SAML Plugin | Not able to use AD groups on gerrit after saml implementation

[tech....@gmail.com]

Hi Team,

We have implemented SAML on our gerrit instance. We are able to login successfully  using ADFS SAML authentication.

But not able to use AD groups inside gerrit for access control. 

E:G  ldap/grou...@mail.com , These are not popping up  after saml. 

Please give us hint if we are missing anything on the configuration.

[auth]
        type = HTTP
        gitBasicAuthPolicy = LDAP

        logoutUrl = https://gerrit-sso.harman.com/logout
                httpHeader = X-SAML-UserName
                httpDisplaynameHeader = X-SAML-DisplayName
                httpEmailHeader = X-SAML-EmailHeader
                httpExternalIdHeader = X-SAML-ExternalId

[saml]
    keystorePath = /data/gerrit/etc/samlKeystore.jks
    keystorePassword = pac4j-demo-password
    privateKeyPassword = pac4j-demo-password
    metadataPath = https://sso4.888.com/FederationMetadata/2007-06/FederationMetadata.xml
    useNameQualifier = false

[tech....@gmail.com]

Hello Team,

Can we get help here.

how to get ldap groups if authenticating through saml in gerrit

[Rikard Almgren]

This would be of interest for us as well. We have a fairly heavy reliance on AD groups so we have not made a big push towards SSO yet, for the same reasons (and lack of time for investigating it in detail).

Has anyone combined SAML (or OAUTH) for Single Sign-On with AD groups for ACL from the LDAP auth method?

[Thomas Dräbing]

Yes, at SAP we are doing that. To do that we use the HTTP_LDAP auth-type together with the saml-plugin and kept the `[ldap]` section as it was before we migrated from LDAP to SAML. For gitBasicAuthPolicy we use the default (HTTP).

This works well for us.

HTH,

Thomas

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/cfcf65c9-184d-4e7b-b91f-aeb845edb1e0n%40googlegroups.com.

[anish....@gmail.com]

Can you share some excerpt of the configuration files for our review

[Matthias Sohn]

On Wed, Mar 8, 2023 at 6:44 PM anish....@gmail.com <anish....@gmail.com> wrote:

Can you share some excerpt of the configuration files for our review

Please avoid top posting on this list and use interleaved posting instead.

See https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

We use something like this at SAP:

gerrit.config:

[auth]

autoUpdateAccountActiveStatus = true

gitBasicAuthPolicy = HTTP

httpHeader = X-SAML-UserName

httpDisplaynameHeader = X-SAML-DisplayName

httpEmailHeader = X-SAML-EmailHeader

httpExternalIdHeader = X-SAML-ExternalId

logoutUrl = https://idp.example.com/logout

type = HTTP_LDAP

userNameCaseInsensitive = true

[ldap]

accountBase = ...

fetchMemberOfEagerly = false

groupBase = ...

localUsernameToLowerCase = true

readTimeout = 10s

server = ldaps://ldap.example.com

sslVerify = true

username = ...

[saml]

computedDisplayName = true

emailAddressAttr = email

firstNameAttr = first_name

keystorePath = /gerrit/site/etc/keystore

lastNameAttr = last_name

metadataPath = https://idp.example.com/metadata

userNameAttr = uid

put all secrets into secure.config:

[ldap]

password = ...

[saml]

keystorePassword = ...

privateKeyPassword = ...

 

-Matthias

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/2acaa3e1-d013-4a6e-8cf7-4b623471bacdn%40googlegroups.com.

[tech....@gmail.com]

The Plugin worked perfectly untill 3.4.x version, but after that we are not able to load login page. 

Placed latest saml plugin with 3.6 version. Below is config file

Target version is 3.6.4

[auth]
        autoUpdateAccountActiveStatus = true
        type = HTTP_LDAP
        #gitBasicAuthPolicy = LDAP
        gitBasicAuthPolicy = HTTP
        logoutUrl = https://gerrit-sso..com/static/logout.html

        httpHeader = X-SAML-UserName
        httpDisplaynameHeader = X-SAML-DisplayName
        httpEmailHeader = X-SAML-EmailHeader
        httpExternalIdHeader = X-SAML-ExternalId

          userNameCaseInsensitive = true


[saml]
    keystorePath = /data/gerrit-sso/etc/samlKeystore.jks
    #metadataPath = https://sso4..com/FederationMetadata/2007-06/FederationMetadata.xml
    metadataPath = file:///data/gerrit-sso/etc/FederationMetadata.xml
    #serviceProviderEntityId = https://gerrit-sso.com/plugins/saml/callback?client_name=SAML2Client
    #serviceProviderEntityId = SAML2Client
    useNameQualifier = false
    #emailAddressAttr = EmailAddress
    emailAddressAttr = email
    userNameAttr = uid
    computedDisplayName = true
    firstNameAttr = first_name
    lastNameAttr = last_name

