v2.1.0

  • Fixed leftover fof components code
  • Added settings to enable/disable whether assertions and responses received from the IdP must be signed.

mekici From what I can tell, Microsoft Dynamics CRM support SAML as a Service Provider, so you can log into that via your central SAML IdP (Identity Provider). This extension makes Flarum a SAML Service Provider, meaning you could also hook it up to a central IdP. You won't be able to log into Microsoft Dynamics CRM via Flarum or vice versa though

ornanovitch Really sorry for the delay on this, feel free to bump discussions like this.

I'm not sure what's going wrong here, it might be worth checking to ensure that the assertion being transmitted is actually being signed. Out of curiosity, are you using the djangosaml2idp package? That one should work rather well with this extension. Regardless, in the most recent version I've added a setting to disable requiring a signed assertion.

        askvortsov You won't be able to log into Microsoft Dynamics CRM via Flarum or vice versa though

        Can't this be done?

        That is, users registered in the Microsoft Dynamics CRM database cannot log in to Flarum with this information?

          I'm pretty sure that Dynamics CRM SAML supports logging into Dynamics CRM via Active Directory, if that's what you're using, it should be possible to use this extension to log into Flarum via active directory as well. However I don't believe Dynamics CRM itself can work as a SAML IdP

          askvortsov Really sorry for the delay on this, feel free to bump discussions like this.

          No problem for the delay, we want to use saml but it's not a P1 objective.

          I'm not sure what's going wrong here, it might be worth checking to ensure that the assertion being transmitted is actually being signed.

          Yep, we are almost certain the assertion is actually signed (it works with other SP).

          Out of curiosity, are you using the djangosaml2idp package? That one should work rather well with this extension.

          We are using pysaml2

          Regardless, in the most recent version I've added a setting to disable requiring a signed assertion

          Wow, thank you very much for this, it works ! But we have a last little bug : our IdP does not provide avatar and your extension requires it regardless we have disable Attribute Sync :

          Argument 1 passed to Flarum\Forum\Auth\Registration::provideAvatar() must be of the type string, null given, called in /var/www/flarum/vendor/askvortsov/flarum-saml/src/Controllers/ACSController.php on line 96

          return $this->response->make(
    'saml-sso',
    $saml->getNameId(),
    function (Registration $registration) use ($saml, $email) {
        $registration
            ->provideTrustedEmail($email)
 THIS LINE  ->provideAvatar($saml->getAttribute('avatar')[0])
            ->suggestUsername('')
            ->setPayload([]);
   }

          when I remove this line, it's working perfectly so we are not far from a working SAML solution ! 🙂

              8 days later
              2 months later
              6 days later

              askvortsov Greetings,
              I am using a Laravel system for my blog. I want to use this SSO plugin for my site. Can I make my Flarum log in when logged in to my blog? I wonder if there is a document or a more detailed explanation? I do not fully understand the logic. Can you help me with this?

                  RecLast HI! This configures Flarum as a SAML service provider. SAML is an authentication process standard frequently used in enterprise environments. For most sites, Oauth (an alternative authentication system) might be a better option though. If your main site isn't already set up as a SAML service provider you'll probably want to look into other extensions for SSO, as setting up SAML can be a bit complex.

                  https://www.google.com/amp/s/auth0.com/blog/amp/how-saml-authentication-works/

                    19 days later

                    Hi,

                    I'm trying to setup SAML with a custom Identity Provider built on OpenSAML.

                    I have configured Flarum with metadata URL (I also tried the XML option too with the same results).

                    However, clicking on the SAML button on the sign on form results in "Invalid SAML Configuration: Check Settings".

                    I see the following in Apache's error log:

                    [Fri Apr 09 10:27:56.128805 2021] [php7:warn] [pid 21053] [client 192.168.2.10:34256] PHP Warning: DOMDocument::loadXML(): Empty string supplied as input in /var/www/flarum/vendor/onelogin/php-saml/src/Saml2/Utils.php on line 90, referer: https://xxxxxxxxxxxxxxx/

                    Using SAML tracer in Firefox shows no communication with the Idp.

                    What am I missing?

                      ludup Hi! Could you screenshot your configuration page for this extension, with any sensitive information redacted? It looks like it's having issues pulling in metadata

                        Thanks for the quick response. Please see below.

                        Is there anything specific about the metadata URL you require? Or anything specific in the metadata. However, I don't see it hitting our server to request metadata.

                        Any logs I can enable in Flarum to gather more information?

                          ludup Can you confirm that when you visit the URL, it returns the XML metadata?

                            Yes, I can go to that URL and download XML metadata.

                            But it looks like it never hits our web server.

                              ludup I've tagged v2.2.1, which probably won't fix the issue, but it should give us a better error message as to why it's not reaching your server. Please try that and share any errors.

                                Ok thanks, I've installed that and nothing appears to be different. Although I don't see the error in the apache log anymore.

                                Am I looking somewhere specific for log output?

                                  askvortsov Not getting anything in that folder.
                                  The Flarum folder is owned by www-data and is 775 permissions, the same for storage and log folders.

                                      ludup Ah, looks like I missed another catch layer so errors just weren't getting logged. Could you try again with v2.2.2?