
redmine_omniauth_saml's Introduction

Redmine OmniAuth SAML plugin

This plugin adds SAML authentication support to Redmine thanks to the OmniAuth authentication framework, and especially thanks to the Redmine OmniAuth CAS plugin.

Install

You can first take a look at the general instructions for plugins here.

Note that the plugin is now only compatible with Redmine 3.0 or higher. For Redmine 2.0 see the 2.0 branch.

Then :

  • clone this repository into your plugins/ directory; if you are unsure you put it at the right level, go to your Redmine root directory and check that you have a plugins/redmine_omniauth_saml/init.rb file
  • install the dependencies with bundler: bundle install
  • copy the assets by running this command from your Redmine root directory (note: the plugin has no migration for now): RAILS_ENV=production bundle exec rake redmine:plugins
  • restart your Redmine instance (how depends on how you host it)

Next you must configure your SAML settings by adding a file in <redmine_folder>/config/initializers, for example named saml.rb (the name is not important, but it must be a Ruby file). A sample file is given in the plugin root folder, named sample-saml-initializers.rb.

Finally you need to configure a few options for the plugin to work, in "Administration" > "Plugins" > "Configure" on the OmniAuth SAML plugin line.

Donations

Click here to lend your support to: Redmine Omniauth SAML Plugin and make a donation at pledgie.com !

redmine_omniauth_saml's People

Contributors

cbeckr, chrodriguez, fcrespel, jbbarth, nayuta


redmine_omniauth_saml's Issues

404 not found (Redmine 3)

Hi!

I'm getting a "Not found" error after clicking on "Login with SAML", and I'm stuck there.

Can you please give me some directions for debugging further?

Thanks,
Alen


Environment:
Redmine version 3.1.1.stable
Ruby version 2.1.5-p273 (2014-11-13) [x86_64-linux-gnu]
Rails version 4.2.4
Environment production
Database adapter Mysql2
SCM:
Git 2.1.4
Filesystem
Redmine plugins:
redmine_omniauth_saml 0.0.1

Plugin Issue

Hi, I need help to sort out this problem.
[screenshots capture1 and capture2 not included]

I get this error when I click the configuration link in the plugin tab.

No route matches [POST] "/"

Hi,

I have config:

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://host.domain.com/login", # The redmine application hostname
    :issuer                         => "https://host.domain.com/",                 # The issuer name
    :idp_sso_target_url             => "https://auth.dom.com/simplesaml/saml2/idp/SSOService.php", # SSO login endpoint
    :idp_cert_fingerprint           => "bd:56:ce:72:94:72:af:f5:8d:18:a5:a4:75:9a:99:a1:66:9b:c2:13", # SSO ssl certificate fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    :signout_url                    => "https://auth.dom.com/simplesaml/saml2/idp/SingleLogoutService.php",
    :idp_slo_target_url             => "http://sso.example.com/saml2/idp/SingleLogoutService.php",
    :name_identifier_value          => "uid", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
    # How will we map attributes from SSO to redmine attributes
      :login      => 'extra.raw_info.username',
      :uid      => 'extra.raw_info.username',
      :firstname  => 'extra.raw_info.first_name',
      :lastname   => 'extra.raw_info.last_name',
      :mail       => 'extra.raw_info.email'
    }
  }

  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

I can successfully authenticate, yet after being redirected back to Redmine from the IdP I get this error:

Page not found

The page you were trying to access doesn't exist or has been removed.

Back

And in the log:

Started GET "/" for 62.111.45.33 at 2016-09-21 10:16:46 +0200
Processing by WelcomeController#index as HTML
  Current user: anonymous
Redirected to http://host.domain.com/login?back_url=http%3A%2F%2Fhost.domain.com%2F
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 3ms (ActiveRecord: 0.2ms)
Started GET "/login?back_url=http%3A%2F%2Fhost.domain.com%2F" for 62.111.45.33 at 2016-09-21 10:16:46 +0200
Processing by AccountController#login as HTML
  Parameters: {"back_url"=>"http://host.domain.com/"}
  Current user: anonymous
  Rendered plugins/redmine_omniauth_saml/app/views/redmine_omniauth_saml/_view_account_login_top.html.erb (1.8ms)
  Rendered account/login.html.erb within layouts/base (3.8ms)
Completed 200 OK in 14ms (Views: 9.7ms | ActiveRecord: 0.6ms)
Started GET "/auth/saml?origin=http%3A%2F%2Fhost.domain.com%2F" for 62.111.45.33 at 2016-09-21 10:16:53 +0200
Started POST "/" for 62.111.45.33 at 2016-09-21 10:16:54 +0200

ActionController::RoutingError (No route matches [POST] "/"):
  actionpack (4.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:21:in `call'
  actionpack (4.2.6) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.6) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.6) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.6) lib/active_support/tagged_logging.rb:68:in `block in tagged'

What is the reason?

Filter chain halted as :verify_authenticity_token rendered or redirected

Hi,
I have been trying to understand the reason why I cannot use the plugin.
Here's the version information :

  Redmine version                4.0.5.stable.19090
  Ruby version                   2.5.1-p57 (2018-03-29) [x86_64-linux-gnu]
  Rails version                  5.2.3
  Environment                    production
  Database adapter               PostgreSQL
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                smtp
SCM:
  Subversion                     1.9.7
  Git                            2.17.1
  Filesystem                     
Redmine plugins:
  easy_gantt                     1.12
  redmine_checklists             3.1.14
  redmine_impersonate            1.0.0
  redmine_omniauth_saml          0.0.1
  redmine_zenedit                1.0.2

I have installed the plugin by cloning from Git, then went into the plugin directory, ran bundle install and migrated the plugin as per the instructions.

Looking at the production.log I see the SAML conversation starting and I see that WelcomeController is processing the SAML response but at the end it fails:

Processing by WelcomeController#index as HTML
  Parameters: {"SAMLResponse"=>"[hashed response]"}
Can't verify CSRF token authenticity.
  AnonymousUser Load (0.5ms)  SELECT  "users".* FROM "users" WHERE "users"."type" IN ('AnonymousUser') AND "users"."lastname" = $1 LIMIT $2  [["lastname", "Anonymous"], ["LIMIT", 1]]
  Rendering common/error.html.erb within layouts/base
  Rendered common/error.html.erb within layouts/base (0.8ms)
  Rendered plugins/redmine_zenedit/app/views/zenedit/_additional_assets.html.erb (0.0ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 14ms (Views: 10.7ms | ActiveRecord: 0.5ms)

Could you please point me to what I am doing wrong?

TIA
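In both issues above the IdP's POST carrying the SAMLResponse lands on a path other than /auth/saml/callback, which is the plugin's callback route in the other logs on this page, so Rails either finds no route or rejects the request with its CSRF filter. The checker below is an added example, not part of the plugin: it inspects the hash you would hand to config.saml before any login is attempted. The callback path and the four mapping keys (login, firstname, lastname, mail) are taken from the logs and sample initializers on this page; the https requirement, the issuer rule and the fingerprint pattern are this example's own assumptions.

```ruby
require 'uri'

# Added example (not plugin code): static sanity checks on a config.saml hash.
REQUIRED_MAPPING_KEYS = %i[login firstname lastname mail].freeze   # assumed required keys
CALLBACK_PATH = '/auth/saml/callback'.freeze                         # route seen in the logs
SHA1_FINGERPRINT = /\A(?:[0-9a-f]{2}:){19}[0-9a-f]{2}\z/i            # 20 colon-separated hex bytes

def parse_url(value)
  uri = URI.parse(value.to_s)
  uri.is_a?(URI::HTTP) ? uri : nil   # URI::HTTPS is a subclass of URI::HTTP
rescue URI::InvalidURIError
  nil
end

# Returns an array of findings; an empty array means the hash passed every check.
def check_saml_config(saml)
  findings = []

  acs = parse_url(saml[:assertion_consumer_service_url])
  if acs.nil?
    findings << 'assertion_consumer_service_url is not an absolute http(s) URL'
  else
    unless acs.path == CALLBACK_PATH
      findings << "assertion_consumer_service_url path is #{acs.path.inspect}, expected #{CALLBACK_PATH}; " \
                  'the IdP would POST the SAMLResponse into the wrong controller (404 or CSRF 422)'
    end
    findings << 'assertion_consumer_service_url should use https (the SAMLResponse is a browser POST)' unless acs.scheme == 'https'
  end

  issuer = saml[:issuer].to_s
  findings << 'issuer must be a URI (the SP entityID)' unless parse_url(issuer) || issuer.start_with?('urn:')

  sso = parse_url(saml[:idp_sso_target_url])
  findings << 'idp_sso_target_url must be an https URL' unless sso && sso.scheme == 'https'

  fp = saml[:idp_cert_fingerprint].to_s.strip
  if saml[:idp_cert].to_s.strip.empty?
    if fp.empty?
      findings << 'neither idp_cert nor idp_cert_fingerprint is set: responses cannot be verified'
    elsif !fp.match?(SHA1_FINGERPRINT)
      hint = fp.start_with?('MII') ? ' (this looks like a base64 certificate, not a fingerprint)' : ''
      findings << "idp_cert_fingerprint is not a colon-separated SHA-1 hex fingerprint#{hint}"
    end
  end

  mapping = saml[:attribute_mapping] || {}
  missing = REQUIRED_MAPPING_KEYS - mapping.keys.map(&:to_sym)
  findings << "attribute_mapping lacks #{missing.join(', ')}" unless missing.empty?

  findings
end

# Constructed sample mirroring the shape of the initializers quoted on this page.
EXAMPLE_CONFIG = {
  assertion_consumer_service_url: 'https://redmine.example.test/login',   # wrong on purpose
  issuer: 'https://redmine.example.test/',
  idp_sso_target_url: 'https://idp.example.test/simplesaml/saml2/idp/SSOService.php',
  idp_cert_fingerprint: 'bd:56:ce:72:94:72:af:f5:8d:18:a5:a4:75:9a:99:a1:66:9b:c2:13',
  attribute_mapping: { login: 'extra.raw_info.username', firstname: 'extra.raw_info.first_name',
                       lastname: 'extra.raw_info.last_name', mail: 'extra.raw_info.email' }
}.freeze

puts check_saml_config(EXAMPLE_CONFIG) if __FILE__ == $PROGRAM_NAME
```

Point it at the hash in your own initializer before restarting Redmine; the IdP side must carry the same ACS URL in its SP metadata, which this check cannot see.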

NameError (uninitialized constant OmniAuth::Strategies::SAML::Onelogin):

Hello, I installed this plugin with the latest stable Redmine (2.5.1) and I get the following error when trying to log in (my real domain is replaced with mydoma.in):

Started GET "/auth/saml?origin=http%3A%2F%2Ftest.redmine.mydoma.in%2F" for 127.0.0.1 at 2014-04-23 13:56:26 -0300

NameError (uninitialized constant OmniAuth::Strategies::SAML::Onelogin):
  omniauth-saml (1.0.0) lib/omniauth/strategies/saml.rb:12:in `request_phase'
  omniauth (1.2.1) lib/omniauth/strategy.rb:215:in `request_call'
  omniauth (1.2.1) lib/omniauth/strategy.rb:183:in `call!'
  omniauth (1.2.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.1) lib/omniauth/builder.rb:59:in `call'
  rack-openid (1.4.2) lib/rack/openid.rb:98:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
  rack (1.4.5) lib/rack/etag.rb:23:in `call'
  rack (1.4.5) lib/rack/conditionalget.rb:25:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/head.rb:14:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/flash.rb:242:in `call'
  rack (1.4.5) lib/rack/session/abstract/id.rb:210:in `context'
  rack (1.4.5) lib/rack/session/abstract/id.rb:205:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/cookies.rb:341:in `call'
  activerecord (3.2.17) lib/active_record/query_cache.rb:64:in `call'
  activerecord (3.2.17) lib/active_record/connection_adapters/abstract/connection_pool.rb:479:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
  activesupport (3.2.17) lib/active_support/callbacks.rb:405:in `_run__4373252301085912597__call__867108286685851341__callbacks'
  activesupport (3.2.17) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.17) lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
  activesupport (3.2.17) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.17) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
  railties (3.2.17) lib/rails/rack/logger.rb:32:in `call_app'
  railties (3.2.17) lib/rails/rack/logger.rb:16:in `block in call'
  activesupport (3.2.17) lib/active_support/tagged_logging.rb:22:in `tagged'
  railties (3.2.17) lib/rails/rack/logger.rb:16:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/request_id.rb:22:in `call'
  rack (1.4.5) lib/rack/methodoverride.rb:21:in `call'
  rack (1.4.5) lib/rack/runtime.rb:17:in `call'
  activesupport (3.2.17) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
  rack (1.4.5) lib/rack/lock.rb:15:in `call'
  actionpack (3.2.17) lib/action_dispatch/middleware/static.rb:63:in `call'
  rack-cache (1.2) lib/rack/cache/context.rb:136:in `forward'
  rack-cache (1.2) lib/rack/cache/context.rb:245:in `fetch'
  rack-cache (1.2) lib/rack/cache/context.rb:185:in `lookup'
  rack-cache (1.2) lib/rack/cache/context.rb:66:in `call!'
  rack-cache (1.2) lib/rack/cache/context.rb:51:in `call'
  railties (3.2.17) lib/rails/engine.rb:484:in `call'
  railties (3.2.17) lib/rails/application.rb:231:in `call'
  railties (3.2.17) lib/rails/railtie/configurable.rb:30:in `method_missing'
  unicorn (4.8.2) lib/unicorn/http_server.rb:572:in `process_client'
  unicorn (4.8.2) lib/unicorn/http_server.rb:666:in `worker_loop'
  unicorn (4.8.2) lib/unicorn/http_server.rb:521:in `spawn_missing_workers'
  unicorn (4.8.2) lib/unicorn/http_server.rb:140:in `start'
  unicorn (4.8.2) bin/unicorn_rails:209:in `<top (required)>'
  /usr/local/bin/unicorn_rails:19:in `load'
  /usr/local/bin/unicorn_rails:19:in `<main>'

Redmine 3.2.0 - IdP Shibboleth 3 - 404 error

Hello,

First of all, thanks for sharing your Redmine plugin. I'm using your OmniAuth SAML plugin for Redmine SSO provisioning with a Shibboleth 3 IdP.

  • OS - CentOS 6.7
  • Redmine version - 3.2.0 stable
  • Ruby version - 2.2.1-p85
  • Rails version - 4.2.5
  • Gems version - 2.0.14
  • Redmine plugins:
    • redmine_dmsf - 1.5.5
    • redmine_omniauth_saml - 0.0.1

Here's what I did to install the redmine_omniauth_saml plugin :

$ cd /var/www/redmine/plugins
$ git clone https://github.com/chrodriguez/redmine_omniauth_saml.git
$ cd ..
$ chown -R redmine:redmine redmine/plugins/
$ cd plugins/redmine_omniauth_saml
$ mkdir -p config/initializers/
$ vim redmine/plugins/redmine_omniauth_saml/config/initializers/saml.rb
$ bundle install --without development test rmagick
$ bundle exec rake redmine:plugins:migrate RAILS_ENV="production"
$ sudo service httpd restart

Here's my saml.rb config :

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "http://redminesrv.mydomain.com",                     # My Redmine Server
    :issuer                         => "http://redminesrv.mydomain.com",                         # 
    :idp_sso_target_url             => "https://idp.mydomain.com/idp/profile/SAML2/POST/SSO",    # URL used to send the assertion (url from the IdP Metadata)
    :idp_cert_fingerprint           => "DE:84:0E:C9:57:CE:F9:73:......",             # My IdP certificate SHA1 fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    :signout_url                    => "https://idp.mydomain.com/idp/profile/SAML2/POST/SLO",    # SLO URL taken from the IdP 
    :idp_slo_target_url             => "https://idp.mydomain.com/idp/profile/SAML2/POST/SLO",    # SLO URL taken from the IdP
    :name_identifier_value          => "uid",           # attribute used for authenticates domain users with Shibboleth
    :attribute_mapping              => {
    # How will we map attributes from SSO to redmine attributes
      :login      => 'extra.raw_info.username',
      :firstname  => 'extra.raw_info.first_name',
      :lastname   => 'extra.raw_info.last_name',
      :mail       => 'extra.raw_info.email'
    }
  }

  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

When I click on the SAML authentication button, the error message below is written to my production.log:

Started GET "/auth/saml?origin=http%3A%2F%2Fredminesrv.mydomain.com%2F" for 192.168.253.44 at 2015-12-24 11:39:40 +0100
Processing by AccountController#login_with_saml_redirect as HTML
  Parameters: {"origin"=>"http://redminesrv.mydomain.com/", "provider"=>"saml"}
  Current user: anonymous
  Rendered text template (0.0ms)
Completed 404 Not Found in 3ms (Views: 0.5ms | ActiveRecord: 0.5ms)
Started GET "/auth/saml" for 192.168.253.44 at 2015-12-24 11:39:52 +0100
Processing by AccountController#login_with_saml_redirect as HTML
  Parameters: {"provider"=>"saml"}
  Current user: anonymous
  Rendered text template (0.0ms)
Completed 404 Not Found in 6ms (Views: 0.7ms | ActiveRecord: 0.8ms)

Could you confirm that the "redmine_omniauth_saml" plugin is the Service Provider? If so, how can I access the SP metadata? I have to send it to the Shibboleth 3 IdP in order to create the trust relationship between my IdP and my Redmine server.

Thanks in advance for your assistance !

Compatibilty Redmine 4.0

Hello, the (useful) plugin is not compatible with the Redmine 4.0 branch.
Here is the error when running rake redmine:plugins:migrate RAILS_ENV=production:

NoMethodError: undefined method `alias_method_chain' for User (call 'User.connection' to establish a connection):Class
/var/www/html/plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:29:in `<class:User>'
/var/www/html/plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:3:in `<top (required)>'
/var/www/html/plugins/redmine_omniauth_saml/init.rb:4:in `<top (required)>'
/var/www/html/lib/redmine/plugin.rb:175:in `block in load'
/var/www/html/lib/redmine/plugin.rb:166:in `each'
/var/www/html/lib/redmine/plugin.rb:166:in `load'
/var/www/html/config/initializers/30-redmine.rb:21:in `<top (required)>'
/var/www/html/config/environment.rb:14:in `<top (required)>'
Tasks: TOP => redmine:plugins:migrate => environment

Any chance to make it compatible ?

Thank you !

Cannot mass assign login

I needed this in plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb
to prevent an issue with mass assignment:

    user = new user_attributes.except(:login)
    user.created_by_omniauth_saml = true
    user.login    = user_attributes[:login]

error:
Current user: anonymous
WARNING: Can't mass-assign protected attributes for User: login
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:12:in `find_or_create_from_omniauth'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/account_controller_patch.rb:32:in `login_with_saml_callback'
lib/redmine/sudo_mode.rb:63:in `sudo_mode'
Completed 422 Unprocessable Entity in 11ms (ActiveRecord: 5.7ms)

Can't mass-assign protected attributes for User: login

Seems to be an issue.

Log:

Started POST "/auth/saml/callback" for 185.17.216.112 at 2015-08-14 13:51:07 +0000
Processing by AccountController#login_with_saml_callback as HTML
  Parameters: {"SAMLResponse"=>"*SNIP*", "provider"=>"saml"}
  Current user: anonymous
WARNING: Can't mass-assign protected attributes for User: login
    lib/redmine/sudo_mode.rb:63:in `sudo_mode'
Completed 422 Unprocessable Entity in 15ms (ActiveRecord: 5.4ms)

ActiveRecord::RecordInvalid (Validation failed: Email skal udfyldes, Login skal udfyldes, Fornavn skal udfyldes, Efternavn skal udfyldes):
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'

SAML integration with Office 365 (Azure AD)

I've been trying to set up Redmine SSO with the Office 365 SAML service (actually it is Azure AD).
I finally got it to work after minor modifications to the code.

saml.rb

 :attribute_mapping              => {
      :login      => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
      :firstname  => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
      :lastname   => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
      :mail       => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
  }

And the change I made to the SAML plugin:

--- redmine_omniauth_saml.rb.orig   2015-09-04 09:52:36.000000000 +0300
+++ redmine_omniauth_saml.rb    2015-09-04 09:52:24.000000000 +0300
@@ -64,11 +64,12 @@
         HashWithIndifferentAccess.new.tap do |h|
           required_attribute_mapping.each do |symbol|
             key = configured_saml[:attribute_mapping][symbol]
-            h[symbol] = key.split('.')                # Get an array with nested keys: name.first will return [name, first]
-              .map {|x| [:[], x]}                     # Create pair elements being :[] symbol and the key
-              .inject(omniauth) do |hash, params|     # For each key, apply method :[] with key as parameter
-                hash.send(*params)
-              end
+            h[symbol] = omniauth.extra.raw_info[key]
+#            h[symbol] = key.split('.')                # Get an array with nested keys: name.first will return [name, first]
+#              .map {|x| [:[], x]}                     # Create pair elements being :[] symbol and the key
+#              .inject(omniauth) do |hash, params|     # For each key, apply method :[] with key as parameter
+#                hash.send(*params)
+#              end
           end
         end
       end
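Review bot: the replacement line `h[symbol] = omniauth.extra.raw_info[key]` turns every mapping value into a bare attribute name, so the dotted paths this plugin documents ('extra.raw_info.username' in the sample initializers on this page) stop resolving once this lands; keep the literal lookup as the first attempt (use `raw_info[key]` when the raw_info hash has that key) and fall back to the existing split-and-inject walk otherwise, so both URL-style claim names and dotted paths work. The new line also returns nil silently when the claim is absent, and raises NoMethodError if raw_info itself is nil, which is the failure reported elsewhere on this page; a nil check that names the missing claim would make that actionable. The five commented-out lines should be deleted rather than kept in the hunk.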

I'm not really a Ruby developer, but I hope you will find this helpful and can fix this in mainline.

Release tags

Please create release tags, so the plugin looks more mature and suitable for production setups.

For various provisioning systems it would be much easier to work with versions and to retrieve the implicitly created zips from GitHub, rather than live code.

Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is earlier than NotBefore condition

Hello,
I am trying to configure Redmine to use this plugin with my university login service.

Environment:
  Redmine version                4.0.5.stable
  Ruby version                   2.5.5-p157 (2019-03-15) [x86_64-linux-gnu]
  Rails version                  5.2.3

I go to my Redmine login page, then click the link to log in with SAML, get to the university server, provide my details, and press enter. Then I get the message "Invalid saml_ticket". Looking in "/var/log/apache2/error.log" I see the following lines appear:

App 24371 stdout: I, [2020-01-26T10:39:22.407507 #24371]  INFO -- omniauth: (saml) Request phase initiated.
App 24371 stdout: I, [2020-01-26T10:39:22.511633 #24371]  INFO -- omniauth: (saml) Callback phase initiated.
App 24371 stdout: E, [2020-01-26T10:39:22.523927 #24371] ERROR -- omniauth: (saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is earlier than NotBefore condition

So, google to the rescue... According to "https://github.com/onelogin/ruby-saml#clock-drift" there is an option

To allow for a small amount of clock drift, you can initialize the response by passing in an option named :allowed_clock_drift.

I have tried to log in many times, and sometimes I don't get this error, so I think the allowed time is just a bit too small. I would like to increase it to avoid this error. An example is given on that page, but I don't see how I can apply this to the redmine_omniauth_saml plugin. Could you please advise?
Kind regards
Eskil
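The error text is produced by ruby-saml's check of the assertion's Conditions element against the SP's clock. The block below is an added example, not plugin or ruby-saml code: it re-implements that window check over a constructed assertion fragment so you can see why a Redmine host whose clock is a couple of seconds behind the IdP fails with a drift allowance of 0 and passes with a small one. The rule used, accept when NotBefore - drift <= now < NotOnOrAfter + drift, is this example's reading of the error message, not copied from the library.

```ruby
require 'rexml/document'
require 'time'

# Constructed assertion fragment (not a real IdP response); only Conditions matters here.
def sample_assertion(not_before:, not_on_or_after:)
  <<~XML
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
      <saml:Conditions NotBefore="#{not_before.utc.iso8601}" NotOnOrAfter="#{not_on_or_after.utc.iso8601}">
        <saml:AudienceRestriction>
          <saml:Audience>https://redmine.example.test/</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
    </saml:Assertion>
  XML
end

# Time-window check with a symmetric drift allowance (assumed rule, see lead-in).
# Returns [true, nil] when the window holds, [false, reason] otherwise.
def conditions_valid?(assertion_xml, now: Time.now, allowed_clock_drift: 0)
  doc = REXML::Document.new(assertion_xml)
  cond = REXML::XPath.first(doc, "//*[local-name()='Conditions']")
  return [false, 'no Conditions element'] unless cond

  not_before = cond.attributes['NotBefore']
  not_on_or_after = cond.attributes['NotOnOrAfter']

  if not_before && now < Time.iso8601(not_before) - allowed_clock_drift
    skew = (Time.iso8601(not_before) - now).round
    return [false, "Current time is earlier than NotBefore condition (SP clock behind by about #{skew}s)"]
  end
  if not_on_or_after && now >= Time.iso8601(not_on_or_after) + allowed_clock_drift
    return [false, 'Current time is on or after NotOnOrAfter condition']
  end
  [true, nil]
end

if __FILE__ == $PROGRAM_NAME
  idp_now = Time.now + 2                     # pretend the IdP clock runs 2 s ahead of ours
  xml = sample_assertion(not_before: idp_now, not_on_or_after: idp_now + 300)
  p conditions_valid?(xml)                          # fails: our clock is "earlier than NotBefore"
  p conditions_valid?(xml, allowed_clock_drift: 5)  # passes with a 5 s allowance
end
```

Keep the allowance to a few seconds and fix NTP on the Redmine host first: every second of drift you allow also extends the lifetime of a captured SAMLResponse by the same amount, while the signature check that runs before this one is unaffected. omniauth-saml exposes the same ruby-saml setting as an :allowed_clock_drift strategy option; whether this plugin forwards extra keys from config.saml to the strategy unchanged is not shown on this page, so check the plugin's lib before relying on that route.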

Internal error after SAML login

The communication between my SSO and my Redmine instance is OK, but I get the following error when I am redirected to http://issues.bud01.atlasoft.lan/auth/saml. I can check the SAML response in Chrome's SAML plugin; it's OK, but I'm not sure that my attribute mapping is correct.

I have the following in the production.log:

Started POST "/auth/saml/callback" for 192.168.1.43 at 2016-10-28 10:56:50 +0200
Processing by AccountController#login_with_saml_callback as HTML
  Parameters: {"SAMLResponse"=>"PHNhbWxwOlJlc3BvbnNlIH ...", "provider"=>"saml"}
  Current user: anonymous
Completed 500 Internal Server Error in 3ms (ActiveRecord: 0.5ms)

RuntimeError (Redmine::OmniAuthSAML must be configured from an initializer. See README of redmine_omniauth_saml for instructions):
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'

My config looks as follows:

RedmineSAML = HashWithIndifferentAccess.new(
    :assertion_consumer_service_url => "http://issues.bud01.atlasoft.lan/auth/saml/callback", # The redmine application hostname
    :issuer                         => "http://issues.bud01.atlasoft.lan",   # The issuer name
    :idp_sso_target_url             => "http://auth.bud01.atlasoft.lan/simplesaml/saml2/idp/SSOService.php",
    :idp_cert_fingerprint           => "7B:FB:41:E0:83:04:ED:23:6F:69:0C:E8:51:4E:B2:99:FE:FB:7A:1F", # SSL fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
    :name_identifier_value          => "email",
    :logout_admin                   => "http://auth.bud01.atlasoft.lan/simplesaml/saml2/idp/SingleLogoutService.php", # SSO logout
    :attribute_mapping              => {
    # How will we map attributes from SSO to redmine attributes
      :username      => 'extra.raw_info.username',
      :username  => 'extra.raw_info.first_name',
      :username   => 'extra.raw_info.last_name',
      :email       => 'extra.raw_info.personal_email'
    }
)

undefined method `alias_method_chain' for User

Hi,

I'm trying to install the plugin on Redmine 4.0, but after cloning the Git project, when I run RAILS_ENV=production rake redmine:plugins I get this error:

(in /opt/bitnami/apps/redmine/htdocs)
rake aborted!
NoMethodError: undefined method `alias_method_chain' for User (call 'User.connection' to establish a connection):Class
Did you mean?  alias_method
/opt/bitnami/apps/redmine/htdocs/plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:29:in `<class:User>'
/opt/bitnami/apps/redmine/htdocs/plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:3:in `<top (required)>'
/opt/bitnami/apps/redmine/htdocs/plugins/redmine_omniauth_saml/init.rb:4:in `<top (required)>'
/opt/bitnami/apps/redmine/htdocs/lib/redmine/plugin.rb:173:in `block in load'
/opt/bitnami/apps/redmine/htdocs/lib/redmine/plugin.rb:164:in `each'
/opt/bitnami/apps/redmine/htdocs/lib/redmine/plugin.rb:164:in `load'
/opt/bitnami/apps/redmine/htdocs/config/initializers/30-redmine.rb:21:in `<top (required)>'
/opt/bitnami/apps/redmine/htdocs/config/environment.rb:14:in `<top (required)>'
/opt/bitnami/apps/redmine/htdocs/lib/tasks/redmine.rake:57:in `block (2 levels) in <top (required)>'
Tasks: TOP => redmine:plugins:migrate => environment
(See full trace by running task with --trace)

Ruby version -> ruby 2.4.5p335 (2018-10-18 revision 65137) [x86_64-linux]

Thank you for your help,
Alexandre

Licence missing.

Thanks for your work! Could you define a licence for using this plugin?

What is "translation missing: en.error_saml_invalid_ticket"??

I am using your OmniAuth SAML plugin for Bitnami Redmine SSO provisioning with an IdP. Redmine version 3.0.3, Ruby version 2.0.0, Rails version 4.2.1, Gems version 2.0.14.

When a login request is sent, the error message below is produced:

"translation missing: en.error_saml_invalid_ticket"

Production log is below(some information is masked as XXX)

Started GET "/auth/saml?origin=https%3A%2F%2FXXX.XXX.XXX.XXX%2F" for XXX.XXX.XXX.XXX at 2015-08-06 16:10:47 +0900
Started POST "/auth/saml/callback" for XXX.XXX.XXX.XXX at 2015-08-06 16:12:04 +0900
Started GET "/auth/failure?message=invalid_ticket&strategy=saml" for 170.248.146.33 at 2015-08-06 16:12:04 +0900
Processing by AccountController#login_with_saml_failure as HTML
Parameters: {"message"=>"invalid_ticket", "strategy"=>"saml"}
Current user: anonymous
Redirected to https://www.XXXXXX
Completed 302 Found in 6ms (ActiveRecord: 0.4ms)
Started GET "/login" for XXX.XXX.XXX.XXX at 2015-08-06 16:12:04 +0900
Processing by AccountController#login as HTML
Current user: anonymous
Rendered plugins/redmine_omniauth_saml/app/views/redmine_omniauth_saml/_view_account_login_top.html.erb (0.9ms)
Rendered account/login.html.erb within layouts/base (2.2ms)

Completed 200 OK in 12ms (Views: 8.8ms | ActiveRecord: 0.3ms)

I don't know what triggers this error message.
I guess it's not a language error; I think it is a connection error.
I think I should put the IdP's token (public key) somewhere else. Right now I have written the token in saml.rb like below:

:idp_cert_fingerprint           => "MIIFKzCCBBOgAwIBAgIQDErRv....

Is it wrong??
I would like to know it is correct or not.

Regards,

Yoshito
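The value quoted above begins with "MIIF...", which is how a base64-encoded DER certificate starts, whereas idp_cert_fingerprint in every working initializer on this page is twenty colon-separated hex bytes (the SHA-1 digest of that certificate's DER form). The helpers below are an added example, not plugin code: they tell the two apart, derive the fingerprint from a PEM or bare base64 certificate, and reject a truncated paste. The self-signed certificate is generated on the fly so the example runs offline; it stands in for the IdP's signing certificate and is not one.

```ruby
require 'openssl'

# Added example (not plugin code): turn whatever was pasted into idp_cert_fingerprint
# into a proper SHA-1 fingerprint, or fail loudly.
FINGERPRINT_RE = /\A(?:[0-9a-f]{2}:){19}[0-9a-f]{2}\z/i

def looks_like_certificate?(value)
  s = value.to_s.strip
  s.include?('BEGIN CERTIFICATE') || s.start_with?('MII')   # PEM header, or base64 of a DER SEQUENCE
end

# Accepts PEM or bare base64 DER; returns "AB:CD:..." (digest over the DER bytes).
def fingerprint_from_certificate(value, digest: OpenSSL::Digest::SHA1)
  s = value.to_s.strip
  der = s.include?('BEGIN CERTIFICATE') ? OpenSSL::X509::Certificate.new(s).to_der : s.unpack1('m')
  cert = OpenSSL::X509::Certificate.new(der)   # raises OpenSSL::X509::CertificateError if not a certificate
  digest.new.hexdigest(cert.to_der).scan(/../).join(':').upcase
end

# Normalise the initializer value: pass a fingerprint through, convert a certificate, reject the rest.
def normalise_fingerprint(value)
  s = value.to_s.strip
  return s.upcase if s.match?(FINGERPRINT_RE)
  return fingerprint_from_certificate(s) if looks_like_certificate?(s)
  raise ArgumentError, 'idp_cert_fingerprint is neither a SHA-1 fingerprint nor a certificate'
end

# Throwaway self-signed certificate (constructed for the example, not an IdP certificate).
def build_test_certificate
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=idp.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

if __FILE__ == $PROGRAM_NAME
  cert = build_test_certificate
  puts normalise_fingerprint(cert.to_pem)                 # fingerprint derived from PEM
  puts normalise_fingerprint([cert.to_der].pack('m0'))    # same, from the bare base64 body
end
```

The fingerprint pins the IdP's signing certificate by hash; the later sample initializer on this page shows :idp_cert as the alternative, which pins the full certificate and is the better choice where the plugin version supports it. Either way, take the value from the IdP metadata over a trusted channel, never from the SAMLResponse itself.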

Errors on 2.0 branch

After installing the plugin I get an error on the callback action:

NameError (uninitialized constant User::RedmineSAML):
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:27:in `saml_attribute'

What can be done to make the plugin work?

plugin cannot parse attribute name with oid in SAML response

Hi,
my attribute_mapping looks like this:

:attribute_mapping => { :login => 'urn:oid:0.9.2342.19200300.100.1.1', :mail => 'urn:oid:0.9.2342.19200300.100.1.3', :firstname => 'urn:oid:2.5.4.42', :lastname => 'urn:oid:2.5.4.4' }

This results in the error message translation missing: de.notice_account_invalid_creditentials. You may want to close SSO session before trying an other username.

To stay compatible with our federation, we have to use oid instead of mace.

Unfortunately the code splits at the dot

h[symbol] = key.split('.') # Get an array with nested keys: name.first will return [name, first]
, which doesn't work for us.

Have I located the problem correctly?
Is there any hint how to circumvent this?
Can anyone give me a hint how to connect Redmine otherwise with a SimpleSAMLphp IdP?

Kind regards,
viegelinsch

Internal error when trying to login using SAML

Hello,
I am trying to configure Redmine to use this plugin with my university login service.
Environment:
Redmine version 4.0.5.stable
Ruby version 2.5.5-p157 (2019-03-15) [x86_64-linux-gnu]
Rails version 5.2.3

I go to my Redmine login page, then click the link to log in with SAML, get to the university server, provide my details, and press enter. Then I get a message on screen like:

Internal error

An error occurred on the page you were trying to access.
If you continue to experience problems please contact your Redmine administrator for assistance.

If you are the Redmine administrator, check your log files for details about the error.

Investigating, I checked "/var/log/apache2/error.log" but I only find one relevant line:
App 24371 stdout: I, [2020-01-26T10:45:04.288274 #24371] INFO -- omniauth: (saml) Callback phase initiated.
Looking further in "/opt/redmine/log/debug.log" I see a lot more info (where I have REMOVED some potentially sensitive information):

I, [2020-01-26T10:45:04.287710 #24371]  INFO -- : Started POST "/redmine/auth/saml/callback" for 94.255.250.60 at 2020-01-26 10:45:04 +0100
I, [2020-01-26T10:45:04.311045 #24371]  INFO -- : Processing by AccountController#login_with_saml_callback as HTML
I, [2020-01-26T10:45:04.311341 #24371]  INFO -- :   Parameters: {"SAMLResponse"=>"REMOVED", "provider"=>"saml"}
I, [2020-01-26T10:45:04.313357 #24371]  INFO -- :   Current user: anonymous
I, [2020-01-26T10:45:04.314952 #24371]  INFO -- : Completed 500 Internal Server Error in 3ms (ActiveRecord: 0.4ms)
F, [2020-01-26T10:45:04.315578 #24371] FATAL -- :   
F, [2020-01-26T10:45:04.315631 #24371] FATAL -- : NoMethodError (undefined method `[]' for nil:NilClass):
F, [2020-01-26T10:45:04.315657 #24371] FATAL -- :   
F, [2020-01-26T10:45:04.315702 #24371] FATAL -- : plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:70:in `block (3 levels) in user_attributes_from_saml'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:69:in `each'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:69:in `inject'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:69:in `block (2 levels) in user_attributes_from_saml'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:65:in `each'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:65:in `block in user_attributes_from_saml'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:64:in `tap'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:64:in `user_attributes_from_saml'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml.rb:21:in `user_attributes_from_saml'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:12:in `find_or_create_from_omniauth'
plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/account_controller_patch.rb:28:in `login_with_saml_callback'
lib/redmine/sudo_mode.rb:63:in `sudo_mode'

I suspect this has to do with me configuring my attributes the wrong way (I don't know much about this). Based on the example file I have configured /opt/redmine/config/initializers/saml.rb like this:

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "REMOVED", # OmniAuth callback URL
    :issuer                         => "REMOVED", # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec.
    :single_logout_service_url      => "REMOVED", # The SLS (logout) callback URL
    :idp_sso_target_url             => "REMOVED", # SSO login endpoint
    :idp_cert_fingerprint           => "REMOVED", # SSO ssl certificate fingerprint, SHA-1
    # Alternatively, specify the full certificate:
    #:idp_cert => "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    :signout_url                    => "", # Optional signout URL, not supported by all identity providers
    :idp_slo_target_url             => "",
    :name_identifier_value          => "mail", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
      # How will we map attributes from SSO to redmine attributes
      :login     => 'extra.raw_info.urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
      :mail      => 'extra.raw_info.urn:oid:0.9.2342.19200300.100.1.3',
      :firstname => 'extra.raw_info.urn:oid:2.5.4.42',
      :lastname  => 'extra.raw_info.urn:oid:2.5.4.4'
    }
  }

  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

Parsing the SAMLResponse (which was REMOVED in the debug.log above) I find these attributes supplied by the login server:

<AttributeStatement>
    <Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue>Eskil Varenius</AttributeValue></Attribute>
    <Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue>Eskil</AttributeValue></Attribute>
    <Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue>Varenius</AttributeValue></Attribute>
    <Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue>REMOVED</AttributeValue></Attribute>
    <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue>REMOVED</AttributeValue></Attribute>
    <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue>REMOVED</AttributeValue>
        <AttributeValue>REMOVED</AttributeValue></Attribute>
</AttributeStatement>

As far as I understand, it seems I get the right information back in the SAML response, but for some reason the plugin doesn't like it. Maybe I have matched the URN strings in the wrong format? Do you have any idea of where the error could be?

I see there has been a similar discussion in #21 (comment) but I could not get my stuff to work using the things in there. As this was from an older version (redmine <4) I thought it may be worth filing a new issue.

Kind regards
Eskil

How to disable redmine_omniauth_saml?

The plugin works like a charm.
I know this is not an issue, but do you know how to disable it for a while?
I tried with
rake redmine:plugins:migrate NAME=redmine_omniauth_sam VERSION=0 RAILS_ENV=production
but nothing happened.
(Redmine 3.0)

General setup and configuration with TFIM as IDP

Hi,
I have some general questions:

  • Should/Can I configure LDAP in parallel with SAML? (It would be the same LDAP that my IDP uses.)
  • Do users also get created automatically in Redmine from LDAP when authenticating via SAML?
  • Is it SP initiated or IDP initiated SAML flow?

However, I am currently not able to login via SAML. I have tried to create the user internally and also via LDAP login before trying SAML login.
I always get:
I, [2017-09-13T12:27:45.630647 #4371] INFO -- : Started POST "/redmine/auth/saml/callback" for 192.168.1.139 at 2017-09-13 12:27:45 +0200
I, [2017-09-13T12:27:45.721512 #4371] INFO -- : Processing by AccountController#login_with_saml_callback as HTML
I, [2017-09-13T12:27:45.721722 #4371] INFO -- : Parameters: {"RelayState"=>"", "SAMLResponse"=>"PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDph\r
....
\r\nc3BvbnNlPg==", "provider"=>"saml"}
I, [2017-09-13T12:27:45.755122 #4371] INFO -- : Current user: anonymous
W, [2017-09-13T12:27:45.759974 #4371] WARN -- : Failed login for 'approver' from 192.168.1.139 at 2017-09-13 10:27:45 UTC
I, [2017-09-13T12:27:45.761588 #4371] INFO -- : Redirected to http://redmine.myhost.local/redmine/login

Has authentication succeeded, when I see this message and only user lookup failed?
Or do I still have a problem with authentication?

How do I configure debug/trace to nail this?

OmniAuth SAML plugin issue

I've been using your OmniAuth SAML plugin for Redmine SSO provisioning with an IDP. Redmine version - 2.6.0, Ruby version - 1.9.3, Rails version - 3.2.19.

When a login request is sent, it redirects to the IDP and the session is also created but I'm getting a "422 - Invalid form authenticity token" error. I've attached a screen shot of the error below.
[screenshot: redmine error 422]

This is the SAML Request

GET https://localhost:9443/samlsso?SAMLRequest=nZFNb4JAEIb%2FCrc9IQuCyERIiNiERE2jtodemhWHSLLs0p2lH%2F%2B%2BiGmih%2FbQ%0A6%2BR55p2PBYlWdpD39qx2%2BNYjWScnQmMbrZZaUd%2Bi2aN5byp82q1Tdra2A8%2BT%0AuhLyrMnClHPOnGIQGyUu1pWhOygJw6l3iSLSzCmLlL3WceD7Uc1dwWPf5f40%0AcGfzY%2BDycF7PkmOVJCgGlKjHUpEVyqYs4H7k8sAN4gOPIJxBFL8w5xkNjbnB%0AZJjks5WKYFwrZb1RoAU1BEq0SGAr2OebNQwkdEZbXWnJssWFhjHK3Ph%2F6%2BLn%0ASizbrYpNuV0tvJs%2B16YdbAexLB61bKovJ5dSfywNCosps6ZH5jxo0wr7e5Q%2F%0A8cdKc3LrEQVsRSPz08kg0X%2FW9bLroPdfz74B%0A HTTP/1.1

SAML Response from IDP

<saml2p:Response Destination="http://localhost:3000"
                 ID="mocookobpeaobaongefdhldahiohlfahimomhljf"
                 InResponseTo="_f72115f0-a071-0132-68b2-048f69bc99ea"
                 IssueInstant="2015-02-27T05:47:03.059Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >localhost</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="fcogdnmhdbibbpgaapafkkcenibihahpfpnofcao"
                     IssueInstant="2015-02-27T05:47:03.059Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admina</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_f72115f0-a071-0132-68b2-048f69bc99ea"
                                               NotOnOrAfter="2015-02-27T05:52:03.059Z"
                                               Recipient="http://localhost:3000"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2015-02-27T05:47:03.059Z"
                          NotOnOrAfter="2015-02-27T05:52:03.059Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>REDMINE</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2015-02-27T05:47:03.059Z"
                              SessionIndex="824f977c-ee4e-4f4c-9402-7b382d14f344"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

Rails back log

Started POST "/" for 127.0.0.1 at 2015-02-27 10:40:03 +0530
Processing by WelcomeController#index as HTML
Parameters: {"SAMLResponse"=>"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cDovL2xvY2FsaG9zdDozMDAwIiBJRD0ibGRvb2ZuZ2dtbGpvb2xnaGRrbWtwZ25kZGZubGloZm5obmhkZGZpaiIgSW5SZXNwb25zZVRvPSJfYjE4NzMwMjAtYTA2Yy0wMTMyLTY4YjAtMDQ4ZjY5YmM5OWVhIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDItMjdUMDU6MTA6MDEuNzQ5WiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWwyOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmxvY2FsaG9zdDwvc2FtbDI6SXNzdWVyPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24gSUQ9Im9taGxtZ2FrYmNtbWVtY2dkcGFiZWJtb2trY2RkZGFtbmdmZmRicGgiIElzc3VlSW5zdGFudD0iMjAxNS0wMi0yN1QwNToxMDowMS43NDlaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDI6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5sb2NhbGhvc3Q8L3NhbWwyOklzc3Vlcj48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5hZG1pbmE8L3NhbWwyOk5hbWVJRD48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Il9iMTg3MzAyMC1hMDZjLTAxMzItNjhiMC0wNDhmNjliYzk5ZWEiIE5vdE9uT3JBZnRlcj0iMjAxNS0wMi0yN1QwNToxNTowMS43NDlaIiBSZWNpcGllbnQ9Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE1LTAyLTI3VDA1OjEwOjAxLjc0OVoiIE5vdE9uT3JBZnRlcj0iMjAxNS0wMi0yN1QwNToxNTowMS43NDlaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+UkVETUlORTwvc2FtbDI6QXVkaWVuY2U+PC9zYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDI6Q29uZGl0aW9ucz48c2FtbDI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE1LTAyLTI3VDA1OjEwOjAxLjc0OVoiIFNlc3
Npb25JbmRleD0iMGZhYzlmOWQtNWI1Zi00NmYzLTgyNDItMjM1ZTNhNzFkYWIzIj48c2FtbDI6QXV0aG5Db250ZXh0PjxzYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4=", "RelayState"=>"null"}
WARNING: Can't verify CSRF token authenticity
AnonymousUser Load (0.1ms) SELECT users.* FROM users WHERE users.type IN ('AnonymousUser') LIMIT 1
Rendered common/error.html.erb within layouts/base (0.3ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 30.0ms (Views: 21.6ms | ActiveRecord: 0.1ms)

Rails back log says "AnonymousUser Load (0.1ms) SELECT users.* FROM users WHERE users.type IN ('AnonymousUser') LIMIT 1" and a user with type Anonymous is auto created when trying to login. I've attached a screen shot of the MySQL database table too.
[screenshot: redmine users mysql table]

Would you please be kind enough to look into this issue.

Invalid Credentials [ en.notice_account_invalid_creditentials ]

Hi,

We are experiencing some troubles with getting this plugin to work with our Redmine, below you can find related details:

Environment:
Redmine version 3.4.3.stable
Ruby version 2.2.5-p319 (2016-04-26) [x86_64-linux]
Rails version 4.2.8
Environment production
Database adapter Mysql2
SCM:
Subversion 1.6.11
Git 1.7.1
Filesystem
Redmine plugins:
redmine_omniauth_saml 0.0.1

Our saml.rb file

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "http://redmine.local/auth/saml/callback", # OmniAuth callback URL
    :issuer                         => "http://redmine.local", # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec.
    :single_logout_service_url      => "http://redmine.example.com/auth/saml/sls", # The SLS (logout) callback URL
    :idp_sso_target_url             => "https://redacted]/login.html", # SSO login endpoint
    :idp_cert_fingerprint           => "[redacted]", # SSO ssl certificate fingerprint
    # Alternatively, specify the full certificate:
    #:idp_cert => "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :signout_url                    => "http://sso.example.com/saml2/idp/SingleLogoutService.php?ReturnTo=", # Optional signout URL, not supported by all identity providers
    :idp_slo_target_url             => "http://sso.example.com/saml2/idp/SingleLogoutService.php",
    :name_identifier_value          => "mail", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
      # How will we map attributes from SSO to redmine attributes
      :login     => 'extra.raw_info.username',
      :mail      => 'extra.raw_info.email',
      :firstname => 'extra.raw_info.firstname',
      :lastname  => 'extra.raw_info.firstname'
    }
  }
  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

Here is the log:

9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==", "provider"=>"saml"}
(0.4ms) SELECT MAX(settings.updated_on) FROM settings
AnonymousUser Load (0.3ms) SELECT users.* FROM users WHERE users.type IN ('AnonymousUser') ORDER BY users.id ASC LIMIT 1
Current user: anonymous
EmailAddress Load (0.1ms) SELECT email_addresses.* FROM email_addresses WHERE email_addresses.address IS NULL LIMIT 1
Failed login for '[email protected]' from [IP ADDRESS REDACTED] at 2017-11-14 15:39:49 UTC
Redirected to http://redmine.local/login
Completed 302 Found in 5ms (ActiveRecord: 0.9ms)

We will be waiting for your reply.

Logout function not working

Hi

The SSO function works perfectly fine, but when a user tries to sign out from Redmine, it does not work.

saml.rb file

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redminesso.ihk.com/auth/saml/callback", # The redmine application hostname
    :issuer                         => "https://redminesso.ihk.com",                 # The issuer name
    :idp_sso_target_url             => "https://172.16.2.14:9443/samlsso", # SSO login endpoint
    :idp_cert_fingerprint           => "6B F8 E1 36 EB 36 D4 A5 6E A0 5C 7A E4 B9 A4 5B 63 BF 97 5D", # SSO ssl certificate fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :signout_url                    => "https://172.16.2.14:9443/samlsso",
    :idp_slo_target_url             => "https://172.16.2.14:9443/samlsso",
    :name_identifier_value          => "mail", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
       :login      => 'http://wso2.org/claims/emailaddress',
       :firstname  => 'http://wso2.org/claims/givenname',
       :lastname   => 'http://wso2.org/claims/lastname',
       :mail       => 'http://wso2.org/claims/emailaddress'
    }
  }

  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

The authentication SAML response does contain the SessionIndex value:

 </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-05-14T13:37:03.639Z"
                          NotOnOrAfter="2016-05-14T13:42:03.639Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://redminesso.ihk.com</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2016-05-14T13:37:03.641Z"
                              SessionIndex="2fffb2d6-38b9-453a-ac73-e99a4bb06487"
                              >
            <saml2:AuthnContext>

But the generated LogoutRequest does not contain the SessionIndex value:

<samlp:LogoutRequest Destination="https://172.16.2.14:9443/samlsso"
                     ID="_eb506f40-fc06-0133-8f7c-0050569a3be9"
                     IssueInstant="2016-05-14T13:37:26Z"
                     Version="2.0"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     >
    <saml:Issuer>https://redminesso.ihk.com</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mail</saml:NameID>
</samlp:LogoutRequest>

And on the IDP side it prints the following log:

TID: [-1234] [] [2016-05-14 19:07:26,101] ERROR {org.wso2.carbon.identity.sso.saml.processors.SPInitLogoutRequestProcessor} -  Session Index validation for Logout Request failed. Received: [null]. Expected: [2fffb2d6-38b9-453a-ac73-e99a4bb06487]

Can you please advise on this? Is it due to the configuration of saml.rb, or is it due to a bug?
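
Two of the reports above come down to which URL and which identifiers the SP and the IdP agree on. In the 422 report the response's Destination and Recipient are the site root, so the browser POSTs the SAMLResponse to WelcomeController#index, where Rails' CSRF check rejects it; the plugin's callback at /auth/saml/callback never sees the message. In the logout report the LogoutRequest carries no SessionIndex even though the assertion's AuthnStatement had one, and the IdP rejects it for exactly that reason. The following is an added example written for this page, not the plugin's or ruby-saml's code: it parses a constructed, unsigned response with Ruby's stdlib REXML, flags Destination and Recipient values that differ from the configured ACS URL, and builds a LogoutRequest that carries the SessionIndex and NameID captured at login. The sample response, the issuer value and the IdP endpoint are invented; signature validation is out of scope here (ruby-saml does it in the real flow).

```ruby
# Added example, not plugin code: parse a constructed, unsigned SAML Response
# with REXML, check Destination/Recipient against the configured ACS URL, and
# carry SessionIndex from the assertion into an SP-initiated LogoutRequest.
require 'rexml/document'
require 'securerandom'
require 'time'

SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion'
NS    = { 'samlp' => SAMLP, 'saml' => SAML }.freeze

# Constructed sample modelled on the response quoted in the 422 report:
# Destination and Recipient point at the site root, not at the OmniAuth callback.
SAMPLE_RESPONSE = <<~XML
  <saml2p:Response xmlns:saml2p="#{SAMLP}" xmlns:saml2="#{SAML}" ID="_r1" Version="2.0"
                   IssueInstant="2015-02-27T05:47:03.059Z" Destination="http://localhost:3000">
    <saml2:Issuer>localhost</saml2:Issuer>
    <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
    <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2015-02-27T05:47:03.059Z">
      <saml2:Issuer>localhost</saml2:Issuer>
      <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admina</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml2:SubjectConfirmationData Recipient="http://localhost:3000" NotOnOrAfter="2015-02-27T05:52:03.059Z"/>
        </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:AuthnStatement AuthnInstant="2015-02-27T05:47:03.059Z" SessionIndex="824f977c-ee4e-4f4c-9402-7b382d14f344">
        <saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext>
      </saml2:AuthnStatement>
    </saml2:Assertion>
  </saml2p:Response>
XML

# Pull out the fields the SP needs: where the IdP aimed the response, and the
# NameID/SessionIndex that identify the IdP session for single logout.
# Namespace prefixes in the document (saml2p/saml2) differ from the ones in the
# XPath (samlp/saml); REXML matches on namespace URI, so that is fine.
def parse_response(xml)
  doc       = REXML::Document.new(xml)
  response  = REXML::XPath.first(doc, '/samlp:Response', NS)
  assertion = REXML::XPath.first(response, 'saml:Assertion', NS)
  name_id   = REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', NS)
  scd       = REXML::XPath.first(assertion, 'saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData', NS)
  authn     = REXML::XPath.first(assertion, 'saml:AuthnStatement', NS)
  {
    destination:    response.attributes['Destination'],
    recipient:      scd && scd.attributes['Recipient'],
    name_id:        name_id.text,
    name_id_format: name_id.attributes['Format'],
    session_index:  authn && authn.attributes['SessionIndex'],
  }
end

# A response POSTed anywhere other than the ACS URL never reaches the plugin's
# callback; in Rails it lands on an ordinary controller and fails the CSRF check.
def acs_mismatches(parsed, acs_url)
  problems = []
  problems << "Destination #{parsed[:destination]} != ACS #{acs_url}" unless parsed[:destination] == acs_url
  problems << "Recipient #{parsed[:recipient]} != ACS #{acs_url}"     unless parsed[:recipient] == acs_url
  problems
end

# SP-initiated LogoutRequest. The IdP matches it to its session by SessionIndex
# (and NameID), so both must be the values it issued at login, which means the
# SP has to keep them in its own session from the callback onwards.
def build_logout_request(issuer:, destination:, name_id:, name_id_format:, session_index:)
  if session_index.nil? || session_index.empty?
    raise ArgumentError, 'SessionIndex missing: store it from the AuthnStatement at login'
  end
  doc = REXML::Document.new
  req = doc.add_element('samlp:LogoutRequest',
                        'xmlns:samlp' => SAMLP, 'xmlns:saml' => SAML,
                        'ID' => "_#{SecureRandom.hex(16)}", 'Version' => '2.0',
                        'IssueInstant' => Time.now.utc.iso8601, 'Destination' => destination)
  req.add_element('saml:Issuer').text = issuer
  req.add_element('saml:NameID', 'Format' => name_id_format).text = name_id
  req.add_element('samlp:SessionIndex').text = session_index
  doc.to_s
end
```

Run parse_response on the callback payload, keep name_id, name_id_format and session_index in the Redmine session, and feed them to build_logout_request on sign-out; if acs_mismatches returns anything, the IdP's SP configuration (assertion consumer URL) is what needs fixing, not Redmine.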

Can't create user on-the-fly

Running on Redmine 3.4.5, SAML user creation fails (though I never tested SAML on older versions):

...
Completed 500 Internal Server Error in 17ms (ActiveRecord: 1.9ms)

NoMethodError (undefined method `created_by_omniauth_saml=' for #<User:0x00007fa14e4c0170>):
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:13:in `find_or_create_from_omniauth'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/account_controller_patch.rb:32:in `login_with_saml_callback'
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'
...

Redmine KeyCloak

I am currently trying to connect Redmine with the Keycloak SAML adapter. I get the following response from Keycloak:

#<OmniAuth::AuthHash credentials=#<OmniAuth::AuthHash> 
extra=#<OmniAuth::AuthHash 
  raw_info=#<OneLogin::RubySaml::Attributes:0x007f7280408ae0 
  @attributes={"urn:oid:1.2.840.113549.1.9.1"=>["[email protected]"], 
               "urn:oid:2.5.4.42"=>["Firstname"], 
               "urn:oid:2.5.4.4"=>["Surename"], 

What should I define in the attributes mapping? The following does not work correctly:

    :attribute_mapping              => {
    # How will we map attributes from SSO to redmine attributes
      :login      => 'extra.raw_info.attributes["urn:oid:1.2.840.113549.1.9.1"].first',
      :mail       => 'extra.raw_info.attributes["urn:oid:1.2.840.113549.1.9.1"].first',
      :firstname  => 'extra.raw_info.attributes["urn:oid:2.5.4.42"].first',
      :lastname   => 'extra.raw_info.attributes["urn:oid:2.5.4.4"].first'
    }
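
Both the eduPerson/OID report earlier on this page and this Keycloak report map Redmine fields to SAML attributes whose names are URN OIDs, and in both cases the mapped fields come back empty. A dotted path such as extra.raw_info.urn:oid:2.5.4.42 is ambiguous: the OID itself contains dots, so a resolver that splits the whole path on "." descends into keys that do not exist. The example below is added for this page and is not the plugin's code; the plugin's own path resolution is not reproduced here, and the naive resolver is an assumption about the failure mode. It models raw_info as a plain Hash (in the real auth hash it is a OneLogin::RubySaml::Attributes object, which the Keycloak output above shows storing each value in an Array), uses constructed attribute values, and shows a greedy resolver that prefers the longest dotted key present at each level, plus the array unwrapping the Keycloak shape needs.

```ruby
# Added example, not plugin code: how a dotted attribute_mapping path behaves
# when the SAML attribute names are URN OIDs, which contain dots themselves.
# raw_info is modelled as a plain Hash with string keys (assumption; the real
# object is OneLogin::RubySaml::Attributes inside an OmniAuth::AuthHash).

# Constructed auth hash shaped after the eduPerson AttributeStatement (values invented).
EDUPERSON_AUTH = {
  'provider' => 'saml',
  'uid'      => 'evarenius',
  'extra'    => {
    'raw_info' => {
      'urn:oid:2.5.4.42'                  => 'Eskil',
      'urn:oid:2.5.4.4'                   => 'Varenius',
      'urn:oid:0.9.2342.19200300.100.1.3' => 'eskil@example.org',
      'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'  => 'evarenius@example.org',
    },
  },
}.freeze

# Keycloak-shaped variant: each attribute value arrives wrapped in an Array,
# so the mapping also has to unwrap single-element arrays.
KEYCLOAK_AUTH = {
  'extra' => {
    'raw_info' => {
      'urn:oid:1.2.840.113549.1.9.1' => ['user@example.org'],
      'urn:oid:2.5.4.42'             => ['Firstname'],
      'urn:oid:2.5.4.4'              => ['Surname'],
    },
  },
}.freeze

EDUPERSON_MAPPING = {
  login:     'extra.raw_info.urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
  mail:      'extra.raw_info.urn:oid:0.9.2342.19200300.100.1.3',
  firstname: 'extra.raw_info.urn:oid:2.5.4.42',
  lastname:  'extra.raw_info.urn:oid:2.5.4.4',
}.freeze

KEYCLOAK_MAPPING = {
  login:     'extra.raw_info.urn:oid:1.2.840.113549.1.9.1',
  mail:      'extra.raw_info.urn:oid:1.2.840.113549.1.9.1',
  firstname: 'extra.raw_info.urn:oid:2.5.4.42',
  lastname:  'extra.raw_info.urn:oid:2.5.4.4',
}.freeze

# Naive resolver: one hash key per dot-separated segment. 'urn:oid:2.5.4.42'
# splits into 'urn:oid:2', '5', '4', '42'; none is a key, so the result is nil
# and every mapped Redmine field ends up blank.
def naive_lookup(hash, path)
  path.split('.').inject(hash) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Greedy resolver: at each level consume the longest run of segments that,
# re-joined with dots, is an actual key of the current hash. Plain paths such
# as 'extra.raw_info.username' still resolve one segment at a time.
def greedy_lookup(hash, path)
  segments = path.split('.')
  node = hash
  until segments.empty?
    return nil unless node.is_a?(Hash)
    taken = segments.length.downto(1).find { |n| node.key?(segments.first(n).join('.')) }
    return nil if taken.nil?
    node = node[segments.shift(taken).join('.')]
  end
  node
end

# Apply a mapping: unwrap single-element arrays and drop fields that resolved
# to nothing, so a caller can see which Redmine fields would be blank.
def user_attributes(auth_hash, mapping, resolver: method(:greedy_lookup))
  mapping.each_with_object({}) do |(field, path), attrs|
    value = resolver.call(auth_hash, path)
    value = value.first if value.is_a?(Array) && value.length == 1
    attrs[field] = value unless value.nil? || value.to_s.empty?
  end
end
```

Running user_attributes against a dumped auth hash with your own mapping is a quick way to tell a mapping problem from an IdP problem: if the greedy resolver fills every field and the naive one fills none, the attribute names are present and the dots in the OIDs are the obstacle.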

uninitialized constant OmniAuth (NameError)

Trying to configure without success...
error.log states:
Message from application: uninitialized constant OmniAuth (NameError)
/usr/share/redmine/lib/plugins/redmine_omniauth_saml-master/lib/redmine_omniauth_saml.rb:119:in `configure_omniauth_saml_middleware'
/usr/share/redmine/lib/plugins/redmine_omniauth_saml-master/lib/redmine_omniauth_saml.rb:110:in `validate_configuration!'
/usr/share/redmine/lib/plugins/redmine_omniauth_saml-master/lib/redmine_omniauth_saml.rb:60:in `configure'
Any ideas?

Azure AD Config

Does anyone have a working saml-initializers.rb config for Azure AD?

So far just getting this with the default config:
" Invalid user or password. You may want to close SSO session before trying an other username. "

Suspect I just have to pull and map the right attributes but I'm not sure.
Current SAML token attributes are: givenname, surname, emailaddress, name

Proper configuration for Active Directory Federation services?

Hello there,

I've been trying to get the proper configuration for authenticating users against our ADFS server, with no luck so far. Has anyone achieved that already?
Here's what I got so far:

saml.rb:
Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redmine..com/auth/saml/callback", # OmniAuth callback URL
    :issuer_name                    => "https://redmine..com",
    :issuer                         => "https://redmine..com", # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec.
    :idp_sso_target_url             => "https://.com/adfs/ls/", # SSO login endpoint
    :idp_cert_fingerprint           => "", # SSO ssl certificate fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    :idp_slo_target_url             => "http://sso.example.com/saml2/idp/SingleLogoutService.php",
    :name_identifier_value          => "name_id", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
      # How will we map attributes from SSO to redmine attributes
      :login     => 'extra.raw_info.username',
      :mail      => 'extra.raw_info.email',
      :firstname => 'extra.raw_info.firstname',
      :lastname  => 'extra.raw_info.lastname',
      :name_id   => 'extra.raw_info.nameidentifier'
    }
  }
end

The ADFS claim rules bring SAM-Account-Name through a transform claim to Name ID in Persistent identifier format.

End result on Redmine when clicking the login with SAML button:
translation missing: en.notice_account_invalid_creditentials. You may want to close SSO session before trying an other username.

thanks!

"translation missing: ja.error_saml_invalid_ticket" error

Hi

I'm getting this error:
"translation missing: ja.error_saml_invalid_ticket"

When I try to access Redmine through Windows ADFS, I get the above error.

<Access route>
  Client PC → ADFS → Redmine

I would like to test this with the plugin test "add integration tests".
Please let me know how to use it, and whether it works for this error.

And how do I solve this error?


Environment:
Redmine version 3.3.0.stable
Ruby version 2.1.10-p492 (2016-04-01) [x86_64-linux]
Rails version 4.2.6
Environment production
Database adapter Mysql2
SCM:
Subversion 1.9.4
Cvs 1.12.13
Git 2.7.4
Filesystem
Redmine plugins:
narrowdown 0.0.1
periodictask 3.2.1
redmine_assign_grouping 0.0.1
redmine_custom_workflows 0.1.6
redmine_issue_templates 0.1.4
redmine_omniauth_saml 0.0.1
redmine_slack 0.2

ActionView::Template::Error (undefined method `created_by_omniauth_saml?' for #<User:0x007f10411485e0>

Looks like the plugin is looking for some variable 'change_password_allowed_with_omniauth_saml' and cannot find it. How to solve this?

Started GET "/my/account" for 91.226.197.29 at 2016-08-04 21:33:35 +0200
Processing by MyController#account as HTML
Current user: test (id=14)
Rendered my/account.html.erb within layouts/base (25.4ms)
Completed 500 Internal Server Error in 31ms (ActiveRecord: 1.1ms)

ActionView::Template::Error (undefined method `created_by_omniauth_saml?' for #<User:0x007f10411485e0>
Did you mean?  created_on_was):
    1: <div class="contextual">
    2: <%= additional_emails_link(@user) %>
    3: <%= link_to(l(:button_change_password), {:action => 'password'}, :class => 'icon icon-passwd') if @user.change_password_allowed? %>
    4: <%= call_hook(:view_my_account_contextual, :user => @user)%>
    5: </div>
    6:
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:26:in `change_password_allowed_with_omniauth_saml?'
  app/views/my/account.html.erb:3:in `_app_views_my_account_html_erb__447364996123502152_69853895474700'
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'

Almost there :-)

SSO and Redmine are finally communicating.
But I have an error:

I, [2016-10-07T14:44:09.934516 #24768]  INFO -- : Started GET "/auth/saml?origin=https%3A%2F%2Fhost%2F" for 21.15.7.3 at 2016-10-07 14:44:09 +0200
I, [2016-10-07T14:44:10.457142 #24768]  INFO -- : Started POST "/auth/saml/callback" for 21.15.7.3 at 2016-10-07 14:44:10 +0200
I, [2016-10-07T14:44:10.501476 #24768]  INFO -- : Processing by AccountController#login_with_saml_callback as HTML
I, [2016-10-07T14:44:10.501887 #24768]  INFO -- :   Parameters: {"SAMLResponse"=>"PHNhbWxwOlJlc3BOkF0dHJp...9uc2U+", "provider"=>"saml"}
I, [2016-10-07T14:44:10.504007 #24768]  INFO -- :   Current user: anonymous
W, [2016-10-07T14:44:10.507570 #24768]  WARN -- : WARNING: Can't mass-assign protected attributes for User: login
    plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:12:in `find_or_create_from_omniauth'
    plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/account_controller_patch.rb:32:in `login_with_saml_callback'
    lib/redmine/sudo_mode.rb:63:in `sudo_mode'
I, [2016-10-07T14:44:10.520688 #24768]  INFO -- : Completed 422 Unprocessable Entity in 19ms (ActiveRecord: 1.2ms)
F, [2016-10-07T14:44:10.522233 #24768] FATAL -- : 
ActiveRecord::RecordInvalid (Validation failed: Email cannot be blank, Login cannot be blank, First name cannot be blank, Last name cannot be blank):
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/user_patch.rb:17:in `find_or_create_from_omniauth'
  plugins/redmine_omniauth_saml/lib/redmine_omniauth_saml/account_controller_patch.rb:32:in `login_with_saml_callback'
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'

Where to search for the solution; Redmine does not get needed attributes or mapping is wrong?

In config I have:

      :login      => 'extra.raw_info.username',
      :uid        => 'extra.raw_info.username',
      :firstname  => 'extra.raw_info.first_name',
      :lastname   => 'extra.raw_info.last_name',
      :mail       => 'extra.raw_info.email'

How can I check whether the SSO response delivers login, uid, mail, firstname and lastname?

Unable to configure Redmine Omniauth SAML plugin

In my Redmine application, whenever I click configure I get a 404 error: The page you were trying to access doesn't exist or has been removed.

In your install instructions you state: "Finally you need to configure some minor options for the plugin to work, in “Administration” > “Plugins” > “Configure” on the OmniAuth SAML plugin line."

Should I be doing this from a command prompt rather than from the GUI of the application? If possible, I need clear instructions, please.

Redmine version 2.6.5.stable
Ruby version 2.1.6-p336 (2015-04-13) [x64-mingw32]
Rails version 3.2.21
redmine_omniauth_saml 0.0.1

Running on Windows Server 2012

Plugin activation useless due to quotes

In the init.rb file, there should not be quotes around the value of the enabled setting:

settings :default => { 'enabled' => 'true', 'label_login_with_saml' => '', 'replace_redmine_login' => false }

'true' should be true

Otherwise it is not evaluated (try setting it to false to see).

Use latest ruby-saml gem?

I don't know much about Ruby or gems (yet), but when reading a bit it struck me that the Gemfile for this module currently specifies
gem 'ruby-saml', '~> 0.9.2'
while there seem to have been a lot of important updates since this version (according to https://github.com/onelogin/ruby-saml#clock-drift, which has been listing 1.11 as the latest version for more than 6 months).

For security reasons, I guess it would be worth updating the module to work with the most recent ruby-saml version?

Kind regards
Eskil

Not Found

Hi,

I am new to Redmine and SAML and in charge of migrating Redmine to a new server. In the meantime there is no plan to upgrade Redmine to the new version, but there will be after the migration. I have moved the DB and plugins and now I am trying to implement SAML. Before raking in the plugin I am able to log into Redmine via LDAP, but after raking in the plugin I get an error stating Not Found.

Redmine version 3.3.2-0
omniauth_saml version (not sure, because I copied it from the old server; looking at the date, it was downloaded back in 2017)
Gem omniauth-1.6.1
Gem omniauth-saml-1.0.0
Gem omniauth-saml-cespi-1.3.1

Do I need to create the saml.rb file first, before going into Redmine and completing this step: "Finally you need to configure some minor options for the plugin to work, in "Administration" > "Plugins" > "Configure" on the OmniAuth SAML plugin line"?

Below is what I'm seeing in my log file. I've replaced my server name with SERVERNAME:

Started GET "/redmine/login?back_url=http%3A%2F%2FSERVERNAME%2Fredmine%2F" for 127.0.0.1 at 2021-05-13 16:20:10 -0700
Processing by AccountController#login as HTML
Parameters: {"back_url"=>"http://SERVERNAME/redmine/"}
Current user: anonymous
Redirected to http://SERVERNAME/redmine/auth/saml?origin=http%3A%2F%2FSERVERNAME%2Fredmine%2F
Completed 302 Found in 7ms (ActiveRecord: 1.0ms)
Started GET "/redmine/auth/saml?origin=http%3A%2F%2FSERVERNAME%2Fredmine%2F" for 127.0.0.1 at 2021-05-13 16:20:10 -0700
Processing by AccountController#login_with_saml_redirect as HTML
Parameters: {"origin"=>"http://SERVERNAME/", "provider"=>"saml"}
Current user: anonymous
Rendered text template (0.0ms)
Completed 404 Not Found in 10ms (Views: 5.0ms | ActiveRecord: 1.0ms)
Started GET "/redmine/" for 127.0.0.1 at 2021-05-13 16:31:54 -0700
Processing by WelcomeController#index as HTML
Current user: anonymous
Redirected to http://SERVERNAME/login?back_url=http%3A%2F%2FSERVERNAME%2Fredmine%2F
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 4ms (ActiveRecord: 0.0ms)
Started GET "/redmine/login?back_url=http%3A%2F%2FSERVERNAME%2Fredmine%2F" for 127.0.0.1 at 2021-05-13 16:31:54 -0700
Processing by AccountController#login as HTML
Parameters: {"back_url"=>"http://SERVERNAME/redmine/"}
Current user: anonymous
Redirected to http://SERVERNAME/redmine/auth/saml?origin=http%3A%2F%2FSERVERNAME%2Fredmine%2F
Completed 302 Found in 8ms (ActiveRecord: 1.0ms)
Started GET "/redmine/auth/saml?origin=http%3A%2F%2FSERVERNAME%2Fredmine%2F" for 127.0.0.1 at 2021-05-13 16:31:54 -0700
Processing by AccountController#login_with_saml_redirect as HTML
Parameters: {"origin"=>"http://SERVERNAME/redmine/", "provider"=>"saml"}
Current user: anonymous
Rendered text template (0.0ms)
Completed 404 Not Found in 3ms (Views: 1.0ms | ActiveRecord: 2.0ms)

For use Bitnami 3.0.3

I had to modify some code and files to use the plugin with Bitnami Redmine 3.0.3.

■ Modify Gemfile & Gemfile.lock
1st: Copy the contents of the plugin's Gemfile & Gemfile.lock into the Bitnami Gemfile & Gemfile.lock
(copy the contents to /opt/bitnami/apps/redmine/htdocs/Gemfile)
2nd: Remove Gemfile & Gemfile.lock from the plugin.
3rd: In /opt/bitnami/apps/redmine/htdocs, run bundle.

■ Rename the plugin folder to match init.rb
Change the plugin folder name from "redmine_omniauth_saml-master" to "redmine_omniauth_saml",
because the plugin folder name should be the same as the name defined in the plugin's init.rb.

■ saml.rb
After moving the file "saml.rb" from the plugin to /opt/bitnami/apps/redmine/htdocs/config/initializers, you may remove saml.rb from the plugin.

WARNING: Can't mass-assign protected attributes for User: login

Trying to get OneLogin to work, and I keep getting:

WARNING: Can't mass-assign protected attributes for User: login
        lib/redmine/sudo_mode.rb:63:in `sudo_mode'
Completed 422 Unprocessable Entity in 11ms (ActiveRecord: 1.6ms)

ActiveRecord::RecordInvalid (Validation failed: Login cannot be blank):
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'