[ldap]
        server = ldaps://ldap.ad.com:3269
        username = gerrit@ad
        accountBase = **
        groupBase = DC
        groupScope = subtree
        localUsernameToLowerCase = true

[Matthias Sohn]

On Thu, Mar 9, 2023 at 3:04 PM tech....@gmail.com <tech....@gmail.com> wrote:

The Plugin worked perfectly untill 3.4.x version, but after that we are not able to load login page. 

Placed latest saml plugin with 3.6 version. Below is config file

Which exact version of the saml plugin did you install ?

For 3.6 it should be the latest version from the master branch.

You can check the version at runtime using the Browse>Plugins menu.

Does it contain this fix https://gerrit-review.googlesource.com/c/plugins/saml/+/336517 ?

Are there any related errors in the error_log ?

 

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/d4b1db40-daf4-4ae5-a4d3-7cf28fb25ea9n%40googlegroups.com.

[tech....@gmail.com]

On Thursday, 9 March 2023 at 20:05:59 UTC+5:30 Matthias Sohn wrote:

On Thu, Mar 9, 2023 at 3:04 PM tech....@gmail.com <tech....@gmail.com> wrote:

The Plugin worked perfectly untill 3.4.x version, but after that we are not able to load login page. 

Placed latest saml plugin with 3.6 version. Below is config file

Which exact version of the saml plugin did you install ?

For 3.6 it should be the latest version from the master branch.

You can check the version at runtime using the Browse>Plugins menu.

downloaded plugin from : https://gerrit-ci.gerritforge.com/job/plugin-saml-bazel-master-stable-3.6/ 

Does it contain this fix https://gerrit-review.googlesource.com/c/plugins/saml/+/336517 ? 

Are there any related errors in the error_log ?

[2023-03-09T16:53:58.725+01:00] [main] INFO  com.google.gerrit.pgm.Daemon : Gerrit Code Review 3.6.4 ready
[2023-03-09T16:54:04.026+01:00] [HTTP GET /login/ (N/A from 10.70.53.50)] ERROR com.google.gerrit.httpd.auth.container.HttpLoginServlet : Unable to authenticate user by X-SAML-UserName request header. Check container or server configuration..

[tech....@gmail.com]

Hi All,

DO you have any solution by seeing the error log and the configuration. 

Else please share if there is any config changes for saml/ auth  from 3.4 to 3.6.4  , also please provide exact fixed version link of saml plugin for 3.6.4 gerrit. 

1. downloaded plugin from : https://gerrit-ci.gerritforge.com/job/plugin-saml-bazel-master-stable-3.6/ 

2. error log: [2023-03-09T16:54:04.026+01:00] [HTTP GET /login/ (N/A from 10.70.53.50)] ERROR com.google.gerrit.httpd.auth.container.HttpLoginServlet : Unable to authenticate user by X-SAML-UserName request header. Check container or server configuration..

[tech....@gmail.com]

One more thing to add.

The issue occurs when we upgrade to 3.4.0 actually,  

error when we start gerrit

ERROR com.google.gerrit.pgm.Daemon : Unable to start daemon
com.google.inject.CreationException: Unable to create injector, see the following errors:

1) [Guice/ErrorInjectingConstructor]: IllegalArgumentException: Unable to instantiate front-end HTTP Filter SamlWebFilter
  at JettyServer.<init>(JettyServer.java:216)
  at JettyModule.configure(JettyModule.java:31)
  while locating JettyServer

[httpd]
        filterClass = com.googlesource.gerrit.plugins.saml.SamlWebFilter

this filterClass parameter giving the exception and after removing it, gerrrit some how comes up but login page doesnt load.

[Jiaquan He (何嘉权)]

Not sure if it's the same issue we're dealing with.

We got exactly the same issue complaining "Unable to authenticate user by X-SAML-UserName request header". And we saw a build error in the saml plugin on the master branch here. Then we just built the plugin as new as this change, and got a saml.jar that works.

Maybe some maintainer might rerun that failed build and upload a working jar artifact.

[Jiaquan He (何嘉权)]

Looks like this bug

https://bugs.chromium.org/p/gerrit/issues/detail?id=16912&q=&can=8