jaredhendrickson13 / pfsense-saml2-auth
A SAML2 authentication extension for the pfSense UI
License: Apache License 2.0
Hello,
I would like to integrate a metadata XML file from the SAML provider and I don't know how.
Without it I get an error while accessing the SSO login: "Unable to retrieve the application's configuration for the Entity ID https://X.X.X.X:443/saml2_auth/sso/metadata/ because there is no match found".
Thank you
Hi,
I found a bug where the Service Provider (pfsense-saml2-auth) can't see the multiple "Role" in the SAML response sent by my identity provider (Keycloak in my case).
This is the error I got from pfsense-saml2-auth.
Fatal error: Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819
Stack trace:
#0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name')
#1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes()
#2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL)
#3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs()
#4 {main}
thrown in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php on line 819
PHP ERROR: Type: 1, File: /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php, Line: 819, Message: Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819
Stack trace:
#0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name')
#1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes()
#2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL)
#3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs()
#4 {main}
thrown
It was also creating this crash report in pfSense:
[24-Jan-2022 03:00:43 America/MyTimeZone] PHP Fatal error: Uncaught OneLogin\Saml2\ValidationError: Found an Attribute element with duplicated Name in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php:819
Stack trace:
#0 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php(781): OneLogin\Saml2\Response->_getAttributesByKeyName('Name')
#1 /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Auth.php(238): OneLogin\Saml2\Response->getAttributes()
#2 /etc/inc/saml2_auth/SAML2Auth.inc(56): OneLogin\Saml2\Auth->processResponse(NULL)
#3 /usr/local/www/saml2_auth/sso/acs/index.php(24): SAML2Auth->acs()
#4 {main}
thrown in /etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Response.php on line 819
Here is the "AttributeStatement" section in my SAML response. As you can see, it accepts multiple groups because there is a single "Attribute" and multiple "AttributeValue" elements. The "Role" values are sent individually and not all in the same "Attribute".
<saml:AttributeStatement>
<saml:Attribute FriendlyName="Groups membership mapper"
Name="memberOf"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>/admins</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>/test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>default-roles-perso</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>manage-account</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>view-profile</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>pfSense</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>offline_access</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>manage-account-links</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>uma_authorization</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
I tried with a user without any role and I didn't get any error, so I believe this was causing the issue.
Thanks,
Olivier Turcot
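The stack trace above comes from a strict parser that refuses an AttributeStatement in which the same Attribute Name appears more than once, while the Keycloak mapper emits one `Role` element per role. The following is an added example, not code from pfsense-saml2-auth or php-saml: it parses a statement shaped like the one quoted in the post, reports which Names are repeated, and shows the two possible policies side by side (reject, as the library in the trace does, or merge the values of same-named Attributes into one list). The sample statement is constructed after the post, with a subset of the roles.

```python
"""Parse a SAML AttributeStatement and handle repeated Attribute Names.

Added illustration, not code from pfsense-saml2-auth or php-saml. The sample
statement below is constructed after the Keycloak response quoted in the
post: one multi-valued "memberOf" attribute plus the "Role" attribute
repeated once per role.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample (subset of the roles shown in the post).
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>/admins</saml:AttributeValue>
    <saml:AttributeValue>/test</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>pfSense</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


class DuplicateAttributeName(ValueError):
    """Raised in strict mode when an Attribute Name appears more than once."""


def parse_attribute_statement(xml_text, merge_duplicates=False):
    """Return {Name: [values...]} for every Attribute in the statement.

    With merge_duplicates=False the function behaves like the strict library
    in the post and raises on a repeated Name; with True it appends the
    values of each repeated Attribute to the list already collected, which is
    what an SP needs in order to see all of a user's roles.
    """
    root = ET.fromstring(xml_text)
    attributes = {}
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if name in attributes:
            if not merge_duplicates:
                raise DuplicateAttributeName(
                    "Found an Attribute element with duplicated Name: %s" % name
                )
            attributes[name].extend(values)
        else:
            attributes[name] = values
    return attributes


def duplicated_names(xml_text):
    """List the Attribute Names that occur more than once, for diagnostics."""
    root = ET.fromstring(xml_text)
    seen, dupes = set(), []
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("Name")
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


if __name__ == "__main__":
    print("duplicated:", duplicated_names(SAMPLE_STATEMENT))
    print("merged:", parse_attribute_statement(SAMPLE_STATEMENT, merge_duplicates=True))
```

Running `duplicated_names` against a captured response is a quick way to confirm that a login failure of this kind is the IdP's attribute layout rather than a signature or clock problem; the usual fix is on the IdP side, configuring the mapper to emit a single multi-valued Attribute (as the `memberOf` one above already is) rather than one element per value.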
Hi
I have tested your software (only tested; this will not be used on a production env) but if you use Application username format as Custom and user.nickName (example only) you don't have to create any local user.
All works fine based on Remote Groups.
Hi, in pfSense 2.6.0-RELEASE, the User Manager -> Settings tab throws a PHP error if the below-mentioned patch is installed via this package: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html. The patch also does not cleanly revert after the installation of the package.
Add user preference to choose password hash algorithm (Redmine #12855)
Fix: uninstall pfsense-saml2-auth, then revert patch, then reinstall pfsense-saml2-auth.
If it is possible I would appreciate some additional explanation on how to use the custom settings.
Even after reading the referenced OneLogin doc I am still struggling as to what exactly is expected, e.g. in an example.
This would be highly appreciated from my end.
Hi
Have you ever tried to connect using AWS SSO?
When I try to install on pfSense Plus 23.01 I see this error: ld-elf.so.1: /usr/local/sbin/pkg: Undefined symbol "__libc_start1@FBSD_1.7"
Describe the bug
"User - Config: Deny Config Write" right doesn't apply to a user if the right is applied on a group
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The alias must not be added
Screenshots
N/A
pfSense Version & Package Version:
Identity Provider Information:
Additional context
Behavior specific to SAML2 user.
LDAP user has correct behavior
Local user has correct behavior
If a local user with same login as SAML2 user is created and added to a group with Deny Config Write privilege, the behavior is correct for the SAML2 user.
Using Azure AD as IdP, I get the following error:
AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.
This appears to be a problem with parameters passed by the SAML request.
https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts75011-auth-method-mismatch
Is this something that can be fixed?
pfSense Version & Package Version:
Identity Provider Information:
When I try to install the package from the shell in pfSense 2.6 it gives me the following message: "Authentication error"
Having set up a working SSO setup, and also (correctly) defined the SLO endpoint.
Behaviour:
As such, the following requests for enhancement:
Describe the bug
Not really a bug but an advisement if one is using a Microfocus AccessManager based IDP.
The dependency on which this code depends is OneLogin-PHP, and this code implements (by default) the Metadata tags 'validUntil' and 'cacheDuration'.
A Microfocus AccessManager IDP does not (in its current form/version) have a mechanism to dynamically reload Metadata and cope with this tag, but if it is present it will honor it.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
As stated above, the most wishful situation is that (as stated in the SAML specifications regarding this, it's optional) one would be able to omit this tag.
Current implementation however accepts a parameter to extend/reset a/the default, but has no option to omit the parameter in the generated Metadata.
pfSense Version & Package Version:
Identity Provider Information:
Additional context
As this isn't a bug in the package itself, but more a 'limitation' of a dependent package, I just wanted to provide a solution/hack if one is using the mentioned IDP.
How to avoid this issue
The solution is 2-ways :
After that save the file, and you are safe for as long as you don't upgrade the package.
PS,
I am still in discussion with the dependent package maintainer to see if I can change this behaviour.
Best regards,
Hi
I don't know if that issue is related to this plugin or pfSense but I found this just after I installed your plugin.
Aug 22 14:02:55 nginx 2021/08/22 14:02:55 [error] 74361#100118: *173 open() "/usr/local/www/vendor/jquery/jquery-3.4.1.min.js" failed (2: No such file or directory), client: 172.27.0.2, server: , request: "GET /vendor/jquery/jquery-3.4.1.min.js?v= HTTP/2.0", host: "10.195.115.72", referrer: "https://10.195.115.72/"
Describe the bug
I have pfSense behind the HAProxy plugin and I'm trying to figure out how to enable SAML login with that setup.
When I try to log in, I get the following error:
The response was received at https://pfsense.domain.org:2020/saml2_auth/sso/acs/ instead of https://pfsense.domain.org/saml2_auth/sso/acs/
invalid_response
The response was received at https://pfsense.domain.org:2020/saml2_auth/sso/acs/ instead of https://pfsense.domain.org/saml2_auth/sso/acs/
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Login works
pfSense Version & Package Version:
Identity Provider Information:
Thank you very much in advance for all your help :)
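The error in this post is the SP's Destination check: the Response carries the ACS URL the IdP posted it to, and the SP compares that with the URL it believes it received the request on. Behind a proxy that forwards to the backend on port 2020, the backend derives that URL from its own listener unless it is told to trust the proxy's forwarding headers. The following is an added example, not code from pfsense-saml2-auth or php-saml, and it does not claim to show how either of them performs the comparison; the request dictionary, the `X-Forwarded-*` header names and the port are constructed for the illustration.

```python
"""Reconstruct the URL a SAML response was received at, behind a reverse proxy.

Added illustration; not code from pfsense-saml2-auth or php-saml. The
request below is constructed: HAProxy terminates TLS for
pfsense.domain.org:443 and forwards to the backend on port 2020.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url):
    """Lower-case scheme/host and drop a default port so comparisons are exact."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else "%s:%d" % (host, port)
    return urlunsplit((scheme, netloc, p.path or "/", "", ""))


def received_url(request, trust_proxy=False):
    """Build the URL the SP saw the request on.

    request: dict with 'scheme', 'host', 'port', 'path' and 'headers'.
    With trust_proxy=True the X-Forwarded-Proto/Host/Port headers set by the
    proxy override the backend's own listener values. Only enable this when
    the backend is reachable solely through that proxy: forwarding headers
    are plain request headers, so anything that can reach the backend
    directly could set them to whatever it likes.
    """
    scheme, host, port = request["scheme"], request["host"], request["port"]
    if trust_proxy:
        h = {k.lower(): v for k, v in request["headers"].items()}
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
        port = int(h.get("x-forwarded-port", DEFAULT_PORTS.get(scheme, port)))
    return normalize("%s://%s:%d%s" % (scheme, host, port, request["path"]))


def destination_matches(destination, request, trust_proxy=False):
    """Return (ok, received_url) for the SP's Destination check."""
    received = received_url(request, trust_proxy)
    return normalize(destination) == received, received


# Constructed request as the backend would see it behind the proxy.
SAMPLE_REQUEST = {
    "scheme": "https",
    "host": "pfsense.domain.org",
    "port": 2020,
    "path": "/saml2_auth/sso/acs/",
    "headers": {
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "pfsense.domain.org",
        "X-Forwarded-Port": "443",
    },
}
# Destination attribute the IdP put in the Response: the public ACS URL.
DESTINATION = "https://pfsense.domain.org/saml2_auth/sso/acs/"

if __name__ == "__main__":
    for trust in (False, True):
        ok, seen = destination_matches(DESTINATION, SAMPLE_REQUEST, trust)
        print("trust_proxy=%s: %s (received at %s)" % (trust, "ok" if ok else "mismatch", seen))
```

With `trust_proxy=False` the computed URL is the `:2020` one from the post's error message; with the proxy headers honoured it equals the Destination. The same reconciliation applies whenever the SP's ACS URL in its own metadata must be the public one rather than the backend listener's.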