SAML memberOf Group Issue


Daniel Anner
Feb 4, 2020, 1:29:20 PM
to munkireport

Hello,

So I am integrating SAML for our MR instance, and everything is set up correctly except for group privileges. In our Shibboleth instance I have released email and memberOf, which looks like this (CN=MunkiReport_Admins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED).

The release looks like this:

        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>REDACTED ( email was here )</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="memberOf" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>CN=MunkiReport_Admins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>


In my env config, I have:
AUTH_SAML_GROUP_ATTR=http://schemas.xmlsoap.org/claims/Group
AUTH_SAML_ALLOWED_GROUPS="CN=MunkiReport_Admins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED"


I am not able to get the env config working, and I have 3 groups I need to add, MunkiReport_Admins being one of them. I have tried every combination of 'CN=MunkiReport_Admins', just 'MunkiReport_Admins', and the full string like above.

Any assistance in figuring out how to troubleshoot this/set it up correctly would be great. Thank you.

A.E. van Bochoven
Feb 4, 2020, 1:32:06 PM
to 'A.E. van Bochoven' via munkireport
After logging in, you can retrieve the SAML group info by visiting:

index.php?/auth/set_session_props/1

-Arjen

--
You received this message because you are subscribed to the Google Groups "munkireport" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munkireport...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/munkireport/83ab3baa-a0b6-4cc4-9c1d-db881a11faab%40googlegroups.com.

Daniel Anner
Feb 4, 2020, 1:39:42 PM
to munkireport
What i get is: {"error":"unauthorized"}[]


Daniel Anner
Feb 5, 2020, 2:24:17 PM
to munkireport
So the question is, how do we debug what the code is looking for? I have passed it just the group name, the group name with CN in front, and the whole AD path which is the full string released.

A.E. van Bochoven
Feb 5, 2020, 3:09:17 PM
to munki...@googlegroups.com
You need to remove the restrictions on which users are able to login and then check

index.php?/auth/set_session_props/1

to retrieve the correct information. SAML is kind of hard to debug so you may need some extra tooling. I used the SAML firefox plugin to inspect the traffic but I’m not sure that still works.

-Arjen

-- 
You received this message because you are subscribed to the Google Groups "munkireport" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munkireport...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/munkireport/8ede1682-8425-4bf8-963f-ad6e1c01b3af%40googlegroups.com.


Daniel Anner
Feb 5, 2020, 3:37:12 PM
to munkireport
Yeah, I have a decoder to manually decode the SAML response, which I put a snip of in the original post. Here is the data that is transmitted when I open it to my user email:

{
    "samlUserdata": {
        "urn:oid:0.9.2342.19200300.100.1.3": [ "Daniel.Anner@REDACTED" ],
        "http:\/\/schemas.xmlsoap.org\/claims\/Group": [
            "CN=MunkiReport_Admins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED"
        ]
    },
    "samlNameId": "Daniel.Anner@REDACTED",
    "samlNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "samlSessionIndex": "_e54b63174b599d7f89ff29b86b03e57f",
    "user": "Daniel.Anner@REDACTED",
    "groups": [ "CN=MunkiReport_Admins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED" ],
    "auth": "saml",
    "role": "user",
    "role_why": "Default role",
    "machine_groups": { "0": "1", "1": "3", "2": "4", "4": "2", "7": "5" },
    "initialized": true,
    "theme": "Slate"
}


So okay, this is the config I have set up:
AUTH_SAML_USER_ATTR=urn:oid:0.9.2342.19200300.100.1.3
AUTH_SAML_ALLOWED_USERS=""
AUTH_SAML_ALLOWED_GROUPS="CN=MunkiReport_Admins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED"


But now when I clear the cache and try to login I am presented with unauthorized again. Any idea what is wrong in this config?

Daniel Anner
Feb 5, 2020, 4:07:11 PM
to munkireport
I also noticed that the AUTH_SAML_ALLOWED_GROUPS= automatically wraps your input in [], so I tried with and without quotes and still no dice. I honestly believe I have tried every combo, even with *'s. I am not sure where to go beyond modifying code to try to debug it further. Does php-saml have a debug option that works? I turned on debug and auth_saml_debug and neither has shown me more info. Is there any server logging I can turn on, and if so how?

I did notice the /storage/logs/ folder but it is empty

Daniel Anner
Feb 7, 2020, 8:53:04 AM
to munkireport
Do you happen to have any ideas?

A.E. van Bochoven
Feb 7, 2020, 12:47:52 PM
to munki...@googlegroups.com
AUTH_SAML_ALLOWED_USERS is working for you?


Daniel Anner
Feb 7, 2020, 1:06:52 PM
to munki...@googlegroups.com
Yes it is, adding my email to allowed users works perfectly fine. 

A.E. van Bochoven
Feb 7, 2020, 1:18:01 PM
to munki...@googlegroups.com
Any chance your SAML admin is able to map the group to something shorter, without commas?

Daniel Anner
Feb 7, 2020, 1:32:31 PM
to munki...@googlegroups.com
We cannot, as we have multiple other applications that require memberOf, which are already set up using this format. None of these other applications have issues with the format either. I can try escaping the commas if you think that may be the issue?



--
Regards,

Daniel W. Anner
Dan's Tech Support Unlimited
Owner/Operator

Daniel Anner
Feb 7, 2020, 1:36:54 PM
to munki...@googlegroups.com
Never mind, that does not work: Failed to parse dotenv file due to an unexpected escape sequence. Failed at ["CN=MunkiReport_Admins\,OU=FSMunki\,OU=Groups\,OU=Admins\,OU=Root\,DC=ac\,DC=REDACTED"].

A.E. van Bochoven
Feb 8, 2020, 3:12:07 AM
to 'A.E. van Bochoven' via munkireport
I pushed a fix for your issue to a new branch:


Please check out this code and see if that fixes your issue. Note that the code is now replacing ‘,’ with ‘_’ in the group names, so you would need to change the group name in .env to 

CN=MunkiReport_Admins_OU=FSMunki_OU=Groups_OU=Admins_OU=Root_DC=ac_DC=REDACTED

-Arjen

Daniel Anner
Feb 10, 2020, 9:34:18 AM
to munki...@googlegroups.com
I will give it a shot. I am currently receiving a 500 error but I do not see errors in my NGINX or php-fpm logs. I'll keep digging into it and see if I can figure out what the issue is.

Daniel Anner
Feb 10, 2020, 9:48:41 AM
to munki...@googlegroups.com
Figured it out. I tested the fix and I am experiencing a weird issue. I have my config as follows:
AUTH_SAML_USER_ATTR=urn:oid:0.9.2342.19200300.100.1.3
AUTH_SAML_ALLOWED_USERS=""
AUTH_SAML_GROUP_ATTR="http://schemas.xmlsoap.org/claims/Group"
AUTH_SAML_ALLOWED_GROUPS=""

And when I attempt to login, it allows me in without any issue. Any idea why I would be able to login without any groups defined?

A.E. van Bochoven
Feb 10, 2020, 2:48:40 PM
to munki...@googlegroups.com
Does that mean that the group is now working? 
Not specifying a user and a group assumes that everyone can login. We could change that behavior if that makes better sense 

Daniel Anner
Feb 10, 2020, 2:54:44 PM
to munki...@googlegroups.com
I personally think if no group or user is defined, no one should be able to login, but that isn't a huge deal.

As for the group, I am still getting not authorized. Do you think this is because of the _ in the CN name?
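
To make the two behaviours discussed in this thread concrete, here is an added Python example. It is not MunkiReport's code: parse_env_list, normalize_group, authorize, the fail_closed switch and the SAMPLE_* values are assumptions constructed for illustration. It shows why a raw AD distinguished name cannot be matched from a comma-separated AUTH_SAML_ALLOWED_GROUPS list (its own commas are treated as separators), how the ',' to '_' replacement from Arjen's branch makes the match work, and the difference between the "empty lists admit everyone" behaviour Arjen describes and the fail-closed default suggested in the reply above.

```python
"""SAML group allow-list matching, added example (not MunkiReport code)."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample values, modelled on the redacted session_props posted
# earlier in this thread. Not real identities.
SAMPLE_USER = "Daniel.Anner@REDACTED"
SAMPLE_DN = "CN=MunkiReport_Admins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED"


def parse_env_list(value: str) -> List[str]:
    """Split a .env allow-list (AUTH_SAML_ALLOWED_USERS / _GROUPS) on commas.

    Surrounding quotes are stripped the way a dotenv loader would, and an
    empty string yields an empty list. Because the comma is the list
    separator, a DN such as SAMPLE_DN is broken into seven fragments here,
    none of which equals the full group name delivered in the assertion.
    """
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return [item.strip() for item in value.split(",") if item.strip()]


def normalize_group(name: str) -> str:
    """Replace ',' with '_' in a group name.

    This mirrors the workaround the SAML_fix branch in this thread applies,
    so that the DN can be written into the comma-separated .env list.
    """
    return name.replace(",", "_")


def authorize(user: str, groups: Iterable[str], allowed_users_env: str,
              allowed_groups_env: str, fail_closed: bool = True) -> Tuple[bool, str]:
    """Decide whether a SAML-authenticated user may log in.

    Returns (decision, reason). With fail_closed=True, empty user and group
    lists deny everyone (the stricter behaviour suggested in the thread);
    with fail_closed=False they admit everyone, which is the behaviour the
    thread describes for the project at the time.
    """
    allowed_users = set(parse_env_list(allowed_users_env))
    # Normalising the configured side too makes the comparison independent
    # of whether the administrator already wrote the underscored form.
    allowed_groups = {normalize_group(g) for g in parse_env_list(allowed_groups_env)}

    if not allowed_users and not allowed_groups:
        return (not fail_closed, "no allow-lists configured")
    if user in allowed_users:
        return True, "user listed in AUTH_SAML_ALLOWED_USERS"
    for group in groups:
        candidate = normalize_group(group)
        if candidate in allowed_groups:
            return True, "group match on " + candidate
    return False, "unauthorized: no user or group match"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the scenarios from the thread against the constructed sample."""
    groups = [SAMPLE_DN]
    return {
        "raw DN in .env (fails)": authorize(SAMPLE_USER, groups, "", '"%s"' % SAMPLE_DN),
        "underscored DN in .env": authorize(SAMPLE_USER, groups, "", normalize_group(SAMPLE_DN)),
        "user allow-list only": authorize(SAMPLE_USER, groups, SAMPLE_USER, ""),
        "both empty, fail closed": authorize(SAMPLE_USER, groups, "", "", fail_closed=True),
        "both empty, fail open": authorize(SAMPLE_USER, groups, "", "", fail_closed=False),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print("%-26s -> %s" % (scenario, result))
```

Running the block prints one line per scenario; the first shows the exact failure from the thread (a raw DN in the list never matches), the second shows the underscored form matching. When checking a live setup, the same comparison can be done by hand against the "groups" array returned by index.php?/auth/set_session_props/1.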


Daniel Anner
Feb 11, 2020, 3:50:21 PM
to munkireport
I changed the group name to MRAdmins and so there is no extra _ in the string and I still am getting Unauthorized.



A.E. van Bochoven
Feb 11, 2020, 4:35:29 PM
to 'A.E. van Bochoven' via munkireport
To troubleshoot, only use mr_allowed_users and review the result of 

index.php?/auth/set_session_props/1

after logging in. It should show the group name with the underscores instead of commas.

If in doubt, please post the redacted result of the session_props.

-Arjen

Daniel Anner
Feb 12, 2020, 8:33:09 AM
to munki...@googlegroups.com
It is not showing the underscores instead of the commas, and it is still only allowing me to login with the user email set:
{
    "samlUserdata": {
        "urn:oid:0.9.2342.19200300.100.1.3": [ "Daniel.Anner@REDACTED" ],
        "http:\/\/schemas.xmlsoap.org\/claims\/Group": [
            "CN=MRAdmins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED"
        ]
    },
    "samlNameId": "Daniel.Anner@REDACTED",
    "samlNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "samlSessionIndex": "_388a2fb9396f4c3402c7e70a37b16a0d",
    "user": "Daniel.Anner@REDACTED",
    "groups": [ "CN=MRAdmins,OU=FSMunki,OU=Groups,OU=Admins,OU=Root,DC=ac,DC=REDACTED" ],
    "auth": "saml",
    "role": "user",
    "role_why": "Default role",
    "machine_groups": { "0": "1", "1": "3", "2": "4", "4": "2", "7": "5" },
    "initialized": true,
    "theme": "Default"
}

This is in a new incognito window as well so cache is not in the way. I have also verified the munkireport-php branch is:
[report@REDACTED munkireport-php]$ git status
# On branch SAML_fix
nothing to commit, working directory clean



A.E. van Bochoven
Feb 12, 2020, 3:44:25 PM
to 'A.E. van Bochoven' via munkireport
Ok, I found a bug in the code. Could you please check out the branch again and test?

-Arjen

Daniel Anner
Feb 13, 2020, 8:30:31 AM
to munki...@googlegroups.com
Perfect, everything is working as expected now. Roughly, when can we expect this to be merged into master?

A.E. van Bochoven
Feb 13, 2020, 11:57:55 AM
to munki...@googlegroups.com
It will be in the next release (5.2). But we'll need some documentation; it would be great if you could write something about your SAML setup in the wiki.

Arjen

Daniel Anner
Feb 13, 2020, 12:43:57 PM
to munkireport
I would be happy to. Thank you.



Daniel Anner
Feb 14, 2020, 12:13:07 PM
to munkireport
I added my documentation setup, let me know if you need anything clarified further.


