#1836 SAML auth redirect

[Oliver]

I have a vanila 1.7.3 install on Apache on Ubuntu 16.04 and am trying to get saml auth working.
My simplesamlphp setup is working/testing fine standalone.
The MRBS login button sends me off to get authenticated against my ADFSv3 service but it returns me after authenticating to the root domain instead of the MRBS path.

MRBS is at https://server.domain.com/apps/mrbs/ but post authentication I get returned to https://server.domain.com/ and MRBS never gets to process the login.

Is there a documented way to get the "ReturnTo" parameter working with MRBS saml implementation?
The default return to current page doesn't seem to be working for me.

[John Beranek]

Hmm, the SAML session code uses a common function to find the page you're on (this_page()) which uses PHP's PHP_SELF or REQUEST_URI parameters.

This should be working everywhere...you don't have any strange URL rewrite/proxying configuration do you?

[Oliver]

No strange rewriting.

To be more specific, when on https://server.domain.com/apps/mrbs/day.php?year=2019&month=09&day=18&area=0&room=0 and I click the "Login" button I get to authenticate on my ADFS login page and then get returned to https://server.domain.com/day.php?year=2019&month=09&day=18&area=0&room=0.

So it's retaining the page but not the full path.

[John Beranek]

Oh my, you have a point... just tried with the 'php' session scheme and it's the same, but works because there the URL is used as a relative URL:

<input type="hidden" name="target_url" value="index.php?view=month&amp;page_date=2019-09-18&amp;area=1&amp;room=2">

The same goes for when you try to create a booking when you're not logged in, and get a login page, the target URL is relative and not absolute.

I'm thinking the SAML session code should be calling url_base() as well as this_page() in order to build an absolute URL. So in session/session_saml.php:

// Print the logon entry on the top banner.
function print_logon_box()
{
  global $ssp;

  $target_url = this_page(true);
  $url_base = url_base();
  $user=getUserName();

  if ($ssp->isAuthenticated())
  {
    print_report_link(isset($user) ? $user : '-invalid-');
    print_saml_logoff_button($url_base.'/'.$target_url);
  }
  else
  {
    print_saml_logon_button($url_base.'/'.$target_url);
  }
}

[John Beranek]

In fact, url_base() always end in a '/', so make that:

// Print the logon entry on the top banner.
function print_logon_box()
{
  global $ssp;

  $target_url = this_page(true);
  $url_base = url_base();
  $user=getUserName();

  if ($ssp->isAuthenticated())
  {
    print_report_link(isset($user) ? $user : '-invalid-');
    print_saml_logoff_button($url_base.$target_url);
  }
  else
  {
    print_saml_logon_button($url_base.$target_url);
  }
}

[Oliver]

It doesn't like the call to url_base()

If I instead hard set $url_base to the correct URL for my site then it successfully returns from SAML/ADFS auth to right where it needs to. This is good.

It isn't logging in a user but that is going to be something else in my SAML config which I can start to troubleshoot now.

Thanks heaps John!

[Warner Taylor]

I had set the variable, and it stopped the redirect stuff. Thanks for the help

[John Beranek]

Oh, url_base() was added after the 1.7.3 release - it's available later in the 1.7 branch, so will be in 1.7.4.

[Oliver]

Hi again.

I now can't get MRBS to ever consider my SAML session as authenticated. In fact it unauthenticates any existing SAML session.

Hand off to ADFS idp works and prompts for auth if needed.

I've written a little php script which replicates the MRBS login button form to call the simplesaml auth and then dispalys the ssp attributes if logged in.
I can have this page open and refreshing to show currently authenticated state. As soon as I click "login" in the MRBS interface in another tab I get instantly de-authenticated as far an simplesaml is concerned. If I query the ADFS idp I can see authentication there is still current.

If I set the security on the default day.php page in MRBS to require level 1 auth then it will just loop from MRBS to ADFS repeatedly until simplesaml interjects and complains about the endless looping.

I can test and see that the getUserName() function in session_saml.inc is being called and the $ssp->isAuthenticated() check is always putting an end to it there.

I simply can't work out why it won't ever setup an authenticated session and is, in fact, even un-authenticating any existing session with simplesaml.

[Oliver]

So after a lot of troubleshooting I'm not sure what the real cause is but it seems to be something to do with sessions.

I've managed to get SAML auth to work by commenting out line 122 in init.inc

//init_sessions();

[Warner Taylor]

I had to do the same thing, but I'm getting a user logged in as "-invalid-" so I don't know if this is working correctly with this commented out. Also, when I'm logged in as an admin (set by $auth['saml']['admin']['memberOf'] = ['CN=......................,DC=...............,DC=.........']; I'm not able to click and add rooms so I'm guessing there is a session issue going on here.

[Warner Taylor]

This is the error I was getting before commenting out the init_sessions() before I clicked Login;

E_WARNING in C:\inetpub\wwwroot\simplesaml\lib\SimpleSAML\SessionHandlerPHP.php at line 355
session_set_cookie_params(): Cannot change session cookie parameters when session is active
MRBS GET: Array
(
[year] => 2019
[month] => 10
[day] => 02
[area] => 0
[room] => 0
)
MRBS POST: Array
(
)
MRBS SESSION: Array
(
)

[Kieran Bailey]

Hi Oliver

I also had to comment this line out too before my auth has started working now. Using ADFS also. Getting the same issues with admin users so looking at that now.

[Campbell Morrison]

If anyone has a SAML server that they could give me access to for testing, then please send me a private message.

[Oliver]

I couldn't get the 'memberof' thing working at all.
To get admin login working I set :

$auth['saml']['admin'] = array('admin' => array('sso_admin'));

Then my idp does a group membership lookup and returns an attribute called 'admin' with a value of 'sso_admin' and it works.

My idp is Microsoft ADFS and my claim rule for this was a standard groupsid memberof rule which I copied, deleted, and re-created as a custom rule to force it to be named as 'admin'.

Custom rule text below. NOTE the only bit I had to edit was Type = "admin" value in the issue statement.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-491208099-1586638040-270679777-6370", Issuer == "AD AUTHORITY"]
 => issue(Type = "admin", Value = "admin_sso", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

[Anonymous]

Thank you for your information.
We are using Azure and I have an array called $UserGroups and I've used a search if(in_array("HDPortal_Admin", $UserGroups)) to determine admins in my other programming? This is usually an if statement and determines if something shows up or not for Admins only. Do you think I could do the same thing with this? Does something just have to be in that array as even a "yes" for it to work

[Warner Taylor]

This was my post above

[Warner Taylor]

I got it working by doing this:
$auth['saml']['admin'] = array('http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' => array('MRBS_Admins'));
Thank you SO MUCH for your help Oliver!

[Anonymous]

Hi,
I am encountering the same issues, but commenting out the init_sessions() I am now able to login. There is still the issue with admins. I assume, that your 'MRBS_Admins' is your AD group where the MRBS admins belong. I used your approach but it is not working.
Instead of this, I used:
$auth['saml']['admin']['memberOf'] = ['CN=MRBS_admins,OU=Admin,OU=Groups,OU=.....,DC=...,DC=.....,DC=..'];
And, bingo!

But what the heck are the sessions not working? I am using SAML in other app's without any problems.

[John Beranek]

FYI, the SimpleSAML support in MRBS was submitted by a non-core MRBS developer:
https://sourceforge.net/u/jornane/profile/
@jornane (unsure if this reference will work)

It may be worth attempting to contact him with an SF message...