Flarum SAML

ornanovitch

askvortsov awesome, I test ASAP thanks!

ornanovitch

askvortsov It's working like a charm, thanks again 😀

askvortsov

v2.2.0

Update for beta 16

RecLast

askvortsov Greetings,
I am using a Laravel system for my blog. I want to use this SSO plugin for my site. Can I make my Flarum log in when logged in to my blog? I wonder if there is a document or a more detailed explanation? I do not fully understand the logic. Can you help me with this?

askvortsov

RecLast HI! This configures Flarum as a SAML service provider. SAML is an authentication process standard frequently used in enterprise environments. For most sites, Oauth (an alternative authentication system) might be a better option though. If your main site isn't already set up as a SAML service provider you'll probably want to look into other extensions for SSO, as setting up SAML can be a bit complex.

https://www.google.com/amp/s/auth0.com/blog/amp/how-saml-authentication-works/

ludup

Hi,

I'm trying to setup SAML with a custom Identity Provider built on OpenSAML.

I have configured Flarum with metadata URL (I also tried the XML option too with the same results).

However, clicking on the SAML button on the sign on form results in "Invalid SAML Configuration: Check Settings".

I see the following in Apache's error log:

[Fri Apr 09 10:27:56.128805 2021] [php7:warn] [pid 21053] [client 192.168.2.10:34256] PHP Warning: DOMDocument::loadXML(): Empty string supplied as input in /var/www/flarum/vendor/onelogin/php-saml/src/Saml2/Utils.php on line 90, referer: https://xxxxxxxxxxxxxxx/

Using SAML tracer in Firefox shows no communication with the Idp.

What am I missing?

askvortsov

ludup Hi! Could you screenshot your configuration page for this extension, with any sensitive information redacted? It looks like it's having issues pulling in metadata

ludup

Thanks for the quick response. Please see below.

Is there anything specific about the metadata URL you require? Or anything specific in the metadata. However, I don't see it hitting our server to request metadata.

Any logs I can enable in Flarum to gather more information?

askvortsov

ludup Can you confirm that when you visit the URL, it returns the XML metadata?

ludup

Yes, I can go to that URL and download XML metadata.

But it looks like it never hits our web server.

askvortsov

ludup I've tagged v2.2.1, which probably won't fix the issue, but it should give us a better error message as to why it's not reaching your server. Please try that and share any errors.

ludup

Ok thanks, I've installed that and nothing appears to be different. Although I don't see the error in the apache log anymore.

Am I looking somewhere specific for log output?

askvortsov

ludup should be in the storage/logsfolder

ludup

askvortsov Not getting anything in that folder.
The Flarum folder is owned by www-data and is 775 permissions, the same for storage and log folders.

askvortsov

ludup Ah, looks like I missed another catch layer so errors just weren't getting logged. Could you try again with v2.2.2?

ludup

Just one line "Either a metadata URL or XML must be provided"

askvortsov

Alright, I think I've found and patched the issue. Try v2.2.3

ludup

askvortsov Thank you, it's now reading the metadata and it generated a useful error pointing to a couple of problems in our configuration. After correcting a couple of things on our side it's now working.

ludup

Now that we have SAML working, there are some immediate usability issues with the login process that are of some concern. I gave access to a couple of technical guys in our team and this is the feedback I've received. FYI I've enabled SAML only as we only want our existing users to access this, and new users will create an account on our Idp.

Is there a way to have the login remain solely within the browser flow? The popup can be confusing and the little dialog on the main page doesn't really have any purpose and the forgotten password link will not work because it won't integrate with the Idp. Just the option to send the user off to the Idp login page within the existing window would suffice and be perfect for ours, and I assume others' needs.

Logging out of the forum does not appear to call logout on the Idp, leaving me logged in. Again, an option to do this if at all possible so when a user logs out, they are not leaving a session open on the Idp.

The page after login that requests the username is a little sparse and confused someone I consider to be a very technical user! Can we have a little more text.. "One last step.. enter a username that will be used to identify you in public posts. Your email or real name will never be exposed". And, at this point, the user has passed SAML authentication so the "Already have an account" link is wrong and actually allows me to get back to the standard login page that I thought I had disabled. (Click login, then sign up).

ludup

Following on from the points I raised in my last post and for anyone with similar issues. I was able to hide a few items via CSS. This also updated the text to direct the user as to why we are asking for a username.

`.SignUpModal-logIn {
display: none;
}

.LogInModal-forgotPassword {
display: none;
}

.LogInModal-signUp {
display: none;
}

.item-signUp {
display: none !important;
}

#modal > div > .SignUpModal > div > form > div.Modal-header > h3:after {
content: ' what username do you want to use in discussions?';
visibility: visible;
}`

Other than the log-out link not redirecting to the IdP logout configured in the metadata the extension is working great. Is this log-out behavior considered a bug?

I'd also love to see the ability to call /auth/saml/login from my own website, and have the user automatically logged in (since they will already be logged in when they click the link) without all the popups. Whilst this method appears to work and I get the login from my Idp in the main window, we end up at /auth/saml/acs which is a blank page that appears to be hardcoded to work in the popup via a script.

Thanks to @askvortsov for your continuing effort on this.

« Previous Page Next Page »