Flarum SAML

askvortsov Greetings,
I am using a Laravel system for my blog. I want to use this SSO plugin for my site. Can I make my Flarum log in when logged in to my blog? I wonder if there is a document or a more detailed explanation? I do not fully understand the logic. Can you help me with this?

Hi,

I'm trying to setup SAML with a custom Identity Provider built on OpenSAML.

I have configured Flarum with metadata URL (I also tried the XML option too with the same results).

However, clicking on the SAML button on the sign on form results in "Invalid SAML Configuration: Check Settings".

I see the following in Apache's error log:

[Fri Apr 09 10:27:56.128805 2021] [php7:warn] [pid 21053] [client 192.168.2.10:34256] PHP Warning: DOMDocument::loadXML(): Empty string supplied as input in /var/www/flarum/vendor/onelogin/php-saml/src/Saml2/Utils.php on line 90, referer: https://xxxxxxxxxxxxxxx/

Using SAML tracer in Firefox shows no communication with the Idp.

What am I missing?

Thanks for the quick response. Please see below.

Is there anything specific about the metadata URL you require? Or anything specific in the metadata. However, I don't see it hitting our server to request metadata.

Any logs I can enable in Flarum to gather more information?

Yes, I can go to that URL and download XML metadata.

But it looks like it never hits our web server.

Ok thanks, I've installed that and nothing appears to be different. Although I don't see the error in the apache log anymore.

Am I looking somewhere specific for log output?

Just one line "Either a metadata URL or XML must be provided"

askvortsov Thank you, it's now reading the metadata and it generated a useful error pointing to a couple of problems in our configuration. After correcting a couple of things on our side it's now working.

Now that we have SAML working, there are some immediate usability issues with the login process that are of some concern. I gave access to a couple of technical guys in our team and this is the feedback I've received. FYI I've enabled SAML only as we only want our existing users to access this, and new users will create an account on our Idp.

Is there a way to have the login remain solely within the browser flow? The popup can be confusing and the little dialog on the main page doesn't really have any purpose and the forgotten password link will not work because it won't integrate with the Idp. Just the option to send the user off to the Idp login page within the existing window would suffice and be perfect for ours, and I assume others' needs.

Logging out of the forum does not appear to call logout on the Idp, leaving me logged in. Again, an option to do this if at all possible so when a user logs out, they are not leaving a session open on the Idp.

The page after login that requests the username is a little sparse and confused someone I consider to be a very technical user! Can we have a little more text.. "One last step.. enter a username that will be used to identify you in public posts. Your email or real name will never be exposed". And, at this point, the user has passed SAML authentication so the "Already have an account" link is wrong and actually allows me to get back to the standard login page that I thought I had disabled. (Click login, then sign up).

Following on from the points I raised in my last post and for anyone with similar issues. I was able to hide a few items via CSS. This also updated the text to direct the user as to why we are asking for a username.

`.SignUpModal-logIn {
display: none;
}

.LogInModal-forgotPassword {
display: none;
}

.LogInModal-signUp {
display: none;
}

.item-signUp {
display: none !important;
}

#modal > div > .SignUpModal > div > form > div.Modal-header > h3:after {
content: ' what username do you want to use in discussions?';
visibility: visible;
}`

Other than the log-out link not redirecting to the IdP logout configured in the metadata the extension is working great. Is this log-out behavior considered a bug?

I'd also love to see the ability to call /auth/saml/login from my own website, and have the user automatically logged in (since they will already be logged in when they click the link) without all the popups. Whilst this method appears to work and I get the login from my Idp in the main window, we end up at /auth/saml/acs which is a blank page that appears to be hardcoded to work in the popup via a script.

Thanks to @askvortsov for your continuing effort on this.

askvortsov If you need access to an IdP that provides log out then just let me know. We are an IDM vendor so can spin up a copy of our user directory with SAML support whenever you need it.

The logout issue is probably the biggest issue out of these. With the CSS changes, I've mitigated most of the problems the users initially have.

I'd certainly like to be able to do some work and provide a PR although probably in a similar position to you and trying to fit it in will be difficult. I am familiar with SAML being involved in our IdP implementation but I would have to learn Flarum development before I can truly get there.