Flarum SAML

askvortsov

v2.1.0

Fixed leftover fof components code
Added settings to enable/disable whether assertions and responses received from the IdP must be signed.

mekici From what I can tell, Microsoft Dynamics CRM support SAML as a Service Provider, so you can log into that via your central SAML IdP (Identity Provider). This extension makes Flarum a SAML Service Provider, meaning you could also hook it up to a central IdP. You won't be able to log into Microsoft Dynamics CRM via Flarum or vice versa though

ornanovitch Really sorry for the delay on this, feel free to bump discussions like this.

I'm not sure what's going wrong here, it might be worth checking to ensure that the assertion being transmitted is actually being signed. Out of curiosity, are you using the djangosaml2idp package? That one should work rather well with this extension. Regardless, in the most recent version I've added a setting to disable requiring a signed assertion.

mekici

askvortsov You won't be able to log into Microsoft Dynamics CRM via Flarum or vice versa though

Can't this be done?

That is, users registered in the Microsoft Dynamics CRM database cannot log in to Flarum with this information?

ornanovitch

askvortsov Really sorry for the delay on this, feel free to bump discussions like this.

No problem for the delay, we want to use saml but it's not a P1 objective.

I'm not sure what's going wrong here, it might be worth checking to ensure that the assertion being transmitted is actually being signed.

Yep, we are almost certain the assertion is actually signed (it works with other SP).

Out of curiosity, are you using the djangosaml2idp package? That one should work rather well with this extension.

We are using pysaml2

Regardless, in the most recent version I've added a setting to disable requiring a signed assertion

Wow, thank you very much for this, it works ! But we have a last little bug : our IdP does not provide avatar and your extension requires it regardless we have disable Attribute Sync :

Argument 1 passed to Flarum\Forum\Auth\Registration::provideAvatar() must be of the type string, null given, called in /var/www/flarum/vendor/askvortsov/flarum-saml/src/Controllers/ACSController.php on line 96

return $this->response->make(
    'saml-sso',
    $saml->getNameId(),
    function (Registration $registration) use ($saml, $email) {
        $registration
            ->provideTrustedEmail($email)
 THIS LINE  ->provideAvatar($saml->getAttribute('avatar')[0])
            ->suggestUsername('')
            ->setPayload([]);
   }

when I remove this line, it's working perfectly so we are not far from a working SAML solution ! 🙂

askvortsov

I'm pretty sure that Dynamics CRM SAML supports logging into Dynamics CRM via Active Directory, if that's what you're using, it should be possible to use this extension to log into Flarum via active directory as well. However I don't believe Dynamics CRM itself can work as a SAML IdP

askvortsov

v2.1.1

Don't set an avatar if one isn't provided (should fix ornanovitch )

ornanovitch

askvortsov awesome, I test ASAP thanks!

ornanovitch

askvortsov It's working like a charm, thanks again 😀

askvortsov

v2.2.0

Update for beta 16

RecLast

askvortsov Greetings,
I am using a Laravel system for my blog. I want to use this SSO plugin for my site. Can I make my Flarum log in when logged in to my blog? I wonder if there is a document or a more detailed explanation? I do not fully understand the logic. Can you help me with this?

askvortsov

RecLast HI! This configures Flarum as a SAML service provider. SAML is an authentication process standard frequently used in enterprise environments. For most sites, Oauth (an alternative authentication system) might be a better option though. If your main site isn't already set up as a SAML service provider you'll probably want to look into other extensions for SSO, as setting up SAML can be a bit complex.

https://www.google.com/amp/s/auth0.com/blog/amp/how-saml-authentication-works/

ludup

Hi,

I'm trying to setup SAML with a custom Identity Provider built on OpenSAML.

I have configured Flarum with metadata URL (I also tried the XML option too with the same results).

However, clicking on the SAML button on the sign on form results in "Invalid SAML Configuration: Check Settings".

I see the following in Apache's error log:

[Fri Apr 09 10:27:56.128805 2021] [php7:warn] [pid 21053] [client 192.168.2.10:34256] PHP Warning: DOMDocument::loadXML(): Empty string supplied as input in /var/www/flarum/vendor/onelogin/php-saml/src/Saml2/Utils.php on line 90, referer: https://xxxxxxxxxxxxxxx/

Using SAML tracer in Firefox shows no communication with the Idp.

What am I missing?

askvortsov

ludup Hi! Could you screenshot your configuration page for this extension, with any sensitive information redacted? It looks like it's having issues pulling in metadata

ludup

Thanks for the quick response. Please see below.

Is there anything specific about the metadata URL you require? Or anything specific in the metadata. However, I don't see it hitting our server to request metadata.

Any logs I can enable in Flarum to gather more information?

askvortsov

ludup Can you confirm that when you visit the URL, it returns the XML metadata?

ludup

Yes, I can go to that URL and download XML metadata.

But it looks like it never hits our web server.

askvortsov

ludup I've tagged v2.2.1, which probably won't fix the issue, but it should give us a better error message as to why it's not reaching your server. Please try that and share any errors.

ludup

Ok thanks, I've installed that and nothing appears to be different. Although I don't see the error in the apache log anymore.

Am I looking somewhere specific for log output?

askvortsov

ludup should be in the storage/logsfolder

ludup

askvortsov Not getting anything in that folder.
The Flarum folder is owned by www-data and is 775 permissions, the same for storage and log folders.

askvortsov

ludup Ah, looks like I missed another catch layer so errors just weren't getting logged. Could you try again with v2.2.2?

« Previous Page Next Page »