This repository has been archived by the owner on May 17, 2021. It is now read-only.

Invalid Credentials [ en.notice_account_invalid_creditentials ] #38

Open
SecurityInMind opened this issue Nov 14, 2017 · 1 comment

@SecurityInMind

Hi,

We are experiencing some trouble getting this plugin to work with our Redmine; the related details are below:

Environment:
Redmine version 3.4.3.stable
Ruby version 2.2.5-p319 (2016-04-26) [x86_64-linux]
Rails version 4.2.8
Environment production
Database adapter Mysql2
SCM:
Subversion 1.6.11
Git 1.7.1
Filesystem
Redmine plugins:
redmine_omniauth_saml 0.0.1

Our saml.rb file

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "http://redmine.local/auth/saml/callback", # OmniAuth callback URL
    :issuer => "http://redmine.local", # The issuer name / entity ID. Must be a URI as per the SAML 2.0 spec.
    :single_logout_service_url => "http://redmine.example.com/auth/saml/sls", # The SLS (logout) callback URL
    :idp_sso_target_url => "https://[redacted]/login.html", # SSO login endpoint
    :idp_cert_fingerprint => "[redacted]", # SSO ssl certificate fingerprint
    # Alternatively, specify the full certificate:
    #:idp_cert => "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    :name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :signout_url => "http://sso.example.com/saml2/idp/SingleLogoutService.php?ReturnTo=", # Optional signout URL, not supported by all identity providers
    :idp_slo_target_url => "http://sso.example.com/saml2/idp/SingleLogoutService.php",
    :name_identifier_value => "mail", # Which Redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping => {
      # How we map attributes from SSO to Redmine attributes
      :login => 'extra.raw_info.username',
      :mail => 'extra.raw_info.email',
      :firstname => 'extra.raw_info.firstname',
      :lastname => 'extra.raw_info.lastname'
    }
  }
  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

Here is the log:

9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==", "provider"=>"saml"}
(0.4ms) SELECT MAX(settings.updated_on) FROM settings
AnonymousUser Load (0.3ms) SELECT users.* FROM users WHERE users.type IN ('AnonymousUser') ORDER BY users.id ASC LIMIT 1
Current user: anonymous
EmailAddress Load (0.1ms) SELECT email_addresses.* FROM email_addresses WHERE email_addresses.address IS NULL LIMIT 1
Failed login for 'test@test.com' from [IP ADDRESS REDACTED] at 2017-11-14 15:39:49 UTC
Redirected to http://redmine.local/login
Completed 302 Found in 5ms (ActiveRecord: 0.9ms)

We will be waiting for your reply.

@nadz-goldman

nadz-goldman commented Nov 14, 2017

@SecurityInMind, I didn't see any configuration from the other side or an explanation of what is wrong, but here are some cookies from me.

Here is a working example:

/redmine/config/initializers/90-saml.rb

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redmine.local/auth/saml/callback",
    :issuer                         => "https://redmine.local/auth/saml/metadata",
    :single_logout_service_url      => "https://redmine.local/auth/saml/sls",
    :idp_sso_target_url             => "https://idp.somewhere/saml/saml2/idp/SSOService.php",
    :idp_cert_fingerprint           => "some-fingerprint",
    :signout_url                    => "https://idp.somewhere/saml/saml2/idp/SingleLogoutService.php?ReturnTo=",
    :idp_slo_target_url             => "https://idp.somewhere/saml/saml2/idp/SingleLogoutService.php",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :name_identifier_value          => "login",
    :attribute_mapping              => {
      :login      => 'extra.raw_info.urn:mace:dir:attribute-def:eduPersonPrincipalName',
      :mail       => 'extra.raw_info.urn:mace:dir:attribute-def:mail',
      :firstname  => 'extra.raw_info.cn',
      :lastname   => 'extra.raw_info.sn'
    }
  }
  config.on_login do |omniauth_hash, user|
  end
end

On the other side we are using SimpleSAMLphp as the IdP, and here is the content of the metadata for Redmine (which acts as the SP):


$metadata['https://redmine.local/auth/saml/metadata'] = array (
  'entityid' => 'https://redmine.local/auth/saml/metadata',
  'contacts' =>
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://redmine.local/auth/saml/callback',
      'index' => 0,
      'isDefault' => true,
    ),
  ),
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://redmine.local/auth/saml/sls',
      'ResponseLocation' => 'https://redmine.local/auth/saml/sls',
    ),
  ),
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  'validate.authnrequest' => false,
  'saml20.sign.assertion' => true,

  'authproc' => array(
      1 => array(
        'class' => 'saml:AttributeNameID',
        'attribute' => 'eduPersonPrincipalName',
        'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
      ),
    ),
);

Because we are using LDAP and the ruEduORg schema for eduGAIN, here we are NOT mapping attributes in the 'authproc' block but giving an attribute which can be used as the login.
It's easy =)

Also you can use debug on Redmine-side.
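As an added example (not code from the plugin or from either poster), the script below resolves each `attribute_mapping` path from both configs in this thread against a constructed OmniAuth auth hash and reports which Redmine fields would come back nil. It assumes the plugin walks the dotted `extra.raw_info.<attr>` path through nested hashes; the sample hash is constructed with the eduPerson-style attribute names from the working mapping, so the issue's mapping resolves to nothing, and a nil `:mail` is consistent with the `email_addresses.address IS NULL` query in the posted log.

```ruby
# Added example, not plugin code: resolve each attribute_mapping path against an OmniAuth
# auth hash. Assumption: the plugin splits "extra.raw_info.<attr>" on '.' and digs into nested hashes.
# Constructed sample auth hash: attribute names as SimpleSAMLphp with the eduPerson schema
# would send them (the names used in the working mapping), not real IdP output.
SAMPLE_AUTH_HASH = {
  'provider' => 'saml',
  'uid' => 'test@test.com',
  'extra' => {
    'raw_info' => {
      'urn:mace:dir:attribute-def:eduPersonPrincipalName' => 'test@test.com',
      'urn:mace:dir:attribute-def:mail' => 'test@test.com',
      'cn' => 'Test',
      'sn' => 'User'
    }
  }
}.freeze

# Mapping from the issue report: plain attribute names the sample IdP does not send.
ISSUE_MAPPING = {
  login: 'extra.raw_info.username',
  mail: 'extra.raw_info.email',
  firstname: 'extra.raw_info.firstname',
  lastname: 'extra.raw_info.lastname'
}.freeze

# Mapping from the working example in the reply.
WORKING_MAPPING = {
  login: 'extra.raw_info.urn:mace:dir:attribute-def:eduPersonPrincipalName',
  mail: 'extra.raw_info.urn:mace:dir:attribute-def:mail',
  firstname: 'extra.raw_info.cn',
  lastname: 'extra.raw_info.sn'
}.freeze

# Walk a dotted path through nested hashes; nil as soon as a hop is missing.
def dig_path(hash, path)
  path.split('.').reduce(hash) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Returns [resolved_fields, fields_that_are_nil_or_empty] for one mapping.
def resolve_mapping(auth_hash, mapping)
  resolved = mapping.each_with_object({}) { |(field, path), acc| acc[field] = dig_path(auth_hash, path) }
  missing = resolved.select { |_, v| v.nil? || v.to_s.strip.empty? }.keys
  [resolved, missing]
end

[ISSUE_MAPPING, WORKING_MAPPING].each do |m|
  _resolved, missing = resolve_mapping(SAMPLE_AUTH_HASH, m)
  puts missing.empty? ? 'all mapped fields present' : "login would fail, nil fields: #{missing.join(', ')}"
end
```

Dumping the real `omniauth_hash` from inside `config.on_login` (or from the Redmine debug log) and feeding it in place of the constructed hash shows which of your mapping keys actually match what your IdP sends.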
