SSO SAML Authentication with Azure

adam
2023-05-18
2024-09-02
  • adam

    adam - 2023-05-18

    I'm using iTop version 3.02 and SAML 1.1.2.

    I have successfully integrated SAML with Azure AD. After the authentication the page redirects to the URL /pages/UI.php?login_saml=connected,
    but the page is still showing the login page.
    In saml.log:
    2023-05-18 09:42:48 | Debug | Login Response Ok.
    2023-05-18 09:42:48 | Debug | Using nameId as the 'login', the value is 'myemail@mymail.com'
    2023-05-18 09:42:48 | Debug | Redirecting to: /pages/UI.php?login_saml=connected

    Any ideas?

    In browser console:
    Request URL: /env-production/combodo-saml/acs.php
    Request Method: POST
    Status Code: 302


    Last edit: adam 2023-05-18
    • Cristian Ozan

      Cristian Ozan - 2024-01-02

      Hello Adam
      In my company I have to do exactly what you have done. Do you have a step-by-step document on how to do it? I thank you very much in advance.

      Kind regards

  • Jeffrey Bostoen

    Jeffrey Bostoen - 2023-05-19

    Has the user already been created in iTop before signing in?

  • adam

    adam - 2023-05-20

    Yes, the user is already created in iTop. I really couldn't figure out how to check why, after successful authentication, I am still not able to log in. Is that anything to do with cookies or cache, as my domain is with Cloudflare?

  • Jeffrey Bostoen

    Jeffrey Bostoen - 2023-05-21

    Would need to investigate more in-depth. Based on your log file above, your SAML response did properly contain your email address. So an "external user" (in iTop) exists for this person?

  • adam

    adam - 2023-05-21

    Hi Jeff, yes, the person with the email exists in iTop as an External User. There is no other log for me to work with.
    This is the return URL I captured; it also states connected.

    https://login.microsoftonline.com/2556b656-c87e-43a2-aed4XXXXXXX...
    RelayState=https%3A%2F%2Fmydomain.com%2FiTop%2Fpages%2FUI.php%3Flogin_saml%3Dconnected%26login_saml%3Dconnected&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=UzoTcjBNKKJxuM%2Fgmlg7Hq%2B%2Fgt4%2B73y36tar25XgnR8Sn9Uc2fISPswL4HWHRaFHwN7rYF3ZjwUHAOjJqSDmsEghSi8LTJgdxOirPd1B4fNyszVw2u0EZjab6K83uouc2%2Bew2e6EbW0lD3lhpiOsTa2%2B%2FUHp5ZoiAfzOgHFE4SQ%3D

  • Jeffrey Bostoen

    Jeffrey Bostoen - 2023-05-22

    Was there anything else to see in the debug logs? (Do mind to keep censoring sensitive info)

  • adam

    adam - 2023-05-22

    Please find the saml.log

  • Jeffrey Bostoen

    Jeffrey Bostoen - 2023-05-22

    Sorry, at first sight it all looks okay. :|

  • adam

    adam - 2023-05-22

    Yes it is. Just that I'm not sure if the Cloudflare CDN could cause the issue.

  • Jeffrey Bostoen

    Jeffrey Bostoen - 2023-05-22

    To exclude CloudFlare: can't you just bypass it?

    Edit the local hosts file of your PC (assuming it's on the same internal network as your iTop environment), navigate to your iTop environment?

  • adam

    adam - 2023-05-24

    Finally I managed to solve this issue. It's due to the cookies, as they were set to SameSite=Strict.

    So I have added an .htaccess file within the iTop folder with these lines:

    <IfModule mod_headers.c>
        Header always edit Set-Cookie (.*) "$1; SameSite=Lax"
    </IfModule>

    Now my SSO is working fine. Thanks Jeff for your assistance.

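    To see why Adam's change worked: the following is an added illustration, not code from this thread or from the combodo-saml extension, in which a toy Python cookie jar applies the SameSite rules to the IdP -> acs.php -> UI.php hops, using constructed URLs (the tenant id is a placeholder). It models Chrome-like behaviour where a redirect chain started by a cross-site request stays cross-site, so a SameSite=Strict session cookie never reaches UI.php, while a Lax one is sent on the redirected GET (though still not on the cross-site POST to acs.php).

```python
from urllib.parse import urlsplit

# Constructed URLs modelled on the thread (iTop on mydomain.com, Microsoft Entra ID as IdP).
IDP_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
ACS_URL = "https://mydomain.com/env-production/combodo-saml/acs.php"
UI_URL = "https://mydomain.com/pages/UI.php?login_saml=connected"


def site_of(url):
    """Simplified 'site' = scheme + registrable domain (assumes a one-label public suffix)."""
    parts = urlsplit(url)
    return parts.scheme, ".".join(parts.hostname.split(".")[-2:])


class CookieJar:
    """Toy cookie store that applies SameSite rules to top-level navigations.
    Chrome-like: a redirect chain started by a cross-site request stays cross-site."""

    def __init__(self):
        self.store = {}  # host -> cookie name -> (value, samesite)

    def set_cookie(self, url, name, value, samesite):
        self.store.setdefault(urlsplit(url).hostname, {})[name] = (value, samesite)

    def cookies_for(self, url, method, initiator_url):
        """Cookies the browser attaches to a top-level request for url started from initiator_url."""
        same_site = site_of(initiator_url) == site_of(url)
        sent = {}
        for name, (value, samesite) in self.store.get(urlsplit(url).hostname, {}).items():
            if samesite == "Strict" and not same_site:
                continue  # Strict: never sent on a cross-site navigation
            if samesite == "Lax" and not same_site and method != "GET":
                continue  # Lax: cross-site only on top-level GET navigations
            sent[name] = value
        return sent


def saml_return_hop(samesite):
    """Simulate the return trip from the IdP and report which cookies UI.php receives:
    1. the IdP POSTs the SAMLResponse to acs.php (cross-site POST, so the session
       cookie from the earlier login page visit is absent unless SameSite=None);
    2. acs.php validates it, sets the session cookie and answers 302 to UI.php;
    3. the browser follows with a GET that is still attributed to the IdP."""
    jar = CookieJar()
    jar.set_cookie(UI_URL, "itop-session", "from-login-page", samesite)  # set during the login page visit
    arrived_at_acs = jar.cookies_for(ACS_URL, "POST", IDP_URL)           # step 1
    session = arrived_at_acs.get("itop-session", "fresh-after-saml")     # PHP starts a new session otherwise
    jar.set_cookie(ACS_URL, "itop-session", session, samesite)           # step 2
    return jar.cookies_for(UI_URL, "GET", IDP_URL)                       # step 3
```

    Real browsers add details this toy ignores (for example Chrome's short-lived allowance for cookies with no SameSite attribute on cross-site POSTs), so confirm the actual Set-Cookie attributes in the browser's network panel.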
  • Niclas Eriksson

    Niclas Eriksson - 2024-03-12

    I also get this: I need to click the SAML login button twice. The first time it takes me to Entra ID SAML and I authenticate OK, but then it redirects back to the login page and I need to click the SAML login again; then it's working. I created the htaccess file under the .. /itop directory but it still acts the same way.
    Any suggestion on how to troubleshoot?


    Last edit: Niclas Eriksson 2024-03-12
  • RubenS

    RubenS - 2024-04-09

    Hello everyone,

    I am facing the exact same issue discussed in this thread. I've tried modifying the .htaccess file as Adam suggested, but nothing has changed. The cookies being sent already include the "SameSite=Lax" parameter. The log messages appear just as described in the first post of this thread.

    First SAML button press:
    2024-04-09 09:56:40 | Debug | Login Response Ok.
    2024-04-09 09:56:40 | Debug | Using nameId as the 'login', the value is 'xxxx@xxxx.com'
    2024-04-09 09:56:40 | Debug | Redirecting to: https://itopurl.com/pages/UI.php

    Second SAML button press:
    2024-04-09 09:56:46 | Debug | Successfully logged in (user = 'xxxxx@xxxxx.com')

    My provider is Azure.

    Based on what I've read in the forum, this is a recurring problem. Does anyone have any ideas on how to solve it?

    Thanks everyone.

  • Jeffrey Bostoen

    Jeffrey Bostoen - 2024-04-09

    I suppose a .HAR file + the detailed log (similar to the one you posted) would help. Just be very careful, as a .HAR file is not something you want to just publish publicly as it may contain sensitive information.

    But the SAML response would also be very important.
    The redirection URL is 100% correct?

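    Jeffrey's caution above about .HAR files is worth acting on before sharing a capture. The following is an added example, not part of this thread or of the combodo-saml extension: a small Python sanitizer that blanks cookie values, Authorization headers and SAMLResponse/SAMLRequest/Signature payloads in a HAR export while keeping what is needed to debug this problem (cookie names and their SameSite attributes, status codes, redirect targets). The HAR fragment it runs on is constructed for illustration.

```python
import json
import re

REDACTED = "[REDACTED]"
COOKIE_ATTRS = {"expires", "max-age", "domain", "path", "samesite"}  # attribute values carry debugging signal
SENSITIVE_PARAMS = {"samlresponse", "samlrequest", "signature"}
QUERY_SECRETS = re.compile(r"(SAMLResponse|SAMLRequest|Signature)=[^&]*", re.IGNORECASE)

# Constructed HAR fragment shaped like a browser export of the acs.php round trip (not a real capture).
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"method": "POST", "url": "https://mydomain.com/env-production/combodo-saml/acs.php",
                "headers": [{"name": "Cookie", "value": "PHPSESSID=abc123"}], "cookies": [{"name": "PHPSESSID", "value": "abc123"}],
                "postData": {"params": [{"name": "SAMLResponse", "value": "PHNhbWxwOlJlc3BvbnNlPg=="},
                                        {"name": "RelayState", "value": "https://mydomain.com/pages/UI.php"}]}},
    "response": {"status": 302, "headers": [{"name": "Set-Cookie", "value": "PHPSESSID=def456; Path=/; HttpOnly; SameSite=Strict"},
                                            {"name": "Location", "value": "https://mydomain.com/pages/UI.php?login_saml=connected"}]}}]}}


def blank_query_secrets(text):
    """Keep parameter names but drop SAMLRequest/SAMLResponse/Signature values in a URL or query string."""
    return QUERY_SECRETS.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


def redact_cookie_header(value):
    """Blank cookie values but keep names and attributes such as SameSite, Path, Secure, HttpOnly."""
    out = []
    for piece in value.split(";"):
        name, eq, _ = piece.strip().partition("=")
        out.append(f"{name}={REDACTED}" if eq and name.lower() not in COOKIE_ATTRS else piece.strip())
    return "; ".join(out)


def sanitize_har(har):
    """Return a redacted deep copy of a HAR dict; the input object is left untouched."""
    har = json.loads(json.dumps(har))
    for entry in har["log"]["entries"]:
        for message in (entry.get("request", {}), entry.get("response", {})):
            for header in message.get("headers", []):
                name = header["name"].lower()
                if name in ("cookie", "set-cookie"):
                    header["value"] = redact_cookie_header(header["value"])
                elif name == "authorization":
                    header["value"] = REDACTED
                elif name == "location":  # IdP redirects may carry SAMLRequest/Signature in the query
                    header["value"] = blank_query_secrets(header["value"])
            for cookie in message.get("cookies", []):  # HAR also lists parsed cookies separately
                cookie["value"] = REDACTED
        request = entry.get("request", {})
        request["url"] = blank_query_secrets(request.get("url", ""))
        for param in request.get("postData", {}).get("params", []):
            if param["name"].lower() in SENSITIVE_PARAMS:
                param["value"] = REDACTED
    return har
```

    Run the output through a second pair of eyes anyway: postData.text, response bodies and custom headers are not touched here and may still contain identifiers.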
  • RubenS

    RubenS - 2024-04-09

    To be honest, I'm not very comfortable sharing the .HAR file, as I might accidentally include some sensitive data.

    The authentication response is correct, as shown in the log I sent. In fact, the first redirection is to https://itopurl.com/pages/UI.php?login_saml=connected.

    I've checked the SAML response and it seems correct. Is there any particular data that might be significant?

    I've seen in this forum that this is a recurring issue. Could it be a problem with the extension?

  • Jeffrey Bostoen

    Jeffrey Bostoen - 2024-04-09

    Could be, or something with the processing; or with the webserver configuration.
    Oh, another thing I'm thinking of: have you double-checked the "allowed_login_types"? Are those defined in the right order?

  • RubenS

    RubenS - 2024-04-09

    I've modified and tested it in different ways; currently, I have it set up like this:
    'allowed_login_types' => 'form|saml|basic|external|token',

    I tried putting 'saml' first, and this way it does access the application directly without going through the form. What I'm looking for is for the form to appear, but not to have to click the SAML button twice. Instead, I want a single click to complete the entire workflow directly and access the application.

  • Lucas Hökerberg

    Check my bug report here: https://sourceforge.net/p/itop/tickets/2273/

    After hours of code debugging and debug log reviewing, I found out that when the login is done, the extension never sets the "login_state" session variable, which seems to have the login process start over again (from credential check all the way to connected). Hence the second login push is needed.

    In the bug report, I have described what solved the problem for me. Although, I would appreciate a review and a comment from Combodo on whether this is indeed the correct solution, or if there are better (more secure) ways.

