
pfsense-saml2-auth's People

Contributors

dependabot[bot], jaredhendrickson13


pfsense-saml2-auth's Issues

Integrate metadata XML

Hello,

I would like to integrate a metadata XML file from the SAML provider and I don't know how.
Without it I get an error while accessing the SSO login " Unable to retrieve the application's configuration for the Entity ID https://X.X.X.X:443/saml2_auth/sso/metadata/ because there is no match found".

Thank you

Error when multiple attributes have the same name in SAML response.

Hi,
I found a bug where the Service Provider (pfsense-saml2-auth) can't see the multiple "Role" in the SAML response sent by my identity provider (Keycloak in my case).

This is the error I got from pfsense-saml2-auth.

Fatal error: Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819 Stack trace: #0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name') #1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes() #2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL) #3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs() #4 {main} thrown in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php on line 819 PHP ERROR: Type: 1, File: /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php, Line: 819, Message: Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819 Stack trace: #0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name') #1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes() #2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL) #3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs() #4 {main} thrown

It was also creating this crash report in pfSense:

[24-Jan-2022 03:00:43 America/MyTimeZone] PHP Fatal error:  Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819
Stack trace:
#0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name')
#1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes()
#2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL)
#3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs()
#4 {main}
  thrown in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php on line 819

Here is the "AttributeStatement" section in my SAML response. As you can see, it accepts multiple groups because there is a single "Attribute" and multiple "AttributeValue". The "Role" attributes are sent individually and not all in the same "Attribute".

        <saml:AttributeStatement>
            <saml:Attribute FriendlyName="Groups membership mapper"
                            Name="memberOf"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >/admins</saml:AttributeValue>
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >/test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >default-roles-perso</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >manage-account</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >view-profile</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >admin</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >pfSense</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >offline_access</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >manage-account-links</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >uma_authorization</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>

I tried with a user without any role and I didn't get any error, so I believe this was causing the issue.

Thanks,
Olivier Turcot
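The failure above comes down to how the Service Provider collects attributes from the AttributeStatement. The following is an added illustration, not code from pfsense-saml2-auth or php-saml: a small parser over a constructed, reduced copy of the statement quoted in the issue, run once in a strict mode that rejects a repeated Attribute Name (the behaviour the stack trace shows) and once in a tolerant mode that merges the values of same-named Attribute elements into one list, which is what group-to-privilege mapping would need. The class and function names are assumptions for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR = f"{{{SAML_NS}}}Attribute"
VALUE = f"{{{SAML_NS}}}AttributeValue"

# Constructed sample, reduced from the AttributeStatement in the issue above:
# "memberOf" carries two values in one Attribute (the shape the SP accepts),
# while "Role" is repeated as separate Attribute elements with one value each.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>/admins</saml:AttributeValue>
    <saml:AttributeValue>/test</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>pfSense</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>view-profile</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


class DuplicateAttributeName(ValueError):
    """Strict-mode rejection of a second Attribute element with an already-seen Name."""


def collect_attributes(statement_xml, merge_duplicates=False):
    """Return {Name: [values]} for every Attribute in an AttributeStatement.

    merge_duplicates=False mirrors the strict check seen in the stack trace.
    merge_duplicates=True concatenates the values of same-named Attributes, so no
    role is silently dropped (a naive dict overwrite would keep only the last one).
    """
    root = ET.fromstring(statement_xml)
    attributes = {}
    for attr in root.iter(ATTR):
        name = attr.get("Name")
        if name is None:
            raise ValueError("Attribute element without a Name")
        values = [(v.text or "").strip() for v in attr.findall(VALUE)]
        if name in attributes:
            if not merge_duplicates:
                raise DuplicateAttributeName(
                    f"Found an Attribute element with duplicated Name: {name}")
            attributes[name].extend(values)
        else:
            attributes[name] = values
    return attributes


def strict_result(statement_xml):
    """Return the strict-mode error message, or None when the statement is accepted."""
    try:
        collect_attributes(statement_xml)
    except DuplicateAttributeName as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("strict:", strict_result(SAMPLE))
    print("merged:", collect_attributes(SAMPLE, merge_duplicates=True))
```

The IdP-side fix is the shape the "memberOf" attribute already has: one Attribute element with several AttributeValue children.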

Okta provisioning

Hi

I have tested your software (only tested; this will not be used in a production env), but if you use Application username format as Custom and user.nickName (example only) you don't have to create any local user.
All works fine based on Remote Groups.

SAML2 extension not compatible with certain system patches

Hi, in pfsense 2.6.0-RELEASE, the User Manager -> Settings tab throws a php error if the below mentioned patch is installed via this package: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html. The patch also does not cleanly revert after the installation of the package.

Add user preference to choose password hash algorithm (Redmine #12855)

Fix: uninstall pfsense-saml2-auth, then revert patch, then reinstall pfsense-saml2-auth.

Questions about custom section

If it is possible I would appreciate some additional explanation on how to use the custom settings.

Even after reading the referenced OneLogin doc I am still struggling as to what exactly is expected, like an example.

This would be highly appreciated from my end.

  • Glowsome

AWS SSO

Hi

Have you ever tried to connect using AWS SSO?

Unable to install on pfSense 23.01

When I try to install on pfSense Plus 23.01 I see this error: ld-elf.so.1: /usr/local/sbin/pkg: Undefined symbol "__libc_start1@FBSD_1.7"

Deny Config Write privilege doesn't apply on group mapping

Describe the bug
"User - Config: Deny Config Write" right doesn't apply to a user if the right is applied on a group

To Reproduce
Steps to reproduce the behavior:

  1. Make SAML2 usable on pfsense with Privilege Mapping from group
  2. Create a group with access to some pages and add "User - Config: Deny Config Write"
  3. Log in with a user member of this group
  4. Try to add aliases

Expected behavior
The alias must not be added

Screenshots
N/A

pfSense Version & Package Version:

  • pfSense Version: pfSense 2.7
  • Package Version latest --> 1.2.1

Identity Provider Information:

  • IdP Name: xxxxxxxxxxxxxxxxxxxxxxx (redacted for privacy)
  • IdP Type: internal
  • IdP Website: xxxxxxxxxxxxxxxxxxxxx

Additional context
Behavior specific to SAML2 user.
LDAP user has correct behavior
Local user has correct behavior
If a local user with same login as SAML2 user is created and added to a group with Deny Config Write privilege, the behavior is correct for the SAML2 user.

AADSTS75011 Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef

Using Azure AD as IdP, I get the following error:

AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

This appears to be a problem with parameters passed by the SAML request.
https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts75011-auth-method-mismatch

Is this something that can be fixed?

pfSense Version & Package Version:

  • pfSense Version: 2.6.0
  • Package Version: pfSense SAML2 Auth v1.1.2

Identity Provider Information:

  • IdP Name: Azure AD

Authentication error

When I try to install the package from the shell in pfsense 2.6 it gives me the following message "Authentication error"

[Information needed] SLO configured, but logout from pfSense isn't triggering global logout (and IDP-initiated is also not logging me off pfSense)

Having set up a working SSO setup, and also having (correctly) defined the SLO endpoint, the behaviour is:

  • If an IDP-initiated logout is done then the underlying OneLogin module will respond accordingly, however my session within pfSense is still valid and I can continue to make use of it.
  • If I click the logout button in the Admin-UI it will log me out (dropping me to the login selection screen: local credentials or SSO option), but it is not logging me out of the IDP, where a simple refresh just gives me access to the Admin-UI.

As such, the following requests for enhancement:

  • IDP-initiated logout should (if defined via custom options) also destroy the session to the above layer / pfSense admin-UI; a refresh should trigger re-auth (either local or, if using SSO, the IDP authentication).
  • Local logout in a SAML setup is assumed to also log out the SP from within the Admin-UI, so it should also inform the SP to perform a logout, thus keeping the SLO feature intact if defined; this behaviour is not currently seen.
  • Or, if a sort of inform is not possible, rewrite the link behind the logout button so it forces both a local logout as well as a redirect to the global logout on the IDP.

Dependent OneLogin php forces unwanted Metadata tags when using MicroFocus AccessManager

Describe the bug
Not really a bug but an advisement if one is using a Microfocus AccessManager based IDP

The dependency on which this code depends is OneLogin-PHP, and this code implements (by default) the Metadata tags 'validUntil' and 'cacheDuration'.
A Microfocus AccessManager IDP does not (in its current form/version) have a mechanism to dynamically reload Metadata and cope with this tag - but if it is present it will honor it.

To Reproduce
Steps to reproduce the behavior:

  1. this is default behaviour

Expected behavior
As stated above, the most wishful situation is that one would be able to omit this tag (as stated in the SAML specifications, it is optional).
Current implementation however accepts a parameter to extend/reset a/the default, but has no option to omit the parameter in the generated Metadata.

pfSense Version & Package Version:

  • pfSense Version: [e.g. pfSense 2.5.1]
  • Package Version [e.g. v1.1.0]

Identity Provider Information:

  • IdP Name: Microfocus AccessManager v 4.5.3
  • IdP Type: internal/On-Site

Additional context
As this isn't a bug in the package itself, but more a 'limitation' of a dependent package, I just wanted to provide a solution/hack if one is using the mentioned IDP.

How to avoid this issue

The solution is 2-ways :

After that save the file, and you are safe for as long as you don't upgrade the package.

PS,
I am still in discussion with the dependent package maintainer to see if I can change this behaviour.

Best regards,

  • Glowsome

2.5.1 - jquery-3.4.1.min.js

Hi

I don't know if that issue is related with this plugin or pfsense but I found this just after I installed your plugin.

Aug 22 14:02:55 nginx 2021/08/22 14:02:55 [error] 74361#100118: *173 open() "/usr/local/www/vendor/jquery/jquery-3.4.1.min.js" failed (2: No such file or directory), client: 172.27.0.2, server: , request: "GET /vendor/jquery/jquery-3.4.1.min.js?v= HTTP/2.0", host: "10.195.115.72", referrer: "https://10.195.115.72/"

Invalid response behind pfsense haproxy: received at wrong port

Describe the bug
I have pfsense behind the HAProxy plugin and I'm trying to figure out how to enable SAML Login with that setup.
When I try to log in, I get the following error:

The response was received at https://pfsense.domain.org:2020/saml2_auth/sso/acs/ instead of https://pfsense.domain.org/saml2_auth/sso/acs/
invalid_response
The response was received at https://pfsense.domain.org:2020/saml2_auth/sso/acs/ instead of https://pfsense.domain.org/saml2_auth/sso/acs/

To Reproduce
Steps to reproduce the behavior:

  1. pfSense behind haproxy plugin on port 2020 (frontend 443)
  2. Set up saml plugin
  3. Try to login

Expected behavior
Login works

pfSense Version & Package Version:

  • pfSense Version: 2.7.2-RELEASE
  • Package Version v1.3.0

Identity Provider Information:

  • IdP Name: Zitadel
  • IdP Type: Self-Hosted

Thank you very much in advance for all your help :)
