MRBS saml integration
Brought to you by:
jberanek
Hello,
I'm trying to integrate MRBS with our simplesaml setup and I keep getting the error below when I try to authenticate in MRBS:
Whoops! Unfortunately MRBS has encountered a fatal error. Please consult your system administrator.
I added the two lines below to internalconfig.inc.php:
error_reporting(-1);
ini_set('display_errors', '1');
And I got:
Uncaught exception 'SimpleSAML_Error_Exception' in /pathtosamlinstallation/modules/saml/lib/Auth/Source/SP.php at line 134: Could not find the metadata of an IdP with entity ID 'doamin/samlinstallation/www/saml2/idp/metadata.php'
#0 /pathtosamlinstallation/modules/saml/lib/Auth/Source/SP.php(308): sspmod_saml_Auth_Source_SP->getIdPMetadata('https://www.cac...')
#1 /pathtosamlinstallation/modules/saml/lib/Auth/Source/SP.php(390): sspmod_saml_Auth_Source_SP->startSSO('https://www.cac...', Array)
#2 /pathtosamlinstallation/lib/SimpleSAML/Auth/Default.php(65): sspmod_saml_Auth_Source_SP->authenticate(Array)
#3 /pathtosamlinstallation/lib/SimpleSAML/Auth/Simple.php(136): SimpleSAML_Auth_Default::initLogin('default-sp', 'https://www.cac...', NULL, Array)
#4 /pathtosamlinstallation/lib/SimpleSAML/Auth/Simple.php(79): SimpleSAML_Auth_Simple->login(Array)
#5 /pathtoMRBS/session/session_saml.inc(61): SimpleSAML_Auth_Simple->requireAuth()
#6 /pathtoMRBS/mrbs_auth.inc(88): MRBS\authGet()
#7 /pathtoMRBS/mrbs_auth.inc(137): MRBS\getAuthorised(1)
#8 /pathtoMRBS/edit_entry.php(1120): MRBS\checkAuthorised()
Below is my configuration in MRBS:
$auth['type'] = 'saml';
$auth['session'] = 'saml';
$auth['saml']['ssp_path'] = '../simplesamlphp';
$auth['saml']['authsource'] = 'default-sp';
$auth['saml']['attr']['username'] = 'sAMAccountName';
$auth['saml']['attr']['mail'] = 'mail';
$auth['saml']['admin']['memberOf'] = ['CN=Domain Admins,CN=Users,DC=domain,DC=domain,DC=domain'];
Thanks for your help.
I got the login to work, but there is an access level error as follows:
You do not have the necessary rights to view this page
How can I set access levels in saml?
Thanks
Looking at the code, access levels in the 'saml' auth type are set using $auth['saml']['admin']. This should be an associative array indexed by SAML attribute, with values being an array of values for that attribute that will give admin access. For example
Can you please help with the access level configuration? If possible, show me an example of a user level. Thank you so much.
So the values should be group memberships? What about regular users' access? Thanks.
Never mind. Got it for admin users; will try to figure out regular users.
Regular users should be automatically logged in as Level 1 users. You shouldn't need to configure anything. Is the username appearing in the top right hand corner? If so, which page can't you access?
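To make the $auth['saml']['admin'] mapping concrete, here is an added illustrative example in PHP. It is not MRBS's own code and does not reproduce how auth_saml.inc performs the check; it only shows the data shapes involved: the admin map is indexed by SAML attribute name, each entry lists the attribute values that confer admin, and SimpleSAMLphp returns every attribute value as an array of strings. The sample attribute sets, group DNs and usernames are constructed for the demo; the level numbers assume MRBS's convention of 1 for an ordinary user and 2 for an admin.

```php
<?php
// Illustrative example, not MRBS's own code. It evaluates an
// $auth['saml']['admin'] map of the kind described in this thread against
// the attribute array that SimpleSAMLphp's getAttributes() returns.
// All sample data below is constructed for the demonstration.

$auth['saml']['admin'] = [
    // SAML attribute => list of values, any one of which grants admin
    'memberOf' => [
        'CN=Domain Admins,CN=Users,DC=example,DC=com',
        'CN=MRBS Admins,CN=Groups,DC=example,DC=com',
    ],
    'sAMAccountName' => ['mrbs.admin'],
];

/**
 * Return the MRBS access level for a user's SAML attributes:
 * 1 for any authenticated user (the default, as the thread notes),
 * 2 (admin) if any configured attribute carries a configured value.
 *
 * The comparison is exact and case-sensitive, so a DN that differs in
 * a single component (CN=Users versus OU=Users, a trailing space, a
 * different DC order) will silently leave the user at level 1.
 */
function saml_access_level(array $attributes, array $adminConfig): int
{
    foreach ($adminConfig as $attribute => $adminValues) {
        if (!isset($attributes[$attribute])) {
            continue;
        }
        // SimpleSAMLphp hands back arrays; the cast also tolerates a
        // bare string should another session layer supply one.
        foreach ((array) $attributes[$attribute] as $value) {
            if (in_array($value, $adminValues, true)) {
                return 2;
            }
        }
    }
    return 1;
}

// Constructed attribute sets in the shape SimpleSAMLphp returns them.
$adminUser = [
    'sAMAccountName' => ['jdoe'],
    'mail'           => ['jdoe@example.com'],
    'memberOf'       => [
        'CN=Domain Admins,CN=Users,DC=example,DC=com',
        'CN=Staff,CN=Users,DC=example,DC=com',
    ],
];
$regularUser = [
    'sAMAccountName' => ['asmith'],
    'mail'           => ['asmith@example.com'],
    'memberOf'       => ['CN=Staff,CN=Users,DC=example,DC=com'],
];

printf("jdoe   -> level %d\n", saml_access_level($adminUser, $auth['saml']['admin']));
printf("asmith -> level %d\n", saml_access_level($regularUser, $auth['saml']['admin']));
```

Run with `php example.php`: jdoe is promoted to level 2 by the Domain Admins DN, asmith stays at level 1 without any extra configuration. When a user who should be an admin comes through as level 1, dump the attributes the IdP actually sends (the thread's test auth_saml.inc does this) and compare the memberOf strings character by character against the configured DNs before looking anywhere else.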
Yes, the username is appearing on the right. Just the day.php page is giving me an access denied error.
Can you post your copy of mrbs_auth.inc here?
Sure. Attached.
Thanks. Which version of MRBS are you using?
1.7.3
One possibility is that $_SERVER['PHP_SELF'] is empty on your system. Can you try running the attached test program and let me know the output?
This is what I get:
PHP_SELF: /test.php
REQUEST_URI: /test.php
Thanks.
$_SERVER['PHP_SELF'] looks OK. Is it just day.php that's a problem? Can ordinary users access week.php and month.php, for example?
All the same, not just day.php. Any regular user gets an access denied message.
Here's a test version of auth/auth_saml.inc that should dump the user data coming back. Can you post it here having removed any confidential data? Or just send me a PM.
Sorry, here's a revised version of the test auth_saml.inc.
Sorry for not getting back to you earlier. Our website host support was able to figure it out and now SSO is working fine.
I have another question: how can I query another database to get other information to be sent in the initial email after booking? To explain more, I want to get other records connected to the logged-in user who is making the reservation from another database and send this information in the email body. Is this doable?
Thanks.
As this is a separate topic I have raised a new ticket for it at https://sourceforge.net/p/mrbs/support-requests/1787/.