Flarum SAML

ornanovitch

Hello again and thank you !
We are moving forward on installing your SAML extension, but we are facing a last issue : our IdP does the redirection correctly, but then your extension is telling us Could not process response: invalid_response: The Assertion of the Response is not signed and the SP requires it. It is strange because on our IdP (pysaml), the sign is enabled fot both response and assertion...

FTR, you can check our IdP script and the corresponding configuration here

Thank you anyway !

askvortsov

ornanovitch Just to confirm, this error is being thrown in Flarum?, and not by your IdP? Note that Flarum is intended to be a SP here, not an IdP.

ornanovitch

askvortsov Sorry for the confusion. Yes, the error is being thrown in Flarum, which is configured to be the SP :

askvortsov

v2.0.0

Updated for beta 15

mekici

askvortsov Is SAML2 SSO available in Microsoft Dynamics CRM?

ornanovitch

I just corrected my previous error (IdP/SP) to avoid the confusion !

askvortsov

v2.1.0

Fixed leftover fof components code
Added settings to enable/disable whether assertions and responses received from the IdP must be signed.

mekici From what I can tell, Microsoft Dynamics CRM support SAML as a Service Provider, so you can log into that via your central SAML IdP (Identity Provider). This extension makes Flarum a SAML Service Provider, meaning you could also hook it up to a central IdP. You won't be able to log into Microsoft Dynamics CRM via Flarum or vice versa though

ornanovitch Really sorry for the delay on this, feel free to bump discussions like this.

I'm not sure what's going wrong here, it might be worth checking to ensure that the assertion being transmitted is actually being signed. Out of curiosity, are you using the djangosaml2idp package? That one should work rather well with this extension. Regardless, in the most recent version I've added a setting to disable requiring a signed assertion.

mekici

askvortsov You won't be able to log into Microsoft Dynamics CRM via Flarum or vice versa though

Can't this be done?

That is, users registered in the Microsoft Dynamics CRM database cannot log in to Flarum with this information?

ornanovitch

askvortsov Really sorry for the delay on this, feel free to bump discussions like this.

No problem for the delay, we want to use saml but it's not a P1 objective.

I'm not sure what's going wrong here, it might be worth checking to ensure that the assertion being transmitted is actually being signed.

Yep, we are almost certain the assertion is actually signed (it works with other SP).

Out of curiosity, are you using the djangosaml2idp package? That one should work rather well with this extension.

We are using pysaml2

Regardless, in the most recent version I've added a setting to disable requiring a signed assertion

Wow, thank you very much for this, it works ! But we have a last little bug : our IdP does not provide avatar and your extension requires it regardless we have disable Attribute Sync :

Argument 1 passed to Flarum\Forum\Auth\Registration::provideAvatar() must be of the type string, null given, called in /var/www/flarum/vendor/askvortsov/flarum-saml/src/Controllers/ACSController.php on line 96

return $this->response->make(
    'saml-sso',
    $saml->getNameId(),
    function (Registration $registration) use ($saml, $email) {
        $registration
            ->provideTrustedEmail($email)
 THIS LINE  ->provideAvatar($saml->getAttribute('avatar')[0])
            ->suggestUsername('')
            ->setPayload([]);
   }

when I remove this line, it's working perfectly so we are not far from a working SAML solution ! 🙂

askvortsov

I'm pretty sure that Dynamics CRM SAML supports logging into Dynamics CRM via Active Directory, if that's what you're using, it should be possible to use this extension to log into Flarum via active directory as well. However I don't believe Dynamics CRM itself can work as a SAML IdP

askvortsov

v2.1.1

Don't set an avatar if one isn't provided (should fix ornanovitch )

ornanovitch

askvortsov awesome, I test ASAP thanks!

ornanovitch

askvortsov It's working like a charm, thanks again 😀

askvortsov

v2.2.0

Update for beta 16

RecLast

askvortsov Greetings,
I am using a Laravel system for my blog. I want to use this SSO plugin for my site. Can I make my Flarum log in when logged in to my blog? I wonder if there is a document or a more detailed explanation? I do not fully understand the logic. Can you help me with this?

askvortsov

RecLast HI! This configures Flarum as a SAML service provider. SAML is an authentication process standard frequently used in enterprise environments. For most sites, Oauth (an alternative authentication system) might be a better option though. If your main site isn't already set up as a SAML service provider you'll probably want to look into other extensions for SSO, as setting up SAML can be a bit complex.

https://www.google.com/amp/s/auth0.com/blog/amp/how-saml-authentication-works/

ludup

Hi,

I'm trying to setup SAML with a custom Identity Provider built on OpenSAML.

I have configured Flarum with metadata URL (I also tried the XML option too with the same results).

However, clicking on the SAML button on the sign on form results in "Invalid SAML Configuration: Check Settings".

I see the following in Apache's error log:

[Fri Apr 09 10:27:56.128805 2021] [php7:warn] [pid 21053] [client 192.168.2.10:34256] PHP Warning: DOMDocument::loadXML(): Empty string supplied as input in /var/www/flarum/vendor/onelogin/php-saml/src/Saml2/Utils.php on line 90, referer: https://xxxxxxxxxxxxxxx/

Using SAML tracer in Firefox shows no communication with the Idp.

What am I missing?

askvortsov

ludup Hi! Could you screenshot your configuration page for this extension, with any sensitive information redacted? It looks like it's having issues pulling in metadata

ludup

Thanks for the quick response. Please see below.

Is there anything specific about the metadata URL you require? Or anything specific in the metadata. However, I don't see it hitting our server to request metadata.

Any logs I can enable in Flarum to gather more information?

askvortsov

ludup Can you confirm that when you visit the URL, it returns the XML metadata?