first redirection is to https://itopurl.com/pages/UI.php?login_saml=connected.
I've checked the SAML response and it seems correct. Is there any particular data that might be significant?
I've seen in this forum that this is a recurring issue. Could it be a problem with the extension?
Could be, or something with the processing; or with the webserver configuration.
Oh, another thing I'm thinking of: have you double-checked the "allowed_login_types"? Are those defined in the right order?
I've modified and tested it in different ways; currently, I have it set up like this:
'allowed_login_types' => 'form|saml|basic|external|token',
I tried putting 'saml' first, and this way it does access the application directly without going through the form. What I'm looking for is for the form to appear, but not to have to click the SAML button twice. Instead, I want a single click to complete the entire workflow directly and access the application.
Check my bug report here: https://sourceforge.net/p/itop/tickets/2273/
After hours of code debugging and debug log reviewing, I found out that when the login is done, the extension never sets the "login_state" session variable, which seems to make the login process start over again (from credential check all the way to connected). Hence the second login push is needed.
In the bug report, I have described what solved the problem for me. Although, I would appreciate a review and a comment from Combodo whether this is indeed the correct solution, or if there are better (more secure) ways.