
SAML SSO problem

2023-08-21
2024-09-02
  • Pavel Stetina

    Pavel Stetina - 2023-08-21

    Hello,

    I'm using iTop version 3.02 and SAML 1.1.2 at two of our sites. One site works great and the second one has a problem with SAML login. I have two identical configurations and the only differences are the OS and the MS Azure tenants.

    My problem:
    After clicking on "Sign with SAML", the browser redirects me to the MS login page and after authentication the browser is redirected back to the iTop login page. In saml.log I found a successful login for my account and a redirect to https://itop.mydomain.com/pages/UI.php.

    <samlp:Response ID="_xxxxxxxx" Version="2.0" IssueInstant="2023-08-21T17:01:47.726Z" Destination="https://itop.mydomain.com/env-production/combodo-saml/acs.php"
    InResponseTo="ONELOGIN_bxxxxxxxxxxx"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    https://sts.windows.net/xxxxxxxx/
        </Issuer>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <Assertion ID="xxxxxxxx" IssueInstant="2023-08-21T17:01:47.719Z" Version="2.0"
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>https://sts.windows.net/xxxxxxxxx/</Issuer>
            <Signature
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <Reference URI="#Xxxxxxx">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>xxxxxxxxxxxx</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>xxxxxxx</SignatureValue>
                <KeyInfo>
                    <X509Data>
                        <X509Certificate>xxxxxxx</X509Certificate>
                    </X509Data>
                </KeyInfo>
            </Signature>
            <Subject>
                <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">johnd@mydomain.com</NameID>
                <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                    <SubjectConfirmationData InResponseTo="ONELOGIN_xxxxxx" NotOnOrAfter="2023-08-21T18:01:47.611Z" Recipient="https://itop.mydomain.com/env-production/combodo-saml/acs.php"/>
                </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2023-08-21T16:56:47.611Z" NotOnOrAfter="2023-08-21T18:01:47.611Z">
                <AudienceRestriction>
                    <Audience>https://itop.mydomain.com/env-production/combodo-saml</Audience>
                </AudienceRestriction>
            </Conditions>
            <AttributeStatement>
                <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                    <AttributeValue></AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                    <AttributeValue></AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                    <AttributeValue>[Ext] John Doe</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                    <AttributeValue>https://sts.windows.net/</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                    <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                    <AttributeValue>John</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                    <AttributeValue>Doe</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                    <AttributeValue>johnd@mydomain.com</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                    <AttributeValue>johnd@mydomain.com</AttributeValue>
                </Attribute>
                <Attribute Name="employeeid">
                    <AttributeValue>99</AttributeValue>
                </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2023-08-21T07:20:27.466Z" SessionIndex="_43c7fc9100">
                <AuthnContext>
                    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
                </AuthnContext>
            </AuthnStatement>
        </Assertion>
    </samlp:Response>
    
    2023-08-21 19:01:45 | Debug | Login Response Ok.
    2023-08-21 19:01:45 | Debug | Using attribute 'employeeid' as the 'login', the value is '99'
    2023-08-21 19:01:45 | Debug | Redirecting to: https://itop.mydomain.com/pages/UI.php
    

    A second click on "Sign with SAML" logged me in to the iTop User Portal (my SAML account has only the Portal User profile). In saml.log I found only this:

    2023-08-21 19:01:49 | Debug |  Successfully logged in (user = '99')
    

    This is my itop config:

        'combodo-saml' => array (
            'strict' => true,
            'debug' => true,
            'nameid' => 'employeeid',
            'idp' => array (
                'entityId' => 'https://sts.windows.net/XXXXXXXX/',
                'x509certMulti' => array (
                    'signing' => array (
                        0 => 'XXXXX',
                        1 => 'XXXXX',
                        2 => 'XXXXX',
                    ),
                ),
                'singleSignOnService' => array (
                    'url' => 'https://login.microsoftonline.com/XXXXXXXX/saml2',
                    'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                ),
                'singleLogoutService' => array (
                    'url' => 'https://login.microsoftonline.com/XXXXXX/saml2',
                    'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                    'responseUrl' => '',
                ),
                'security' => array (
                    'wantMessagesSigned' => false,
                    'wantAssertionsSigned' => true,
                    'authnRequestsSigned' => true,
                    'logoutRequestSigned' => true,
                    'logoutResponseSigned' => true,
                    'requestedAuthnContext' => array (
                        0 => 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified',
                    ),
                ),
            ),
            'idp_metadata_url' => 'https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXXX',
        ),
    );
    

    Screenshots from the browser developer tools are attached:
    01_SAML-login.png - after the first click
    02_SAML-login.png - after the second click

    Any idea what I have wrong?

    Thx

     
    • Ounce

      Ounce - 2024-03-27

      @Pavel - Can you please help with setting up the SAML?
      AADSTS50011: The reply URL 'https://xxx/env-production/combodo-saml/acs.php' specified in the request does not match the reply URLs configured for the application 'abcdefgh-1234-40b9-999e-0e3b9807e8eb'.

       
      • Jeffrey Bostoen

        Jeffrey Bostoen - 2024-03-27

        It's literally telling you what the issue is. On the Microsoft side, make sure the ACS URL is properly configured for the application :)

         
  • Lucas Hökerberg

    Add "Relay State" in step 1 of the SAML configuration in Azure. Set it to e.g. https://itop.mydomain.com/pages/UI.php, and it should work. =)

    EDIT: Never mind... it worked while in incognito mode for whatever reason, but not otherwise. Guess that setting does not make any difference.

     

    Last edit: Lucas Hökerberg 2024-02-26
  • Jeffrey Bostoen

    Jeffrey Bostoen - 2024-02-27

    Just to make sure: the "external user" account in iTop is "99" for this user?

     
  • Ounce

    Ounce - 2024-03-28

    @pavel - updated the Reply URL in the AAD to
    https://xxx/env-production/combodo-saml

    now getting the error -
    Invalid audience for this Response (expected 'abcdef-1234-8fa1-9d42022b4fcf', got 'spn:1abcdef-1234-47a5-8fa1-9d42022b4fcf')

     
    • Jeffrey Bostoen

      Jeffrey Bostoen - 2024-03-28

      Depends a lot on how exactly you set up the integration with Microsoft Entra ID.

      If done in a certain way, the entity ID in iTop will need to have the "spn:" prefix.
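As an added illustration for this thread (not code from iTop, combodo-saml, php-saml or anyone posting here), the Python check below performs the service-provider-side comparisons behind the "Invalid audience" and reply-URL errors discussed above, and pulls out the login attribute Pavel's log shows, over a constructed response modelled on the one Pavel posted with the "spn:" audience from Ounce's error. The SP settings, sample values, NOW and check_response are all assumptions made for the example; signature and digest verification are deliberately left to the library.

```python
# Constructed diagnostic (not combodo-saml or php-saml code): compares a SAML Response with SP settings.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP = {"entityId": "spn:1abcdef-1234-47a5-8fa1-9d42022b4fcf",   # assumed: identifier exactly as Entra sends it
      "acs": "https://itop.mydomain.com/env-production/combodo-saml/acs.php", "nameid": "employeeid"}
NOW = datetime(2023, 8, 21, 17, 1, 50, tzinfo=timezone.utc)   # assumed SP clock at validation time
# Constructed sample modelled on the thread's response; IDs and timestamps are invented.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="ONELOGIN_abc"
 IssueInstant="2023-08-21T17:01:47Z" Destination="https://itop.mydomain.com/env-production/combodo-saml/acs.php">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-08-21T17:01:47Z">
  <saml:Subject><saml:NameID>johnd@mydomain.com</saml:NameID><saml:SubjectConfirmation
   Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="ONELOGIN_abc"
   NotOnOrAfter="2023-08-21T18:01:47Z" Recipient="https://itop.mydomain.com/env-production/combodo-saml/acs.php"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2023-08-21T16:56:47Z" NotOnOrAfter="2023-08-21T18:01:47Z"><saml:AudienceRestriction>
   <saml:Audience>spn:1abcdef-1234-47a5-8fa1-9d42022b4fcf</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="employeeid"><saml:AttributeValue>99</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def _ts(value):
    """Parse a SAML UTC timestamp; Entra adds fractional seconds, which are dropped here."""
    return datetime.fromisoformat(value.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)

def check_response(xml_text, sp, now, request_id):
    """Return {'problems': [...], 'login': value of the configured login attribute}.
    Signature/digest checks are out of scope; this only explains configuration mismatches."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != sp["acs"]:          # Entra's "Reply URL" must equal the ACS URL
        problems.append("Destination does not match the ACS URL")
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != sp["acs"] or scd.get("InResponseTo") != request_id:
        problems.append("SubjectConfirmationData Recipient/InResponseTo mismatch")
    cond = a.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its validity window (check clock skew)")
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS).text.strip()
    if audience != sp["entityId"]:                     # the "spn:" prefix must match character for character
        problems.append(f"Invalid audience (expected '{sp['entityId']}', got '{audience}')")
    attrs = {x.get("Name"): (x.findtext("saml:AttributeValue", "", NS) or "").strip()
             for x in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get(sp["nameid"]):
        problems.append(f"login attribute '{sp['nameid']}' missing or empty")
    return {"problems": problems, "login": attrs.get(sp["nameid"])}
```

Dropping the "spn:" prefix from SP["entityId"], or pointing "acs" at the directory instead of acs.php as in the Reply URL change above, reproduces the two error messages from this thread.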

       
  • Ounce

    Ounce - 2024-03-28

    @jeffrey - Can you please help with setting up the SAML? I can send a Zoom link to quickly connect and go through the settings.

     
  • Lucas Hökerberg

    Based on your description, it might be the same issue I'm facing. When you are redirected back to the login page, try clicking login again. Are you logged in right away then?

     
