
#1781 MRBS saml integration

Status: open
Owner: nobody
Priority: 1
Updated: 2019-06-24
Created: 2019-06-19

Hello,

I'm trying to integrate MRBS with our simplesaml setup and I keep getting the error below when I try to authenticate in MRBS:

Whoops! Unfortunately MRBS has encountered a fatal error. Please consult your system administrator.

I added the two lines below to internalconfig.inc.php:

error_reporting(-1);
ini_set('display_errors', '1');

And I got:

Uncaught exception 'SimpleSAML_Error_Exception' in /pathtosamlinstallation/modules/saml/lib/Auth/Source/SP.php at line 134
Could not find the metadata of an IdP with entity ID 'doamin/samlinstallation/www/saml2/idp/metadata.php'
#0 /pathtosamlinstallation/modules/saml/lib/Auth/Source/SP.php(308): sspmod_saml_Auth_Source_SP->getIdPMetadata('https://www.cac...')
#1 /pathtosamlinstallation/modules/saml/lib/Auth/Source/SP.php(390): sspmod_saml_Auth_Source_SP->startSSO('https://www.cac...', Array)
#2 /pathtosamlinstallation/lib/SimpleSAML/Auth/Default.php(65): sspmod_saml_Auth_Source_SP->authenticate(Array)
#3 /pathtosamlinstallation/lib/SimpleSAML/Auth/Simple.php(136): SimpleSAML_Auth_Default::initLogin('default-sp', 'https://www.cac...', NULL, Array)
#4 /pathtosamlinstallation/lib/SimpleSAML/Auth/Simple.php(79): SimpleSAML_Auth_Simple->login(Array)
#5 /pathtoMRBS/session/session_saml.inc(61): SimpleSAML_Auth_Simple->requireAuth()
#6 /pathtoMRBS/mrbs_auth.inc(88): MRBS\authGet()
#7 /pathtoMRBS/mrbs_auth.inc(137): MRBS\getAuthorised(1)
#8 /pathtoMRBS/edit_entry.php(1120): MRBS\checkAuthorised()

Below is my configuration in MRBS:

$auth['type'] = 'saml';
$auth['session'] = 'saml';
$auth['saml']['ssp_path'] = '../simplesamlphp';
$auth['saml']['authsource'] = 'default-sp';
$auth['saml']['attr']['username'] = 'sAMAccountName';
$auth['saml']['attr']['mail'] = 'mail';
$auth['saml']['admin']['memberOf'] = ['CN=Domain Admins,CN=Users,DC=domain,DC=domain,DC=domain'];

Thanks for your help.

Discussion

  • Anonymous

    Anonymous - 2019-06-20

    I got the login to work but there is an access level error as follows:

    You do not have the necessary rights to view this page

    How can I set access levels in saml?

    Thanks

     
  • Campbell Morrison

    Looking at the code, access levels in the 'saml' auth type are set using $auth['saml']['admin']. This should be an associative array indexed by SAML attribute with values being an array of values for that attribute that will give admin access. For example

    $auth['saml']['admin'] = array(
        'attr1' => array('value1', 'value2'),
        'attr2' => array('value3', 'value4')
    );
    
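    As an added example (not code from MRBS, SimpleSAMLphp or the poster above), the PHP below shows how a map in that shape can be evaluated against the attribute array a SimpleSAMLphp SP hands back (attribute name => list of values). The helper name, attribute names and group DNs are constructed for illustration; it returns the level scheme the thread refers to, 2 for admin and 1 for any other authenticated user.

```php
<?php
// Added illustration, not MRBS's or SimpleSAMLphp's own code. Attribute sets
// are shaped like SimpleSAML_Auth_Simple::getAttributes() output:
// attribute name => array of string values. All sample values are constructed.

// Constructed admin rule in the $auth['saml']['admin'] format.
$admin_rules = array(
    'memberOf' => array(
        'CN=Domain Admins,CN=Users,DC=example,DC=com',
        'CN=MRBS Admins,CN=Groups,DC=example,DC=com',
    ),
    'eduPersonEntitlement' => array('urn:example:mrbs:admin'),
);

// Hypothetical helper: 2 for admin, 1 for any other authenticated user.
function saml_access_level(array $attributes, array $admin_rules): int
{
    foreach ($admin_rules as $attr => $admin_values) {
        if (empty($attributes[$attr])) {
            continue;   // attribute not released by the IdP: cannot match
        }
        // Attributes may be multi-valued; any overlap with the rule grants
        // admin. The comparison is exact and case-sensitive, so a DN that
        // differs only in case or spacing is treated as a different group.
        if (array_intersect((array) $attributes[$attr], $admin_values)) {
            return 2;
        }
    }
    return 1;
}

// Constructed attribute sets for two users.
$admin_user = array(
    'sAMAccountName' => array('jdoe'),
    'mail'           => array('jdoe@example.com'),
    'memberOf'       => array(
        'CN=Staff,CN=Users,DC=example,DC=com',
        'CN=MRBS Admins,CN=Groups,DC=example,DC=com',
    ),
);
$regular_user = array(
    'sAMAccountName' => array('asmith'),
    'memberOf'       => array('CN=Staff,CN=Users,DC=example,DC=com'),
);

echo "jdoe: level ", saml_access_level($admin_user, $admin_rules), "\n";
echo "asmith: level ", saml_access_level($regular_user, $admin_rules), "\n";
```

    Only attributes the IdP actually releases to this SP can match, so a rule on an unreleased attribute silently grants nobody admin; confirm the attribute names against the SP's attribute dump before relying on them.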
     
    • Anonymous

      Anonymous - 2019-06-20

      Can you please help with the access level configuration? If possible, show me an example of a user level. Thank you so much.

       
  • Anonymous

    Anonymous - 2019-06-20

    So the values should be group memberships? What about regular users' access? Thanks.

     
  • Mona AbdelHady

    Mona AbdelHady - 2019-06-20

    Never mind. Got it for admin users, will try to figure out regular users.

     
  • Campbell Morrison

    Regular users should be automatically logged in as Level 1 users. You shouldn't need to configure anything. Is the username appearing in the top right hand corner? If so, which page can't you access?

     
  • Campbell Morrison

    Can you post your copy of mrbs_auth.inc here?

     
    • Mona AbdelHady

      Mona AbdelHady - 2019-06-20

      Sure. Attached.

       
  • Campbell Morrison

    Thanks. Which version of MRBS are you using?

     
    • Mona AbdelHady

      Mona AbdelHady - 2019-06-20

      1.7.3

       
  • Campbell Morrison

    One possibility is that $_SERVER['PHP_SELF'] is empty on your system. Can you try running the attached test program and let me know the output?

     
  • Mona AbdelHady

    Mona AbdelHady - 2019-06-20

    This is what I get:

    PHP_SELF: /test.php
    REQUEST_URI: /test.php

     
  • Campbell Morrison

    Thanks. $_SERVER['PHP_SELF'] looks OK. Is it just day.php that's a problem? Can ordinary users access week.php and month.php, for example?

     
  • Mona AbdelHady

    Mona AbdelHady - 2019-06-20

    All the same, not just day.php. Any regular user gets an access denied message.

     
  • Campbell Morrison

    Here's a test version of auth/auth_saml.inc that should dump the user data coming back. Can you post it here having removed any confidential data? Or just send me a PM.

     
  • Campbell Morrison

    Sorry, here's a revised version of the test auth_saml.inc.

     
  • Anonymous

    Anonymous - 2019-06-24

    Sorry for not getting back to you earlier. Our website host support was able to figure it out and now SSO is working fine.

    I have another question: how can I query another database to get other information to be sent in the initial email after booking? To explain more, I want to get other records connected to the logged-in user who is making the reservation from another database and send this information in the email body. Is this doable?

    Thanks.

     
    • Campbell Morrison

      As this is a separate topic I have raised a new ticket for it at https://sourceforge.net/p/mrbs/support-requests/1787/.