SAML auth with Azure


Jordi Casadevall

Nov 4, 2020, 12:17:06 PM
to jorani
I'm trying to configure SAML authentication with Azure. I've achieved that Jorani redirects to the Microsoft login and authenticates me. But after I enter the right password, it redirects to myhost.com/api/acs with a blank screen.

My question is: what URLs do I have to put in the Azure SAML configuration?

In the "id" section I have myhost.com/api/metadata, which seems to be good. But what do I have to put in the "reply" section?

This is my saml.php with fake IDs & cert:

'idp' => array(
    'entityId' => 'https://sts.windows.net/227f73bf-6f00-57a7-a32e-03b6e95c7562/',
    'singleSignOnService' => array(
        'url' => 'https://login.microsoftonline.com/227f73bf-6f00-57a7-a32e-03b6e95c7562/saml2',
    ),
    'singleLogoutService' => array(
        'url' => 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0',
    ),
    'x509cert' => '-----BEGIN CERTIFICATE-----
safasdfsadff  certificate content adsfasdfasdfasdf
-----END CERTIFICATE-----',
),

Benjamin BALET

Nov 4, 2020, 3:02:42 PM
to jorani
I never tried with Azure, but I was successful with many others (GSuite, Auth0, and OneLogin).
I'm not sure about "reply"; I would bet on the base URL.
Have a look at this answer:
https://groups.google.com/g/jorani/c/PVtQf6ugHuo/m/-3yfbEsYBwAJ



Jordi Casadevall

Nov 6, 2020, 6:17:47 AM
to jorani
Thanks, I've seen here:

that the reply section in the Azure configuration must be "***/acs", in the case of Jorani: "myjoranihost.com/api/acs".

Now when I try to sign in, Jorani redirects me to Microsoft, I authenticate, then I am redirected to myjoranihost.com/api/acs, but it shows me a blank page with an empty body (viewing the HTML source code in the browser). It seems that Azure is doing its work. Based on that, could you help me: is there something more I have to do in the Jorani configuration? I've already changed the "login" field of a user to put my e-mail that is used to authenticate in Microsoft.

Thanks in advance.

Benjamin BALET

Nov 6, 2020, 8:49:33 AM
to jorani
The prerequisite to use SAML is to have an already existing user in the Jorani database with an email that matches an MS AD user.
In Jorani, let's say you have created the user John DOE with the email jd...@example.org in the Jorani DB.
In MS AD you have an Active Directory record for John DOE and its email is the same as in the Jorani DB, namely jd...@example.org.
Side note: activating SAML authentication doesn't replicate the AD into the Jorani DB and it doesn't create the user in the database.

Another prerequisite is to map the NameId to the user's email in Azure.

Let's say you have created the SAML endpoint in Azure and configured Jorani with the Azure URLs and the key; this is the process:
  1. You open https://jorani.host/ (I'm not sure about Azure, but some identity providers require you to use an application with SSL).
  2. Jorani detects that SAML authentication is enabled, so it redirects you to https://jorani.host/api/sso
  3. Jorani checks if the session created with the Identity Provider (IDP, or Azure AD in your case) is still valid and may try to renew this session, if possible.
  4. If the IDP session is no longer valid, Jorani redirects you to the IDP. This is why you see a login form from Azure.
  5. If Azure is able to authenticate you, it redirects you to https://jorani.host/api/acs
  6. In the ACS "page" (it doesn't display anything), Jorani reads the reply from the IDP and extracts the NameId (which contains the user's email).
  7. Jorani checks if the user's email (authenticated with Azure) exists in its own database.
  8. If the user exists you are granted access to the Jorani application; otherwise the failure page is displayed.
Now if everything is properly configured and a blank page still appears, there are two things that you can check:
  • The log file in application/logs, provided that you gave write permission on this folder to Apache or nginx.
  • After the acs page is displayed, try to change the URL to https://jorani.host/leaves to check whether you are authenticated or not.
And please tell me the version of Jorani and PHP.

Jordi Casadevall

Nov 11, 2020, 8:28:17 AM
to jorani
Thanks a lot.

-The PHP version is 7.4.11, Jorani is 1.0. It's working with Docker, built from a clone of https://github.com/bbalet/jorani
-There is an nginx proxy for the required https. Without SAML, Jorani works well. Only requests to port 443 are allowed.
-There is a user with my MS e-mail in the Jorani DB, in the email field (not the login field).
-I changed the Azure configuration so that NameId is the user's e-mail. I attach several images with the Azure configuration.
-The content of the last log, application/logs/log-2020-11.php, is several lines like the following:

ERROR - 2020-11-11 13:06:41 --> {controllers/session/acs} SSO Errors=invalid_response

After authenticating in the MS page with my e-mail, and being redirected to a blank https://jorani.host/acs, if I change the URL to https://jorani.host/leaves, it redirects me again to https://jorani.host/acs

Thanks in advance

Jordi Casadevall

Nov 13, 2020, 8:09:07 AM
to jorani
Hello, can I contribute something more to help achieve the solution?

Thank you so much

Jordi Casadevall

Nov 30, 2020, 10:32:45 AM
to jorani
Hi, although I have tried what you proposed, I have not found the solution. Can you help me?

-The PHP version is 7.4.11, Jorani is 1.0. It's working with Docker, built from a clone of https://github.com/bbalet/jorani
-There is an nginx proxy for the required https. Without SAML, Jorani works well. Only requests to port 443 are allowed.
-There is a user with my MS e-mail in the Jorani DB, in the email field (not the login field).
-I changed the Azure configuration so that NameId is the user's e-mail. I attach several images with the Azure configuration.
-The content of the last log, application/logs/log-2020-11.php, is several lines like the following:

ERROR - 2020-11-11 13:06:41 --> {controllers/session/acs} SSO Errors=invalid_response

After authenticating in the MS page with my e-mail, and being redirected to a blank https://jorani.host/acs, if I change the URL to https://jorani.host/leaves, it redirects me again to https://jorani.host/acs

I appreciate your help a lot

Benjamin BALET

Nov 30, 2020, 5:01:22 PM
to jorani
I quickly set up a Jorani instance and opened a free Azure account.
This is my config on the Azure Portal.
Everything is working fine.

The login URL set to https://azure.jorani.org/api/sso is a mistake, but it has no effect.
I recommend you set it at the root, namely https://azure.jorani.org/

I see no difference from your configuration.

Jordi Casadevall

Dec 1, 2020, 12:14:21 PM
to jorani
Thank you so much for your answer.

I've set the same configuration in Azure and the same thing happens. After authenticating, a blank page with URL https://myjoranihost.com/api/acs

In application/log/log-2020-12-01.php, I see:

ERROR - 2020-12-01 16:26:45 --> {controllers/session/acs} SSO Errors=invalid_response
ERROR - 2020-12-01 16:27:05 --> {controllers/session/acs} SSO Errors=invalid_response
ERROR - 2020-12-01 16:30:36 --> {controllers/session/acs} SSO Errors=invalid_response
ERROR - 2020-12-01 16:30:51 --> {controllers/session/acs} SSO Errors=invalid_response
ERROR - 2020-12-01 16:31:12 --> {controllers/session/acs} SSO Errors=invalid_response
ERROR - 2020-12-01 16:31:30 --> {controllers/session/acs} SSO Errors=invalid_response

Searching about this error, I've found that this could be due to the certificate. And if I change the certificate to any other string, the result is the same, also in the log.

This is how I have the certificate; is it correct, or should a path to the cert go here?

        'x509cert' => '-----BEGIN CERTIFICATE-----
AIIC8DCCAdigAwIBAgIQXPWqy/Ia5YtDLiTJQ4NE3TANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
... ... ...
Yh4WYhuiiEiMmJgiF1RvCbPXkdTsO3Vk0ihqxxA28vPbS71h88Ki7nJliAJFkBG0rVGbbNiMP1Va
WNNpQNj27/Cljm8eTqKE
-----END CERTIFICATE-----',

Benjamin BALET

Dec 1, 2020, 12:31:54 PM
to jorani
One more thing to check is whether you have any error:
 - in the PHP or server log
 - this part of the code needs the PHP xml, date, and zlib extensions to be enabled.

You have a requirements script at the root of your installation; see mine for example:


Benjamin BALET

Dec 1, 2020, 12:41:59 PM
to jorani
And my configuration on the server side:


Jordi Casadevall

Dec 1, 2020, 12:54:56 PM
to jorani
OK, my saml.php is the same; it's OK.

No errors in PHP or the Apache server. It's running in Docker with the Dockerfile from the Jorani GitHub repo:


And attached is the result of requirements. xml, date, and zlib are enabled.

OPCache is not loaded in my requirements; instead, in yours it is loaded. Could this be it?

Thanks in advance

Benjamin BALET

Dec 1, 2020, 1:09:45 PM
to jorani
No. OPcache is a bytecode cache used with a PHP-FPM architecture.
It doesn't work with the mod_php Apache module (your configuration).

This error is at the SAML protocol level.
It can be small things such as a case issue (here the email must be in the same case everywhere), or a time difference between servers, etc.

Each ID provider (Azure, GSuite, Auth0, OneLogin) has its own SAML debug tool, see: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/debug-saml-sso-issues

As I told you, I've used many SAML identity providers in the past and the configuration is pretty straightforward.

I am running out of ideas.

Jordi Casadevall

Dec 1, 2020, 1:25:37 PM
to jorani
Well, it's solved!

The issue was this:

$_SERVER['HTTPS'] = 'off';

At one point I changed http to https here:

$config['base_url'] = 'https://myjorani.com';

And I didn't see there was another thing to change. Well, configuring the Azure settings properly, and ruling out problems there, helped me find the real problem.

Sorry, and thanks a lot for your help.

Benjamin BALET

Dec 1, 2020, 1:41:38 PM
to jorani
I'm happy for you.
But I'm not clear about the root cause. Where did you change this?

I never ever change the base_url setting, as it should be automatically guessed by the PHP code that is below the setting.
Everything else is the responsibility of the web server (Apache or nginx).
Here is my config for https://azure.jorani.org/

Jordi Casadevall

Dec 1, 2020, 1:55:06 PM
to jorani
I have a Docker container with an nginx proxy holding the certificate for https, and the Jorani Docker container is running with http. Maybe because of this I need to force it in config.php:

$_SERVER['HTTPS'] = 'on';
$config['base_url']     = 'https://myjorani.com';
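The addressing check Jorani runs at steps 6 and 7 of Benjamin's description, and the HTTPS/base_url root cause Jordi found, as an added Python example that is not Jorani's or its SAML library's code: sp_acs_url and check_response are hypothetical helpers, and the sample response is constructed.

```python
# Added example, not Jorani's code: TLS terminated on a reverse proxy while
# PHP still sees HTTPS=off makes the SP build http://.../api/acs, but Azure
# addressed its response to https://.../api/acs, so the SP rejects it.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def sp_acs_url(server, path="/api/acs"):
    """Hypothetical helper mirroring how an SP derives its own ACS URL
    from $_SERVER-style keys (HTTPS, HTTP_HOST)."""
    scheme = "https" if server.get("HTTPS", "off").lower() == "on" else "http"
    return f"{scheme}://{server['HTTP_HOST']}{path}"

def check_response(xml_text, expected_acs):
    """Addressing checks an SP runs before trusting the NameID.
    Returns (errors, name_id); signature verification is out of scope."""
    root = ET.fromstring(xml_text)
    errors = []
    dest = root.get("Destination")
    if dest != expected_acs:
        errors.append(f"Destination {dest!r} != ACS {expected_acs!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_acs:
        errors.append(f"Recipient {recipient!r} != ACS {expected_acs!r}")
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS)
    if not name_id:
        errors.append("no NameID in assertion")
    return errors, name_id

# Constructed, unsigned, minimal response addressed to the https:// reply URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://jorani.host/api/acs">
  <saml:Assertion><saml:Subject>
    <saml:NameID>john.doe@example.org</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData
      Recipient="https://jorani.host/api/acs"/></saml:SubjectConfirmation>
  </saml:Subject></saml:Assertion></samlp:Response>"""
BEHIND_PROXY = {"HTTP_HOST": "jorani.host", "HTTPS": "off"}  # the bug
FORCED_HTTPS = {"HTTP_HOST": "jorani.host", "HTTPS": "on"}   # the fix

if __name__ == "__main__":
    for env in (BEHIND_PROXY, FORCED_HTTPS):
        errs, who = check_response(SAMPLE_RESPONSE, sp_acs_url(env))
        print(sp_acs_url(env), "->", errs or f"ok, NameID={who}")
```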

eric.c...@gmail.com

Oct 20, 2021, 3:15:10 AM
to jorani
Hello Benjamin,
I have the same issue, but without a Docker installation.

Do you think my Apache/PHP version could be the problem?
Do you think a config with a reverse web proxy could be the problem? (I have SSL on both sides: external URL and internal URL.)

Jorani 1.0 is installed on premise and the Azure web proxy with a custom URL is configured (DNS private.mydomain.com -> CNAME to proxy-appproxy-weur-ams01p-3.msappproxy.net)

Jorani through the Azure proxy works fine without SAML.

SAML is configured like the sample in this post (like yours).
Result: blank page on /api/acs
ERROR - 2021-10-20 09:03:25 --> {controllers/session/acs} SSO Errors=invalid_response

Thanks!

Eric Couasnet

Oct 20, 2021, 4:30:32 AM
to jor...@googlegroups.com
I have tried to make a test without the reverse proxy, with the Jorani host directly on a public IP, but same issue.
After Azure login, result: blank page myjoranihost/api/acs
ERROR - 2021-10-20 09:03:25 --> {controllers/session/acs} SSO Errors=invalid_response


--

Regards,

Eric Couasnet
mailto: eric.c...@gmail.com
Skype: couasnet.eric
Tel: +33 6 26 88 28 75


Eric Couasnet

Oct 20, 2021, 4:53:16 AM
to jor...@googlegroups.com
It works now! With the direct app (without proxy) it was a problem with x509cert in saml.php.
I tried to reproduce it with the proxied app, no success for now, I will try again.
I am not sure I have the right method to paste the x509 certificate into the saml.php file.

Benjamin BALET

Oct 20, 2021, 5:08:37 AM
to jorani
You have an example of an actual saml.php config file.
No leading spaces.

Eric Couasnet

Oct 20, 2021, 11:26:03 AM
to jor...@googlegroups.com
Thanks for your reply.
OK for the X509 in the sample.

So,
when I use SAML without the Azure web proxy to a JORANI HOST, it now works fine (JORANI HOST with a public IP ADDR)
when I use SAML with the web proxy to a local JORANI HOST, it doesn't work (JORANI HOST with a private IP ADDR)

Do you think it is a good way to use Jorani on a public ip:443 and secure access with SAML?
I think it's better to use a web proxy in front; that's why I try to make this config work. (In the past, I had Jorani 0.6.5 with a web proxy and SAML IDP: LemonLDAP, Apache reverse proxy, and it worked fine.)


Why doesn't the SAML config work behind the Azure web proxy? That's my question.
Azure debug says:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '1d63acf7-1e9a-4840-853b-a9a423ebb896'.
I am not sure I can fix that, because the Azure proxy needs a CNAME DNS record
and maybe SAML doesn't love redirects and CNAMEs with different domains.

Please, can you tell me what you think about that?

Regards,




Benjamin BALET

Oct 20, 2021, 3:59:19 PM
to jorani
Sorry, I'm a bit confused. Please define "webproxy": is it Azure's Application Proxy?
Meaning that Jorani is hosted on-premises or in a private network in Azure?
And then you are using Azure AD - which is public - to redirect to Jorani (which is not publicly available)?


Eric Couasnet

Oct 20, 2021, 6:57:14 PM
to jor...@googlegroups.com
> Sorry, I'm a bit confused. Please define "webproxy": is it Azure's Application Proxy?
YES

> Meaning that Jorani is hosted on-premises or in a private network in Azure?
YES
> And then you are using Azure AD - which is public - to redirect to Jorani (which is not publicly available)?
YES
I have followed this documentation, but it doesn't work :/

So, I will not use Azure Application Proxy.


regards,


